EmblemHealth is committed to protecting and securing our members' personal information. Our Notice of Privacy Practices describes how members’ medical information may be used and disclosed, and how our members can get access to this information.
The member handbook tells members how to consent to the collection, use, and release of protected health information (PHI), how to obtain access to their medical records, and what we do to protect access to their PHI.
Confidentiality of Personal Information
We want members to know that EmblemHealth makes the protection of PHI a high priority. Our members entrust us with personal, sensitive, and highly confidential information. Our employees and other authorized individuals working for us are accountable for exercising a high degree of care in safeguarding the confidentiality of PHI.
Our employees and other authorized individuals are prohibited from:
- Accessing or trying to access PHI, except on a "need to know" basis and only when authorized to do so.
- Disclosing PHI to any person or organization within or outside of EmblemHealth, unless that person or organization has a "need to know" and is authorized to receive that information.
Confidentiality of Health Information for Minors Enrolled in Medicaid Managed Care Plans
EmblemHealth suppresses all Explanations of Benefits (EOBs) for Medicaid minors (ages 0 to under 18 years), except for dental-related services and situations where the member may be financially responsible. NYSDOH requires Medicaid Managed Care Plans, including EmblemHealth, to establish an effective, uniform, and systemic mechanism to comply with confidentiality protections for health care services provided to minors who are enabled by statute to consent to their own health care.
Authorization to Release Information
The member or qualified person must give authorization before any PHI can be released to an outside organization or agency, unless release of that information is legally required or permitted.
Special restrictions apply to the release of information relating to substance use disorders (alcohol and drug), mental health, psychotherapy notes, genetic information (including genetic test results), HIV/AIDS, and sexually transmitted disease(s).
In many cases, routine consent for release of information is obtained on the enrollment application. The consent authorizes the use of PHI for general treatment, coordination of care, quality assessment, utilization review, and fraud detection. The consent also authorizes the use of PHI for oversight reviews, such as those performed by the State or for accreditation purposes. In addition, it covers future routine use of such information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA permits the disclosure of information for payment, treatment, and health care operations. HIPAA requires providers to take reasonable and appropriate measures to protect member/patient information. Examples of measures considered reasonable and appropriate to safeguard the patient chart include:
- Limiting access to certain areas.
- Ensuring the area is supervised.
- Escorting non-employees in the area.
- Placing the chart in a box next to the exam room with the front cover facing the wall so PHI is not visible to anyone who walks by.
An office sign-in sheet may not display medical information (e.g., information about symptoms or treatment). Messages on home answering machines should be limited to the member's name and information necessary to confirm an appointment, or should simply request a return call.
Confidentiality of Behavioral Health, Substance Use, and HIV-related Information
Providers must develop policies and procedures to assure confidentiality of behavioral health (BH), substance use (SU), and HIV-related information. These policies and procedures must include:
- Initial and annual in-service education of staff and contractors.
- Identification of staff allowed access and limits of access.
- Procedures to limit access to trained staff (including contractors).
- Protocols for secure storage (including electronic storage).
- Procedures for handling requests for information.
- Protocols to protect members from discrimination.