Your Privacy

Notice of Privacy Practices

This Notice describes how health information about you may be used and disclosed, and how you may access this information. Please review this Notice of Privacy Practices carefully. If you have any questions or would like a copy of this Notice of Privacy Practices, please contact the BMC HealthNet Plan Member Services Call Center.

Senior Care Options Members: 1-855-833-8125

BMC HealthNet Plan
Two Copley Place, Suite 600
Boston, MA 02116
Web site:

This Notice of Privacy Practices is effective September 23, 2013 and supersedes the revision dated June 30, 2012. This Notice describes how we may use and disclose your health information to carry out treatment, payment or health care operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your health information.

“Protected health information” or “PHI” is health information, including individually identifiable information, related to your physical or behavioral health condition used in providing health care to you or for payment for health care services.

By law, we are required to:

  • Maintain the privacy and confidentiality of your protected health information
  • Give you this Notice of Privacy Practices
  • Follow the practices in this Notice

We use physical, electronic and procedural safeguards to protect your privacy. Even when disclosure of PHI is allowed, we only use and disclose PHI to the minimum amount necessary for the permitted purpose.

Other than the situations mentioned in this Notice, we cannot use or share your protected health information without your written permission, and you may cancel your permission at any time by sending us a written notice.

We reserve the right to change this Notice and to make the revised notice effective for any of your current or future protected health information. You are entitled to a copy of the Notice currently in effect.


For Treatment: We may communicate PHI about you to doctors, nurses, technicians, office staff or other personnel who are involved in taking care of you and need the information to provide you with medical care. For example, if you are being treated for a back injury, we may share information with your primary care physician, the back specialist and the physical therapist so they can determine the proper care for you. We will also record the actions they took and the medical claims they made. Other examples of when we may disclose your PHI include:

  • Quality improvement and cost containment wellness programs, preventive health initiatives, early detection programs, safety initiatives and disease management programs.
  • To administer quality-based cost effective care models, such as sharing information with medical providers about the services you receive elsewhere to assure effective and high quality care is coordinated.

For Payment: We may use and disclose your PHI to administer your health benefits, which may include claims payment, utilization review activities, determination of eligibility, medical necessity review, coordination of benefits and appeals. For example, we may pay claims submitted to us by a provider or hospital.

For Health Care Operations: We may use and disclose your PHI to support our normal business activities. For example, we may use your information for care management, customer service, coordination of care or quality management.

Appointment Reminders/Treatment Alternatives/Health-Related Benefits and Services: We may contact you to provide appointment or refill reminders, or information about possible treatment options or alternatives and other health-related benefits, or services that may be of interest to you.

As Required By Law: We will disclose PHI about you when we are required to do so by international, federal, state or local law.

Business Associates: We may disclose PHI to our business associates who perform functions on our behalf or provide services if the PHI is necessary for those functions or services. All of our business associates are obligated, under contract with us, to protect the privacy of your PHI.

Coroners, Medical Examiners and Funeral Directors: We may communicate PHI to coroners, medical examiners and funeral directors for identification purposes and as needed to help them carry out their duties consistent with applicable law.

Correctional Facilities: If you are or become an inmate in a correctional facility, we may communicate your PHI to the correctional facility or its agents, as necessary, for your health and the health and safety of other individuals.

Disaster Relief: We may communicate PHI to an authorized public or private entity for disaster relief purposes. For example, we might communicate your PHI to help notify family members of your location or general condition.

Family and Friends: We may communicate PHI to a member of your family, a relative, a close friend, or any other person you identify who is directly involved in your health care or payment related to your care.

Food and Drug Administration (FDA): We may communicate to the FDA, or persons under the jurisdiction of the FDA, your PHI as it relates to adverse events with drugs, foods, supplements and other products and marketing information to support product recalls, repairs or replacement.

Health Oversight Activities: We may communicate your PHI to state or federal health oversight agencies authorized to oversee the health care system or governmental programs, or to their contractors, for activities authorized by law, audits, investigations, inspections, and licensing purposes.

Law Enforcement: We may release your PHI upon request by a law enforcement official in response to a valid court order, subpoena or similar process. Lawsuits and Disputes: If you are involved in a lawsuit or dispute, we may communicate PHI about you in response to a court or administrative order. We may also communicate PHI about you because of a subpoena or other lawful process, subject to all applicable legal requirements.

Military, Veterans, National Security and Intelligence: If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may be required by other government authorities to release your PHI for national security activities.

Minors: We may disclose PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.

Organ and Tissue Donation: If you are an organ or tissue donor, we may use or disclose your PHI to organizations that handle organ procurement or transplantation – such as an organ bank – as necessary to facilitate organ or tissue donation and transplantation.

Personal Representative: If you have a personal representative, such as a legal guardian (or an executor or administrator of your estate after your death), we will treat that person as if that person is you with respect to disclosures of your PHI.

Public Health and Safety: We may communicate your PHI for public health activities. This includes disclosures to: (1) prevent or control disease, injury or disability; (2) report birth and deaths; (3) report child abuse or neglect; (4) a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (5) the appropriate government authority if we believe a person has been the victim of abuse, neglect, or domestic violence and the person agrees or we are required to by law to make that disclosure or (6) when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

Research: We may use and disclose your PHI for research purposes, but we will only do that if the research has been specially approved by an institutional review board or a privacy board that has reviewed the research proposal and has set up protocols to ensure the privacy of your PHI. Even without that special approval, we may permit researchers to look at PHI to help them prepare for research, for example, to allow them to identify persons who may be included in their research project, as long as they do not remove, or take a copy of, any PHI. We may use and disclose a limited data set that does not contain specific readily identifiable information about you for research. But we will only disclose the limited data set if we enter into a data use agreement with the recipient who must agree to (1) use the data set only for the purposes for which it was provided, (2) ensure the security of the data, and (3) not identify the information or use it to contact any individual.

Worker’s Compensation: We may use or disclose PHI for worker’s compensation or similar programs that provide benefits for work-related injuries or illness.


Fundraising: We may use PHI about you in an effort to raise money. If you do not want us to contact you for fundraising efforts, you may opt out by notifying us, in writing, with a letter addressed to the BMC HealthNet Plan Privacy Officer.


Special privacy protections apply to HIV-related information, alcohol and substance abuse, mental health, and genetic information that require your written permission, and therefore some parts of this general Notice of Privacy Practices may not apply to these more restricted kinds of PHI.


Right to Access and Copy: You have the right to inspect and obtain a copy of your PHI. To do so, you must submit a written request to the BMC HealthNet Plan Privacy Officer. We will provide you with a copy or a summary of your records, usually within 30 days and we may ask you to pay a fee to cover our costs of providing you with that PHI, and certain information may not be easily available prior to July 1, 2002. We may deny your request to inspect and copy, in certain limited circumstances.

Right to an Electronic Copy of PHI: You have the right to require that an electronic copy of your health information be given to you or transmitted to another individual or entity if it is readily producible. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic record.

Right to Get Notice of a Security Breach: We are required to notify you by first class mail of any breach of your Unsecured PHI as soon as possible, but no later than 60 days after we discover the breach. “Unsecured PHI” is PHI that has not been made unusable or unreadable. The notice will give you the following information:

  • A short description of what happened, the date of the breach and the date it was discovered
  • The steps you should take to protect yourself from potential harm from the breach;
  • The steps we are taking to investigate the breach, mitigate loses, and protect against further breaches; and
  • Contact information where you can ask questions and get additional information

Right to Amend: If you believe the PHI we have about you is incorrect or incomplete, you may ask us to amend the PHI. You must request an amendment, in writing, to the BMC HealthNet Plan Privacy Officer and include a reason that supports your request. In certain cases, we may deny your request for amendment, but we will advise you of the reason within 60 days. For example, we may deny a request if we did not create the information, or if we believe the current information is correct.

Right to an Accounting of Disclosures: You have the right to request an "accounting of disclosures”. This is a list of the disclosures we made of PHI about you for most purposes other than treatment, payment and health care operations. The right to receive an accounting is subject to certain exceptions, restrictions and limitations. To obtain an accounting, you must submit your request, in writing, to the BMC HealthNet Plan Privacy Officer. We will provide one accounting a year for free but may charge a reasonable, cost-based fee if you submit a request for another one within 12 months. It must state a time period, which may not be longer than six years and may not include dates before April 14, 2003.

Right to Request Restrictions: You have the right to request, in writing, to the BMC HealthNet Plan Privacy Officer, a restriction or limitation on our use or disclosure of your PHI. We are not, however, required by law to agree to your request. If we do agree, we will comply with your request unless the PHI is needed to provide emergency treatment to you.

Right to Request Confidential Communication: You have the right to request that we communicate with you about medical matters only in writing or at a different residence or post office box. To request confidential communications, you must complete and submit a Request for Confidential Communication Form to the BMC HealthNet Plan Privacy Officer. Your request must specify how or where you wish to be contacted. We will accommodate all reasonable requests.

Right to Notice of Privacy Practice: You have the right to receive a paper copy of the Notice of Privacy Practices upon request at any time.


To exercise your rights as described in this Notice, send your request, in writing, to our Privacy Officer at the address listed in this Notice.

Assistance in Preparing Written Documents: BMC HealthNet Plan will provide you with assistance in preparing any of the requests explained in this Notice that must be submitted in writing. There will be no cost to you for this.


Other Uses and Disclosures of PHI: We will obtain your written authorization before using or disclosing your PHI for purposes other than those provided for above (or as otherwise permitted or required by law). You may revoke such an authorization at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.

We will never sell your health information or use your health information for marketing purposes or to offer you services or products unrelated to your health care coverage or your health status, without your written authorization.

Compliance with State and Federal Laws: If more than one law applies to this Notice, we will follow the more stringent law. You may be entitled to additional rights under state law, and we protect your health information as required by these state laws.

Complaints: If you believe your privacy rights have been violated, you may file a complaint with our office or with the Department of Health and Human Services. To file a complaint with our office, contact:

Privacy Officer
BMC HealthNet Plan
Two Copley Place, Suite 600
Boston, MA 02116

Or, you may call this office at 1-617-748-6325.

You may also notify the Secretary of the Department of Health and Human Services (HHS). Send your complaint to:

Medical Privacy, Complaint Division
Office for Civil Rights (OCR)
United States Department of Health and Human Services
200 Independence Avenue, SW, Room 509F, HHH Building
Washington D.C., 20201

You may also contact OCR’s Voice Hotline Number at (800) 368-1019 or send the information to their Internet address

BMC HealthNet Plan will not take retaliatory action against you if you file a complaint about our privacy practices with either OCR or BMC HealthNet Plan.