Change Healthcare data breach


We are aware Change Healthcare has confirmed data was compromised in its February cyber incident.

Highmark is working with Change and United HealthGroup to fully understand the nature and extent of the impact on our members and customers. We will continue to support our members as more information becomes available.


Digital Privacy Policy — Highmark Health¹

At Highmark Health, transparency is a key principle guiding our business decisions and the relationship with our customers. All the information we collect from or about our customers is maintained in accordance with a variety of state and federal laws and regulations, industry best practices, and our corporate standards. This Digital Privacy Policy ("Privacy Policy") describes the information we collect, use, and disclose when you access our online services, as well as our approach to maintaining the privacy and security of information, and your options as you interact with our websites, mobile apps, and related digital assets.

Note on HIPAA and Protected Health Information

The Health Insurance Portability and Accountability Act (HIPAA) regulates and defines protected health information (PHI) maintained by covered entities and business associates. HIPAA requires covered entities to maintain a Notice of Privacy Practices (NPP), which describes how PHI is collected, used, and disclosed by the regulated entity. PHI is part of the larger category of personal information, as defined below, and the terms of an NPP will apply to the collection, use, and disclosure of PHI rather than this Privacy Policy. For example, individually identifiable health information collected on a regulated entity’s website or mobile application is generally PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information, such as IP address or geographic location, does not include specific treatment or billing details. Therefore, most of the information collected, used, and disclosed through use of our online services is PHI and is subject to the applicable Notice of Privacy Practices.

Links to the NPPs of our affiliated entities are included below for review:

Your Consent

We urge you to fully read this Privacy Policy to remain informed. Please be advised that this Privacy Policy constitutes an agreement between you and Highmark Health when you utilize our online services, which includes our enterprise websites, mobile applications, member and patient portals, and our other affiliated online or digital resources, owned or managed by Highmark Health, that refer to this Privacy Policy. Please be advised that some of our online services may have separate or additional terms of use which will apply in addition to this Privacy Policy, and you are encouraged to review such supplemental terms of use. Your ongoing use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy and any supplemental terms of use, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law. Please note, our privacy practices are subject to the laws of the places in which we operate; as such, you may see additional region-specific terms that apply only to customers located in those geographic regions, as may be required by applicable laws.

1. Information That We Collect

We collect personal information from and about you in a number of ways. Personal information means individually identifiable information such as your name, email address, and demographic information if you choose to complete an online form. We leverage various tools, components, and features (as described below), in accordance with applicable law, to collect personal information to conduct our business operations, including understanding our users, maintaining and optimizing our online services, and customizing your user experience. Most of the information we collect, use, and disclose through use of our online services is PHI.

How you interact with a particular Highmark Health online service will generally determine the type and amount of personal information we collect. For general website browsing, we capture basic information such as your browser type, IP address, device hardware model, referring URL, as well as server log information such as session time, click streams, and crash reports. For other features, such as use of a secure portal, we may need to verify your identity through a login process and collect sufficient personal information to provide a response or administer the service requested.

What follows below are further details regarding the personal information we collect, use, and disclose for our business purposes.

Online Forms
Highmark Health offers online inquiry forms on our corporate-owned websites for account questions or to learn more about our products and services. The personal information we collect on inquiry forms generally includes your name, address, phone number, email address, and the details of your inquiry. By submitting personal information, you grant Highmark Health the right to transmit, monitor, retrieve, store and use your information in connection with the operation of the website. We may use such information to review and respond to your request or communication, or use contracted service providers to do that for us. We may also use information collected through online forms as stated in Section 2 below.

Secure Portals
Highmark Health has established secure portals for use by our customers and business partners. When secure portals are accessed, we collect certain personal information, such as user ID and password, IP address, click streams, and related session data. Communications sent by users through these secure portals may also be recorded in transaction logs to monitor content, compliance with applicable law and regulations, or functionality of the services. We may also use information collected through secure portals as stated in Section 2 below.

Interactive Chat
Our online services may offer interactive chat technology to assist users. That interactive technology collects personal information such as name, date of birth, address, and account number for authentication purposes or to provide customized details as requested by a user, and may also capture session-related information such as web logs to document the interaction. Users are reminded that supplemental terms of use may apply with respect to an interactive chat feature in addition to this Privacy Policy, and users are encouraged to read such terms as well. We may also use information collected through interactive chat as stated in Section 2 below.

Biometric Login
You may be invited by your mobile device to use fingerprint, facial recognition, or similar biometric technology to log in to our online service. When a biometric login is enabled, our online services recognize that you have selected this as a preference and have been authenticated through your mobile device, and you are permitted to access our online services accordingly. When you use biometric login functionality on our online services, we do not collect any of the actual biometrics (e.g., fingerprints or facial images); that is managed and maintained on your mobile device and by the mobile device manufacturer (e.g., Apple, Samsung).

Geolocation Functionality
Our online services may use the location services functionality on your mobile device and thereby collect your geolocation data. We use geolocation data to assist you in finding geographically-based products and services, and to provide you with relevant content based on your location. We may also use information collected through location services as stated in Section 2 below.

Mobile Device
Our online services collect certain personal information when being run on a mobile device; for example, if one of our mobile applications is downloaded, we collect information about the device type, its software/operating system, and device identifier. We use this information to assess our general user base and to improve our technical support capabilities. We may also use information collected from your mobile device as stated in Section 2 below.

Cookies
A cookie is a small text file that is stored on a computer or other internet-connected device when it accesses a digital resource. Cookies can capture user information such as IP address, internet browser and operating system type, the date and time of a digital interaction, session information such as page response times, your search history, saved preferences and password information (if a user elects to have a website remember this information), information about the referring URL, and the click stream to, through, and from our online services.

Highmark Health’s online services use first-party cookies (ones we create and configure) to support our digital resources, monitor their performance, enhance the user experience, and assess information about our user base. We may gather and use information obtained from first-party cookies to provide customers and prospects with tailored content and optimize our offerings.

We also use third-party cookies (ones we do not create or configure), in accordance with the requirements of applicable law, to help assess our user base, understand a user’s digital journey from external sources to our online services, and optimize our offerings in the market. In the event that third-party cookies are used to deliver relevant ads of interest, you can review and manage applicable third-party ad cookies by navigating to the following links provided by the Network Advertising Initiative and the Digital Advertising Alliance.

Cookies employed on our online services include the following types:

  • Strictly necessary: cookies which enable various underlying resource features and functionalities such as authenticating users.
  • Functional: cookies which support enhanced browsing experience and personalization.
  • Performance/Analytics: cookies which help us evaluate the effectiveness of digital resources, understand user patterns, and measure errors.

Most internet browser settings can be modified by users to attempt to block cookies (e.g., choosing a “do not track” or "global privacy control" setting). Also, you should be aware that blocking cookies could prevent a particular online service or certain features from fully functioning. We are not responsible for and make no representations or claims regarding the effectiveness of third party opt-out mechanisms or programs. Please note that if you delete your cookies or upgrade your browser after having opted-out, you will need to opt-out again to reaffirm your selections.

Third-Party Widgets
Users may encounter third-party widgets (e.g., Twitter, LinkedIn) on our online services; these widgets (icons) are owned and controlled by third parties and not by Highmark Health. These widgets are provided out of convenience only, and do not reflect an affiliation with or endorsement of the third-party company. If a user clicks a widget, he/she will be redirected to the landing page of that third-party company, and any data collection, use, and disclosure activities will be subject to that third party’s privacy standards (and not this Privacy Policy). Here’s an example: Highmark Health maintains a LinkedIn page, but we have no control over how LinkedIn, as a third party, collects, uses, or discloses information obtained from users when they visit the LinkedIn platform.

When you click a third-party widget and leave our site, Highmark Health makes no representations or warranties regarding third-party platforms or components, their content, data management, or security. To be an informed consumer, you should review the privacy standards of the applicable third parties.

Redirecting Hyperlinks and Embedded Third-Party Media
Our online services may contain redirecting hyperlinks or embedded third-party media content, as applicable; an example includes YouTube videos which may exist as tile images that redirect to YouTube when clicked, or as embedded files which begin playing on our web pages when clicked. This third-party content is not managed or configured by Highmark Health, which means we do not control any code which may be linked to this content by the media host, and we do not control any data collection which might occur as a result of such code. By viewing any embedded third-party media content on our online services, as applicable, users acknowledge, accept, and expressly consent to any associated data collection, use, and disclosure which might occur between Highmark Health and the media host.

2. Use, Access, and Disclosure Of This Information

Highmark Health uses the information collected through our online services for the specified purposes stated in Section 1 above. Additional uses include:

  • Provide product, program, and service updates, event notices, details about new offerings, and announcements of interest.
  • Update and maintain information about users.
  • Monitor the effectiveness of our online services and features.
  • Ensure our digital resources function as intended and meet our users’ expectations.
  • Help us authenticate you as an authorized user and unique individual.
  • Evaluate your individual experience across our digital properties and help us assess and optimize our products, programs, services, and digital offerings.
  • Carry out our marketing, advertising, and general commercial business purposes.

We may also use your personal information to provide you with access to information about additional products, programs, and services offered by our family of companies or our business partners. You may remove yourself from certain communication channels or programs at any time — just follow the opt-out instructions included in those specific communications.

Disclosure To Service Providers
Highmark Health may disclose your personal information collected through its online services to service providers that are contracted by Highmark Health to support our functions. For example, a service provider may have access to your information to perform a specific task such as sending you a survey or a newsletter. Highmark Health’s service providers are bound by contract to follow robust data privacy and security standards, and to handle your personal information with due care.

Links to External Websites
Third parties include non-affiliated companies whose platforms or components we may employ or present to our users, but whose data collection and usage activities we do not control, and which are not governed by this Privacy Policy (e.g., third-party widgets referenced above). For example, we may utilize a third party vendor to host certain informational videos. When you click on the link to the video, you are re-directed from our site to the platform of the video host. The host’s data collection and usage activities will govern your interaction with that third-party site and content. Third parties can also refer to other types of entities or bodies that we do not have a contractual or commercial relationship with, but that we share data with as permitted or required by law (e.g., government oversight agencies). Highmark Health generally does not disclose personal information collected through its online services to third parties except as set forth in this Privacy Policy, or as permitted or required by law. At times, personal information may be disclosed to a third party if there is a specific legal basis, if there is a need to complete a transaction requested by the user, or if necessary for providing a service or benefit to the user.

Disclosure To Comply With Law, Respond To Legal Requests, Prevent Harm, and Protect Our Rights
Highmark Health may disclose your personal information to courts, law enforcement, governmental oversight agencies, and other appropriate regulatory bodies as permitted or required by applicable law, or if such disclosure is reasonably necessary to:

  • Comply with legal obligations.
  • Comply with legal process and to respond to claims asserted against Highmark Health.
  • Respond to verified requests in relation to a criminal investigation or alleged or suspected illegal activity, or any other activity that may expose us or any of our users to legal liability.
  • Enforce and administer this Privacy Policy or any applicable terms of use.
  • Protect the rights of Highmark Health, its employees, customers, business partners, or the public.

3. Other Relevant Data And Consumer Protection Laws

Children's Online Privacy Protection Act (COPPA)
Our online services are not generally intended for, nor made available to, children under the age of 13, and we typically do not make attempts to collect, use, or disclose information from children under the age of 13, unless otherwise permitted or required by applicable law.

European Union General Data Protection Regulation (GDPR)
Some of our entities or product lines may be subject to certain obligations set by the GDPR. With respect to our entities or product lines that may be subject to GDPR, a separate notice aligned to GDPR’s requirements will be made available on the public websites of the applicable entities.

State Consumer Privacy Laws
Some of our entities may be subject to certain obligations set by state consumer privacy laws, such as those enacted in California and Colorado, among other jurisdictions. These laws require the posting of a consumer notice regarding data collection, use, and disclosure activities. With respect to our entities that may be subject to this type of requirement, one or more separate notices aligned to those specific state laws will be made available on the public websites of the applicable entities.

4. Changes To This Digital Privacy Policy and Questions

Highmark Health reserves the right to change, modify, or update this Privacy Policy at any time and for any reason. Highmark Health will promptly post such changes, modifications, or updates to its online services accordingly. Please review this Privacy Policy periodically to keep informed of any changes. Users are reminded that continued use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law.

Questions
If you have questions about this Privacy Policy, please contact us by emailing privacy@highmarkhealth.org or calling 1-866-228-9424.

¹ Highmark Health includes the wholly-owned subsidiaries and affiliates making up the Highmark Health enterprise, including, among others, Highmark Inc., Allegheny Health Network, HM Health Solutions d/b/a enGen, HM Home and Community Services d/b/a Helion, and other affiliated businesses such as HM Insurance Group and United Concordia Companies Inc. References to "us," "we," and "our" in this Privacy Policy mean Highmark Health.

(© 2014 Highmark Health — last revised August 2023)