Note on HIPAA and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information (PHI) kept by covered entities and business associates. HIPAA requires covered entities to have a Notice of Privacy Practices (NPP), which describes how entities collect, use, and disclose PHI.
PHI is part of the larger category of personal information, as defined below. The terms of an NPP will apply to the collection, use, and disclosure of PHI rather than this Privacy Policy. For example, individually identifiable health information collected on our websites or mobile applications is generally PHI, even if:
Most of the information collected, used, and disclosed through use of our online services is PHI and is subject to the applicable Notice of Privacy Practices.
We encourage you to fully read this Privacy Policy. This Privacy Policy creates an agreement between you and Highmark Health when you use any of our online services. These online services include our enterprise websites, mobile applications, member and patient portals, and our other online or digital resources, owned or managed by Highmark Health. Some of our online services may have separate or additional terms of use which will also apply. Please review those terms of use.
Your use of our online services confirms:
Please note, our privacy practices are subject to the laws of the places in which we operate. You may see more region-specific terms that apply only to customers located in those regions.
We collect personal information about you in several ways. Personal information means individually identifiable information like your name, email address, and demographic information. We use various tools, components, and features (as described below) to collect this information to conduct our business operations. This includes understanding our users, maintaining and improving our online services, and customizing your user experience. Most of the information we collect, use, and disclose through our online services is PHI.
How you interact with our online service will determine the type and amount of personal information we collect. For general website browsing, we capture basic information such as:
For other features, such as use of a secure portal, we may need to verify your identity through a login process and collect enough personal information to respond to the service requested.
Below are further details about the personal information we collect, use, and disclose for our business purposes.
We have online inquiry forms on our websites for account questions or to learn more about our products and services. The personal information collected on these forms may include your name, address, phone number, email address, and the details of your inquiry. When you submit personal information, you give us the right to transmit, monitor, retrieve, store and use your information to operate the website. We may use such information to review and respond to your request or use contracted service providers to do that for us.
When you access our secure portals, we collect certain personal information like user ID and password, IP address, click streams, and related session data. The communications sent through these portals may also be recorded in transaction logs. The logs help to monitor content, compliance with applicable law and regulations, or functionality of the services. We may also use information collected through secure portals as stated in Section 2 below.
We may offer interactive chat technology to help you. This technology collects personal information like name, date of birth, address, and account number to verify you or to provide you with customized details. This may also capture session-related information, like web logs, to document the interaction. Additional terms of use may apply to interactive chat features in addition to this Privacy Policy. We encourage you to read such terms.
Your mobile device may permit you to use fingerprint, facial recognition, or similar biometric technology to log in to our online service. When this is enabled, our online services can see that you have selected this as a preference and have been verified through your mobile device, and you are permitted to access our online services accordingly. When you use a biometric login, we do not collect any of the actual biometrics (e.g., fingerprints or facial images). Your mobile device manufacturer (e.g., Apple, Samsung) manages and maintains that information.
We may use the location services function on your mobile device to collect your geolocation data. We use this data to help you find local products and services, and to provide you with relevant content based on your location.
We collect certain personal information when our online services are run on a mobile device. For example, if you download one of our mobile applications, we collect information about the device type, its software/operating system, and the device identifier. We use this information to assess our general user base and to improve our technical support capabilities.
A cookie is a small text file stored on a computer or other internet-connected device when it accesses a digital resource. Cookies can capture user information such as:
Our online services use first-party cookies (ones we create) to support our digital resources, monitor their performance, improve your experience, and assess information about our user base. We may use the information we get from first-party cookies to provide customers and prospects with personalized content and improve our offerings.
We also use third-party cookies (ones we do not create), as permitted by applicable law, to help assess our user base, understand your digital journey from external sources to our online services, and improve our offerings in the market. If third-party cookies are used to deliver relevant ads of interest, you can review and manage applicable third-party ad cookies by using the following links provided by the Network Advertising Initiative and the Digital Advertising Alliance.
Cookies used on our online services include the following types:
You can modify most internet browser settings to try to block cookies (e.g., choosing a “do not track” or “global privacy control” setting). You should be aware that blocking cookies could prevent certain online services or features from fully functioning. We are not responsible for and make no representations or claims regarding the success of third-party opt-out mechanisms or programs. Please note that if you delete your cookies or upgrade your browser after opting out, you will need to opt out again to reaffirm your choices.
You may see third-party widgets (e.g., Twitter, LinkedIn) on our online services. These widgets (icons) are owned and controlled by third parties and not by us. These widgets are there for convenience only, and do not reflect an affiliation with or endorsement of the third party. If you click a widget, you will be taken to the home page of that third party. Any data collection, use, and disclosure activities will be subject to that third party’s privacy standards (and not this Privacy Policy). Here’s an example: We maintain a LinkedIn page, but we have no control over how LinkedIn, as a third party, collects, uses, or discloses information about you when you visit the LinkedIn platform.
When you click a third-party widget and leave our site, we make no representations or warranties regarding third-party platforms or components, their content, data management, or security. You should review the privacy standards of the applicable third parties.
Our online services may contain redirecting hyperlinks or embedded third-party media content. An example includes YouTube videos which may be tile images that redirect to YouTube when clicked. Another example is an embedded file which will begin playing on our web pages when clicked. We do not manage or configure this third-party content. We do not control any code which may be linked to this content by the media host or any data collection which might occur as a result of such code. When you review this content on our online services, you acknowledge, accept, and expressly consent to any associated data collection, use, and disclosure which might occur between us and the media host.
We use the information we get through our online services for the purposes stated in Section 1 above. Any additional uses may include:
We may also use your personal information to give you information about additional products, programs, and services offered by our family of companies or our business partners. You may remove yourself from certain communication channels or programs at any time -- just follow the opt-out instructions included in those communications.
We may disclose your personal information collected through our online services to service providers that we contract with to support our functions. For example, a service provider may have access to your information to send you a survey or a newsletter. Our service providers are bound by contract to follow strict data privacy and security standards and to handle your personal information with due care.
Third parties include non-affiliated companies whose platforms or components we may use or present to our users. We do not control their data collection and usage activities and they are not governed by this Privacy Policy (like third-party widgets noted above). For example, we may use a third-party vendor to host certain informational videos. When you click on the link to the video, you are taken from our site to the platform of the video host. The host’s data collection and usage activities will control your interaction with that third-party site and content.
Third parties can also refer to other types of entities or bodies that we do not have a contractual or commercial relationship with, but that we share data with as permitted or required by law (e.g., government oversight agencies). We generally do not disclose personal information collected through our online services to third parties except as set forth in this Privacy Policy, or as permitted or required by law. At times, personal information may be disclosed to a third party if:
We may disclose your personal information to courts, law enforcement, governmental oversight agencies, and other regulatory bodies as permitted or required by applicable law, or if such disclosure is reasonably necessary to:
Our online services are not generally intended for, nor made available to, children under the age of 13. We typically do not try to collect, use, or disclose information from children under the age of 13, unless otherwise permitted or required by applicable law.
Some of our entities or product lines may be subject to certain duties set by the GDPR. For those entities or product lines, a notice that meets GDPR’s requirements will be shown on the entities’ public websites.
Some of our entities may be subject to certain duties set by state consumer privacy laws, such as those set in California and Colorado. These laws require posting a consumer notice on data collection, use, and disclosure activities. For our entities that may be subject to these requirements, notices aligned to those specific state laws will be shown on those entities’ public websites.
We reserve the right to change, modify, or update this Privacy Policy at any time and for any reason. We will promptly post such changes, modifications, or updates to our online services. Please review this Privacy Policy every so often to keep informed of any changes. Remember that continued use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law.
If you have questions about this Privacy Policy, please contact us by emailing HighmarkHealthPrivacy@highmarkhealth.org or calling 1-866-228-9424.
(© 2014 Highmark Health — last revised January 2025)
Highmark Health includes the wholly owned subsidiaries and affiliates making up the Highmark Health enterprise, including, among others, Highmark Inc., Allegheny Health Network, HM Health Solutions d/b/a enGen, HM Home and Community Services d/b/a Helion, and other affiliated businesses such as HM Insurance Group and United Concordia Companies Inc. References to "us," "we," and "our" in this Privacy Policy mean Highmark Health.