THIS NOTICE DESCRIBES HOW YOUR PROTECTED HEALTH INFORMATION MIGHT BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO THE SAME. PLEASE, REVIEW IT CAREFULLY.
MCS is committed to safeguarding your Protected Health Information (PHI). We are required by Law to maintain the privacy, security, and confidentiality of your PHI, to provide you with this Notice of our legal duties and privacy practices with respect to PHI, and to inform affected individuals following a reportable breach of unsecured PHI.
MCS is required to abide by the terms of this Notice. However, we reserve the right to change or modify the terms of this Notice, and to make the provisions in our revised Notice effective for all PHI that we maintain. In the event, the terms of this Notice are revised, we will post a copy of the amended Notice in our Internet site, and will mail a printed copy of this document to our subscribers by its effective date. Any type of information that MCS can collect and/or disclose, and that is considered non-public financial personal information, as defined in Regulation Number 75 of the Office of the Commonwealth of Puerto Rico’s Insurance Commissioner, will also be considered as PHI, as defined in 45 CFR Part 164, Section 164.501, and Chapter 14 – Protection of Health Information of the Puerto Rico Health Insurance Code – 26 L.P.R.A. 9231 et al., as amended.
PHI is information that can identify you (name, last name, social security number); including demographic information (like address, zip code), obtained from you through a request or other document in order to obtain a service, created and received by a health care provider, a medical plan, intermediaries who submit claims for medical services, business associates, and that is related to (1) your health, past, present, or future physical or mental conditions; (2) the provision of medical care to you, or (3) past, present, or future payments for the provision of such medical care. For purposes of this Notice, this information will be called PHI. This Notice of Privacy Practices has been written and amended, so that it will comply with the HIPAA Privacy Regulation. Any term not defined in this Notice will hold the same meaning as in the HIPAA Privacy Regulation. We have also implemented policies and procedures to handle PHI, which you may examine.
MCS may use and disclose PHI for the following purposes:
Treatment: For the provision, coordination, or supervision of your medical care, and other related services. For example, the plan may disclose medical information to your health care provider for treatment, if so requested.
Payment: To collect or provide payment for medical care, including collections and claims handling. For example, the plan may use or disclose PHI in order to pay claims for health services rendered, or to provide eligibility information to your health care provider when you receive treatment.
Health care operations: To support our business functions. For example, for legal and audit processes, fraud and abuse detection, compliance, business planning and development, administrative activities, and businesses management. The plan might use or disclose your protected Health information (PHI) to provide you with appointment or meeting reminders, information about treatment alternatives, or other health related benefits and services. Also, we may disclose your health information to the sponsor of a health plan, in accordance with Section 164.504(f) of the Privacy Regulation. However, MCS is prohibited from using or disclosing PHI that is genetic information for underwriting related activities, in accordance with Section 164.520(b)(1)(iii) of the Privacy Regulation.
Covered Entities In order to perform our duties as insurance or benefit administrator, we may use or disclose PHI among the following entities: MCS Healthcare Holdings, LLC., MCS Life Insurance Company, and MCS Advantage, Inc.
Business Associates We contract with persons and organizations (business associates) so they can perform certain functions in our name, or to provide certain types of services. Business associates may receive, create, maintain, use, or disclose PHI, but only after they agree in writing to properly safeguard such information.
Third Party Apps Third-Party App are not subject to the HIPAA Rules and other privacy laws, which generally protect your health information. Instead, Third-Party App’s privacy policy describes self-imposed limitations on how the App will use, disclose, and (possibly) sell information about you.
Required by law We may use or disclose your PHI whenever Federal, State, or Local Laws require its use or disclosure. In this Notice, the term “as required by Law” is defined in the same as it is in the HIPAA Privacy regulation.
Public health activities We may use or disclose your PHI for public health activities, including the statistical report on illnesses and vital information, among others.
Health oversight activities We may use or disclose your PHI to government agencies that regulate health care related activities.
Food and Drug Administration (FDA) We may use or disclose your PHI to the FDA in order to prevent an imminent threat to the health or national security in relation to adverse events involving food, supplements, products and product defects, among others.
Abuse or neglect We may use or disclose your PHI to a government official authorized to receive reports of abuse or neglect against minors or adults or domestic violence situations.
Legal proceedings We may use or disclose your PHI during the course of any judicial or administrative proceedings: (1) in response to an order from a court or administrative agency (provided that the covered entity discloses only the PHI expressly specified by such order); or (2) in response to a subpoena, discovery request, or other lawful process.
Law enforcement officials We may use or disclose your PHI to law enforcement officials. For example, we may provide information necessary to report a crime, or to locate or identify a suspect, a fugitive, material witness or missing person, or necessary to provide evidence of a crime committed on our premises.
Medical examiners, funeral directors, and organ donation cases We may use or disclose your PHI to a medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties authorized by law. We may also disclose your information to a funeral director, as necessary to carry out its duties with respect to a decedent and to other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue.
Research We may use or disclose your PHI for research purposes, if an Institutional Review Board or an Ethics Committee: (1) has reviewed the research proposal and has established protocols to protect your information’s confidentiality, and (2) has approved the research as part of a limited data set, which does not include individual identifiers.
To avert a serious threat to health or safety We may use or disclose your PHI in order to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Correctional institutions We may disclose PHI to a correctional institution or a law enforcement official having lawful custody of an inmate: (1) for the provision of health care to the inmate; (2) in order to protect the health and safety of the inmate or other persons, or (3) in order to protect the health and safety of the entire correctional institution.
Worker’s compensation We may use or disclose your PHI to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Disaster relief We may disclose your PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts. This way, your family may be provided with information about your health condition and your location in case of a disaster, or any other emergency.
Military activity, national security, protective services We may disclose your PHI to appropriate military command authorities if you are a member of the Armed Forces, or a veteran. Also, to authorized federal officials for the conduct of national security activities, lawful intelligence, counter-intelligence, or other national security and intelligence activities for the protection of the President, other authorities, and heads of state.
Other persons participating in your health care We may disclose limited PHI to a friend or family member who is involved with your care, or who is responsible for payment of medical services. If you are not in person, if you are disabled, or it is an emergency, we will use our professional judgment in the disclosure of information that we understand will be in your better interest.
Disclosures to you We are required to disclose to you most of your PHI. This includes, but is not limited to, all information related to your claims history.
Disclosures to an authorized representative We will disclose your PHI to a person designated by you as your authorized representative, and who qualifies for this designation in accordance with applicable laws of the Commonwealth of Puerto Rico. However, before we disclose your PHI to your authorized representative, you must provide us with a written document designating this person as such, along with any other supporting documents (like a power of attorney or an Advanced Statement of Will Regarding Treatment). A paper form is available for this purpose through our service centers and through our Internet site.
Even when you designate an authorized representative, HIPAA Privacy Regulations allow us not to treat this person as your authorized representative if, in our professional judgment, conclude that: (1) you have been or may be subject to domestic violence, abuse, or neglect by such person; (2) treating such person as your authorized representative could endanger you, or (3) we, in the exercise of our professional judgment, decide that it is not in your best interest to consider this person as your authorized representative.
With your authorization You may authorize us in writing to use or disclose your PHI to other persons, for any other purpose. The authorization must be signed and dated by you, it must indicate the person or entity authorized to receive the information, a short description of the information been disclosed, and expiration date for the authorization. Additionally, the following uses and disclosures require an authorization, in accordance with Section 164.508(a)(2) – (a)(4) of the Privacy Regulation: (a) For psychotherapy notes, which are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private or group counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. (b) For marketing activities, which involve communications about a product or service that encourage recipients of said communications to purchase or use the product or service. (c) Sale of PHI, which involves the disclosure of PHI by a covered entity or business associate in exchange for direct or indirect remuneration. You have the right to revoke the authorization in writing, in accordance with Section 164.508(b)(5) of the Privacy Regulation. The revocation will be in effect for future uses and disclosures of your PHI, but it will not apply to information that we have already used or disclosed. Unless you submit a written authorization, we may not use or disclose your protected health information for any other reason not described in this Notice.
Disclosures to the Secretary of Health and Human Services We are required to disclose your PHI to the Secretary of Health and Human Services, in order to determine if we are complying with HIPAA regulations.
Right to request a restriction You have the right to request a restriction to certain uses and disclosures of PHI as provided in Section 164.522(a) of the Privacy Regulation. However, we are not required to agree to any restriction that you request, except in case of a disclosure restricted under Section 164.522(a)(1)(vi) of the same regulation. If we agree to a restriction, we will comply with it, unless the information is needed to provide you with emergency treatment. You may request a restriction by completing a request form, available at our service centers and through our Internet site.
Right to confidential communications You may request that we communicate with you concerning your PHI using an alternate method or physical location. For example, you may request that we contact you only at your work address, or that of one of your relatives. You may request confidential communications by completing a request form, available at our service centers and through our Internet site.
Right to access You have the right to inspect and copy your personal, financial, insurance, or health information, within the limits and exceptions provided by law. In order to access your information, contact our Call Center to submit your request. We will validate your identity before providing assistance. You may also visit any of our Service Centers in order to submit a written request for a copy or to review your PHI. We will provide you with access within 30 business days. We may deny access to inspect or copy your PHI under certain limited circumstances.
Right to amend If you believe that your PHI and the information that we keep in our files and/or systems is incomplete or incorrect, you may request that we amend it. Submit a request to amend your PHI by completing a request form, available at our service centers or through our Internet site.
Right to an accounting of disclosures You have the right to request an accounting of certain disclosures of your PHI, made by MCS, for events not related to medical treatment, payment for medical services, health care operations, or in compliance with your authorization. You may request an accounting of disclosures by completing a request form available at our service centers or through our Internet site.
Right to a printed copy of this Notice You have the right to obtain a paper copy of this Notice of Privacy Practices at your request, even after agreeing to receive a copy in electronic form.
COMPLAINTS You have the right to file a complaint with MCS and the Secretary of the Department of Health and Human Services (DHHS), if you believe that your privacy rights have been violated. All complaints must: (1) be filed in writing; (2) include the name of the covered entity that is the subject of the complaint; (3) describe the acts or omissions believed to be in violation of the standards, and (4) be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred. We will not penalize nor retaliate against you for filing a complaint with the Secretary of DHHS, or with MCS.
MCS complies with applicable Federal civil rights laws and do not discriminate on the basis on race, color, national origin, age, disability, or sex. MCS does not exclude people or treat them differently because of race, color, national origin, age, disability, or sex. MCS provides free aids and services to people with disabilities to communicate effectively with us, such as: qualified sign language interpreters, written information in other formats (large print, audio, accessible electronic formats, other formats). MCS provides free language services to people whose primary language is not English, such as: qualified interpreters, and information written in other languages. If you need these services, contact our Call Center. If you believe that MCS has failed to provide these services or discriminated in another way on the basis of race, color, national origin, age, disability, or sex, you can file a grievance with: MCS Call Center, PO BOX 191720, San Juan, PR 00919-1720, 787-281-2800 (Metro Area), 1-888-758-1616 (toll free), 1-866-627-8182 (TTY users). You can file a grievance in person or by mail. If you need help filing a grievance, our Call Center is available to help you.
You can also file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, electronically, through the Office for Civil Rights Complaint Portal, available at https://ocrportal.hhs.gov/ocr/portal/lobby.jsf or by mail or phone at: U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building, Washington, DC 20201, 1-800-368-1019, 800-537-7697 (TDD). Complaint forms are available at www.hhs.gov/ocr/office/file/index.html
Please be advised that most Third-Party App’s will not be covered by HIPAA. Most apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so). If you have any concerns regarding the use of Third-Party App’s and your information you may contact the Federal Trade Commission (FTC) and file a complaint at https://reportfraud.ftc.gov/#/.
ATTENTION: If you speak English, language assistance services, free of charge, are available to you. Call 1.888.758.1616 (TTY: 1.866.627.8182). ATENCIÓN: Si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al 1.888.758.1616 (TTY: 1.866.627.8182). 注意:如果您使用繁體中文,您可以免費獲得語言援助服務。請致電 1.888.758.1616(TTY: 1.866.627.8182).
CONTACT INFORMATION FOR MCS You may request additional information about this Notice of Privacy Practices, or file a complaint with MCS at the following address:
MCS Attention: Privacy Officer Box 9023547 San Juan, PR 00902-3547 Telephone line for Privacy and Security Metro Area: (787) 620-3186 Toll Free: 1-877-627-0004 mcscompliance@medicalcardsystem.com
EFFECTIVE DAY This Notice of Privacy Practices is effective on July 1, 2021.