Privacy Notice

Aetna Privacy Notice

 

This Notice describes how personal data about you may be used and disclosed and how you can get access to this personal data.

 

Please review it carefully.

 

Aetna considers personal data or personal ‘information’ to be confidential (personal data and personal information are considered to mean the same for the purposes of this Privacy Notice). We protect the privacy of that information in accordance with applicable privacy laws and regulations, as well as our own company privacy policies.

 

These laws and regulations include, but are not limited to, the Health Insurance Portability and Accountability Act Privacy Rules (HIPAA Privacy Rules), the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and any applicable EU member state legislation and derogations.

 

This Notice describes how we may use and disclose information about you and your eligible dependents, as applicable, in administering your benefits and also explains your legal rights regarding the information.

 

When we use the term “personal data”, we mean information that can directly or indirectly identify you as an individual.

 

This Notice is effective 25 May 2018.

Why do we process your personal data?

Group Plans: we use your personal data for the following purposes:

  • providing a quotation to a plan sponsor (e.g. the organization who has taken out insurance under which you will be provided insurance cover as part of a group plan, for example your employer),
  • fraud prevention together with any other required regulatory checks,
  • onboarding you onto the group plan to which you belong and registering you for its benefits,
  • managing, administering and improving the policy of which you are a member,
  • managing our information technology and ensuring the security of our systems,
  • investigating, responding to and dealing with complaints or incidents relating to us or our business and maintaining service quality and training staff,
  • contacting you with information about your plan,
  • contacting you for the purposes of providing healthcare or wellness advice and information,
  • processing and completing any claims you make under the policy,
  • establishing, exercising and/or defending legal claims or rights and protecting, exercising and enforcing our rights, property or safety.

Before we process (use) your personal data we need to have a legal basis for doing so. This is often referred to as ‘the lawful basis for processing’ and there are specific grounds on which we can rely. We explain the lawful basis on which we process your personal data in the paragraphs below.

Where we receive personal data from a plan sponsor (i.e. the company applying to cover you under a group insurance plan), we will process your personal data as we have a legitimate interest in processing it. Our legitimate interest includes processing for the purposes of providing the plan sponsor with a quotation for cover, and where that quotation is accepted for the purposes of onboarding and administering the group insurance plan. In any processing on this basis we have considered and balanced any potential impact on you and your rights and will only process the minimal personal data necessary for carrying out those actions.

It will be necessary to receive and hold your health information for dealing with your insurance, for example:

  • arranging, underwriting, administering the insurance contract under which you benefit,
  • administering a claim under the insurance contract, or
  • exercising a right or complying with an obligation.  

Individual Plans: we use your personal data for the following purposes:

  • determining eligibility and providing a quotation to you or your broker,
  • fraud prevention together with any other required regulatory checks,
  • onboarding you onto the individual plan which you have requested and registering you for its benefits,
  • processing payments/premiums under the plan which you have requested,
  • managing, administering and improving the policy of which you are a member,
  • managing our information technology and ensuring the security of our systems,
  • investigating, responding to and dealing with complaints or incidents relating to us or our business and maintaining service quality and training staff,
  • contacting you with information about your plan,
  • contacting you for the purposes of providing healthcare or wellness advice and information,
  • processing and completing any claims you make under the policy,
  • establishing, exercising and/or defending legal claims or rights and protecting, exercising and enforcing our rights, property or safety.

Before we process (use) your personal data we need to have a legal basis for doing so. This is often referred to as ‘the lawful basis for processing’ and there are specific grounds on which we can rely. We explain the lawful basis on which we process your personal data in the paragraphs below.

Where we receive personal data from you, we will process your personal data for the performance of a contract with you including pre-contractual discussions with either you or your broker (if you have one), and subsequent contractual performance of the insurance plan together with processing any benefits to which you are contractually entitled.

It will be necessary to receive and hold your health information for dealing with your insurance, for example:

  • arranging, underwriting, administering the insurance contract under which you benefit,
  • administering a claim under the insurance contract, or
  • exercising a right or complying with an obligation.  

Where your health data is used for any of the above we rely on the insurance condition provided under UK law (Data Protection Act 2018), which means we do not need to acquire your consent for the processing.

How do we obtain your personal data?

Group Plans: we get some personal data from your plan sponsor when they request an insurance quote from us, and we retain that information after any quote has been accepted and they start the group plan with us. This information includes your name, date of birth and country of residence. We do not process your information for any other purpose unless you submit a claim under the policy (see above).

Individual Plans: where you have taken out an individual insurance plan with us, we will have received your personal data either directly from you or from an insurance broker that you instructed. We may also receive some personal data from other insurers, brokers, third-party administrators (TPAs), and health care providers. Please see above for the type of personal data received.

How long do we retain your personal data?

We retain your personal data for as long as necessary to provide you the benefits under your insurance plan, until such time as any claim under the insurance policy is concluded, until the limitation for exercising any legal rights has expired or for compliance with any legal or regulatory requirements.

All personal data that we retain is subject to this Privacy Notice together with our internal Retention Policy and guidelines.

Do we share your personal data with other organisations?

Group and Individual Plans: We may disclose Information about you in various ways, including, but not limited to:

Health Care Operations: during the course of running our health business, that is, during operational activities such as assessing the standard of our services and implementing service enhancements and improvements; performance measurement and outcomes assessment; health services research; and preventive health, disease management, case management and care coordination. For example, we may use the Information to provide disease management programs for members with specific conditions, such as diabetes, asthma or heart failure. Other operational activities requiring use and disclosure include administration of reinsurance and stop loss; underwriting and rating; detection and investigation of fraud; administration of pharmaceutical programs and payments; transfer of policies or contracts from and to other health plans; facilitation of a sale, transfer, merger or consolidation of all or part of Aetna with another entity (including due diligence related to such activity); and other general administrative activities, including data and information systems management, and customer service.

Treatment: We may disclose information to doctors, dentists, pharmacies, hospitals and other health care providers who take care of you. For example, doctors may request medical information from us to supplement their own records. We also may use information in providing mail order pharmacy services and by sending certain information to doctors for patient safety or other treatment-related reasons.

Disclosures to Other Covered Entities: We may disclose Information to other insurers, healthcare providers, or business associates of those entities for treatment, payment and certain health care operations purposes. For example, we may disclose Information to other health plans maintained by your employer if it has been arranged for us to do so in order to have certain expenses reimbursed.

Additional Reasons for Disclosure: We may use or disclose personal information about you in providing you with treatment alternatives, treatment reminders, or other health-related benefits and services. We also may disclose such Information in support of:

  • Plan Administration (Group Plans) – to your employer, as applicable, when we have been informed that appropriate language has been included in your plan documents, or when summary data is disclosed to assist in bidding or amending a group health plan.
  • Research – to researchers, provided measures are taken to protect your privacy.
  • Business Associates – to persons who provide services to us and assure us they will protect the information.
  • Industry Regulation – to Government agencies that regulate us (different countries and U.S. state insurance departments).
  • Law Enforcement – to Government law enforcement officials.
  • Legal Proceedings – in response to a court order or other lawful process.
  • Public Welfare – to address matters of public interest as required or permitted by law (e.g., child abuse and neglect, threats to public health and safety, and national security).

Disclosure to Others Involved in Your Health Care: We may disclose health information about you to a relative, a friend, the employer, the subscriber of your health benefits plan or any other person you identify, provided the Information is directly relevant to that person’s involvement with your health care or payment for that care. For example, if a family member or a caregiver calls us with prior knowledge of a claim, we may confirm whether or not the claim has been received and paid. You have the right to stop or limit this kind of disclosure by calling the Member Services number on your ID card.

Uses and Disclosures Requiring Your Written Authorization: In all situations other than those described above, we will ask for your written authorization before using or disclosing Information about you. For example, we will get your authorization:

  • For marketing purposes that are unrelated to your benefit plan(s),
  • Before disclosing any psychotherapy notes, and
  • For other reasons as required by law.

If you have given us an authorization, you may revoke it at any time, if we have not already acted on it. If you have questions regarding authorizations, please call the Member Services number on your ID card.

Sending your personal data abroad

There are occasions where we need to send your personal data, including health information, outside of the European Economic Area (EEA). Organisations that we may send your personal or health data to include:

  • Other organisations within the Aetna group for the purposes of corporate administration, regulatory reporting, dealing with complaints or seeking legal advice. We have appropriate contractual protections (known as model contract clauses) in place with other group companies that receive your personal data. You can request copies of these model contract clauses by contacting the Data Protection Officer at the details provided below.
  • Providers of health care, where you make a claim under the insurance. This may include medical information for the purposes of an organization providing health care to you when you are overseas.

We will not send any personal data or health information outside the EEA unless the appropriate protections are in place, or unless there are emergency medical grounds for doing so.

Profiling and Automated Decisions

We do not conduct any profiling or automated decisions, other than in circumstances where you are expressly informed.

Your rights in connection with personal information

Under certain circumstances you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”).
  • Request correction of the personal information that we hold about you.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of personal information that you have provided to us in a commonly used electronic format.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer (details below).

Right to object to us processing your personal data

You have the right to object to us processing your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. To exercise your right to object you should write to the Data Protection Officer by using the contact details below.

Aetna’s Legal Obligations

Privacy regulations require us to keep Information about you private, confidential, and secure, to give you notice of our legal duties and privacy practices, and to follow the terms of the Notice currently in effect.

Safeguarding Your Information

We guard your information with administrative, technical, and physical safeguards to protect it against unauthorized access and against threats and hazards to its security and integrity.

This Notice is Subject to Change

We may change the terms of this Notice and our privacy policies at any time in accordance with applicable law or due to a change of circumstances. If we do, the new terms and policies will be effective for all of the Information that we already have about you, as well as any Information that we may receive or hold in the future.

Please note that we do not destroy Information about you when you terminate your coverage with us. It may be necessary to use and disclose this information, for legal and regulatory reasons, for the purposes described above even after your coverage terminates, although policies and procedures will remain in place to protect against inappropriate use or disclosure.
