Privacy Practices



This Notice Describes How Protected Health Information About You May Be Used and Disclosed And How You Can Get Access To This Information.  Please Review it Carefully.  

Effective Date: October 1, 2015 

This Notice describes the privacy practices of North Shore–LIJ CareConnect Insurance Company, Inc.  (referred to as “CareConnect”, “we” or “us” in this Notice).  We must follow the duties and privacy practices described in this Notice.

What is the Notice of Privacy Practices?

In order to provide you with the benefits to which you are entitled, CareConnect must collect, create and maintain protected health information about you. Protected health information (“PHI”) is individually identifiable information about you, which may include:  

  • Information about your health condition (such as medical conditions and test results you may have);
  • Information about health care services you have received or may receive in the future (such as a surgical procedure);
  • Information about your health care benefits under an insurance plan (such as whether a prescription is covered);
  • Geographic information (such as where you live or work);
  • Demographic information (such as your race, gender, ethnicity, or marital status);
  • Unique numbers that may identify you (such as your social security number, your phone number, or your driver’s license); and 
  • Biometric identifiers (such as finger prints).  

This Notice tells you about the ways we may use and share your PHI, as well as the legal obligations we have regarding that information. The Notice also tells you about your rights under federal and state laws. The Notice applies to all records held by CareConnect regardless of whether the record is written, computerized or in any other form. We are required by law to make sure that PHI is kept private and to make this Notice available to you.  If you are a CareConnect member and an employee, information in your employment records is not covered by this Notice.  


For your convenience, what follows is a summary of the key provisions in our Notice. This summary is not a complete listing of how we use and disclose your PHI. If you have any questions about any of the information contained in this summary, please read this full Notice of Privacy Practices or contact the CareConnect Privacy Officer for more information.

CareConnect may use and disclose your PHI without your consent, to:

  • Process and pay your claims;
  • Coordinate your benefits under the plan and other services, which may include such things as giving you appointment reminders and telling you about treatment alternatives or other health-related benefits;
  • Ensure that we follow the rules of regulatory agencies regarding the quality of services we provide;
  • Comply with all legal requirements, subpoenas, and court orders; 
  • Engage in certain pre-approved research activities;  
  • Assist in our own payment process and the payment activities of other health plans and health care providers; and 
  • Meet special situations as described in this Notice such as public health and safety.

You have a right to:

  • See and obtain a copy of the PHI we have about you in the format of your choosing, with certain restrictions;
  • Ask us to amend the PHI we have about you, if you feel the information we have is wrong or incomplete;
  • Ask us to restrict or limit the PHI we use and share about you;
  • Ask for confidential communications;
  • Obtain a list of individuals or entities that have received your PHI from CareConnect, subject to limits permitted by law; 
  • Be notified if the privacy of your PHI is breached;
  • Obtain a paper copy of the Notice; and 
  • Submit a complaint. 

How We May Use and Share your PHI with Others

The following categories describe different ways that we may use and disclose your PHI. For each category of uses or disclosures, we will explain what we mean and try to give some examples. Not every possible use or disclosure within each category will be listed. However, all of the ways we are permitted to use and disclose your information will fall within at least one of the following categories.

For Treatment. We may use or disclose PHI about you to facilitate treatment by health care providers. For example, if one of our participating health care providers is treating you, we may disclose to this provider PHI relating to other health care services you have received that may be relevant to the provider’s treatment. 

For Payment. We may use and disclose PHI about you for our own payment purposes and to assist in the payment activities of other health plans and health care providers. Our payment activities include collecting premiums, determining your eligibility for benefits, reimbursing health care providers that treat you and obtaining payment from other insurers that may be responsible for providing coverage to you. For example, if a health care provider submits a bill to us for services you received, we may use PHI about you to determine whether these services are covered under your benefit plan and the appropriate amount of payment to which the provider may be entitled. In addition, insurance companies and other third parties may require that we provide your social security number for verification and payment purposes.

For Healthcare Operations. We may use your PHI to support our business activities, which can include quality assessment and improvement activities, case management and care coordination, and the resolution of any complaints or grievances you may have. For example, we may use your PHI to review the treatment and services given to you by doctors and hospitals in order to see whether they have provided you with preventative treatment and other important health services that are recommended by medical authorities.

Underwriting.  We may use or disclose PHI about you for certain underwriting  purposes. However, we are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage.

Appointment Reminders. We may use and share your PHI to remind you of appointments you have made to receive health care services or to encourage you to make such appointments. 

Business Associates. We may share your PHI with a “business associate” that we hire to help us, such as a billing or computer company, or an accounting or law firm. Business associates will have assured us in writing that they will safeguard your PHI as required by federal law. 

Plan Administration. We may disclose your PHI to your employer when needed to perform plan administration functions if appropriate language has been included in your plan documents. We may disclose summaries of your health information to your employer to assist with the bidding process or with modifying or terminating a group health plan.

Treatment Alternatives and Other Health-Related Benefits and Services. We may use your PHI to contact you about the management of your health care and to discuss treatment alternatives and other health-related benefits and services that may be of interest to you.  We will not, however, send you communications about health-related products or services that are subsidized by a third party without your authorization.

Marketing Activities. We may use or share your PHI for marketing purposes when we discuss such products or services with you face to face or provide you with an inexpensive promotional gift related to a product or service.  We also will never sell your PHI to third parties without your written authorization to do so.  However, we may receive payment to disclose your PHI for certain limited purposes permitted by law, such as public health reporting.

Individuals Involved in Your Care or Payment for Your Care. Unless you say no, we may disclose PHI to people such as family members, relatives, or close personal friends who are helping to care for you or helping to pay your medical bills. Additionally, we may disclose information to a personal representative. If a person has the authority under the law to make health care decisions for you, we will treat that personal representative the same way we would treat you with respect to your PHI. Parents and legal guardians are generally patient representatives for minors unless the minors are permitted by law to act on their own behalf and make their own medical decisions in certain circumstances. If you do not want PHI about you disclosed to those involved in your care, please notify us.

Disaster-Relief Efforts. We may disclose your PHI to an organization, such as the American Red Cross, assisting in a disaster relief effort, so that your family can be notified about your condition, status and location. If we can reasonably do so while trying to respond to the emergency, we will try to find out if you want us to share this information.

Research. We may use or disclose your PHI for research purposes, such as studies comparing the benefits of alternative treatments received by our members. All research projects conducted through CareConnect must be approved through a special review process to protect plan member safety, welfare and confidentiality. Your PHI may be important to research efforts and may be used for research purposes in accordance with state and federal law. 

Government Programs Providing Public Benefits. We may disclose your PHI relating to eligibility for or enrollment in CareConnect to an agency administering a government program providing public benefits, as long as sharing the PHI is required or otherwise authorized by law.

As Required By Law. We will share your PHI when federal, state, or local law requires us to do so.

De-identified Information and Limited Data Sets: We may use and disclose health information that has been “de-identified” by removing information that may identify you. We may also use and disclose certain health information about you known as a “limited data set” for the purposes of research, public health and health care operations.  Limited data sets do not contain any information that would directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.  

Special Situations

Legal Proceedings, Lawsuits, and Other Legal Actions. We may share your PHI with courts, attorneys and court employees when we get a court order, subpoena, discovery request, warrant, summons or other lawful instructions from those courts or public bodies, and in the course of certain other lawful, judicial or administrative proceedings, or to defend ourselves against a lawsuit brought against us.

Law Enforcement. If asked to do so by law enforcement, and as authorized or required by law, we may disclose PHI:

  • To identify or locate a suspect, fugitive, material witness or missing person;
  • About a suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
  • About a death suspected to be the result of criminal conduct; 
  • To report a crime that occurred on our premises; and
  • In certain cases when we provide emergency treatment.

To Avert a Serious Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent or lessen a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure would be to help stop or reduce the threat. 

Public Health Risks. As required by law, we may disclose your PHI to public health authorities for purposes related to: preventing or controlling disease, injuries or disability; reporting suspected child abuse or neglect; reporting suspected domestic violence; reporting reactions to medications or problems with products; preventing or reducing a serious threat to someone’s health and safety; notifying people of recalls, repairs or replacements of products they may be using; notifying a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease; and reporting to your employer findings concerning work-related illness or injury so that your workplace may be monitored for safety.

Worker’s Compensation. We may share your PHI for Worker’s Compensation or similar programs that provide benefits for work-related injuries or illness. 

Specialized Government Functions. If you are a member of the armed forces (of either the United States or of a foreign government), we may share your PHI with military authorities so they may carry out their duties under the law. We may also disclose your PHI if it relates to national security and intelligence activities, or to providing protective services for the President or for other important officials, such as foreign heads of state.

Health Oversight Activities. We may disclose your PHI to local, state or federal governmental authorities responsible for the oversight of medical matters as authorized by law. This includes licensing, auditing, and accrediting agencies and agencies that administer public health programs such as Medicare and Medicaid.

Coroners, Medical Examiners and Funeral Directors. We may disclose your PHI to a coroner or medical examiner as necessary to identify a deceased person or to determine the cause of death.  We also may disclose PHI to funeral directors so they can carry out their duties.

Organ, Eye and Tissue Donation. If you are an organ donor, we may disclose your PHI to organizations that obtain organs or handle organ, eye or tissue transplantation. We also may disclose your information to an organ donation bank as necessary to facilitate organ, eye or tissue donation and transplantation. 

Inmates. If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your medical information to the correctional institution or law officer as authorized or required by law. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.

Incidental Disclosures. Although we will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your information. These “incidental disclosures” are permissible.

Uses and Disclosures Requiring Your Written Authorization

Uses and Disclosures Not Covered in This Notice. Other uses and disclosures of your PHI not described above in this Notice or permitted by law will be made only with your written authorization.  For example, we will generally not have access to any psychotherapy notes about you without your written authorization. If we obtain any of these records, we will not use or disclose them except as permitted by your authorization or applicable law. When consent for disclosure is required by law, your authorization will be obtained prior to such disclosure. We may not refuse to enroll or continue to provide benefits to you if you decide not to sign an authorization form. If you give us authorization to use or share PHI about you, you may revoke that authorization in writing at any time. Please understand that we are unable to retract any disclosures already made with your authorization.

Your Rights Concerning Your PHI

Right to Ask to See and Obtain a Copy. With certain exceptions (such as information collected for certain legal proceedings and PHI restricted by law), you have the right to ask to see and copy the PHI we use to make decisions about your benefits. This information is maintained by us for use in enrollment, payment, claims settlement and case or medical management record systems, or it is part of a set of records that is otherwise used by us to make a decision about you. If the record is maintained electronically by CareConnect, you have the right to obtain an electronic copy of the record. 

Your request must be in writing and must be given to the CareConnect Privacy Officer at the address listed on the last page of this Notice. Your request should describe the information you want to review and the format in which you want to review it. We may charge you a reasonable fee for the costs of copying, mailing, or other expenses associated with complying with your request. We may deny access in its entirety or in part under certain, limited circumstances. In some situations, if we deny your request, in part or in its entirety, you may request that the denial be reviewed. 

Right to Ask for an Amendment or Addendum. If you feel that the PHI that we have about you is incorrect or incomplete, you may ask us to amend the information. You have a right to request an amendment as long as the information is kept by or for CareConnect. You are required to submit this request in writing to CareConnect. We may deny your request for certain reasons, such as your failure to make the request in writing or to include a reason to support the request, or if we do not believe an amendment is appropriate. If we deny your request, we will give you a written explanation of why we did not make the amendment. You will have the opportunity to have certain information related to your request included in your records, such as your disagreement with our decision. We will also provide you with information on how to file a complaint with CareConnect or with the U.S. Department of Health and Human Services. 

Right to Ask for an Accounting of Disclosures. You have the right to ask us for a listing of those individuals or entities who have received your PHI from CareConnect in the six years prior to your request, the times we have shared your PHI with them and why. This listing will not cover disclosures made:

  • To you or your personal representative;
  • To carry out treatment, payment or healthcare operations;
  • Incident to a permitted or required use or disclosure;
  • To parties you authorize in writing to receive your PHI;
  • To your family members, relatives, or friends who are involved in your care;
  • For national security or intelligence services;
  • To correctional institutions or law enforcement officials; and 
  • As part of a “limited data set” for research purposes.  

You must submit your request in writing to the CareConnect Privacy Officer at the address listed on the last page of this Notice. Your request must state the time period for the requested disclosures. The first list requested within a 12-month period will be free. We may charge you a reasonable fee for responding to any additional requests in that same period. 

Right to Request Restrictions. You have the right to ask us to restrict or limit the PHI we use or disclose about you for treatment, payment or healthcare operations. We are not required to agree to all such requests.  You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment of your care, such as a family member or a friend. For example, you could ask that we not disclose information to a family member about a surgery you had. You must submit your request in writing to the CareConnect Privacy Officer at the address listed on the last page of this Notice.

Right to Request Confidential Communications. You have the right to request that we communicate with you in a certain way or at a certain location. For example, you can ask that we contact you only at home or only by mail. You must clearly state how or where you wish to receive communications from us and how payment, if any, will be handled. We must accommodate reasonable requests that indicate that the disclosure of all or part of the protected health information could endanger you. Your request must be made in writing by submitting your request to the CareConnect Privacy Officer at the address listed on the last page of this Notice.

If we grant your request but are unable to contact you using the requested means or locations, we may contact you using whatever information we have.

Right to Receive Notice of a Breach. You have a right to be notified in the event of a breach of the privacy of your unsecured PHI by the CareConnect or its business associates. You will be notified as soon as reasonably possible, but no later than 60 days following our discovery of the breach. The notice will provide you with the date we discovered the breach, a brief description of the type of information that was involved, and the steps we are taking to investigate and mitigate the situation, as well as contact information for you to ask questions and obtain additional information.  

Right to a Paper Copy of this Notice. Upon request, you may at any time obtain a paper copy of this Notice, even if you previously agreed to receive this Notice electronically. To request a copy, please contact the CareConnect Customer Service Department at (855) 706-7545.

Additional Rights.  This Notice explains the rights you have with respect to your health information under federal law.  Some state laws provide additional rights, including increased protection for certain sensitive information such as information involving mental health, alcohol and drug abuse, HIV/AIDS, genetic tests, sexually transmitted diseases and reproductive health.  If you reside in a state that has laws providing you with greater rights than as described in this Notice, we will comply with these laws. 


Contact Information.  If you have any questions about this Notice, you may contact the Customer Service Department at 855-706-7545 and ask to speak with the Privacy Officer or write to us at: 

North Shore-LIJ CareConnect Insurance Company, Inc.
Attention: CareConnect Privacy Officer
2200 Northern Blvd., Suite 104
East Hills, New York 11548

How to File a Privacy Complaint. If you believe that your privacy rights have not been followed as directed by federal regulations and state law or as explained in this Notice, you may file a written complaint with us. Please submit your complaint to the CareConnect Privacy Officer at the following address:

North Shore-LIJ CareConnect Insurance Company, Inc.
Attention: CareConnect Privacy Officer
2200 Northern Blvd., Suite 104
East Hills, New York 11548 

You will not be retaliated against or denied any health benefits if you file a complaint. If you are not satisfied with our response to your privacy complaint or you otherwise wish to file a complaint, you may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. The complaint must be in writing, it must describe the subject matter of the complaint and the individuals or organization that you believe violated your privacy and it must be filed within 180 days of when you knew or should have known that the violation occurred. The complaint should then be sent to:

Region II - New York 
Attention: Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza - Suite 3312
New York, NY 10278
Voice Phone (800) 368-1019
FAX (212) 264-3039
TDD (800) 537-7697

Future Changes to this Notice. CareConnect may change the terms of this Notice at any time. If we change the terms of this Notice, the new terms will apply to all of your PHI, whether created or received by CareConnect before or after the date on which the Notice is changed. We will notify you of any material changes to this Notice by posting the change or the revised Notice on our CareConnect website and by mailing a copy to you. The current Notice will always be posted on the CareConnect website,  If you would like additional information or want a copy of the Notice, please contact the CareConnect Customer Service Department at (855) 706-7545.