Website and Mobile Privacy Policies
Website and Mobile Application Privacy Policies
Tracking, Monitoring, and Cookies
We do not collect personally identifiable information about you unless you voluntarily provide it to us. Personally identifiable information is any information or data that is unique to an individual such as a name, Social Security Number, address, birth date, etc. Parts of the Quartz website may allow you to provide Quartz with personally identifiable information in order for Quartz to provide requested products, services, or materials to you, or to respond to your questions. The personally identifiable information you provide is used only for the stated purposes on that website page. Quartz does not sell, license, transmit or disclose personal information that you provide to us outside of Quartz, and its affiliated companies, except with the following exceptions:
- If all or part of the company is sold, merged, dissolved, acquired, or other similar business transactions occur
- If we receive a lawful court order, subpoena, or search warrant requesting such information
- If a law or regulation requires us to share the information
- If we choose to work with law enforcement when they investigate and/or prosecute illegal or harmful activities
- If we choose to investigate activities that violate our rules
It is your choice to provide personal information to us through this website. You do not have to provide personal information if you do not want to. That may limit your ability to use certain parts of the website. Please contact Quartz Customer Service to learn how to obtain products, services, or materials, or have your questions answered, in a different manner.
Quartz will not intentionally collect any personal information from children under the age of 13 through our website without first obtaining parental consent. If you think we have collected personal information from a child under the age of 13 through this website please contact Quartz Customer Service.
Protecting Social Security Numbers
Quartz protects personally identifiable information, including any Social Security Number Quartz receives during the course of business. Quartz uses various physical, technological, and administrative safeguards designed to protect against unauthorized access of your Social Security Number.
Quartz takes the duty to protect your personally identifiable information seriously. We strive to keep your data safe by using industry-proven best practices. Quartz protects the confidentiality of the data you submit through this website by encrypting sensitive information. Encryption is a way of concealing and securing data. Quartz uses a 128-bit Secure Socket Layer (SSL). Quartz uses a system of firewalls to help protect our private network from unauthorized Internet users. Quartz continually checks the whole system and makes sure data is secure. We use an Intrusion Prevention System (IPS) and other monitoring tools. These tools alert our security team so that they can find and block attacks against our systems. Quartz analyzes data in real time to check for threats. We also check to make sure that everything is working properly. Data is collected from all security and network hardware, software and systems. Quartz has back-up systems and a disaster recovery plan in place. This means that all critical systems and data will continue be safe and available. This is a common way to prepare for a range of problems that can include power outages or natural disasters.
Despite these best efforts, Quartz cannot guarantee the security of our website. We cannot guarantee that the personal information sent or submitted through our website will not be intercepted while being transmitted to us. We are not liable for the acts of malicious third parties.
The effective date of this policy is September 1, 2018.
The Quartz family of companies is comprised of Quartz Health Benefit Plans Corporation, Quartz Health Plan Corporation, Quartz Health Plan MN Corporation, Quartz Health Insurance Corporation, and Quartz Health Solutions, Inc. These companies are separate legal entities. For more information, see our Companies and Licenses page.
Quartz takes very seriously its obligation to protect the confidentiality of your personal information. The Quartz MyChart mobile application for members is available for iOS and Android. These Applications connect to servers and systems operated and maintained by Quartz to provide secure, mobile access to those systems and your health information.
The effective date of this policy is May 18, 2021.
Your Personal Information
Our Applications and the Limited Ways in Which Quartz Uses Your Information
Quartz does not sell or license any information that you may provide to us as you use our Applications.
Except for those things stated below, our Applications do not send your personal information directly to Quartz. They do not store any of your data on your device or in the cloud-based storage solution associated with your device (i.e., iCloud or the equivalent).
Quartz attempts to minimize the amount of your personal or health information stored or retained on your device. Nevertheless, our Applications may:
- Store a copy of a picture on your device if you choose to add a photo to your profile.
- Create encrypted identifiers to identify target healthcare providers for HealthKit or Google Fit data if you are using HealthKit or Google Fit.
- Temporarily store your personal information in memory or on the device while you use our Applications.
In addition, to provide certain features, our Applications may request information from servers and systems owned or operated by Quartz. Those servers and systems may record technical information about that request, such as an IP address and data related to the type of device, platform, location data, and operating system you use with our Applications.
HealthKit and Google Fit
With your permission, specific versions of our Applications can connect to Apple HealthKit or Google Fit to receive health information and share that information with your healthcare providers.
Our Applications do not share your health information with HealthKit, Google Fit, or other software-enabled with HealthKit or Google Fit.
How We Protect Your Personal Information
The security of your information and data while using our Applications is critical to us. Our Applications employ various technical safeguards to protect the confidentiality, integrity, and availability of your personal information, including supporting Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate technology and encryption.
In addition, healthcare providers with whom you connect may use various physical, administrative, and technical measures to protect your personal information.
To learn more about how Quartz uses and protects your personal information, please read our Notice of Privacy Practices/Aviso Sobre Las Normas de Privacidad.
You may print a copy for your records or request a copy by calling a Customer Service representative at (800) 897-1923.
Centers for Medicare & Medicaid Services
PATIENT PRIVACY AND SECURITY RESOURCES – SUPPORTING PAYERS EDUCATING THEIR PATIENTS
The Centers for Medicare and Medicaid Services (CMS) released the Interoperability and Patient Access final rule on March 9, 2020. This final rule requires most CMS-regulated-payers – specifically, Medicare Advantage (MA) organizations, Medicaid Fee-For-Service (FFS) programs, CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), excluding issuers offering only Stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP) – to implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1) that allows patients to easily access their claims and encounter information including cost, specifically provider remittances and enrollee cost-sharing, as well as a defined sub-set of their
clinical information through third-party applications of their choice. This rule also requires these payers to make resources regarding privacy and security available to all patients.
In the CMS Interoperability and Patient Access proposed rule, we asked stakeholders what kinds of information we could make available to help payers meet these requirements. Commenters asked us to provide sample information they could consult when producing their patient resource materials.
This document provides an overview of what is required to be included in a payer’s patient resource document and some content payers may choose to use to help meet this requirement. Use of this document is not required; this is meant to support payers as they produce patient resources tailored to their patient population.
What the Rule Requires
The final rule requires impacted payers to provide in an easily accessible location on their public websites, or through other channels used for regular communication with patients, educational resources in non-technical, simple, and easy-to-understand language that explains, at a minimum:
- General information on steps the individual may consider taking to help protect the privacy and security of their health information, including factors to consider in selecting an application including secondary uses of data, and the importance of understanding the security and privacy practices of any application to which they will entrust their health information; and
- An overview of which types of organizations or individuals are and are not likely to be HIPAA covered entities, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to submit a complaint to OCR and the FTC.
Helpful Information for Payers Creating Educational Resources for their Patients
What are important things patients should consider before authorizing a third-party app to retrieve their health care data?
- What health data will this app collect? Will this app collect non-health data from my device, such as my location?
- Will my data be stored in a de-identified or anonymized form?
- How will this app use my data?
- Will this app disclose my data to third parties?
- Will this app sell my data for any reason, such as advertising or research?
- Will this app share my data for any reason? If so, with whom? For what purpose?
- How can I limit this app’s use and disclosure of my data?
- What security measures does this app use to protect my data?
- What impact could sharing my data with this app have on others, such as my family members?
- How can I access my data and correct inaccuracies in data retrieved by this app?
- Does this app have a process for collecting and responding to user complaints?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
- What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
- How does this app inform users of changes that could affect its privacy practices?
What should a patient consider if they are part of an enrollment group?
Some patients, particularly patients who are covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group where they share the same health plan as multiple members of their tax household. Often, the primary policyholder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. Patients should be informed about how their data will be accessed and used if they are part of an enrollment group based on the enrollment group policies of their specific health plan in their specific state. Patients who share a tax household but who do not want to share an enrollment group have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application; however, this may result in higher premiums for the household and some members, (i.e. dependent minors, may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group) and in higher total out-of-pocket expenses if each member has to meet a separate annual limitation on cost-sharing (i.e., Maximum Out-of-Pocket (MOOP)).
What are a patient’s rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/
You may also want to share with patients the HIPAA FAQs for Individuals:
Are third-party apps covered by HIPAA?
The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/how-protect-your-privacy-apps
What should a patient do if they think their data have been breached or an app has used their data inappropriately?
Payers should clearly explain to patients what their policy is for filing a complaint with their internal privacy office. In addition, payers should provide information about submitting a complaint to OCR or FTC, as appropriate.
To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Individuals can file a complaint with OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Individuals can file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/
Disclaimer: This educational product was prepared as a service to the public and is not intended to grant rights or impose obligations. This educational product may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents. Paid for by the Department of Health & Human Services.