Website and Mobile Privacy Policies

Website and Mobile Application Privacy Policies

Overview

Welcome to the Quartz Health Solutions, Inc. (“Quartz”) website. We appreciate your interest in us. Quartz’s Website and Mobile Application Privacy Policy lets you know how Quartz collects information through your use of the website. It also lets you know what we do with the information we collect. The Website and Mobile Application Privacy Policy only applies to Quartz’s website, and to the Quartz MyChart mobile application. It does not apply to other ways you might communicate with us, such as telephone or in-person communications. Terms such as “we”, “our”, or “us” refer to all companies in the Quartz family, including current and future affiliated entities. This website and our mobile applications are intended for an audience in the United States of America. The information you provide will be transferred and processed by a computer server located within the United States of America.

Tracking, Monitoring, and Cookies

This site is owned and operated by Quartz Health Solutions, Inc. Any activity on this site is subject to monitoring by Quartz at any time. Quartz uses technologies, including but not limited to single session “cookie” technology. Cookies are used to gather information from visitors to our website. You may disable the use of cookies at any time. If you do so, this may limit your ability to use all aspects of our website. Quartz does not respond to web browser “Do Not Track” signals at this time.

Quartz uses third-party vendors to use technologies, including but not limited to cookie technology, to gather information from visitors to our website. This includes information such as which web browser was used to read our website and which websites referred you to our site. Quartz does not control these third-party vendors’ technologies or their privacy practices. Quartz also uses third-party vendors to gather, aggregate, and analyze data such as the number of users to the site, the pages visited, and user demographics, to provide, maintain and improve our services. No personally identifiable information is collected when Quartz or its third-party vendors gather such information. Quartz reserves the right to use and share or disclose this information with others unless otherwise restricted by this Privacy Policy or applicable law.

We do not collect personally identifiable information about you unless you voluntarily provide it to us. Personally identifiable information is any information or data that is unique to an individual such as a name, Social Security Number, address, birth date, etc. Parts of the Quartz website may allow you to provide Quartz with personally identifiable information in order for Quartz to provide requested products, services, or materials to you, or to respond to your questions. The personally identifiable information you provide is used only for the stated purposes on that website page. Quartz does not sell, license, transmit or disclose personal information that you provide to us outside of Quartz, and its affiliated companies, except with the following exceptions:

  • If all or part of the company is sold, merged, dissolved, acquired, or other similar business transactions occur
  • If we receive a lawful court order, subpoena, or search warrant requesting such information
  • If a law or regulation requires us to share the information
  • If we choose to work with law enforcement when they investigate and/or prosecute illegal or harmful activities
  • If we choose to investigate activities that violate our rules

It is your choice to provide personal information to us through this website. You do not have to provide personal information if you do not want to. That may limit your ability to use certain parts of the website. Please contact Quartz Customer Service to learn how to obtain products, services, or materials, or have your questions answered, in a different manner.

Quartz will not intentionally collect any personal information from children under the age of 13 through our website without first obtaining parental consent. If you think we have collected personal information from a child under the age of 13 through this website please contact Quartz Customer Service.

Protecting Social Security Numbers

Quartz protects personally identifiable information, including any Social Security Number Quartz receives during the course of business. Quartz uses various physical, technological, and administrative safeguards designed to protect against unauthorized access of your Social Security Number.

Security

Quartz takes the duty to protect your personally identifiable information seriously. We strive to keep your data safe by using industry-proven best practices. Quartz protects the confidentiality of the data you submit through this website by encrypting sensitive information. Encryption is a way of concealing and securing data. Quartz uses a 128-bit Secure Socket Layer (SSL). Quartz uses a system of firewalls to help protect our private network from unauthorized Internet users. Quartz continually checks the whole system and makes sure data is secure. We use an Intrusion Prevention System (IPS) and other monitoring tools. These tools alert our security team so that they can find and block attacks against our systems. Quartz analyzes data in real time to check for threats. We also check to make sure that everything is working properly. Data is collected from all security and network hardware, software and systems. Quartz has back-up systems and a disaster recovery plan in place. This means that all critical systems and data will continue to be safe and available. This is a common way to prepare for a range of problems that can include power outages or natural disasters.

Despite these best efforts, Quartz cannot guarantee the security of our website. We cannot guarantee that the personal information sent or submitted through our website will not be intercepted while being transmitted to us. We are not liable for the acts of malicious third parties.

Effective Date

The effective date of this policy is September 1, 2018.

Updates to the Website Privacy Policy

We may update this Website Privacy Policy. If we update the Website Privacy Policy we will publish the updated version on our website. We will let you know that updates were made and what options you have (if applicable).

The Quartz family of companies is comprised of Quartz Health Benefit Plans Corporation, Quartz Health Plan Corporation, Quartz Health Plan MN Corporation, Quartz Health Insurance Corporation, and Quartz Health Solutions, Inc. These companies are separate legal entities. For more information, see our Companies and Licenses page.

Mobile Application Privacy Policy

Overview

Quartz takes very seriously its obligation to protect the confidentiality of your personal information. The Quartz MyChart mobile application for members is available for iOS and Android. These Applications connect to servers and systems operated and maintained by Quartz to provide secure, mobile access to those systems and your health information.

This Privacy Policy

This Privacy Policy describes how the Quartz MyChart mobile applications use, store, and transmit information and data. Quartz may modify this Privacy Policy at any time effective upon its posting. Your use of our Applications constitutes your acceptance of this Privacy Policy and any updates. Your use of our Applications is subject to the applicable Applications’ End User License Agreement.

Effective Date

The effective date of this policy is May 18, 2021.

Purpose

This Privacy Policy lets you know what limited information you provide to us when you use our Applications and what we do with that information. 

Your Personal Information

Our Applications and the Limited Ways in Which Quartz Uses Your Information

Quartz does not sell or license any information that you may provide to us as you use our Applications.

Except for those things stated below, our Applications do not send your personal information directly to Quartz. They do not store any of your data on your device or in the cloud-based storage solution associated with your device (i.e., iCloud or the equivalent).

Quartz attempts to minimize the amount of your personal or health information stored or retained on your device. Nevertheless, our Applications may:

  • Store a copy of a picture on your device if you choose to add a photo to your profile.
  • Create encrypted identifiers to identify target healthcare providers for HealthKit or Google Fit data if you are using HealthKit or Google Fit.
  • Temporarily store your personal information in memory or on the device while you use our Applications.

In addition, to provide certain features, our Applications may request information from servers and systems owned or operated by Quartz. Those servers and systems may record technical information about that request, such as an IP address and data related to the type of device, platform, location data, and operating system you use with our Applications.

HealthKit and Google Fit

With your permission, specific versions of our Applications can connect to Apple HealthKit or Google Fit to receive health information and share that information with your healthcare providers.

Our Applications do not share your health information with HealthKit, Google Fit, or other software enabled with HealthKit or Google Fit.

The Limited Ways We Use Your Information

We do not sell or license your information.  These are the limited ways we interact with your information in connection with our mobile apps:

  • When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device.   If you remove the photo from your profile or delete our mobile apps, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it. If you already have a photo stored in your profile through your healthcare organization – we do not interact with that photo in any way.
  • When you choose to use Apple’s HealthKit or Google Fit, we create encrypted identifiers to identify recipients of your Apple’s HealthKit or Google Fit data and store them on your device in app-private storage.  If you choose to stop using Apple HealthKit or Google Fit or delete our mobile apps, the identifiers are deleted.
  • When you choose to view documents from your healthcare organization (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage.  The temporary copies are deleted when you close your session on our mobile apps.
  • When you choose to include a photo or video in a message you send to your healthcare organization using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it will be saved to your camera app. Any photo or video saved to your camera app remains available in your camera app until you choose to delete it.
  • If your healthcare organization offers telehealth visits using our mobile apps, when you join a visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.
  • If your healthcare organization offers automatic appointment arrival and you choose to enable it, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment.  If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
  • If your healthcare organization offers location-based check-in for in-person appointments or allows you to find healthcare providers near you, you may choose to allow our mobile apps to interact with your location data for those purposes. We do not store your location data.
  • If your healthcare organization allows you to notify front desk staff electronically when you arrive for an appointment, you may choose to allow our mobile apps to interact with your Bluetooth data for this purpose. We do not store your Bluetooth data.
  • While you use our apps, we collect non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, the healthcare organization you interacted with, any error messages or codes, the model of the device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.
  • You may contact us through the methods listed on Our Website. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.

Your Healthcare Organizations

To use our mobile apps, you must have an account with a healthcare organization using Epic’s software. Because of this, your use of our mobile apps is also subject to your healthcare organization’s privacy policy.  Please contact your healthcare organization if you have any questions about their privacy policy.

How We Protect Your Personal Information

The security of your information and data while using our Applications is critical to us. Our Applications employ various technical safeguards to protect the confidentiality, integrity, and availability of your personal information, including supporting Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate technology and encryption.

In addition, healthcare providers with whom you connect may use various physical, administrative, and technical measures to protect your personal information.

For Android Users – Required Google Play Disclosures for Certain Health Apps

Google has determined our mobile apps are subject to their COVID-19 apps requirements.  As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.

  • Our mobile apps interact with your microphone only if you choose to use your microphone to navigate our mobile apps.  Our mobile apps interact with your camera roll only if you choose to add a profile image to a profile in our mobile apps.   This information is not used in connection with COVID-19.
  • Our mobile apps access, collect, use, and share your information (including video, audio, images, files) as stated above in the section titled, “The Limited Ways We Use Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
  • Our mobile apps were not created specifically for the COVID-19 pandemic.  They existed before the COVID-19 pandemic to allow you to access your health information on file with your healthcare organization.  Your healthcare organization may allow you to access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps.  You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
  • Your healthcare organization may allow you to use our mobile apps to conduct telehealth appointments with your healthcare providers. Our mobile apps only provide the technical support for those appointments to happen. We do not interact with any health information about you exchanged during any telehealth appointments.

Contact Quartz

If you have any questions about this Privacy Policy or the security measures we utilize, you may contact Quartz Customer Service.

To learn more about how Quartz uses and protects your personal information, please read our Notice of Privacy Practices/Aviso Sobre Las Normas de Privacidad.

You may print a copy for your records or request a copy by calling a Customer Service representative at (800) 897-1923.

Centers for Medicare & Medicaid Services

PATIENT PRIVACY AND SECURITY RESOURCES – SUPPORTING PAYERS EDUCATING THEIR PATIENTS

The Centers for Medicare and Medicaid Services (CMS) released the Interoperability and Patient Access final rule on March 9, 2020. This final rule requires most CMS-regulated payers – specifically, Medicare Advantage (MA) organizations, Medicaid Fee-For-Service (FFS) programs, CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), excluding issuers offering only Stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP) – to implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1) that allows patients to easily access their claims and encounter information including cost, specifically provider remittances and enrollee cost-sharing, as well as a defined sub-set of their clinical information through third-party applications of their choice. This rule also requires these payers to make resources regarding privacy and security available to all patients.

In the CMS Interoperability and Patient Access proposed rule, we asked stakeholders what kinds of information we could make available to help payers meet these requirements. Commenters asked us to provide sample information they could consult when producing their patient resource materials.

This document provides an overview of what is required to be included in a payer’s patient resource document and some content payers may choose to use to help meet this requirement. Use of this document is not required; this is meant to support payers as they produce patient resources tailored to their patient population.

What the Rule Requires

The final rule requires impacted payers to provide in an easily accessible location on their public websites, or through other channels used for regular communication with patients, educational resources in non-technical, simple, and easy-to-understand language that explains, at a minimum:

  • General information on steps the individual may consider taking to help protect the privacy and security of their health information, including factors to consider in selecting an application including secondary uses of data, and the importance of understanding the security and privacy practices of any application to which they will entrust their health information; and
  • An overview of which types of organizations or individuals are and are not likely to be HIPAA covered entities, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to submit a complaint to OCR and the FTC.

The CMS Interoperability and Patient Access final rule also encourages impacted payers to ask third-party app developers to attest to having certain provisions in their privacy policy. Payers that ask for this attestation should share with the patient a clear explanation of what the attestation is asking and how the process will work as part of their educational resources. It is important to make sure patients understand that if an app developer is asked to attest and does not respond to this request or attests negatively, the patient will have an opportunity to change their mind about sharing their data. But, if the patient does not actively respond to the payer within the period of time clearly communicated to them by the payer, the patient’s data will be shared as they originally requested.

Helpful Information for Payers Creating Educational Resources for their Patients

What are important things patients should consider before authorizing a third-party app to retrieve their health care data?

It is important for patients to take an active role in protecting their health information. Helping patients know what to look for when choosing an app can help patients make more informed decisions. Patients should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, patients should be advised not to use the app. Patients should consider:

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
    • Will this app sell my data for any reason, such as advertising or research?
    • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.

What should a patient consider if they are part of an enrollment group?

Some patients, particularly patients who are covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group where they share the same health plan as multiple members of their tax household. Often, the primary policyholder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. Patients should be informed about how their data will be accessed and used if they are part of an enrollment group based on the enrollment group policies of their specific health plan in their specific state. Patients who share a tax household but who do not want to share an enrollment group have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application; however, this may result in higher premiums for the household (and some members, i.e., dependent minors, may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group) and in higher total out-of-pocket expenses if each member has to meet a separate annual limitation on cost-sharing (i.e., Maximum Out-of-Pocket (MOOP)).

What are a patient’s rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/

You may also want to share with patients the HIPAA FAQs for Individuals:

https://www.hhs.gov/hipaa/for-individuals/faq/index.html

Are third-party apps covered by HIPAA?

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).

The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/how-protect-your-privacy-apps

What should a patient do if they think their data have been breached or an app has used their data inappropriately?

Payers should clearly explain to patients what their policy is for filing a complaint with their internal privacy office. In addition, payers should provide information about submitting a complaint to OCR or FTC, as appropriate.

To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Individuals can file a complaint with OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

Individuals can file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/

Disclaimer: This educational product was prepared as a service to the public and is not intended to grant rights or impose obligations. This educational product may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents. Paid for by the Department of Health & Human Services.
