This Notice describes the medical and financial information that Crosby Benefit Systems, a division of WageWorks, Inc. (Crosby) collects and manages on behalf of its employer clients’ benefit plans (Plans) for their respective participant employees, how this information may be used and disclosed, and how you can get access to it. This Notice relates to all participant protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA), and personal information (PI) as defined by the MA Data Security Law. This notice applies to:
- Crosby’s current and former clients’ current and former employees
- Any information in Crosby’s possession that would allow someone to identify a participant and learn something about his/her health or financial accounts
All Crosby workforce members, permanent and temporary must abide by this Notice, and may share your information with each other for purposes of your enrollment and payment for health care coverage, as described below.
Protecting the privacy and security of the PHI and PI of plan participants and other covered persons (collectively, "Covered Persons") is very important to Crosby and is also our legal duty. This Notice describes the types of information we collect from and about Covered Persons, and how we use and safeguard that information. The Notice only applies to individuals who obtain services from Crosby in the United States for personal, family or household purposes. The most up-to-date Notice will always be posted on our website
Crosby will not use or disclose with other parties any nonpublic protected health or financial information about Covered Persons except as authorized by the Covered Person, or as permitted by law, including for the servicing of the Plans by Crosby, or on our behalf. Crosby will not further disclose any participant PHI and PI about a former Covered Person other than as may be required or permitted by law.
Confidentiality and Security
Crosby restricts access to participant PHI and PI to our workforce employees, consultants, business associates and vendors. Access is granted only on a need-to-know basis. When access is required to carry out the legitimate business purposes only the minimum amount necessary is collected and used. Crosby maintains physical, administrative and technical safeguards to protect the confidentiality and security of participant PHI and PI.
Collection and Use Practices
Crosby collects and uses participant PHI and PI that we believe is necessary in servicing the Plans for our employer clients. This use includes the following:
- Information from the employer or the Covered Person (including names, addresses, Social Security Numbers, financial and marital status, health and dependent child-care information, benefit elections and employment information)
- Information about the employer's or the Covered Person's transactions with Crosby (including claims, payment and banking information)
- Information from the Covered Person’s health care providers or provider organizations (including drug receipts and medical information), drug card administrators (including prescription information), and family members
Crosby may disclose the nonpublic personal medical and financial information, including PHI and PI we collect, as described above, as well as information about Covered Persons' transactions with Crosby (such as election amounts, premiums and payment history) to our business associates and other third parties who perform services for Crosby or function on our behalf. Crosby maintains Business Associate Agreements and confidentiality agreements with all third party subcontractors that require they follow the same security and privacy practices to protect Covered Persons’ PHI and PI from unauthorized use and disclosure. Crosby may also disclose the nonpublic personal medical and financial information we collect to other third parties as authorized by the Covered Person, or as required or permitted by law.
All other disclosures of your PHI or PI would be handled by or at the direction of your employer, including: legal requirements, public health requirements, suspected abuse, neglect or domestic violence, law enforcement, to avert serious threat to the public or to an individual,
- Authorization. We may use or disclose your medical or financial information, including PHI and PI for any purpose that is listed in this Notice without your written authorization. We will not use or disclose your PHI or PI for any other reason without your authorization. If you authorize us to use or disclose your PHI or PI, you have the right to revoke the authorization at any time. Contact information is at the end of this notice.
- Confidential Communication. You have a right to ask us to communicate with you at a special address or by a special means. We will agree to any reasonable request.
- All other HIPAA requirements regarding your right to request amendment of PHI, an accounting of disclosures, and an inspection of your PHI should be made to your employer, and your employer will contact Crosby for any required requested information we may have.
Please contact Crosby if you have any questions, because your privacy, the security of your information, our professional ethics, and the ability to provide you with quality services are very important to us.