Legal and Privacy

Privacy notices

Privacy Policy and Terms

Last revised: October 2024

Digital Privacy Policy — Blue Cross and Blue Shield of Minnesota

At Blue Cross and Blue Shield of Minnesota, your privacy is important to us. Blue Cross and Blue Shield of Minnesota maintains high standards for the protection of your privacy at our website. All the information we collect from or about our customers is maintained in accordance with a variety of state and federal laws and regulations, industry best practices, and our corporate standards. This Digital Privacy Policy ("Privacy Policy") describes the information we collect, use, and disclose when you access our online services, as well as our approach to maintaining the privacy and security of information, and your options as you interact with our websites, mobile apps, and related digital assets.

Note on HIPAA and Protected Health Information

The Health Insurance Portability and Accountability Act (HIPAA) regulates and defines protected health information (PHI) maintained by covered entities and business associates. HIPAA requires covered entities to maintain a Notice of Privacy Practices (NPP), which describes how PHI is collected, used, and disclosed by the regulated entity. PHI is part of the larger category of personal information, as defined below, and the terms of an NPP will apply to the collection, use, and disclosure of PHI rather than this Privacy Policy. For example, individually identifiable health information collected on a regulated entity’s website or mobile application is generally PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information, such as IP address or geographic location, does not include specific treatment or billing details. Therefore, most of the information collected, used, and disclosed through use of our online services is PHI and is subject to the applicable Notice of Privacy Practices.

Links to our NPP is included above for review.

Your Consent

We urge you to fully read this Privacy Policy to remain informed. Please be advised that this Privacy Policy constitutes an agreement between you and Blue Cross and Blue Shield of Minnesota when you utilize our online services, which includes our enterprise websites, mobile applications, member portals, and our other affiliated online or digital resources, owned or managed by Blue Cross and Blue Shield of Minnesota, that refer to this Privacy Policy. Please be advised that some of our online services may have separate or additional terms of use which will apply in addition to this Privacy Policy, and you are encouraged to review such supplemental terms of use. Your ongoing use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy and any supplemental terms of use, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law. Please note, our privacy practices are subject to the laws of the places in which we operate; as such, you may see additional region-specific terms that apply only to customers located in those geographic regions, as may be required by applicable laws.

1. Information That We Collect

We collect personal information from and about you in several ways. Personal information means individually identifiable information such as your name, email address, and demographic information if you choose to complete an online form. We leverage various tools, components, and features (as described below), in accordance with applicable law, to collect personal information to conduct our business operations, including understanding our users, maintaining and optimizing our online services, and customizing your user experience. Most of the information we collect, use, and disclose through use of our online services is PHI.
How you interact with a particular Blue Cross and Blue Shield of Minnesota online service will generally determine the type and amount of personal information we collect. For general website browsing, we capture basic information such as your browser type, IP address, device hardware model, referring URL, as well as server log information such as session time, click streams, and crash reports. For other features, such as use of a secure portal, we may need to verify your identity through a login process and collect sufficient personal information to provide a response or administer the service requested.

What follows below are further details regarding the personal information we collect, use, and disclose for our business purposes.

Online Forms

Blue Cross and Blue Shield of Minnesota offers online inquiry forms on our corporate-owned websites for account questions or to learn more about our products and services. The personal information we collect on inquiry forms generally includes your name, address, phone number, email address, and the details of your inquiry. By submitting personal information, you grant Blue Cross and Blue Shield of Minnesota the right to transmit, monitor, retrieve, store and use your information in connection with the operation of the website. We may use such information to review and respond to your request or communication or use contracted service providers to do that for us. We may also use information collected through online forms as stated in Section 2 below.

Secure Portals

Blue Cross and Blue Shield of Minnesota has established secure portals for use by our customers and business partners. When secure portals are accessed, we collect certain personal information, such as user ID and password, IP address, click streams, and related session data. Communications sent by users through these secure portals may also be recorded in transaction logs to monitor content, compliance with applicable law and regulations, or functionality of the services. We may also use information collected through secure portals as stated in Section 2 below.

Interactive Chat

Our online services may offer interactive chat technology to assist users. That interactive technology collects personal information such as name, date of birth, address, and account number for authentication purposes or to provide customized details as requested by a user and may also capture session-related information such as web logs to document the interaction. Users are reminded that supplemental terms of use may apply with respect to an interactive chat feature in addition to this Privacy Policy, and users are encouraged to read such terms as well. We may also use information collected through interactive chat as stated in Section 2 below.

Biometric Login

You may be invited by your mobile device to use fingerprint, facial recognition, or similar biometric technology to login to our online service. When a biometric login is enabled, our online services recognize that you have selected this as a preference and have been authenticated through your mobile device, and you are permitted to access our online services accordingly. When you use biometric login functionality on our online services, we do not collect any of the actual biometrics (e.g., fingerprints or facial images); that is managed and maintained on your mobile device and by the mobile device manufacturer (e.g., Apple, Samsung).

Geolocation Functionality

Our online services may use the location services functionality on your mobile device and thereby collect your geolocation data. We use geolocation data to assist you in finding geographically based products and services, and to provide you with relevant content based on your location. We may also use information collected through location services as stated in Section 2 below.

Mobile Device

Our online services collect certain personal information when being run on a mobile device; for example, if one of our mobile applications is downloaded, we collect information about the device type, its software/operating system, and device identifier. We use this information to assess our general user base and to improve our technical support capabilities. We may also use information collected from your mobile device as stated in Section 2 below.

Cookies

A cookie is a small text file that is stored on a computer or other internet-connected device when it accesses a digital resource. Cookies can capture user information such as IP address, internet browser and operating system type, the date and time of a digital interaction, session information such as page response times, your search history, saved preferences and password information (if a user elects to have a website remember this information), information about the referring URL, click stream to and through and from our online services.

Blue Cross and Blue Shield of Minnesota’s online services use first-party cookies (ones we create and configure) to support our digital resources, monitor their performance, enhance the user experience, and assess information about our user base. We may gather and use information obtained from first-party cookies to provide customers and prospects with tailored content and optimize our offerings.

We also use third-party cookies (ones we do not create or configure), in accordance with the requirements of applicable law, to help assess our user base, understand a user’s digital journey from external sources to our online services, and optimize our offerings in the market. In the event that third-party cookies are used to deliver relevant ads of interest, you can review and manage applicable third-party ad cookies by navigating to the following links provided by the Network Advertising Initiative and the Digital Advertising Alliance.

Cookies employed on our online services include the following types:

  • Strictly necessary: cookies which enable various underlying resource features and functionalities such as authenticating users.
  • Functional: cookies which support enhanced browsing experience and personalization.
  • Performance/Analytics: cookies which help us evaluate the effectiveness of digital resources, understand user patterns, and measure errors.

Most internet browser settings can be modified by users to attempt to block cookies (e.g., choosing a “do not track” or "global privacy control" setting). Also, you should be aware that blocking cookies could prevent a particular online service or certain features from fully functioning. We are not responsible for and make no representations or claims regarding the effectiveness of third party opt-out mechanisms or programs. Please note that if you delete your cookies or upgrade your browser after having opted-out, you will need to opt-out again to reaffirm your selections.

Pixels and Web Beacons

Pages on our online services, or our e-mails, may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an e-mail and for other related Digital Services statistics (for example, recording the popularity of certain Digital Services content and verifying system and server integrity).

Advanced Analytics and Tracking and Session Replay and Recording Technologies

We use tracking and session replay and recoding technologies to record your movements, clicks, keystrokes, data entry, and other activities while you interact with our Digital Services.

Third-Party Widgets

Users may encounter third-party widgets on our online services; these widgets (icons) are owned and controlled by third parties and not by Blue Cross and Blue Shield of Minnesota. These widgets are provided out of convenience only, and do not reflect an affiliation with or endorsement of the third-party company. If a user clicks a widget, he/she will be redirected to the landing page of that third-party company, and any data collection, use, and disclosure activities will be subject to that third party’s privacy standards (and not this Privacy Policy). Here’s an example: Blue Cross and Blue Shield of Minnesota maintains a LinkedIn page, but we have no control over how LinkedIn, as a third party, collects, uses, or discloses information obtained from users when they visit the LinkedIn platform.

When you click a third-party widget and leave our site, Blue Cross and Blue Shield of Minnesota makes no representations or warranties regarding third-party platforms or components, their content, data management, or security. To be an informed consumer, you should review the privacy standards of the applicable third parties.

Redirecting Hyperlinks and Embedded Third-Party Media

Our online services may contain redirecting hyperlinks or embedded third-party media content, as applicable; an example includes YouTube videos which may exist as tile images that redirect to YouTube when clicked, or as embedded files which begin playing on our web pages when clicked. This third-party content is not managed or configured by Blue Cross and Blue Shield of Minnesota, which means we do not control any code which may be linked to this content by the media host, and we do not control any data collection which might occur because of such code. By viewing any embedded third-party media content on our online services, as applicable, users acknowledge, accept, and expressly consent to any associated data collection, use, and disclosure which might occur between Blue Cross and Blue Shield of Minnesota and the media host.

2. Use, Access, and Disclosure Of This Information

Blue Cross and Blue Shield of Minnesota uses the information collected through our online services for the specified purposes stated in Section 1 above. Additional uses include:

  • Provide product, program, and service updates, event notices, details about new offerings, and announcements of interest.
  • Update and maintain information about users.
  • Monitor the effectiveness of our online services and features.
  • Ensure our digital resources function as intended and meet our users’ expectations.
  • Help us authenticate you as an authorized user and unique individual.
  • Evaluate your individual experience across our digital properties and help us assess and optimize our products, programs, services, and digital offerings.
  • Carry out our marketing, advertising, and general commercial business purposes.

We may also use your personal information to provide you with access to information about additional products, programs, and services offered by our family of companies or our business partners. You may remove yourself from certain communication channels or programs at any time — just follow the opt-out instructions included in those specific communications.

Disclosure To Service Providers

Blue Cross and Blue Shield of Minnesota may disclose your personal information collected through its online services to service providers that are contracted by Blue Cross and Blue Shield of Minnesota to support our functions. For example, a service provider may have access to your information to perform a specific task such as sending you a survey or a newsletter. Blue Cross and Blue Shield of Minnesota’s service providers are bound by contract to follow robust data privacy and security standards, and to handle your personal information with due care.

Links to External Websites

Third parties include non-affiliated companies whose platforms or components we may employ or present to our users, but whose data collection and usage activities we do not control, and which are not governed by this Privacy Policy (e.g., third-party widgets referenced above). For example, we may utilize a third-party vendor to host certain informational videos. When you click on the link to the video, you are re-directed from our site to the platform of the video host. The host’s data collection and usage activities will govern your interaction with that third-party site and content. Third parties can also refer to other types of entities or bodies that we do not have a contractual or commercial relationship with, but that we share data with as permitted or required by law (e.g., government oversight agencies). Blue Cross and Blue Shield of Minnesota generally does not disclose personal information collected through its online services to third parties except as set forth in this Privacy Policy, or as permitted or required by law. At times, personal information may be disclosed to a third party if there is a specific legal basis, if there is a need to complete a transaction requested by the user, or if necessary for providing a service or benefit to the user.

Disclosure To Comply With Law, Respond To Legal Requests, Prevent Harm, and Protect Our Rights

Blue Cross and Blue Shield of Minnesota may disclose your personal information to courts, law enforcement, governmental oversight agencies, and other appropriate regulatory bodies as permitted or required by applicable law, or if such disclosure is reasonably necessary to:

  • Comply with legal obligations.
  • Comply with legal process and to respond to claims asserted against Blue Cross and Blue Shield of Minnesota.
  • Respond to verified requests in relation to a criminal investigation or alleged or suspected illegal activity, or any other activity that may expose us or any of our users to legal liability.
  • Enforce and administer this Privacy Policy or any applicable terms of use.
  • Protect the rights of Blue Cross and Blue Shield of Minnesota, its employees, customers, business partners, or the public.

3. Other Relevant Data And Consumer Protection Laws

Children's Online Privacy Protection Act (COPPA)

Our online services are not generally intended for, nor made available to, children under the age of 13, and we typically do not make attempts to collect, use, or disclose information from children under the age of 13, unless otherwise permitted or required by applicable law.

State Consumer Privacy Laws

There are many state consumer privacy laws that have been enacted. Blue Cross and Blue Shield of Minnesota periodically reviews all relevant state consumer privacy laws to determine whether or not they are applicable to Blue Cross.  Blue Cross complies with all applicable state consumer privacy laws. 

4. Changes To This Digital Privacy Policy and Questions

Blue Cross and Blue Shield of Minnesota reserves the right to change, modify, or update this Privacy Policy at any time and for any reason. Blue Cross and Blue Shield of Minnesota will promptly post such changes, modifications, or updates to its online services accordingly. Please review this Privacy Policy periodically to keep informed of any changes. Users are reminded that continued use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law.

Questions

If you have any questions, concerns, complaints, or suggestions regarding our Privacy Policy, you may visit our Contact Us page or call the number on the back of your member identification card.

Effective October 1, 2024. Last reviewed in September 2024. Unless otherwise noted, the effective and review dates noted are for the Privacy Page in its entirety.
 

Minnesota government data practices act policy statement

Effective June 30, 2015

Blue Cross and Blue Shield of Minnesota and Blue Plus ("Blue Cross") have contracts with a government entity for certain health care related services. To the extent a private entity contracts to perform health care services that are a government function, the Minnesota Government Data Practices Act ("MGDPA") may apply.

The Principal Records & Information Management Administrator is responsible for managing MGDPA requests including determining applicable administrative, production, and copying costs associated with the request. 

Requests under the MGDPA should be submitted via the following:

Via email

DPArequests@bluecrossmn.com

Via mail

Blue Cross and Blue Shield of Minnesota
Attn: Records & Information Management Administrator
3400 Yankee Drive
Eagan, MN 55121

Members seeking information about their health records should contact Blue Cross as outlined in the Notice of Privacy Practices.