Cubic Health Statement of Privacy Principles and Practices
At Cubic Health, we understand that privacy is a critical consideration for our plan sponsor clients, insurance carrier partners, and all members covered under the benefit plans we service. As an organization founded in 2003 by practicing pharmacists required to follow a professional Code of Ethics that clearly outlines standards around privacy and confidentiality, privacy has always been fundamental to how we conduct our business.
To earn the trust of our plan sponsor clients, insurance carrier partners and the plan members covered under the benefit plans we service, we abide by the ten (10) Privacy Principles below. These principles are based on the federal government’s privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The range of services we offer continues to change, but regardless of how our business changes, we are committed to protecting and respecting everyone’s right to privacy and confidentiality.
Cubic Health is accountable for the protection all personal information under its custody or control. This accountability extends to all Cubic Health employees, regardless of role or position. We have a dedicated Chief Privacy Officer who is responsible for monitoring our ongoing compliance with these Privacy Principles.
Cubic Health identifies the purposes for which it collects personal information before or at the time of collections. Collection of personal information is required in order to render a clinical coverage decision, provide appropriate information to a plan member, and/or review an appeal of a specific claim.
Cubic Health shall not use or disclose, for any purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the covered individual.
Cubic Health collects, uses and discloses personal information only with the consent of the individual, subject to certain exceptions. Such exceptions are set out in the law and include where legal, medical or security reasons make it impossible or impractical to seek consent. Consent may be expressed in writing. It may also be given verbally, electronically, or through an authorized representative.
In some situations, an authorized representative may take the place of the covered plan member. This means that another person has the authority to do what the individual can do under the Act. An authorized representative may be:
- A guardian of a minor (someone who has the care and custody of a minor or takes daily care of the minor – for example, a married parent, a divorced parent with a custody order, a guardian appointed by a court, etc.);
- An executor or administrator of the estate of an individual who has died;
- A guardian or trustee of a dependent adult;
- An individual acting with the written authorization of an individual; or
- An individual who is acting under a power of attorney.
Consent regarding the collection, use or disclosure of personal information related to an individual under 18 years of age will be obtained from the minor’s parent, guardian or legal representative.
Consent may be withdrawn at any time subject to legal or contractual restrictions and reasonable notice. Persons withdrawing consent will be notified of any impact this may have on their eligibility for services provided by Cubic Health.
Limiting collection of personal information
Cubic Health only collects personal information required for business purposes. We do not collect information indiscriminately.
Where appropriate, Cubic Health will collect personal information directly from plan members. Nevertheless, it is sometimes necessary to collect personal information from other sources such as physicians (e.g. diagnoses and test results) and pharmacists (e.g. detailed medication history and medication intolerances/adverse reaction.) Cubic Health will obtain consent to collect this information.
However, where Cubic Health collects information from third parties (e.g. pharmacists and physicians), it is assumed that such third party has obtained its clients’ consent before disclosing the information. Cubic Health is not responsible for any additional information covered members provide directly to these parties. We may record telephone conversations and will provide advance notice of any such recordings. Additionally, although not recorded, calls are sometimes monitored for training purposes as well as documented to enhance customer service and confirm our discussions with covered plan members.
Limiting use, disclosure, and retention of personal information
Personal information is not, without consent, used or disclosed to a third party for any purpose other than that for which it was collected, unless such use or disclosure is required or allowed by law.
Cubic Health retains personal information only as long as necessary to fulfill the identified purpose or as otherwise required or allowed by law.
Reasonable and systematic controls shall be maintained to ensure that records retention and destruction schedules are followed for personal information that is no longer required. Personal information that is no longer required shall be destroyed, erased or made anonymous. Cubic Health shall use appropriate security measures when disposing of personal information no longer required.
Cubic Health does not engage in any activity involving the selling, trading, renting or leasing of personal information.
Cubic Health will make reasonable efforts to ensure that covered members’ personal information is as accurate, complete, and current as required for the purposes for which it was collected. In some cases, Cubic Health relies on individuals to ensure that certain information, such as mailing address, e-mail address or telephone number, is current, complete, and accurate.
Cubic Health protects the security and confidentiality of personal information with safeguards appropriate to the sensitivity of the information, in order to protect your personal information from unwanted intrusion, release or misuse.
Information about our privacy policies and practices for managing your personal information shall be made available to you. Upon written request addressed to the Chief Privacy Officer, we will provide a copy of these guidelines, and respond to inquiries about our practices relating to personal information.
Upon written request, you will be informed of the existence, use and disclosure of your personal information and you will be given access to it, subject to certain exceptions, as permitted by law. You may also verify the accuracy and completeness of your information, and request that it be amended, if appropriate.
Inquiries and concerns
Any concerns or inquiries related to our privacy policies and practices should be made in writing to Cubic Health’s Chief Privacy Officer.
The information we collect
Personal information is information about an identifiable individual.
We will use fair and lawful means to collect covered plan member personal information. We only collect information that is pertinent and consistent with the purposes of collection. We may collect the required information directly from the covered plan member, or from their authorized representative(s), in completed applications and forms, through other means of correspondence such as telephone, mail, or the internet or other electronic means.
If information is being collected by telephone, the call may be recorded or monitored for the following reasons:
- To establish a record of the information provided by a covered plan member
- To take or verify instructions from a covered plan member
- To confirm a covered plan member’s identity
- To assist in training
If an individual is not comfortable with having their telephone calls recorded, they have the option of communicating with Cubic Health in writing instead.
What we need to know and why
The type of personal information we gather will depend on the service involved.
Generally, as a third-party, independent clinical case adjudication company focused on Prior Authorization claims (both new and renewal) for high-cost and specialty drug therapies, assessment of therapeutic alternatives available to a specific individual and member coverage appeals, we collect, use and disclose your personal information to:
- Evaluate a claim received related to a coverage request for a specific drug therapy and/or disease state
- Determine eligibility for a given drug benefit
- Properly administer the assessment of claims
- Communicate clinical decisions and/or coverage parameters to necessary parties such as the prescribing physician and insurance carrier
Covered plan member consent
A covered plan member’s consent may be expressed in writing, or it may be given verbally, electronically or through an authorized representative.
A covered plan member may withhold or withdraw consent for Cubic Health to collect, use and disclose personal information, as long as there are no legal or contractual reasons preventing a covered plan member from doing so. Depending on the circumstances, however, withdrawal of consent may impact Cubic Health’s ability to evaluate and process any claims.
How we share and destroy personal information
The disclosure of personal information will be restricted to those who have a need for, and the right to, the information.
A covered plan member’s personal information will only be provided to, or be accessible by:
- Cubic Health employees, agents and representatives who need the information to perform their duties
- Any person or organization to whom a covered plan member gave consent (e.g. physician, pharmacy, nurse case manager, etc.), and,
- Anyone who is otherwise authorized under law
Personal information that is no longer required will be destroyed, erased or made anonymous. When we destroy personal information, we will use safeguards to prevent unauthorized access to the information during the destruction process.
Commitment to protecting personal information
We are committed to protecting your personal information from unauthorized access or use, by ensuring the necessary physical, organizational and technical safeguards are in place, that are appropriate to the sensitivity of the information. This means that personal information is protected:
- Physically, by building and data centre security measures and physical barriers
- Organizationally by our policies, procedures and access levels, and,
- Technologically by, for example, where appropriate, the use of passwords, encryption, multi-factor authentication, firewalls, anti-virus and intrusion detection.
If you have any questions or concerns about our privacy policies and practices, or if you want to know more about the process for accessing and/or correcting your personal information, please contact us:
Chief Privacy Officer
Cubic Health Inc.
26 Soho Street
Toronto, ON M5T 1Z7