Benistar Admin Services, Inc.
Notice and Summary of Privacy Practices
Benistar Admin Services, Inc. (BASI) is a third-party administrator (TPA) for administering retiree medical and prescription drug plans. In providing our services, we abide by the privacy practices and data protection standards outlined in all applicable federal, state, and local laws, as well as the specific privacy practices of each group plan we administer. For a complete description of the privacy practices that should apply to you, please get in touch with your employer group or insurance provider directly and request a copy of their Notice of Privacy Practices.
Maintaining and protecting the privacy, security, confidentiality, availability, and integrity of personal and health information is our top priority. To effectively administer member benefits, we must collect and share non-public protected health information (PHI). BASI has put information security policies and procedures in place to ensure that we share only the minimum amount necessary to provide services to our groups and members and only with authorized parties with legitimate business needs for the information.
BASI’s HIPAA Privacy Policy describes how we may use and disclose group members’ personal information, their rights to access and update their information, and how to request restrictions on BASI’s use and disclosure of their information under federal, state, and local data protection and privacy laws. BASI’s Information Protection Program Policy describes the establishment and maintenance of its Information Security Management Program.
This notice summarizes BASI’s privacy practices and policies, including what kind of information we work with, what types of information we may disclose, to whom we may disclose information, and how we protect information from unauthorized access, use, or disclosure.
How does BASI define “personal information?”
BASI is firmly committed to protecting the privacy and security of individuals’ personal information. The term “personal information” means any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources.
What data does BASI collect from its website, and how is it used?
To maximize your privacy, BASI does not require users to register or enter any personal information to use our website. The site is provided as a service to give information about our company’s services and how to contact us.
For questions regarding the security and privacy practices of the Benistar Retiree RX Resource Center, please visit Privacy Policy (express-scripts.com).
The Information We Obtain from Carriers, Groups, and Members:
BASI obtains information about individuals (including PII, PHI, and e-PHI) subject to the terms and conditions of our agreements with the insurance carriers and employer retiree groups we serve. We obtain this information to provide administration services associated with the management of retiree health and prescription benefit plans. This information may come to us in writing, in person, by telephone, or electronically and may include:
- Enrollment information, including items such as members’ names, addresses, social security numbers, and dates of birth.
- Sensitive health information provided to us by members, their representatives, their health insurers, or their health providers to help answer questions about their plan’s coverage or claims processes.
- Information collected during transactions that occur during the administration of benefits, including claims information, data necessary to calculate premiums, billing and payment information, service inquiries, and appeals information.
Use and Disclosure of Covered Information
BASI may not disclose covered information except as permitted by agreement or law.
BASI may disclose covered information to other parties to administer its services according to specific policies and practices to ensure the privacy, security, confidentiality, integrity, and availability of information.
Disclosure policies and practices ensure that only the minimum amount of information required is released to verified, authorized parties with a legitimate need for the information.
Disclosures are tracked and monitored to ensure compliance.
For more information on our HIPAA Privacy and Compliance Programs, please call.
Protecting Information:
BASI takes its duty to protect sensitive and confidential information seriously. In addition to our HIPAA Privacy Policy and Compliance Program, BASI has implemented an Information Protection Program based on an industry-recommended cybersecurity framework to ensure the security, privacy, confidentiality, integrity, and availability of the PII, PHI, and e-PHI entrusted to our care.
Summary of BASI’s Information Protection Program
· BASI has a formally documented information protection program based on an accepted industry cybersecurity framework that is actively monitored, reviewed, and updated to ensure program objectives continue to be met.
· BASI maintains high standards for physical and environmental security safeguards in addition to cybersecurity controls to protect our information systems against unauthorized access.
· BASI ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with its security strategy and response priorities.
· BASI conducts screening and training of our workforce before granting access to our information systems. Users of BASI’s information systems:
- Understand their security roles, responsibilities, and expectations, which are clearly defined and communicated through written policies, procedures, and guidelines that conform with the terms and conditions of employment at BASI
- Are motivated to comply with security policies
- Continue to receive training to ensure they have the appropriate skills and qualifications for their roles
- Are held accountable for violations of security requirements through a formal disciplinary process
- Receive information security education, training, and awareness
· Training includes (but is not limited to):
- Extensive HIPAA compliance training
- Fraud, waste, and abuse identification and prevention training
- Best practices in communication protection requirements, including the handling and exchange of covered information
· BASI restricts access to PII, PHI, and e-PHI to only authorized representatives with a legitimate business need to provide services to our insurance carrier partners, groups, members, and their representatives.
· Cybersecurity controls include (but are not limited to) nationally recognized best practices such as:
- Multifactor authentication
- Endpoint detection and response
- Encryption
- A skilled, empowered security team to update and patch information systems and respond to security incidents
- Data backup and recovery protocols as part of our Business Continuity and Disaster Response policy
- External security review and testing