Policy effective and last reviewed July 11, 2022
Noridian Healthcare Solutions (Noridian) contracts with the Centers for Medicare & Medicaid Services (CMS) and is a CMS contractor under the authority granted in Sections 1842, 1862 (b) and 1874 of Title XVIII of the Social Security Act (the Act) (42 United States Code (U.S.C.) §§1395u, 1395y (b), and 1395kk).
As a CMS contractor, Noridian maintains the three (3) websites identified below, two of which are public and one that is non-public. Noridian is providing this notice to you concerning (i) how Noridian might use or disclose personally identifiable information (PII) that you might provide while visiting our public websites at http://med.noridianmedicare.com or http://www.edissweb.com (“Noridian’s Public Websites”) and (ii) how we might use or disclose PII or protected health information (PHI) that a health care provider might provide when using the non-public provider portal at https://www.noridianmedicareportal.com (“Noridian’s Non-Public Portal”).
Under this policy, PII means any information that alone, or in combination with other data elements, could be used to identify you, such as a name, address, telephone number, Social Security number (SSN), or other personal identifier unique to you (e.g., Medicare provider/supplier number). In general, PHI means individually identifiable health information that is created by a health care provider or other covered entity that relates to the health or condition of an individual.
How We Collect, Use, and Disclose Information on Noridian’s Websites
Noridian’s Public Websites:
Noridian’s Public Websites may collect PII about you during your visit when you choose to provide it to us—for example, when you provide us information about you on our “Email Customer Service” or “Website Feedback” pages; when you sign up for a list serve; when you register on our site; when you register for an event; or when you participate in surveys, as described more below. You do not have to give us PII to visit Noridian’s Public Websites. If you choose to provide us with PII, we will use the information you provide only as long as needed to respond to your question, grant access, or to fulfill the stated purpose of the communication. Groups of records that contain PII about an individual and are designed to be retrieved by the individual’s name or other personal identifier linked to the individual will be safeguarded in accordance with the Privacy Act of 1974, Health Insurance Portability and Accountability Act of 1996 (HIPAA), CMS’ Information Security Acceptable Risks Safeguards (ARS) and other CMS contract requirements.
Noridian’s Non-Public Portal:
Noridian as a CMS contractor will collect PII from health care providers using the Non-Public Portal if they specifically and knowingly choose to provide it to us. We will use the PII only in connection with our services as a CMS contractor, or for such purposes that we describe to you at the point of collection. For example, health care providers might submit PII in connection with their enrolling to use Noridian’s secure provider portal. In such a case, Noridian will actively guard any PII they provide and will not disclose, give, sell or transfer any such personal information to third parties. If we share demographic information with third parties, we will give them aggregate information only. By supplying Noridian with PII, the health care provider users have consented to allowing Noridian to use that PII in any way in accordance with CMS/HIPAA standards.
Noridian also collects PII to track those users registering for portal access. For health care providers to become users, they are required to enter in personal information (that is, name, work phone, email address, the provider/supplier’s Tax Identification Number (TIN) or Social Security number (SSN), organization name, trading partner ID, NPI, and PTAN). This information is used to permit them continued access to the Non-Public Portal.
In addition to PII, health care providers might submit PHI in connection with the functionality provided through Noridian’s secure non-public provider portal. We use and disclose such PHI only in connection with our role as a CMS contractor and then only as permitted or required under the HIPAA Privacy Rules and under our contract with CMS. Please see the Notice of Privacy Practices applicable to CMS contractors that is published by CMS on its website for a full description of all uses and disclosures of such PHI under the HIPAA Privacy Rule.
Noridian’s Websites Generally: Noridian may also collect PII to track those users registering for educational events. Users are required to enter in personal information (that is, name, email address, company name, and so on) when registering for most educational events, such as webinars and in-person seminars. This information is then used for continued communication with the user regarding their event registration and participation.
Users also have the option when registering on our List Serve Email newsletter to receive Medicare news and information. In order to complete this request, they need only supply their email address and name.
Noridian may also use an online survey to collect opinions and feedback. This online survey will appear at random to users. Survey respondents have the option of not including any PII in their comments. However, if the user has a question, there is an option to leave their email address. Noridian analyzes and uses this information to improve our website’s operation and content and to improve the end user experience.
Noridian’s Websites may also collect certain technical information—such as IP addresses, and browser and device information—from visitors who read, browse, and/or download information from our websites. We do this so we can analyze and understand how the websites are used and how to make them more helpful.
None of Noridian’s Websites collect information for commercial marketing or any purpose unrelated to our mission and goals.
PII collected via Noridian’s Websites is kept on secure servers and is accessed only by staff members with a business need to use it. This information is disposed of in accordance with the Noridian Records Retention program when no longer needed. On occasion, PII collected is requested by, and shared with the CMS for use in contract activities. In accordance with CMS regulations, collected information is not disposed of; instead, it is kept on an indefinite basis. If Noridian transmits your protected data to CMS or any CMS-contracted entities, Noridian will ensure the data is encrypted according to CMS standards.
Additionally, Noridian may share the information we collect to the following categories of third-parties:
How We Might Use or Disclose Information Collected from Third-Party Websites
Noridian uses third-party websites to collect various types of information. Some of these third-party companies (and information about their privacy policies) are listed below. Any of your activity on these third-party websites is governed by the security and privacy policies of those websites. If you choose to use any of these third-party websites, you should review their privacy policies before such use and ensure that you understand how your information may be used and disclosed.
General Information Applicable to Noridian’s Websites
Web Server Usage
We may record information about how users access our websites. This information may include your IP address (or the DNS name associated with it) and what Web software you are using (browser and version). Information provided will be used only for statistical purposes to help improve this site. This information cannot be used to identify a specific individual.
While we make every attempt to protect the personal information that you share with us, it is important to realize that electronic mail is not secure against interception. If your communication is very sensitive, we recommend sending it by postal mail instead. Noridian will not use email as a form of communication if it involves sensitive information, unless the email is encrypted per CMS standards. Otherwise, only telephone, fax or postal services will be used for communicating sensitive information.
A cookie is a small piece of information that is sent to your browser when you access a website. There are two kinds of cookies, a session cookie and a persistent cookie. A session cookie is text that is stored temporarily in your computer’s memory but never written to a drive. It is destroyed as soon as you close your browser. A persistent cookie is saved to a file on your hard drive. Noridian primarily uses only session cookies. A persistent cookie that expires on its own in 30 days may be used in conjunction with a website satisfaction survey, however no PII is collected. You may be able to decline using cookies, but you may be asked to re-enter previously supplied information to complete the website satisfaction survey each time you access it.
How to opt Out or Disable Cookies
If you do not wish to have temporary or persistent cookies placed on your computer, you may disable them using your Web browser. If you decide to “opt out” of cookies, you will still have access to all information and resources the Noridian website provides.
You can easily remove any cookies that have been created in the cookie folder of the most popular Internet browsers. Select the “Help” function on your browser and enter “cookies” to search for information on how to remove all or individual cookies.
Do Not Track
Our systems are not configured to recognize or respond to Do Not Track headers or signals.
We Value Your Opinion
Noridian Medicare Privacy Officer
Noridian has a designated privacy official who is available to answer privacy questions, for reporting privacy issues, specifically, the types of data we collect and how we use it, as well as how we share, safeguard, and dispose of collected information. You may contact the Medicare Privacy Officer by submitting your comments or questions to the following address or phone number:
Noridian Healthcare Solutions
Attn: Medicare Privacy Officer
PO Box 6055
Fargo ND 58103
1-800-667-8519 (Privacy concerns only)
1-855-609-9960 (Noridian Medicare Portal sign-in issues)