Policy last reviewed July 12, 2021
Noridian Healthcare Solutions (Noridian) contracts with the Centers for Medicare & Medicaid Services (CMS) and is a CMS contractor under the authority granted in Sections 1842, 1862 (b) and 1874 of Title XVIII of the Social Security Act (the Act) (42 United States Code (U.S.C.) §§1395u, 1395y (b), and 1395kk).
As a CMS contractor, Noridian maintains the three (3) websites identified below, two of which are public and one that is non-public. Noridian is providing this notice to you concerning (i) how Noridian might use or disclose personally identifiable information (PII) that you might provide while visiting our public websites at http://med.noridianmedicare.com or https://www.edissweb.com and (ii) how we might use or disclose PII or protected health information (PHI) that a health care provider might provide when using the non-public provider portal at https://www.noridianmedicareportal.com.
PII means any information that alone, or in combination with other data elements, could be used to identify you, such as a name, address, telephone number, Social Security number (SSN), or other personal identifier unique to you (e.g., Medicare provider/supplier number). In general, PHI means individually identifiable health information that is created by a health care provider or other covered entity that relates to the health or condition of an individual.
- http://med.noridianmedicare.com (public)
- https://www.edissweb.com (public)
- https://www.noridianmedicareportal.com (non-public)
Information Provided by Visitors on Public Websites
Noridian's public websites do not collect any PII about you during your visit unless you choose to provide it to us.
We do, however, collect information from visitors who read, browse, and/or download information from our websites. We do this so we can understand how the public uses the website and how to make it more helpful. None of Noridian's websites - public or non-public - collect information for commercial marketing or any purpose unrelated to our mission and goals.
How We Use, Disclose and Collect PII That Visitors' Choose to Provide
You do not have to give us PII to visit Noridian's public websites. If you choose to provide us with PII, we will maintain the information you provide only as long as needed to respond to your question, grant access or to fulfill the stated purpose of the communication. Groups of records that contain PII about an individual and are designed to be retrieved by the individual's name or other personal identifier linked to the individual will be safeguarded in accordance with the Privacy Act of 1974, Health Insurance Portability and Accountability Act of 1996 (HIPAA), CMS' Information Security Acceptable Risks Safeguards (ARS) and other CMS contract requirements.
PII collected via any Noridian website is kept on secure servers and is accessed only by staff members with a business need to use it. This information is disposed of in accordance with the Noridian Records Retention program when no longer needed. On occasion, PII collected is requested by, and shared with the CMS for use in contract activities. In accordance with CMS regulations, collected information is not disposed of; instead, it is kept on an indefinite basis. If Noridian transmits your protected data to CMS or any CMS-contracted entities, Noridian will ensure the data is encrypted according to CMS standards.
How We Use, Disclose and Collect PII and PHI That Health Care Providers' Enter into Our Non-Public Provider Portal
Noridian as a CMS contractor will collect PII from health care providers using the non-public provider portal if they specifically and knowingly choose to provide it to us. We will use the PII only in connection with our services as a CMS contractor, or for such purposes that we describe to you at the point of collection. For example, health care providers might submit PII in connection with their enrolling to use Noridian's secure provider portal. In such a case, Noridian will actively guard any PII they provide and will not disclose, give, sell or transfer any such personal information to third parties. If we share demographic information with third parties, we will give them aggregate information only. By supplying Noridian with PII, the health care provider users have consented to allowing Noridian to use that PII in any way in accordance with CMS/HIPAA standards.
Noridian also collects PII to track those users registering for portal access. For health care providers to become users, they are required to enter in personal information (that is, name, work phone, email address, the provider/supplier's Tax Identification Number (TIN) or Social Security number (SSN), organization name, trading partner ID, NPI, and PTAN). This information is used to permit them continued access to the provider portal.
Noridian also collects PII to track those users registering for educational events. Users are required to enter in personal information (that is, name, email address, company name, and so on) when registering for most educational events, such as webinars and in-person seminars. This information is then used for continued communication with the user regarding their event registration and participation.
Users also have the option when registering on our List Serve Email newsletter to receive Medicare news and information. In order to complete this request, they need only supply their email address and name.
Noridian also uses an online survey to collect opinions and feedback. This online survey will appear at random to users. Survey respondents have the option of not including any PII in their comments. However, if the user has a question, there is an option to leave their email address. Noridian analyzes and uses this information to improve our website's operation and content.
In addition to PII, health care providers might submit PHI in connection with the functionality provided through Noridian's secure non-public provider portal. We use and disclose such PHI only in connection with our role as a CMS contractor and then only as permitted or required under the HIPAA Privacy Rules and under our contract with CMS. Please see the Notice of Privacy Practices applicable to CMS contractors that is published by CMS on its website for a full description of all uses and disclosures of such PHI under the HIPAA Privacy Rule.
How We Might Use or Disclose Information Collected from Third-Party Websites
Noridian uses third-party websites to collect various types of information. Some of these third-party companies (and information about their privacy policies) are listed below. Any of your activity on these third-party websites is governed by the security and privacy policies of those websites. If you choose to use any of these third-party websites, you should review their privacy policies before such use and ensure that you understand how your information may be used and disclosed.
General Information Applicable to All Noridian Websites
Web Server Usage
We may record information about how users access our websites. This information may include your IP address (or the DNS name associated with it) and what Web software you are using (browser and version). Information provided will be used only for statistical purposes to help improve this site. This information cannot be used to identify a specific individual.
While we make every attempt to protect the personal information that you share with us, it is important to realize that electronic mail is not secure against interception. If your communication is very sensitive, we recommend sending it by postal mail instead. Noridian will not use email as a form of communication if it involves sensitive information, unless the email is encrypted per CMS standards. Otherwise, only telephone, fax or postal services will be used for communicating sensitive information.
A cookie is a small piece of information that is sent to your browser when you access a website. There are two kinds of cookies, a session cookie and a persistent cookie. A session cookie is text that is stored temporarily in your computer's memory but never written to a drive. It is destroyed as soon as you close your browser. A persistent cookie is saved to a file on your hard drive. Noridian primarily uses only session cookies. A persistent cookie that expires on its own in 30 days may be used in conjunction with a website satisfaction survey, however no personal information is collected. You may be able to decline using cookies, but you may be asked to re-enter previously supplied information to complete the website satisfaction survey each time you access it.
How to opt Out or Disable Cookies
If you do not wish to have temporary or persistent cookies placed on your computer, you may disable them using your Web browser. If you decide to "opt out" of cookies, you will still have access to all information and resources the Noridian website provides.
You can easily remove any cookies that have been created in the cookie folder of the most popular Internet browsers. Select the "Help" function on your browser and enter "cookies" to search for information on how to remove all or individual cookies.
We Value Your Opinion
Noridian Medicare Privacy Officer
Noridian has a designated privacy official who is available to answer privacy questions, for reporting privacy issues, specifically, the types of data we collect and how we use it, as well as how we share, safeguard, and dispose of collected information. You may contact the Medicare Privacy Officer by submitting your comments or questions to the following address or phone number:
Noridian Healthcare Solutions
Attn: Medicare Privacy Officer
PO Box 6055
Fargo ND 58103
1-800-667-8519 (Privacy concerns only)
1-855-609-9960 (Noridian Medicare Portal sign in issues)
Noridian may occasionally update this policy.
Last Updated Thu, 14 Apr 2022 12:12:35 +0000