Aetna's Privacy Center

We value the trust you place in us. Protecting your privacy is important to Aetna and we take care to safeguard your personal information. Additional information regarding how we collect, maintain and use your information is available in our Privacy Center.

Web and Mobile Privacy Statement

Welcome to our web and mobile experience. By using our websites and mobile apps, you agree to the terms of this Privacy Statement.

What does this Privacy Statement cover?
This statement describes how Aetna (“Aetna,” “we” or “us”) may collect information about you through your interactions with us on our website and mobile applications (“apps”) that contain a link to this statement (collectively, the “Services”).

If information collected through the Services is member information, please refer to your “Notice of Privacy Practices” and not this Privacy Policy. If you are a member covered by an Aetna insured policy, this Notice can be found in this app; if you are covered through an employer plan that is self-funded, ask your employer for a copy of your Notice. Examples of member information are information collected when you enroll in an Aetna health plan or access services related to your health plan.
Who may use the Services?
We do not knowingly collect personal information online from any person we know to be under the age of 13. We tell users under 13 not to send any information to us through the online Services without their parents’ consent.
What types of information do we collect?
We may collect two basic types of information:
  • Personal Information is data that is unique to a person. It may include information such as your name, address, Social Security number, email address, telephone number and certain personal device information.
  • Non-personally identifiable Information is data that doesn’t personally identify you. This may include demographic information, aggregated information or certain information collected automatically through your device. These may include what web browser you use, server log files, cookies, pixel tags, web beacons and other tracking methods, and other non-personally identifiable information collected by us or provided by you.
How do we collect your personal information?
We collect your personal information when you:
  • Sign up or create a personal profile with us
  • Request products, services or information from us
We may also automatically collect certain personal device information. This may include your device’s physical location, internet protocol (IP) address, battery information, app activity, data usage, and malware information. This helps us identify you and your device to prevent fraud and data loss and keep our app secure.

In some cases, and in all cases required by law, you can update the information you give us. Just send us an email or update your online profile. Please revisit the specific place in the app where you first gave us your information.
How do we use your personal information?
We may use your personal information to:
  • Confirm it’s you so we can be sure our interactions with you are secure and confidential
  • Respond to your questions or requests
  • Deliver web-based products and services to you
  • Send you marketing messages that may interest you
Except during the sale, transfer, merger or other transaction involving all or part of our company, we won’t sell, license or otherwise transfer any rights to your personal information to any third party unless you expressly authorize it.

We may transmit or share your personal information with other parties:
  • If required by law, such as to comply with a subpoena, regulatory oversight or other legal process
  • When our contractors or vendors need to perform certain services, such as app maintenance or to improve performance
In all cases, we’ll require the other party to protect the information. They can use it only for the purpose we provided it.
How do we collect and use your non-personally identifiable information?

We collect and aggregate non-personally identifiable information when you visit our website or use our apps. It helps us to analyze and improve the services we provide you. Because this information doesn’t personally identify you, we may use and share it for any purpose permitted by law.

We may:

  • Automatically collect certain web browser information. Web browsers collect and store data about your device and operating system when you use our apps. When we collect this information, as well as your device’s media access control (MAC) address, we use it to help create a secure and consistent connection to you and to customize your experience and content when you use our apps.
  • Perform page tagging. This is a way to log web page and visitor information when you use our apps. "Tagging" does include a JavaScript program running in your browser. But it’s limited to providing information about the page you’re requesting and the setup of your browser. It won’t read any of your data files, extract personal information about you, or run any other programs. You can disable JavaScript in your browser to stop tagging, but that may keep you from using all the functions on our apps.
  • Use tracking pixels or beacons. These electronic files track your activity on our apps. They also track your completion of transactions and other browsing behavior.

Cookies and other technologies enhance your user experience

A "cookie" is a bit of data that we can send to your browser when you link to our apps. It isn’t a computer program. It can’t get any data or personal information on your computer. Your browser software can be set to reject or accept cookies.

Our use of cookies allows us to collect and retain certain information about a website user, such as the type of Web browser you use. Reviewing our Web server logs and site usage helps us monitor performance. Cookies also help us:

  • Enhance web and mobile navigation
  • Personalize your experience
  • Understand how you use our services
  • Diagnose problems
  • Measure the success of our marketing campaigns
  • Deliver online content on services/products that may interest you
  • Otherwise administer our services

Collecting IP addresses is also a standard practice and is done automatically by many websites and apps. We use IP addresses to administer our services, measure service levels and help diagnose server problems. Your IP address is a number that is automatically assigned to the computer that you are using by your Internet Service Provider. An IP address may be identified and logged automatically in our server log files whenever a user accesses our services, along with the time of the visit and the page(s) visited.

Our Services use tracking technologies to collect and record your activities and movements across our websites throughout your browsing session, including page hits, mouse movements, scrolling, typing, out-of-the-box errors and events, and API calls (“session data”). We use this information to provide us with analytics and to improve our products, services, and your experience. Such tracking may also include recorded sessions, which we may play back for these purposes. We may share session data with our vendors (which may change over time) for these purposes, who will use the session data solely on our behalf.

Deidentified patient information

As permitted by law, we may also sell or disclose patient or member information that has been deidentified. This means data that can be used to identify a patient or member has been removed or changed according to one of the methods described in the Code of Federal Regulations. These are known as the HIPAA expert determination and HIPAA safe harbor methods. (See Section 164.514(b)(1) or (b)(2) of Title 45 of the Code of Federal Regulations.)

How do we protect your information?

We understand that the security, integrity and confidentiality of your information are very important to you. And we want to protect it. Here’s how:

  • We seek to use technical, administrative and physical security measures to protect your personal information from unauthorized access, disclosure, use or changes.
  • We regularly review our security practices. We test our apps regularly to mimic attempts to breach our security. We also have robust disaster recovery plans in place. Despite our best efforts, though, note that no security measures are perfect or 100 percent secure.
How we advertise to you

We don’t show you third parties’ ads on our apps. But we may use third-party advertising companies to serve you our ads on other sites based on the web pages you may have visited or your online activity. These are known as interest-based or personalized ads. They may also be known as targeted ads.

We (Aetna) show you these ads so you can see products and services that might interest you. We don’t direct ads to children, or to any user we know to be under 13 years old.

In order to serve up information related to our Services, the third-party companies may place or recognize a unique cookie on your browser (including through the use of pixel tags). We follow the guidelines of the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising. These help you understand and have greater control over the ads you see based on your online behavior. The DAA has a web site where you can opt out from getting targeted ads from some or all of the companies in the program. Our apps don’t respond to “Do Not Track” signals from browsers.

We may use analytics providers that use cookies, pixel tags and other, similar technologies to collect information about your use of the Services and your use of other websites and online services. Aetna and these other parties use these details to understand your online activity. We also use it to deliver ads and web site content based on your interests.

This policy doesn’t apply to, and we aren’t responsible for, the cookies or web beacons, or other tracking methods used by third parties. You can check out the privacy policies of these other companies to learn more.

You can email us your questions

We welcome the comments and questions you send to the email address given in our apps. We’ll share them with our Member Services team and other employees who can best help you.

Keep your information safe. Don’t email us information you consider confidential. If you’re a health plan member, call us at the number on your member ID card instead. Or call the number in the app you’re using. There are also some secure areas of our apps to share this type of information.

Other websites and apps

The Services may contain links to, or otherwise make available, third-party websites, services, or other resources not operated by us or on our behalf (“Third-Party Services”). We aren’t responsible for the privacy practices, content or accuracy of websites or apps of the Third-Party Services. We also don’t review or endorse their content or the products or services they describe.

We are not responsible for the privacy or security of any information you provide to them or their handling of information. We recommend that you review the privacy policy of any third party to whom you provide personal information online.

In addition, we aren’t responsible for the information, collection, use, disclosure or security policies and practices of other organizations. These include companies such as Apple, Google, Microsoft, RIM, or any other app developer, app provider, operating system provider, wireless service provider, or device manufacturer.

We may update our Privacy Statement

We may change this Privacy Statement. You can find the date changes were last made at the bottom of the page. Any changes become effective when we post the revised Privacy Statement. Your use of our websites or mobile apps following these changes means you accept the revised version. This isn’t intended to, and doesn’t create, any contractual or other legal rights in, or on behalf of, any party.

Privacy Statement updated: 8/11/2021

Coverage may be underwritten or administered by one or more of the following companies: Aetna Better Health Inc., Aetna Health Inc., Aetna Health of California Inc., Aetna Health of Utah Inc., Aetna Health of Iowa Inc., Aetna Life Insurance Company, Coventry Health Care plans, Aetna Better Health plans, Coventry Health and Life Insurance Company, HealthAssurance Pennsylvania, Inc., Innovation Health plans, and Allina Health and Aetna Insurance Company. Mail order pharmacy services may be provided by Caremark, L.L.C. or one or more of its subsidiaries or affiliates.

Security highlights

Aetna takes information security seriously and we diligently safeguard your personal information. Here are some ways Aetna protects your information and steps you can take to help.

Securing health information
A list of steps we take to secure your health information

17 steps for securing health information (PDF)
Our effort to reduce the use of SSNs

CMS to eliminate use of SSNs on Medicare cards

Personal identity theft affects a large and growing number of seniors. People age 65 or older are increasingly the victims of this type of crime. So, the Centers for Medicare & Medicaid Services (CMS) is starting a fraud prevention initiative that removes Social Security Numbers from Medicare cards. This will help fight identity theft and safeguard taxpayer dollars.

You'll get a new Medicare card and number

Between April 2018 and April 2019, CMS is removing Social Security numbers from Medicare cards and mailing each person a new red, white and blue Medicare card. This will include your new, unique Medicare number. Your new card and Medicare number won’t change your coverage or your Medicare benefits. Once you get the new card, you should destroy your old card and start using the new card right away.

This doesn't impact your Aetna ID card or number

Your current Aetna ID card will remain the same. You should continue to use your Aetna ID when you go to the doctor. This change is specific to your CMS-issued red, white and blue Medicare card only.

How to get ready

You don’t need to do anything to get a new card. But, you should make sure your mailing address is up to date with CMS. You can update your mailing address by visiting www.ssa.gov/myaccount or calling 1-800-772-1213 (TTY: 1-800-325-0778). This number is an automated telephone service, available 24 hours a day. If you cannot handle your business through the automated services, you can speak to a Social Security representative between 8 AM and 7 PM Monday to Friday.

Protect yourself from scams

Medicare will never call uninvited and ask for your personal or private information to get a new Medicare Number and card. Scam artists may try to get personal information (like your current Medicare Number) by contacting you about your new card. If you are asked for information, for money, or someone threatens to cancel your health benefits if you don't share personal information, call 1-800-MEDICARE (1-800-633-4227).

We'll continue to accept the HICN through the transition period

Find identity theft resources for people with Medicare

Where to find more information

You can find more information on the CMS site. Please take a minute to familiarize yourself with the upcoming new Medicare card changes.

Protect your medical records and identity

Because we’re committed to protecting the privacy of our members, we’re moving away from the use of Social Security numbers whenever possible. Thieves often steal Social Security numbers when they hack websites and computers. A Social Security number is not required for health care services.

Here's how you can help

If you're a health care professional working with us:

  • Collect the patient's member ID number, rather than a Social Security number.
  • For your own transactions, use your Employer Identification Number (EIN), rather than a Social Security number.
If you're an Aetna member:
  • Give your member ID number -- not your Social Security number -- when you go to the doctor, dentist or hospital.
If you're an employer working with us:
  • Work with your Aetna Contact or Account Rep to reduce the transmission of SSNs.

Encryption to safeguard data

Protecting the privacy and security of sensitive information is one of our highest priorities. Accordingly, Aetna encrypts all Internet e-mails that contain member-specific health and financial information -- examples include, but aren't limited to, personal and demographic information (e.g., name, SSN, address), employment information, information about payment of benefits, provider information, diagnostic or treatment information, claims status information and information related to behavioral health and/or sexually transmitted disease services.

Use of encrypted e-mail enables us to send quick, reliable communications while maintaining our commitment to protecting the confidentiality of member-specific information.

What is encrypted e-mail?

Encrypted e-mail is scrambled by the sender's e-mail program, which renders it unreadable until it is descrambled or "decrypted" by the recipient. Unencrypted e-mail is similar to a postcard -- the message can be viewed by anyone who picks it up. Encrypted e-mail is similar to a sealed letter -- the content cannot be viewed until the envelope is opened -- except, in this case, the envelope has a lock on it to which only the recipient has a key.

How does Aetna's use of encrypted e-mail impact recipients?

  • Whenever Aetna transmits member-specific health or financial information via Internet e-mail, the e-mail includes a message indicating that the content has been secured via encryption.
  • Encrypted e-mails from Aetna include instructions on how to decrypt the message for viewing -- this requires the recipient to perform a few simple clicks.
  • Anyone who receives an encrypted e-mail from Aetna is able to send an encrypted reply.
  • Third party messages that are sent to Aetna via the "Contact Us" feature on Aetna.com are also encrypted.

Who can receive member-specific health and financial information?

Aetna has strict procedures in place for determining if a third party can receive member health and financial information; i.e., Aetna employees are required to verify whether a requestor is authorized to receive the information before it is released.

Whom can the recipient of an Aetna encrypted e-mail call with questions?

Each encrypted e-mail from Aetna includes instructions on how to open the message and view the secure content. In the event a recipient receives an error message while in the process of trying to open an Aetna-generated encrypted e-mail, the error message provides guidance for troubleshooting the problem. In addition, the error message includes the following contact information:

If you experience any problems, please contact 1-800-237-7476 (TTY: 711), option 4 (Secure Email) during normal business hours; 8AM to 6PM ET.

Medical identity theft

Medical identity theft happens when someone steals your personal or health insurance information. They use it to get medical care, prescriptions, insurance payouts, even surgery. It’s a lot like regular identity theft. It can damage your credit rating, cost you money and take time to clear up. It can even hurt your chances to get some jobs. And it's happening more and more in the United States.

Here are a few steps to protect yourself

Be careful with your member ID card

It could be used to get medical services or drugs. And these will be on your medical record permanently. If your card is missing, lost or stolen, notify Aetna Member Services right away.

Keep personal information personal

Don’t give out your insurance ID, Social Security or driver’s license numbers on the phone or by mail to just anyone. Make sure you initiated the contact. And make sure there is a valid reason for giving out the number.

Be on guard even if someone claims to be from Aetna

We avoid asking for your Social Security number. However, there are times we need it. For example, if you:

  • Sent us a form that requested your Social Security number but you didn’t provide it or it is not readable, we might call you to ask for it.
  • Left a voice mail for someone at Aetna that did not include enough information to identify you, we might ask for additional information when returning your call.

Review health care information

Take time to read mailed Explanation of Benefits (EOB) statements or online claims. Even if they are marked, “This is not a bill." Look for:

  • Wrong group or identification numbers
  • Unfamiliar provider offices or hospitals
  • Dates for services on which you did not receive care
  • Prescriptions you did not fill

Make sure "free" is free

If you visit a free clinic, make sure it’s free. Don’t show your ID card for any reason.

Check your credit report

Identity thieves can run up medical costs in your name. The bills can be mailed to another address. You won’t know unless you check your report or you get a call from a collection agency.

Find out how you can get a credit report for free. Visit the Federal Trade Commission website.

Privacy and security educational resources

Aetna Patient Access API Member Educational Resources Regarding Privacy and Security

Certain Aetna[1] members have the right to direct Aetna to disclose their claims data, encounter data, and clinical data (collectively “health data”) held by Aetna or certain of its government program health plan subsidiaries and affiliates to a designated third-party application (app) through certain standardized technology.[2]

Aetna is also required by law to provide these educational resources, which you may use when making decisions about who you choose to share your health data with.

Currently, only Medicare Advantage plan members are able to direct Aetna to share their health data with third-party apps via Aetna's Patient Access API. Patient Access API functionality for certain other Aetna members will be available in the first half of 2021.

Learn about the payer-to-payer data exchange

How you can help protect the privacy and security of your health data.
  • It is important for you to take an active role in protecting your own health data.
  • If you direct Aetna to share your health data with a third-party app, Aetna has no control over how the third-party app will use or share your health data. Aetna does not review or evaluate third-party apps or their privacy or security practices for your health data.
  • Some third-party apps may share your health data with other third parties.
  • Health data can be very sensitive, and you should be careful to choose apps with strong privacy and security standards to protect it.
  • Any app you choose to receive your health data should have an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, you should consider not using the app.
  • Before you direct Aetna to share your health data with an app, you should read carefully the app’s terms of use (sometimes this information is contained in the app’s “end user license agreement”) and privacy policy to understand how the app will use and share your health data.
  • Below are factors to consider when selecting an app to receive your health data. If an app’s privacy policy does not clearly answer these questions, you should reconsider allowing the app to access your health data.
Factors to consider when selecting a third-party app to receive your health data.
  • What health data will this app collect?
  • Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?
What is the Health Insurance Portability and Accountability Act (HIPAA)?
  • The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. One part of it helps protect personal health information. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
  • You can find HIPAA FAQs for individuals from HHS here: https://www.hhs.gov/hipaa/for-individuals/faq/index.html.
Who must follow HIPAA?
  • Organizations and individuals who must follow HIPAA regulations are called “covered entities,” which can include:
    • Health plans, like health insurance companies, health maintenance organizations (HMOs), company health plans, and certain government programs that pay for health care, like Medicare and Medicaid
    • Many health care providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, health clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists
    • Health care clearinghouses
  • Additionally, “business associates” who provide certain services for covered entities must follow parts of the HIPAA regulations. Examples of business associates include billing companies, health care claims processors, companies that store or destroy medical records, and those that help administer health plans.
  • Many organizations that have health information about you do not need to follow HIPAA rules. Examples of these organizations may include life insurers, employers, workers compensation carriers, many schools and school districts, many state agencies, many law enforcement agencies, and many municipal offices.
  • You can find more information from HHS about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.
Are third-party apps required to follow HIPAA rules?
  • Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act.
  • The FTC Act, among other things, protects against deceptive acts, for example, when an app shares personal data without a user’s permission, despite having a privacy policy that says it will not do so.
  • The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.
HIPAA Privacy Complaints
  • If you think your HIPAA Privacy Rights have been violated, you can contact us using the toll-free Member Services number on your health plan ID card or you may contact the Aetna Privacy Office directly at the address below:
    • HIPAA Member Rights Team
      Aetna Inc.
      P.O. Box 14079
      Lexington, KY 40512-4079
  • You may also write the Secretary of the U.S. Department of Health and Human Services.
  • To learn more about filing a complaint with HHS OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
  • Individuals can file a complaint with HHS OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
What should you do if you think an app has used your data inappropriately?

[1] “Aetna” and the pronouns “we,” “us,” or “our” may refer to one or more of the Aetna group of subsidiary companies and their affiliates.

[2] See The Centers for Medicare & Medicaid Services (“CMS”) Interoperability and Patient Access Final Rule (CMS-9115-F).