Privacy Policies of Bank of America and UnitedHealth Group

(Part 2)


2.2 UnitedHealth Group/UnitedHealthcare


UnitedHealth Group is a national leader and provider of health care benefits. According to the mission statement posted on its corporate website, UnitedHealth Group’s mission is to “help people live healthier lives” (UnitedHealth Group, 2011). As a health plan provider, UnitedHealth Group is required to remain in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, like GLBA, requires that relevant organizations provide customers with information that explains their privacy practices. UnitedHealth Group’s primary operating company, UnitedHealthcare, has an extensive privacy policy that explains how customer information is used, the organization’s rights regarding the use of private information, the rights of the consumer regarding the information that UnitedHealthcare handles, and how one may exercise the rights surrounding the use of private information. Keep in mind that the policy is composed of two notices: one that addresses medical information and one that addresses financial information. In addition, it summarizes privacy in terms of what is allowed under federal law and what is applicable under state laws.

3. Privacy Policies
3.1 Bank of America


Bank of America in its privacy policy claims to collect and share information such as social security numbers, employment information, account balances, transaction histories, credit information, and medical information (Bank of America, 2011). According to the policy, the bank “needs” to share these pieces of information in order to conduct its day-to-day operations (Bank of America, 2011). Although Bank of America expresses its need to share information, it does explain to customers what information sharing they have the ability to limit should they choose to do so. Below I have created a summarized chart that illustrates what information is shared and whether or not the sharing of the information can be limited.
[Table: Purpose for sharing | Shared | Can be limited? (rows not preserved in this copy)]

(Bank of America, 2011)


Bank of America also has an online privacy policy that explains how the bank collects and shares information when you visit a Bank of America or affiliate website. Currently the bank collects information that users provide via online forms, surveys, and applications (Bank of America, 2011). In addition, the bank collects browser preferences, history, operating system and physical computer information, and internet protocol addresses. The bank states that it makes such information available to third-party organizations such as credit bureaus, insurance agencies, mortgage brokers, courts, government agencies, etc. (Bank of America, 2011). Bank of America uses cookies, flash objects, and other technologies in order to collect information that aids it in providing relevant products and services, to record browser type and time spent on its site(s), and to monitor visitor interaction with Bank of America advertisements (Bank of America, 2011). Children’s information online is protected by the Children’s Online Privacy Protection Act (COPPA). Bank of America claims not to knowingly collect information from minors younger than 13 years of age without consent from the child’s legal guardian (Bank of America, 2011). The policy strangely asks that if you are under 13 you should refrain from entering any personal information.


3.2 UnitedHealth Group/UnitedHealthcare


UnitedHealth Group’s operating company UnitedHealthcare has two documents available on the internet that explain its privacy policy and practices: its Privacy Policy (online) and its Notice of Privacy Policy and Practices. The Privacy Policy starts by identifying the key privacy principles that the company operates by: respecting the privacy of enrollees, the right of enrollees to review and correct personal information, the promised existence of data safeguards that protect against data leakage and misuse, the peace of mind that the organization does not and will not engage in the sale or trade of personal information, the requirement that affiliates adhere to UnitedHealthcare’s privacy principles, and its promise to enforce sanctions against those who violate the principles (UnitedHealthcare, 2011). Further down in the same policy, UnitedHealth Group explains to customers that electronic communication with the organization outside of its website (e.g. email) is not secured. The company asks that healthcare providers refrain from sending protected health information (PHI) unless it is sent via a secure connection provided by UnitedHealth Group.

Like Bank of America, UnitedHealthcare also collects information online in order to conduct its day-to-day business. UnitedHealth Group collects contact information, personal information, records of online transactions, internet protocol addresses and domain information, mouse clicks (in order to evaluate site popularity), and workstation cookies (UnitedHealthcare, 2011). The organization claims that it only discloses the information collected when required by law, to protect the organization’s rights and property, to enforce its online agreement, or in an attempt to protect the interests of enrollees or guests.

The Notice of Privacy Policy and Practices explains how the organization handles health information and how such information is disclosed. According to the policy, UnitedHealthcare must disclose health information to those who have a legal right to act for you (the patient) and to the Secretary of Health and Human Services when necessary. The organization has reserved the right to disclose health information for the purposes of payment, treatment, and health care operations, to provide information on relevant products and programs, for plan sponsors, and for reminders (UnitedHealthcare, 2011). The organization also outlines many cases where it “may” use or disclose health information, under limitations, in certain situations (e.g. requirement by law, research purposes, data breach notification, and health oversight activities). The policy gives applicable individuals the right to restrict the disclosure of information to certain family members, obtain a copy of the information, have the information amended, receive relevant accounting information, receive confidential communications, and receive the privacy policy in paper form.


4. Policy Recommendations
4.1 Bank of America Policy Recommendations


The privacy policies of Bank of America are concerning. I found the collection of certain information to be unnecessary and the ability to limit the sharing of information to be unsatisfactory. The bank chooses to share personal information for marketing purposes; although this is understandable, the bank does not allow consumers to limit the sharing of information for this purpose. I strongly believe that consumers should have the right to opt out of this type of information sharing because it is not necessary to establish or maintain a relationship with the bank. The customer has the right not to be notified of products or services, and vice versa. The sharing of personal information for marketing purposes with third parties puts consumer information at risk if it is mishandled by the third party. In the event that personal information is mishandled by or stolen from a third party that has a relationship with Bank of America, I am led to believe that the blame would reside with Bank of America, because the information would not be present if the bank had not shared it. I believe that the bank should allow customers to opt out of the sharing of this information with third parties. Those who accept the sharing of information assume the risk that comes along with it. This action allows the bank to share the information free of the liabilities and consequences that would normally be involved should the information be mishandled or compromised in any way.

The way in which the bank collects information when one visits its sites is questionable. The use of cookies and flash objects is typical among most internet sites, but the collection of computer specifications and operating system details is something that I think the bank should refrain from. Probing the hardware specifications and operating system of visitors’ computers might be seen as a violation of a visitor’s privacy. The bank gave an explanation as to why the use of cookies and flash objects was necessary but failed to explain why it would need to record hardware specifications and operating system information. The bank should make this known to visitors upon their initial visit to the site, allowing the visitor to be aware of this before entering the site. The visitor’s acceptance of the disclaimer prior to entry would then remove any liabilities that might arise from collecting such information from visitors’ computers.


4.2 UnitedHealthcare Policy Recommendations


UnitedHealthcare’s privacy policy in my opinion is very strong and has been crafted in a way that protects consumer privacy and limits both abuse of personal information collection and liabilities. With that being said, there are areas of the policies that can be improved, which I will now discuss. UnitedHealthcare claims that it will only disclose information collected online under specific circumstances; one of the circumstances mentioned is when disclosure is required by law. It is not a surprise that the organization has said this; what is disturbing is that the organization uses the term “in good faith,” which leads one to believe that information will be disclosed at the discretion of UnitedHealthcare in such a circumstance. I strongly feel that the release of such information should be done only upon the delivery of a court subpoena. The organization does mention that in such a case the customer will be contacted unless the law prohibits this action (UnitedHealthcare, 2011). UnitedHealthcare should change the policy so that the delivery of private information to law enforcement can only be done when a court subpoena has been delivered. Allowing the organization to determine whether information should be disclosed without a court subpoena can result in the unwarranted release of information that can be harmful to the customer and the organization.

UnitedHealthcare shares certain health information with plan sponsors, these sponsors being employers who participate in health plans. Although it claims to provide only a summary of enrollment information and health information to plan administrators, these administrators (typically human resources personnel) are usually internal employees of the employer. Employers usually pay a percentage of employee health benefits; giving employers access to certain details of an employee’s care can have a negative impact on the employee’s employment. For example, an employee who is diagnosed with a chronic disease is likely to be in need of both frequent and expensive medical care. An employer that can determine this might look to terminate this employee for fear that the employee will bring added cost or be unable to perform his or her job function effectively. UnitedHealthcare should require employers to use administrators who are not internal employees. These administrators should be an experienced and trusted third party within the healthcare industry, through which employers manage their health plans. The administrators are to release only the information that is relevant to the employer while protecting the enrollee. This action ensures that enrollee information is protected and that businesses can still access the information that is necessary for them to operate.
