Joint Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Church Pension Group Services Corporation, doing business as The Episcopal Church Medical Trust (Medical Trust), is the plan sponsor of certain group health plans (each a Plan and together the Plans) that are subject to the Health Insurance Portability and Accountability Act of 1996 and the regulations enacted thereunder (HIPAA).
HIPAA places certain restrictions on the use and disclosure of Protected Health Information (PHI) and requires the Medical Trust to provide this Joint Notice of Privacy Practices (the "Notice") to you. PHI is your individually identifiable health information that is created, received, transmitted or maintained by the Plans or their business associates, regardless of the form of the information. It does not include employment records held by your employer in its role as an employer. This Notice describes how your PHI may be used and disclosed by the Plans and by employees of the Medical Trust that are responsible for internal administration of the Plans.
It also describes your rights regarding the use and disclosure of such PHI and how you can gain access to it.
What This Notice Applies To
This Notice applies only to health benefits offered under the Plans. The health benefits offered under the Plans include, but may not be limited to, medical benefits, prescription drug benefits, dental benefits, the health care flexible spending account, and any health care or medical services offered under the employee assistance program benefit. This Notice does not apply to benefits offered under the Plans that are not health benefits.
Some of the Plans provide benefits through the purchase of insurance. If you are enrolled in an insured Plan, you will also receive a separate notice from that Plan, which applies to your rights under that Plan.
Duties and Obligations of the Plans
The privacy of your PHI is protected by HIPAA. The Plans are required by law to:
- Maintain the privacy of your PHI
- Provide you with a notice of the Plans’ legal duties and privacy practices with respect to your PHI
- Abide by the terms of the Notice currently in effect
When the Plans May Use and Disclose Your PHI
The following categories describe the ways the Plans are required to use and disclose your PHI without obtaining your written authorization:
Disclosures to You. The Plans will disclose your PHI to you or your personal representative within the legally specified period following a request.
Government Audit. The Plans will make your PHI available to the U.S. Department of Health and Human Services when it requests information relating to the privacy of PHI.
As Required By Law. The Plans will disclose your PHI when required to do so by federal, state or local law. For example, the Plans may disclose your PHI when required by national security laws or public health disclosure laws.
The following categories describe the ways that the Plans may use and disclose your PHI without obtaining your written authorization:
- Treatment. The Plans may disclose your PHI to your providers for treatment, including the provision of care or the management of that care. For example, the Plans might disclose PHI to assist in diagnosing a medical condition or for pre-certification activities.
- Payment. The Plans may use and disclose your PHI to pay benefits. For example, the Plans might use or disclose PHI when processing payments, sending explanations of benefits (EOBs) to you, reviewing the medical necessity of services rendered, conducting claims appeals and coordinating the payment of benefits between multiple medical plans.
- Health Care Operations. The Plans may use and disclose your PHI for Plan operational purposes. For example, the Plans may use or disclose PHI for quality assessment and claim audits.
- Public Health Risks. The Plans may disclose your PHI for certain required public health activities (such as reporting disease outbreaks) or to prevent serious harm to you or other potential victims where abuse, neglect or domestic violence is involved.
- National Security and Intelligence Activities. The Plans may disclose your PHI for specialized government functions (such as national security and intelligence activities).
- Health Oversight Activities. The Plans may disclose your PHI to health oversight agencies for activities authorized by law (such as audits, inspections, investigations and licensure).
- Lawsuits and Disputes. The Plans may disclose your PHI in the course of any judicial or administrative proceeding in response to a court’s or administrative tribunal’s order, subpoena, discovery request or other lawful process.
- Law Enforcement. The Plans may disclose your PHI for a law enforcement purpose to a law enforcement official, if certain legal conditions are met (such as providing limited information to locate a missing person).
- Research. The Plans may disclose your PHI for research studies that meet all privacy law requirements (such as research related to the prevention of disease or disability).
- To Avert a Serious Threat to Health or Safety. The Plans may disclose your PHI to avert a serious threat to the health or safety of you or any other person.
- Workers’ Compensation. The Plans may disclose your PHI to the extent necessary to comply with laws and regulations related to workers’ compensation or similar programs.
- Coroners, Medical Examiners and Funeral Directors. The Plans may disclose your PHI to coroners, medical examiners or funeral directors for purposes of identifying a decedent, determining a cause of death or carrying out their respective duties with respect to a decedent.
- Organ and Tissue Donation. If you are an organ donor, the Plans may release your PHI to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and
- Military and Veterans. If you are a member of the armed forces, the Plans may release your PHI as required by military command authorities.
- Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, the Plans may release your PHI to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
- Business Associates. The Plans may contract with other businesses for certain plan administrative services. The Plans may release your PHI to one or more of their business associates for plan administration if the business associate agrees in writing to protect the privacy of your information.
- Plan Sponsor. ECMT, as sponsor of the Plans, will have access to your PHI for plan administration purposes. Unless you authorize the Plans otherwise in writing (or your individual identifying data is deleted from the information), your PHI will be available only to the individuals who need this information to conduct these plan administration activities, but this release of your PHI will be limited to the minimum disclosure required, unless otherwise permitted or required by law.
The following categories describe the ways that the Plans may use and disclose your PHI upon obtaining your written authorization:
- Most uses and disclosures of psychotherapy notes;
- Uses and disclosures of PHI for marketing purposes; and
- Uses and disclosures that constitute a sale of PHI.
Any other use or disclosure of your PHI not identified in this section will be made only with your written authorization.
Authorizing Release of Your PHI
To authorize release of your PHI, you must complete a medical information authorization form. An authorization form is available at www.cpg.org or by calling (800) 480-9967. You have the right to limit the type of information that you authorize the Plans to disclose and the persons to whom it should be disclosed.
You may revoke your written authorization at any time. The revocation will be followed to the extent action on the authorization has not yet been taken.
Interaction with State Privacy Laws
If the state in which you reside provides more stringent privacy protections than HIPAA, the more stringent state law will still apply to protect your rights. If you have a question about your rights under any particular federal or state law, please contact the Church Pension Group Privacy Officer. Contact information is included at the end of this Notice.
The Plans may contact you to support their fundraising activities. You have the right to opt out of receiving such communications.
The Plans are prohibited from using or disclosing PHI that is genetic information for underwriting purposes.
Your Rights With Respect to Your PHI
You have the following rights regarding PHI the Plans maintain about you:
Right to Request Restrictions. You have the right to request that the Plans restrict their uses and disclosures of your PHI. You will be required to provide specific information as to the disclosures that you wish to restrict and the reasons for your request. The Plans are not required to agree to a requested restriction, but may in certain circumstances. To request a restriction, please write to the Church Pension Group Privacy Officer and provide specific information as to the disclosures that you wish to restrict and the reasons for your request.
Right to Request Confidential Communications. You have the right to request that the Plans’ confidential communications of your PHI be sent to another location or by alternative means. For example, you may ask that all EOBs be sent to your office rather than your home address. The Plans are not required to accommodate your request unless your request is reasonable and you state that the ordinary communication process could endanger you. To request confidential communications, please submit a written request to the Church Pension Group Privacy Officer.
Right to Inspect and Copy. You have the right to inspect and obtain a copy of the PHI held by the Plans. However, access to psychotherapy notes, information compiled in reasonable anticipation of or for use in legal proceedings, and under certain other, relatively unusual circumstances, may be denied. Your request should be made in writing to the Church Pension Group Privacy Officer. A reasonable fee may be imposed for copying and mailing the requested information. You may contact the Medical Trust Plan Administration at email@example.com for a full explanation of ECMT’s fee structure.
Right to Amend. You have the right to request that the Plans amend your PHI or record if you believe the information is incorrect or incomplete. To request an amendment, you must submit a written request to the Medical Trust Plan Administration at firstname.lastname@example.org. Your request must list the specific PHI you want amended and explain why it is incorrect or incomplete and be signed by you or your authorized representative. All amendment requests will be considered carefully. However, your request may be denied if the PHI or record that is subject to the request:
- Is not part of the medical information kept by or for the Plans;
- Was not created by or on behalf of the Plans or their third party administrators, unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the information that you are permitted to inspect and copy; or
- Is accurate and
Right to an Accounting of Disclosures. You have the right to receive information about when your PHI has been disclosed to others. Certain exceptions apply to this rule. For example, a Plan does not need to account for disclosures made to you or with your written authorization, or for disclosures that occurred more than six years before your request. To request an accounting of disclosures, you must submit your request in writing to the Medical Trust Plan Administration at email@example.com and indicate in what form you want the accounting (e.g., paper or electronic). Your request must state a time period of no longer than six years and may not include dates before your coverage became effective. The Medical Trust Plan Administrator will then notify you of any additional information required for the accounting request. A Plan will provide you with the date on which a disclosure was made, the name of the person or entity to whom PHI was disclosed, a description of the PHI that was disclosed, the reason for the disclosure and certain other information. If you request this accounting more than once in a 12-month period, you may be charged a reasonable, cost-based fee for responding to these additional requests. You may contact Medical Trust Plan Administration at firstname.lastname@example.org for a full explanation of the Medical Trust’s fee structure.
Breach Notification. You have the right to receive a notification from the Plans if there is a breach of your unsecured PHI.
Right to a Paper Copy of This Notice. You are entitled to get a paper copy of this Notice at any time, even if you have agreed to receive it electronically. To obtain a paper copy of this Notice, please contact the Church Pension Group Privacy Officer.
If You Are a Person in the European Union, the Following Provisions Will Also Be Applicable to You
For the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”), the Data Controller is Church Pension Group Services Corporation registered in the State of Delaware in the United States with a registered address at 19 East 34th Street, New York, NY 10016.
You can request further information from our Privacy Officer at Privacy@cpg.org.
In addition to your rights with respect to your PHI addressed above, you may have additional or overlapping rights under the GDPR. GDPR rights regarding your PHI include the following:
- You may access and export a copy of PHI;
- You may request deletion of, and updates to, PHI;
- You have the right to be informed about any automated decision-making of PHI including the significance and consequences of such processing for you;
- You may also object to or restrict the Plans’ use of For example, you can object at any time to the Plans’ use of PHI for direct marketing purposes.
- If the Plans obtained your consent to use your PHI, you may withdraw that consent at any
We only retain PHI collected for a limited time period as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law.
We maintain servers in the United States and Canada and your information may be processed on servers located in the United States and Canada. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy.
If You Believe Your Privacy Rights Have Been Violated
If you believe your privacy rights have been violated by any Plan, you may file a complaint with the Church Pension Group Privacy Officer and with the Secretary of the U.S. Department of Health and Human Services. All complaints must be filed in writing. You will not be retaliated against for filing a complaint.
To contact the Church Pension Group Privacy Officer:
The Church Pension Group
19 East 34th Street
New York, NY 10016
To contact the Secretary of the U.S. Department of Health and Human Services:
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, SW
Washington, DC 20201
(877) 696-6775 (toll-free)
This Notice is effective as of August 29, 2018.
Each Plan sponsored by the Medical Trust reserves the right to change the terms of this Notice and information practices and to make the new provisions effective for all PHI it maintains, including any PHI it currently maintains as well as PHI it receives or holds in the future, as permitted by applicable law. Any material amendment to the terms of this Notice and these information practices will be provided to you via mail or electronically with your prior written consent.