Church Pension Group | HIPAA Privacy Notice

Joint Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY. 

Introduction

Church Pension Group Services Corporation, doing business as The Episcopal Church Medical Trust (“Medical Trust”), is the plan sponsor of certain group health plans (each a “Plan” and together the “Plans”) that are subject to the Health Insurance Portability and Accountability Act of 1996 and the regulations enacted thereunder (“HIPAA”).   

This Joint Notice of Privacy Practices (the “Notice”) is required by HIPAA to inform you of your rights regarding the use and disclosure of your PHI. In particular, this Notice describes how the Plans, and employees of the Medical Trust that are responsible for internal administration of the Plans, may use and disclose your Protected Health Information (“PHI”). It further describes how you can access and control this information.

PHI is your individually identifiable health information that is created, received, transmitted or maintained by the Plans or their business associates, regardless of the form of the information. PHI does not include employment records held by your employer in its role as an employer.

What This Notice Applies To

This Notice applies only to health benefits offered under the Plans. The health benefits offered under the Plans include, but may not be limited to, medical benefits, prescription drug benefits, dental benefits, the health care flexible spending account, and any health care or medical services offered under the employee assistance program benefit. This Notice does not apply to benefits offered under the Plans that are not health benefits.

Some of the Plans provide benefits through the purchase of insurance. If you are enrolled in an insured Plan, you will also receive a separate notice from that Plan, which applies to your rights under that Plan.

Duties and Obligations of the Plans

The privacy of your PHI is protected by HIPAA. The Plans are required by law to:

  • Maintain the privacy of your PHI
  • Provide you with a notice of the Plans’ legal duties and privacy practices with respect to your PHI
  • Abide by the terms of the Notice currently in effect

When the Plans May Use and Disclose Your PHI

The following categories describe the ways the Plans are required to use and disclose your PHI without obtaining your written authorization:

Disclosures to You. The Plans will disclose your PHI to you or your personal representative within the legally specified period following a request.

Government Audit. The Plans will make your PHI available to the U.S. Department of Health and Human Services when it requests information relating to the privacy of PHI.

As Required By Law. The Plans will disclose your PHI when required to do so by federal, state or local law. For example, the Plans may disclose your PHI when required by national security laws or public health disclosure laws.

The following categories describe the ways that the Plans may use and disclose your PHI without obtaining your written authorization:

  • Treatment. The Plans may disclose your PHI to your providers for treatment, including the provision of care or the management of that care. For example, the Plans might disclose PHI to assist in diagnosing a medical condition, for pre-certification activities, or to a specialist involved in your treatment.
  • Payment. The Plans may use and disclose your PHI to pay benefits. For example, the Plans might use or disclose PHI when processing payments, sending explanations of benefits (“EOBs”) to you, reviewing the medical necessity of services rendered, conducting claims appeals and coordinating the payment of benefits between multiple medical plans.
  • Health Care Operations. The Plans may use and disclose your PHI for Plan operational purposes. For example, the Plans may use or disclose PHI for quality assessment and claim audits.
  • Public Health Risks. The Plans may disclose your PHI for certain required public health activities (such as reporting disease outbreaks) or to prevent serious harm to you or other potential victims where abuse, neglect or domestic violence is involved.
  • National Security and Intelligence Activities. The Plans may disclose your PHI for specialized government functions (such as national security and intelligence activities).
  • Health Oversight Activities. The Plans may disclose your PHI to health oversight agencies for activities authorized by law (such as audits, inspections, investigations and licensure).
  • Lawsuits and Disputes. The Plans may disclose your PHI in the course of any judicial or administrative proceeding in response to a court’s or administrative tribunal’s order, subpoena, discovery request or other lawful process.
  • Law Enforcement. The Plans may disclose your PHI for a law enforcement purpose to a law enforcement official, if certain legal conditions are met (such as providing limited information to locate a missing person).
  • Research. The Plans may disclose your PHI for research studies that meet all privacy law requirements (such as research related to the prevention of disease or disability).
  • To Avert a Serious Threat to Health or Safety. The Plans may disclose your PHI to avert a serious threat to the health or safety of you or any other person.
  • Workers’ Compensation. The Plans may disclose your PHI to the extent necessary to comply with laws and regulations related to workers’ compensation or similar programs.
  • Coroners, Medical Examiners and Funeral Directors. The Plans may disclose your PHI to coroners, medical examiners or funeral directors for purposes of identifying a decedent, determining a cause of death or carrying out their respective duties with respect to a decedent.
  • Organ and Tissue Donation. If you are an organ donor, the Plans may release your PHI to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
  • Military and Veterans. If you are a member of the armed forces, the Plans may release your PHI as required by military command authorities.
  • Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, the Plans may release your PHI to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
  • Business Associates. The Plans may contract with other businesses for certain plan administrative services. The Plans may release your PHI to one or more of their business associates for plan administration if the business associate agrees in writing to protect the privacy of your information.
  • Plan Sponsor. ECMT, as sponsor of the Plans, will have access to your PHI for plan administration purposes. Unless you authorize the Plans otherwise in writing (or your individual identifying data is deleted from the information), your PHI will be available only to the individuals who need this information to conduct these plan administration activities, but this release of your PHI will be limited to the minimum disclosure required, unless otherwise permitted or required by law.

These uses and disclosures may be effectuated in an electronic format.

The following categories describe the ways that the Plans may use and disclose your PHI upon obtaining your written authorization:

  • Most uses and disclosures of psychotherapy notes;
  • Uses and disclosures of PHI for marketing purposes; and
  • Uses and disclosures that constitute a sale of PHI.

Any other use or disclosure of your PHI not identified in this section will be made only with your written authorization.

Authorizing Release of Your PHI

To authorize release of your PHI, you must complete a medical information authorization form. An authorization form is available at www.cpg.org or by calling (800) 480-9967. You have the right to limit the type of information that you authorize the Plans to disclose and the persons to whom it should be disclosed. You may revoke your written authorization at any time, provided that no action has already been taken based on the authorization.

Interaction with State Privacy Laws

If the state in which you reside provides more stringent privacy protections than HIPAA, and if such state laws apply to your participation in the Plans, the more stringent state law will still apply to protect your rights. If you have a question about your rights under any particular federal or state law, please contact the Church Pension Group Privacy Officer at the contact information provided at the end of this Notice.

Fundraising

The Plans may contact you to support their fundraising activities. We will not disclose your PHI to third parties (other than business associates) for fundraising activities without your explicit written authorization.  You have the right to opt out of receiving such communications. If you wish to opt out of fundraising communications, you may contact the Church Pension Group Privacy Officer or follow the instructions provided in the communication.

Underwriting

The Plans are prohibited from using or disclosing PHI that is genetic information for underwriting purposes.

Additional Privacy Rights for Reproductive Health Care

The Plans are prohibited from using or disclosing, and will not use or disclose, your PHI when it is sought to:

  • Conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
  • Identify any person for the purpose of conducting such investigation or imposing such liability.

In the event that the Plans receive a request for information potentially related to reproductive health care, the Plans will obtain a signed attestation form from the requester that the use or disclosure is not for any prohibited purpose specified above.

For the purposes of this Notice, reproductive health care means health care that affects your health in all matters relating to the reproductive system and to its functions and processes. This includes, but is not limited to, health care related to: contraception, including emergency contraception; preconception screening and counselling; management of a pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage, management of preeclampsia, hypertension during pregnancy, gestational diabetes, molar pregnancy, ectopic pregnancy, and/or pregnancy termination; fertility and infertility diagnoses and treatment, including assisted reproductive technology like IVF; conditions that affect the reproductive system, such as perimenopause, menopause, endometriosis and adenomyosis; and other types of care, services and supplies used for the diagnosis and treatment of conditions related to your reproductive health system, such as mammography.

For more information on these prohibited uses and disclosures and when the prohibition applies, see https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html.

Your Rights With Respect to Your PHI

You have the following rights regarding PHI the Plans maintain about you:

  1. Right to Request Restrictions. You have the right to request that the Plans restrict their uses and disclosures of your PHI. You will be required to provide specific information as to the disclosures that you wish to restrict and the reasons for your request. The Plans are not required to agree to a requested restriction, but may in certain circumstances. To request a restriction, please write to the Church Pension Group Privacy Officer and provide specific information as to the disclosures that you wish to restrict and the reasons for your request. You may also have the right to request that Providers and other Covered Entities restrict disclosure of your PHI to the Plans if you have paid in full for the services from which such PHI was derived.
  2. Right to Request Confidential Communications. You have the right to request that the Plans’ confidential communications of your PHI be sent to another location or by alternative means. For example, you may ask that all EOBs be sent to your office rather than your home address. The Plans are not required to accommodate your request unless your request is reasonable, and you state that the ordinary communication process could endanger you. To request confidential communications, please submit a written request to the Church Pension Group Privacy Officer.
  3. Right to Inspect and Copy. You have the right to inspect and obtain a copy of the PHI held by the Plans. However, access to psychotherapy notes, information compiled in reasonable anticipation of legal proceedings or for use in such proceedings, and under certain other, relatively unusual circumstances, may be denied. Your request should be made in writing to the Church Pension Group Privacy Officer. A reasonable fee may be imposed for copying and mailing the requested information. You may contact the Medical Trust Plan Administration at jservais@cpg.org for a full explanation of ECMT’s fee structure. You have the right to receive a copy of your PHI in an electronic format if it is maintained electronically. Additionally, if you request, we can transmit this electronic copy directly to another person or entity you designate.
  4. Right to Amend. You have the right to request that the Plans amend your PHI or record if you believe the information is incorrect or incomplete. To request an amendment, you must submit a written request to the Medical Trust Plan Administration at jservais@cpg.org. Your request must list the specific PHI you want amended and explain why it is incorrect or incomplete and be signed by you or your authorized representative. All amendment requests will be considered carefully. However, your request may be denied if the PHI or record that is subject to the request:
    • Is not part of the medical information kept by or for the Plans.
    • Was not created by or on behalf of the Plans or their third-party administrators, unless the person or entity that created the information is no longer available to make the amendment.
    • Is not part of the information that you are permitted to inspect and copy.
    • Is accurate and complete.
  5.  Right to an Accounting of Disclosures. You have the right to receive information about when your PHI has been disclosed to others. Certain exceptions apply. For example, a Plan does not need to account for disclosures made to you or with your written authorization, or for disclosures that occurred more than six years before your request. To request an accounting of disclosures, you must submit your request in writing to the Medical Trust Plan Administration at jservais@cpg.org and indicate in what form you want the accounting (e.g., paper or electronic). Your request must state a time period of no longer than six years and may not include dates before your coverage became effective. The Medical Trust Plan Administrator will then notify you of any additional information required for the accounting request. A Plan will provide you with the date on which a disclosure was made, the name of the person or entity to whom PHI was disclosed, a description of the PHI that was disclosed, the reason for the disclosure, and certain other information. If you request this accounting more than once in a 12-month period, you may be charged a reasonable, cost-based fee for responding to these additional requests. You may contact Medical Trust Plan Administration at jservais@cpg.org for a full explanation of the Medical Trust’s fee structure.
  6.  Breach Notification. You have the right to receive a notification from the Plans if there is a breach of your unsecured PHI. In the event of a breach of your unsecured PHI, we will notify you without unreasonable delay, but no later than 60 calendar days after discovering the breach. The notification will include a description of the breach, the types of information involved, steps you can take to protect yourself, and what we are doing to address the breach.
  7.  Right to a Paper Copy of This Notice. You are entitled to get a paper copy of this Notice at any time, even if you have agreed to receive it electronically. To obtain a paper copy of this Notice, please contact the Church Pension Group Privacy Officer.

If You Are a Person in the European Union, the Following Provisions Will Also Be Applicable to You: 

For the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”), the Data Controller is Church Pension Group Services Corporation registered in the State of Delaware in the United States with a registered address at 19 East 34th Street, New York, NY 10016.

You can request further information from our Privacy Officer at Privacy@cpg.org.

Under the GDPR, you may have additional or overlapping rights. These include the right to:

  • Access and export your PHI;
  • Request deletion or updates to PHI;
  • Object to or restrict PHI usage;
  • Be informed about any automated decision-making of PHI, including the significance and consequences of such processing for you;
  • Object at any time to the Plans’ use of PHI for direct marketing purposes;
  • File a complaint to an EU Data Protection Authority if you believe the Plans have not complied with applicable laws; and
  • Withdraw your consent at any time, if the Plans obtained your consent to use your PHI.

Data Retention

We retain the PHI we collect only for a limited time period, for as long as we need it to fulfill the purposes for which it was initially collected, unless otherwise required by law.

Data Transfers

We maintain servers in the United States and Canada and your information may be processed on servers located in the United States and Canada. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy.

If You Believe Your Privacy Rights Have Been Violated

If you believe your privacy rights have been violated by any Plan, you may file a complaint with the Church Pension Group Privacy Officer and with the Secretary of the U.S. Department of Health and Human Services. All complaints must be filed in writing. To file a complaint with us, contact the Privacy Officer using the contact information provided below. To file a complaint with HHS, visit their website at www.hhs.gov/hipaa/filing-a-complaint or call 800-368-1019. You will not be retaliated against for filing a complaint.

To contact the Church Pension Group Privacy Officer:

Privacy Officer
The Church Pension Group
19 East 34th Street
New York, NY 10016
(212) 592-8365
privacy@cpg.org

To contact the Secretary of the U.S. Department of Health and Human Services:

U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue, SW
Washington, DC 20201
(202) 619-0257 | (877) 696-6775 (toll-free)
hhs.gov/about/contact-us/index.html

Effective Date

This Notice is effective as of May 29, 2025.

Changes

Each Plan sponsored by the Medical Trust reserves the right to change the terms of this Notice and information practices and to make the new provisions effective for all PHI it maintains, including any previously acquired PHI that it currently maintains as well as PHI it receives or maintains in the future, as permitted by applicable law. Any material amendment to the terms of this Notice and these information practices will be communicated to you via postal mail or otherwise electronically with your prior written consent.

