
Privacy & Security

Notice of Privacy Practices of the Panama Canal Area Benefit Plan

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Notice

The Panama Canal Area Benefit Plan (PCABP) is committed to educating plan members about healthcare issues that affect them. As a result, we are providing you with general information about the Privacy Rule, a Federal regulation of the Health Insurance Portability and

What is HIPAA and how does the Privacy Rule affect you?

The “Health Insurance Portability and Accountability Act” of 1996 (HIPAA) defines how health care information of patients and insured individuals is to be stored and sent by healthcare providers, insurers, medical benefit plans and third-party administrators of medical claims. While the PCABP is based in Panama, it is a health benefit plan for US Government Civil Service Retirees and as such the Plan must comply with HIPAA. The HIPAA law also applies to third-party companies and people who provide service to, or interact with, healthcare information of the PCABP. These relationships are governed under the “HIPAA Business Associates Agreement”.

The Privacy Rule of the HIPAA law guarantees access of insured individuals and patients to their medical records. It also ensures the patient’s right to control how the health information is used and disclosed. As Plan Administrator, Redbridge is committed to upholding the privacy of the personal health information of all Plan members.

Your right to access your protected health information

By law, you or your legal representative have the right to view and/or get copies of your protected health information from health care providers who treat you, or from health plans that pay for your care. You also have the right to have a provider or plan send copies of your information to a third party that you choose, such as other providers who treat you, a family member, a researcher, or a mobile application (“app”) you use to manage your personal health information.

This includes:

• Medical and billing records (except psychotherapy notes)

• Information related to your enrollment in health plans

• Claims and case management records

• Any other records that contain information that doctors or health plans use to make decisions about you or others

Your providers and plans should have an easy process for you to ask for your health information, and you should be able to ask for it at a time and place that’s convenient for you. You may have to fill out a health information “request” form, and pay a reasonable, cost-based fee for copies. Your provider or plan must tell you about the fee when you make the request. The fee can only be for the labor to make the copies, copying supplies, and postage (if needed). In most cases, you shouldn’t be charged for viewing, searching, downloading, or sending your information through an electronic portal.

Generally, you can get your information on paper or electronically. If your providers or plans store your information electronically, they generally must give you electronic copies unless there are security concerns. However, you do have a right to get your records through unencrypted email if you prefer.

You have the right to get your information as quickly as possible, but it may take up to 30 days to fill the request.

For more information, see Your Rights Under HIPAA: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

What is Protected Health Information (PHI)?

PHI is any identifying information about an individual’s health or health care history, such as family medical history, details of a recent visit to his/her doctor, etc., that is maintained or transmitted by a covered entity.

What is Individually Identifiable Health Information (IIHI)?

Any health information you provide the Panama Canal Area Benefit Plan, including your mailing address. PHI is any information that is created and retained by our office or received by another healthcare provider that relates to treatment, payment and/or that identifies you as an individual.

What is the Notice of Privacy Practice?

The Panama Canal Area Benefit Plan has an official Notice of Privacy Practices posted in the front entrance of the offices informing the Panama Canal Area Benefit Plan members about their rights surrounding the protection of their PHI and our obligations concerning the use and disclosure of their PHI. This notice applies to all records created or retained by PCABP, the Panama Canal Area Benefit Plan administrators. We can update our Notice of Privacy Practices at any time. It will be posted in the front entrance of our offices, and you can ask for a copy of the current notice at any time.

The following categories describe the different ways in which we may use or disclose your IIHI:

• Treatment

• Payment

• Health Care Operations

• Treatment Options

• Disclosures Required by law

• Health-Related Benefits and Services

• Release of Information to authorized Family/Friends

The following categories describe unique situations in which we may use or disclose your IIHI:

• Public Health Risks

• Deceased Patients

• Military

• Law Enforcement

• Health Oversight Activities

• Organ and Tissue Donation

• National Security

• Research

• Lawsuits and Similar proceedings

• Serious threats to health or safety

• Workers’ Compensation

We will use your health information for plan administration.

Examples of Disclosure for Treatment, Payment and Health Care Operations.

What are your rights concerning Individually Identifiable Health Information (IIHI)?

You have rights regarding the PHI that we maintain about you. In our Notice of Privacy Practices, you can view the policies and procedures you will need to follow for the areas listed below.

1. Confidential communications

2. Requesting restrictions

3. Inspection and copies of your health record

4. Amendment of your health record

5. Accounting of disclosure of your health information

6. Right to a paper copy of this notice upon request

7. Right to file a complaint

8. Right to provide an authorization for other uses and disclosures

Breach of Privacy

When using personal health information, a health information custodian must exercise the highest level of care and must take reasonable steps to ensure that the individual’s personal health information is as accurate, complete and up to date as is necessary for the purpose for which he/she uses the information.

Breaches of Privacy or misuse of PHI must be reported to the PCABP Chief Compliance Officer, who will notify members of breaches of privacy so that they can take appropriate protective steps, and will request affected members to complete a form for filing a complaint under the Personal Health Information Protection Act. The Chief Compliance Officer will attempt to mediate the members’ concerns and resolve the complaint.

The Chief Compliance Officer along with the Medical Director must investigate how the breach occurred, what information was disclosed, and devise a corrective action plan on how to avoid the same type of breach in the future. The Plan Administrator must maintain a log of all breaches and report them as needed to relevant oversight agencies, if any, with copy to AJAC.

Complaints about breach of privacy must be resolved no later than 30 days after receipt of written complaint by the Plan Administrator.

In addition, and if relevant, PCABP may post a notice on the Panama Canal Area Benefit Plan website if a privacy/security breach occurs.

Change of Administrators

In the event of a change in administrators, Panama Canal Area Benefit Plan member information, including email addresses and postal addresses, will be transferred to the new Plan Administrator. All enrolled members will be notified about any change in administration by AJAC’s Board.

Privacy/Security

PCABP has made significant changes to our information systems, operations policies and procedures and business practices in order to comply with HIPAA.

Data Security

Redbridge, as administrator of the Panama Canal Area Benefit Plan (PCABP) recognizes the confidential and privileged nature of information entrusted to them by their clients and is committed to ensuring the confidentiality, integrity, and availability of the data. It furthermore recognizes that security threats are always changing. To address this, PCABP maintains an effective and dynamic information security program. In addition to the requirements defined by Health Insurance Portability and Accountability Act (HIPAA), PCABP conducts annual risk analysis and has developed security guidelines following recommendations set forth by the National Institute of Standards and Technology (NIST). Other regulations and practices used by PCABP for the development of its security practices, evaluations, and threat identification are the following:

• Gramm-Leach-Bliley Act of 1999

• Payment Card Industry (PCI) Data Security Standard

PCABP’s information systems and data are hosted primarily within the Microsoft Azure cloud environment. Azure is an enterprise-grade cloud platform that provides advanced security, high availability, and resiliency. PCABP leverages Azure’s built-in security capabilities, including access controls, encryption of data at rest and in transit, monitoring, and redundancy, to protect sensitive information and support regulatory compliance.

For their versatility, superior technology, performance, and built-in security features, PCABP utilizes the following technologies and devices:

United States: Microsoft operating systems, WatchGuard firewalls, Edgewater routers, Polycom phones with VoIP technology, and Dell and Lenovo computing equipment.

Panama: Microsoft operating systems, WatchGuard firewalls, Edgewater routers, Polycom phones with VoIP technology, and Hewlett-Packard computing equipment.

Physical Security

The Panama Canal Area Benefit Plan utilizes a combination of physical, technical, and policy safeguards to maintain its environment. Access to the PCABP office is controlled by a key and lock system, with electronic code pad. Only authorized employees are issued keys; other employees use the keypad to gain entry. In our Panama office, this security is controlled by a program that is capable of providing a record history by gate in order to audit employees that enter and leave the premises. Computers are placed to minimize screen visibility from reception area and meeting rooms. Automatic password protected screen savers have been activated to prevent unauthorized access to unattended workstations. Guests are only allowed to visit the operations center if previously authorized by the management team.

In the USA, employees can only gain entrance to PCABP offices with individually assigned unique key cards. While on duty employees are required to display a Company issued ID at all times. All entrances to PCABP premises are monitored and videotaped 24/7. Visitors, contingent staff and vendors are only allowed access to the PCABP office once they are signed in and the employee being visited is charged with responsibility for the visitor for the duration of their visit. All visitors are issued numbered visitor badges that reflect the visitor's name and employee being visited and are required to visibly display the badge at all times while in the building. The PCABP Computer Room can be accessed only by authorized IT personnel with unique key cards assigned for that purpose.

When an enrollee calls or writes to our Customer Service Department in Panama, the PCABP collects contact information (name, phone number, mailing address or e-mail address) and only relevant information, as necessary, to assist an enrollee. This information is stored in a secured database system where it may be accessed by our designated agents for additional servicing.

PCABP takes every precaution to protect our members' information. Sensitive information received from members via our secure website, or by mail, is protected both online and offline. Information request or payment request forms used to collect information over the web are secure pages. These forms are encrypted and protected with the best encryption software in the industry - SSL. Our registration form, for example, displays the lock icon on the bottom of Web browsers to ensure they are secure pages. SSL is also usually indicated by “https://” as opposed to “http://.”

While we use SSL encryption to protect sensitive information in the web and the email address, we also do everything in our power to protect member information off-line. Information stored on tape is encrypted and stored off-line in a bank vault. Employee access to personally identifiable information is granted in accordance with PCABP guidelines. Employees’ access is granted based on the need to complete members’ requests.

All employees are kept up to date on any new security policy changes or updates. Policy changes are communicated by email, through our employee awareness training, or by posting on the PCABP Intranet. Employees are constantly notified and/or reminded about the importance of PCABP practices on privacy. Users are also aware of their duties and obligations to keep members’ information confidential and secure and are trained on what they are expected to do to ensure our members' information is protected. Finally, PCABP servers housing Individually Identifiable Health Information are kept in a secure and locked Computer Room that is restricted only to authorized personnel of the IT department.

PCABP reserves the right to change our practices and to make the new provisions effective for all protected health information we maintain. Should we change our information practices, we will post an announcement of the change online, in our member newsletters and in the front office of the PCABP.

Paper Copy of this Notice

This notice is available on our website at https://www.pcabp.org. However, you have a right to request and receive a paper copy of this notice and may receive a paper copy at any time. Please submit your request in writing to the address or email shown below.

If you have any questions regarding this notice or our health information privacy policies, please contact:

Redbridge Group, LLC

VP Compliance PCABP

2850 S. Douglas Rd. Suite 400

Coral Gables, FL 33134

USA

Complaints to the Panama Canal Area Benefit Plan Administrator’s office or Secretary of Health and Human Services must: (1) be filed in writing, either on paper or electronically; (2) include specific details such as personnel involved and the date and location of the event of concern to you; and (3) be filed within 180 days of when you knew or should have known that the act or omission complained of occurred. This time limit may be waived for good cause shown. Complaints to the Secretary of Health and Human Services may be filed only with respect to alleged violations occurring on or after April 14, 2003.

The Secretary of Health and Human Services has delegated to the Office of Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to a violation of this federal regulation. Complaints can be filed in writing, fax or e-mail. You may visit the Secretary of Health and Human Services website at www.hhs.gov/ocr/office for complete details on how to file a complaint. Complaints may also be filed via e-mail at CRComplaint@hhs.gov. Individuals may, but are not required to, use OCR's Health Information Privacy Complaint Form. To obtain a copy of this form, or for more information about the Privacy Rule or how to file a complaint with OCR, contact any OCR office or go to www.hhs.gov/ocr/privacy.

Feedback

If you have questions or concerns about the Panama Canal Area Benefit Plan’s privacy policy, please e-mail us at: PCABP-Compliance@redbridge.cc.

© 2026 Redbridge Holding, LLC · PCABP All Rights Reserved.