The Notice of Privacy Practices has been updated to include additional details on our physical and data security under the Privacy/Security Section.
Notice of Privacy Practices for the Panama Canal Area Benefit Plan
The Panama Canal Area Benefit Plan (PCABP) is committed to educating plan members about healthcare issues that affect them. As a result, we are providing you with general information about the Privacy Rule, a Federal regulation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) along with a brief overview of our Notice of Privacy. The Panama Canal Area Benefit Plan is complying with HIPAA’s regulations.
What is HIPAA and how does the Privacy Rule affect you?
When the “Health Insurance Portability and Accountability Act” (HIPAA) was passed in August of 1996, it gave the federal government the ability to mandate how healthcare plans, providers, and clearinghouses in the United States store and send an individual’s personal information as it relates to health care. The Privacy Rule was created to protect your rights as a member of the Panama Canal Area Benefit Plan. “Covered Entities” (including healthcare providers, health plans and clearinghouses) are required by law to be compliant with this regulation. The Panama Canal Area Benefit Plan Administrator’s office in the United States is responsible for a large volume of medical claims and medical assistance services, and governs itself as a “Covered Entity” under HIPAA. AXA Assistance USA and AXA Assistance Mexico Sucursal Panama, S.A., administrators of the PCABP, have adopted the HIPAA standard for all lines of business involvement, including the Panama Canal Area Benefit Plan.
Under the Privacy Rule you are guaranteed access to your medical records, allowed control over how your protected health information is used and disclosed, and allowed to take action if your privacy is compromised by following the Panama Canal Area Benefit Plan’s policy. Our practice is dedicated to maintaining the privacy of your personal information.
What is Protected Health Information (PHI)?
PHI is any identifying information about an individual’s health or health care history, such as family medical history, details of a recent visit to his/her doctor, etc., that is maintained or transmitted by a covered entity.
What is Individually Identifiable Health Information (IIHI)?
Any health information you provide the Panama Canal Area Benefit Plan, including your mailing address. PHI is any information that is created and retained by our office or received by another healthcare provider that relates to treatment, payment and/or that identifies you as an individual.
What is the Notice of Privacy Practice?
The Panama Canal Area Benefit Plan has an official Notice of Privacy Practice posted in the front entrance of the offices informing Panama Canal Area Benefit Plan members about their rights surrounding the protection of their PHI and our obligations concerning its use and disclosure. This notice applies to all records created or retained by AXA Assistance, the Panama Canal Area Benefit Plan administrators. We can update our Notice of Privacy Practices at any time. It will be posted in the front entrance of our offices and you can ask for a copy of the current notice at any time.
The following categories describe the different ways in which we may use or disclose your IIHI:
- Health Care Operations
- Treatment Options
- Disclosures Required by law
- Health-Related Benefits and Services
- Release of Information to authorized Family/Friends
The following categories describe unique situations in which we may use or disclose your identifiable health information:
- Public Health Risks
- Deceased Patients
- Law Enforcement
- Health Oversight Activities
- Organ and Tissue Donation
- National Security Inmates
- Lawsuits and Similar proceedings
- Serious threats to health or safety
- Workers’ Compensation
We will use your health information for plan administration.
What are your rights concerning Individually Identifiable Health Information (IIHI)?
You have rights regarding the PHI that we maintain about you. In our Notice of Privacy you can view the policies and procedures you will need to follow for the areas listed below.
- Confidential communications
- Requesting restrictions
- Inspection and copies of your health record
- Amendment of your health record
- Accounting of disclosure of your health information
- Right to a paper copy of this notice upon request
- Right to file a complaint
- Right to provide an authorization for other uses and disclosures
Breach of Privacy
When using personal health information, a health information custodian must exercise the highest level of care and must take reasonable steps to ensure that the individual's personal health information is accurate, complete and up to date for the purpose for which he/she uses the information.
Breaches of privacy or misuse of PHI must be directed to AXA Assistance’s Chief Compliance Officer, who will notify the member of breaches of information so that the member can take appropriate protective steps, and will request the patient to complete a form for filing a complaint under the Personal Health Information Protection Act. The Chief Compliance Officer will attempt to mediate the member's concern to resolve the complaint. The Chief Compliance Officer along with the Medical Director must give resolution and how information was disclosed and a measurable manner on how to avoid breaches of
The complaint should be resolved no later than 30 days after receipt of the request.
In addition, AXA Assistance may post a notice on the Panama Canal Area Benefit Plan website if a security breach occurs.
Change of Administrators
In the event of a change in administrators, Panama Canal Area Benefit Plan member information, including email addresses and postal addresses, will be transferred to a separate entity. All registered members will be notified of any change in administration by the AJAC Board, and may choose to modify any of their enrollment information at that time.
Administrators will use the Personal Health Information Protection Act to direct information to the AJAC Board, who will guide a measurable process for the protection of patient health information.
AXA Assistance has made significant changes to our information systems, operations policies and procedures and business practices in order to comply with HIPAA.
AXA Assistance, as administrator of the Panama Canal Area Benefit Plan (PCABP), recognizes the confidential and privileged nature of information entrusted to it by its clients and is committed to ensuring the confidentiality, integrity, and availability of the data. It furthermore recognizes that security threats are always changing. To address this, AXA Assistance maintains an effective and dynamic information security program. In addition to the requirements defined by the Health Insurance Portability and Accountability Act (HIPAA), AXA Assistance conducts an annual risk analysis and has developed security guidelines following recommendations set forth by the National Institute of Standards and Technology (NIST). Other regulations and practices used by AXA Assistance for the development of its security practices, evaluations, and threat identification are the following:
Gramm-Leach-Bliley Act of 1999
Payment Card Industry (PCI) Data Security Standard
For their versatility, superior technology and performance, and for the built-in security features, AXA Assistance uses the following devices:
USA: SANS, Microsoft Operating systems, Cisco Routers and Phones, with VOIP technology, and Hewlett Packard computing devices.
PANAMA: 3Com, Microsoft Operating systems, Cisco Routers and Phones, with VOIP technology, and Hewlett Packard computing devices.
AXA Assistance utilizes a combination of physical, technical, and policy safeguards to maintain its environment. Access to the Panama office is controlled by a key and lock system, with electronic code pad. Only authorized employees are issued keys; other employees use the key pad to gain entry. In our Panama office, this security is controlled by a program that is capable of providing a record history by gate in order to audit employees that enter and leave the premises. Computers are placed to minimize screen visibility from the reception area and meeting rooms. Automatic password-protected screen savers have been activated to prevent unauthorized access to unattended workstations. Guests are only allowed to visit the operations center if prior approval has been authorized by the management team.
In the USA, employees can only gain entrance to AXA offices with individually assigned unique key cards. While on duty, employees are required to display a Company-issued ID at all times. All entrances to AXA Assistance corporate premises are monitored and videotaped 24/7. Visitors, contingent staff and vendors are only allowed access to the AXA Assistance corporate office once they are signed in, and the employee being visited is charged with their responsibility for the duration of their visit. All visitors are issued numbered visitor badges that reflect the visitor's name and the employee being visited, and are required to visibly display the badge at all times while in the building. The Company Computer Room can be accessed only by authorized IT personnel with unique key cards assigned for that purpose.
When an enrollee calls or writes to our Customer Service Department in Panama, AXA Assistance collects contact information (name, phone number, mailing address or e-mail address) and only relevant information, as necessary, to assist an enrollee. This information is stored in Panama’s secured database system where it may be accessed by our designated agents for additional servicing.
AXA Assistance takes every precaution to protect our members' information. Sensitive information received from members via our secure website, or by mail, is protected both online and off-line. Information request or payment request forms used to collect information over the web are secured pages. These forms are encrypted and protected with the best encryption software in the industry - SSL. Our registration form, for example, displays the lock icon on the bottom of Web browsers to ensure they are secure pages. SSL is also usually indicated by “https://” as opposed to “http://.”
While we use SSL encryption to protect sensitive information in the web and the mail address, we also do everything in our power to protect member information off-line. Information stored on tape is encrypted and stored off-line in a bank vault. Employee access to personally identifiable information is granted in accordance with AXA Assistance’s need-to-know, need-to-use policy. Employee access is granted based on the need to complete members’ requests.
All employees are kept up-to-date on any new security policy changes or updates. Policy changes are communicated by email, through our employee awareness training, or by posting on the Company’s Intranet. Employees are constantly notified and/or reminded about the importance AXA USA places on privacy. Users are also aware of their duties and obligations to keep members' information confidential and secure, and are trained on what they are expected to do to ensure our members' information is protected. Finally, Company servers housing Individually Identifiable Health Information are kept in a secure and locked Computer Room that is restricted only to authorized personnel of the IT department.
We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Should we change our information practices, we will post an announcement online, in our member newsletters and in the front office of the change.
Paper Copy of this Notice
This notice is available on our website at http://www.axa-assistance.com.pa. However, you have a right to a paper copy of this notice and may receive a paper copy at any time. Please submit your request in writing to the address or email shown below.
If you have any questions regarding this notice or our health information privacy policies, please contact:
AXA Assistance USA
Chief Compliance Officer
122 South Michigan Ave., Suite 1100
Chicago, Illinois 60603
Complaints to the Panama Canal Area Benefit Plan Administrator’s office or Secretary must: (1) be filed in writing, either on paper or electronically; (2) include specific details such as personnel involved and the date and location of the event of concern to you; and (3) be filed within 180 days of when you knew or should have known that the act or omission complained of occurred. This time limit may be waived for good cause shown. Complaints to the Secretary of Health and Human Services may be filed only with respect to alleged violations occurring on or after April 14, 2003.
The Secretary of Health and Human Services has delegated to the Office of Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to a violation of this federal regulation. Complaints should be addressed to the OCR Regional Office that is responsible for matters relating to the Privacy Rule arising in the State or jurisdiction where the covered entity is located. Complaints may also be filed via e-mail at CRComplaint@hhs.gov. Individuals may, but are not required to, use OCR's Health Information Privacy Complaint Form. To obtain a copy of this form, or for more information about the Privacy Rule or how to file a complaint with OCR, contact any OCR office or go to www.hhs.gov/ocr/hipaa.