Notice of Privacy Practices

The UCC Medical and Dental Benefits Plan Joint Notice of Privacy Practices

The Pension Boards—United Church of Christ, Inc. (“Pension Boards”) is the Plan sponsor of the UCC Medical and Dental Benefits Plan (“Plan”). The Plan is providing you with the enclosed Notice of Privacy Practices as required by law. If you received this Notice electronically, you are entitled to a paper copy of this Notice.

The Notice describes how medical information about you may be used and disclosed by the Plan and how you can get access to your information. Please review it carefully. If you have any questions about this notice, please contact the person listed in the “Questions and Complaints” section below.

How the Plan Will Use Your Information

The Plan may use, share, or disclose the personal health information it creates, receives, maintains, or transmits about you (called your “protected health information” or “PHI”) to pay health care benefits, operate the Plan for treatment by a health care provider, and for other purposes that are permitted or required by law. In addition, the Plan may use or disclose your information in other special circumstances described in the enclosed Notice. For any other purpose, the Plan will require your written authorization for the use or disclosure of your PHI.

Your Individual Rights

You have the right to inspect and copy certain of your protected health information, request an amendment of the information, request restrictions on the use and disclosure of the information, request that communications be made to you through alternative means or at an alternative location, and obtain an accounting of the information that the Plan has disclosed for reasons other than treatment, payment, health care operations, required or authorized disclosures. There are certain limitations on these rights as explained in the Notice.

Questions and Complaints

You may contact the following person for more information about the Plan’s privacy practices, to exercise your rights or to complain about how the Plan is handling your protected health information:

General Counsel and Corporate Secretary
The Pension Boards-United Church of Christ, Inc.
475 Riverside Drive
Room 1020
New York, NY 10115
212.729.2700

The Notice below describes the Plan’s privacy practices in more detail.
IMPORTANT:
Receipt of this Notice does not mean you are eligible or enrolled under any of the Plans. Eligibility and enrollment are determined by the Plan documents and your elections.
1. Why am I receiving this Notice?

The Pension Boards-United Church of Christ, Inc. (“Pension Boards”) sponsors group health plans (the “Plans”) that are subject to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). These plans include:

  • UCC Medical Benefits Plan (for individuals who are not eligible for Medicare)
  • UCC Medicare Advantage Plan with Rx (for individuals enrolled in Medicare Parts A and B)
  • UCC Dental Benefits Plan
  • UCC Vision Benefits Plan

To the extent you are enrolled in any insured arrangement or any insured option under a Plan, you may receive a separate privacy notice from your insured plan or option. That notice will apply to the insurer’s privacy practices. This Notice generally describes the Pension Boards’ privacy practices with respect to the Plans.

The privacy of your personal health information that is received, created, maintained, used, transmitted, or disclosed by the Plans is protected by HIPAA. The Plans are required by law to:

  • maintain the privacy of your protected health information (“PHI”);
  • provide you with this Notice of the Plans’ legal duties and privacy practices with respect to your PHI;
  • abide by the terms of this Notice; and
  • notify you in the event of a breach of your unsecured PHI.
2. What is Protected Health Information (PHI)?

PHI is health information created, received, maintained or transmitted by a Plan that identifies (or may be used to identify) an individual. The information may appear on paper or in any other form. It does not include employment records held by the Pension Boards in its role as employer.

3. When will the Plans use or disclose my PHI?

The Plans must:

  • disclose your PHI to you or your personal representative within the legally specified period following a request;
  • make your PHI available to the U.S. Department of Health and Human Services when it requests information relating to the privacy of PHI in the Plans; and
  • use or disclose your PHI where otherwise required by applicable law.

The Plans, and the individuals who administer them, may use, receive, or disclose your PHI for treatment, payment or health care operations without obtaining a written authorization from you.

These activities cover a broad range of functions, including:

  • Treatment. The Plans may use or disclose your PHI to facilitate medical treatment or services by a health care provider. We may disclose medical information about you to health care providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, we might disclose information about you with physicians who are treating you.
  • Payment of Benefits. When and as appropriate, we may use and disclose medical information about you to determine your eligibility for the Plans’ benefits, to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility and coverage under the Plans, or to coordinate your coverage. For example, we may disclose information about your medical history to a physician (including your physician) to determine whether a particular treatment is experimental, investigational, or medically necessary, or to decide if the Plans will cover the treatment.

Additionally, we may share medical information with another entity to assist with the adjudication or subrogation of health claims, or with another health plan to coordinate benefit payments.

  • Health Care Operations. The Plans may use and disclose your PHI for certain operational purposes, as needed. For example, we may use medical information in connection with: conducting quality assessment and administration improvement; underwriting, premium rating, and other activities relating to coverage; submitting claims for stop loss (or excess loss) coverage; conducting or arranging for medical review, legal services, audit services, and fraud and abuse detection programs; business planning and development such as cost management; and business management and general administrative activities of the Plans. For example, we may use your information to review the effectiveness of wellness programs or in negotiating new arrangements with our current or new vendors. We will not use or disclose your genetic information for underwriting purposes.

If applicable to your circumstances, and to the extent provided now or in the future, the Plans may use and disclose your PHI to provide you with appointment (or treatment) reminders, information about treatment alternatives or information about other health- related benefits and services that may be relevant to your situation.

The Plans contract with other businesses and individuals for certain plan administrative services. Each of these “business associates” may create, receive, maintain, and transmit your health information for purposes of performing services for or on behalf of the Plans as long as the business associate agrees in writing to protect the privacy of your information and meet certain other specified requirements.

Certain business associates may also use and disclose PHI for their own management, administration and legal responsibilities (and for purposes of aggregating data with data obtained from other clients for evaluation of Plan design issues and other appropriate Plan purposes). Business associates maintain most of the PHI under the Plans and conduct most of the activities that involve PHI.

Under certain terms and conditions, the Plans (and the organizations offering benefits under the Plans) may disclose PHI to the Pension Boards, as the Plan sponsor. Ordinarily these disclosures are limited to enrollment information and information necessary for administration of the Plans.

A Plan may disclose PHI to other health plans, health care providers, and health care clearinghouses (which translate electronic health information from one format to another) for purposes of their own provision of treatment, payment, or certain health care operation services (such as quality assurance, case management, care coordination, licensing, credentialing and the detection of fraud and abuse). Where the disclosure is to another

Plan covered by this Notice, disclosure is permitted for additional services related to that Plan’s operations (such as enrollment, auditing, legal services, business planning and development, management and administrative activities, and customer service).

In all situations, the Plans will limit PHI use, disclosure, or request to the minimum necessary to accomplish the intended purpose.

4. Under what circumstances will I receive notice of a breach of my PHI?

Pursuant to changes to HIPAA required by the Health Information Technology for Economic and Clinical Health Act of 2009 and its implementing regulations (collectively, “HITECH Act”) under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this Notice also reflects federal breach notification requirements imposed on the Plans in the event that your “unsecured” protected health information (as defined under the HITECH Act) is acquired by an unauthorized party.

We understand that medical information about you and your health is personal, and we are committed to protecting your medical information. Furthermore, we will notify you following the discovery of any “breach” of your unsecured protected health information as defined in the HITECH Act (the “Notice of Breach”). Your Notice of Breach will be in writing and provided via first-class mail, or alternatively, by email if you have previously agreed to receive such notices electronically. If the breach involves:

  • 10 or more individuals for whom we have insufficient or out-of-date contact information, then we will provide substitute individual Notice of Breach by either posting the notice on the Pension Boards website or by providing the notice in major print or broadcast media where the affected individuals likely reside.
  • Less than 10 individuals for whom we have insufficient or out-of-date contact information, then we will provide substitute Notice of Breach by an alternative form.

Your Notice of Breach shall be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and shall include, to the extent possible:

  • A description of the breach.
  • A description of the types of information that were involved in the breach.
  • The steps you should take to protect yourself from potential harm.
  • A brief description of what we are doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Our relevant contact information.

Additionally, for any substitute Notice of Breach provided via web posting or major print or broadcast media, the Notice of Breach shall include a toll-free number for you to contact us to determine if your protected health information was involved in the breach.

5. Under what other circumstances will my PHI be used or disclosed?

The Plans are also permitted to use or disclose your PHI, without obtaining a written authorization from you, in the following circumstances:

  • For certain required public health activities (such as reporting disease outbreaks);
  • To assist a relative, friend, or any other person you identify that is directly involved with your health care or payment for that care. For example, if a family member or caregiver calls us with prior knowledge of a claim and asks us to help verify the status of a claim, we may agree to help them confirm whether or not the claim has been received and paid;
  • To another health plan maintained by the Pension Boards for purposes of facilitating claims payments under the plan. In addition, medical information may be disclosed to the Pension Boards personnel solely for purposes of administering benefits under the Plans;
  • To prevent serious harm to you or other potential victims, where abuse, neglect or domestic violence is involved;
  • To a governmental agency for the purpose of conducting health oversight activities authorized by law;
  • In the course of any judicial or administrative proceeding in response to a court or administrative tribunal’s order, subpoena, discovery request or other lawful process;
  • For a law enforcement purpose (such as providing limited information to locate a missing person) to a law enforcement official if certain legal conditions are met;
  • To a coroner, medical examiner, or funeral director for purposes of carrying out his or her duties;
  • For certain organ, eye, or tissue donations;
  • For research studies (such as research related to the prevention of disease or disability) that meet other requirements designed to protect your privacy;
  • To avert a serious threat to the health or safety of you or any other person;
  • For specified government functions, such as intelligence activities and your care if you are imprisoned;
  • To the extent necessary to comply with laws and regulations related to workers’ compensation or similar programs; and
  • When otherwise required by law.
6. What if the circumstances described in items 4 and 5 do not apply?

If items 4 and 5 do not apply, the Plans may not use or disclose your PHI unless you authorize the use or disclosure in writing. As a result, uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI will be made only with your express written authorization. Please note that the Plans do not use your PHI for marketing or fundraising purposes. However, if the data that identifies you in the PHI is appropriately removed, this non-identifiable information may then be used or disclosed without your authorization.

Please remember, if you have questions or a problem relating to a claim, a network provider or other matter pertaining to a particular benefit option, you will typically be directed to an appropriate contact person with the relevant business associate or other vendor to resolve the matter. If it is necessary for the Pension Boards to assist you directly in resolving the issue, you will usually be required to complete an authorization form.

Also keep in mind that your family members will not automatically be provided with access to your PHI on their request. However, on request, the Plan will provide your PHI to any family member or other person who demonstrates that he or she is your personal representative or whom you appropriately authorize to have access to your PHI. In addition, Explanations of Benefits (“EOBs”) and other claim denials will continue to be sent to the employee or former employee who enrolls in a Plan.

7. How do I authorize a release of my PHI from a Plan?

You will need to complete a prescribed written authorization form. An authorization form is available on the Pension Boards’ website (www.pbucc.org) or by calling Member Services toll-free at 1.800.642.6543. you may revoke your authorization, in writing, at any time, and the revocation will be followed to the extent action on the authorization has not yet been taken.

8. Do state privacy laws also apply to PHI?

The privacy laws of a particular state or other federal laws might impose a more stringent privacy standard. If these more stringent laws apply and are not superseded by federal preemption rules, the Plans will comply with the more stringent law.

9. Can my genetic information be used for the Plans’ underwriting purposes?

No, the Plans are prohibited from using or disclosing PHI that is genetic information for underwriting purposes.

10. What are my individual rights with respect to my PHI?

You have the right to:

  • Inspect and obtain a copy of certain of your own PHI held by a Plan. Where you request PHI that the Plan holds electronically, the Plan will provide PHI to you in the form you request if it can readily produce the information in that form. If you wish the Plan to send PHI to another person, the Plan will do so if you submit a clear designation in a signed, written statement that includes appropriate identification and contact information for the designated person. For certain types of PHI and in certain situations, your request may be denied. For example, you may not obtain access to information compiled in reasonable anticipation of a trial or administrative proceeding.
  • We may deny your request to inspect and copy your PHI in very limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed. If the Plans do not maintain health information, but know where it is maintained, you will be informed of where to direct your request.
  • Request that a Plan amend certain of your records if you believe the information is incorrect or incomplete. Your request must specify the reasons for the amendment.
  • Receive a list of instances in which your PHI has been disclosed to other individuals or entities for reasons other than treatment, payment, or health care operations. Certain other exceptions apply. For example, a Plan does not need to account for disclosures that were made to you, that you have authorized in writing, or that occurred either before the effective date of this Notice or more than six years before your request. Your request should indicate in what form you want the list (for example, paper or electronic).

Notwithstanding the foregoing, you may request an accounting of disclosures of any “electronic health record” (that is, an electronic record of health-related information about you that is created, gathered, managed, and consulted by authorized health care clinicians and staff). To do so, however, you must submit your request and state a time period, which may be no longer than three years prior to the date on which the accounting is requested. In the case of any electronic heath record created on your behalf on or before January 1, 2009, this paragraph shall apply to disclosures made on or after January 1, 2014. In the case of any electronic health record created on your behalf after January 1, 2009, this paragraph shall apply to disclosures made on or after the later of January 1, 2011, or the date we acquired the electronic health record.

  • Request a paper copy of this Notice at any time, even if you have previously received it electronically.
  • Request a Plan to restrict its uses and disclosures of your PHI. You will be required to provide specific information as to the disclosures that you wish to restrict and the reasons for your request. The Plan is not required to agree to a requested restriction unless the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and the PHI pertains solely to a health care item or service for which you have paid the health care provider entirely out of your own pocket.
  • Request that a Plan’s confidential communications of your PHI be sent to another location or by alternative means. The Plan is not required to accommodate your request unless your request is reasonable, and you state clearly that the Plan’s ordinary communication process could endanger you. You will need to renew this request upon a change in your Plan options or administrators.

Certain administrative rules may apply to these individual rights. For example, you may be required to submit a request in writing or on a prescribed form, and you may be charged the cost of copying and postage. Your right to make a request does not necessarily mean that your request will be approved. Where a response to your request is appropriate, it will ordinarily be provided to you in writing.

To exercise your individual rights with respect to information held by the Plan administrator, you should write the Information Contact identified in item 11. We will not ask you the reason for any of these requests. We will accommodate all reasonable requests and your request should specify how or where you wish to be contacted.

Because most of your PHI under the Plans, particularly claims information, is held by your claims administrator, it will often make sense for you to contact that entity directly to obtain access to, amend, or receive an accounting of disclosures of your PHI.

11. How do I make a complaint if I think my rights have been violated?

You may file a complaint with the Plans’ Information Contact, identified below (see item 11), and with the Secretary of the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. Their contact information is available below. All complaints must be filed in writing. Federal law prohibits retaliation against any employee for filing a complaint.

12. Who is the Plans’ Information Contact?

If you have any questions about this Notice or a complaint relating to how your PHI is handled, please contact the Information Contact:

General Counsel and Corporate Secretary
The Pension Boards-United Church of Christ, Inc.
475 Riverside Drive
Room 1020
New York, NY 10115
212.729.2700

13. How do I contact the federal government if I want to make a complaint or inquiry?

To contact the Secretary of the U.S. Department of Health and Human Services, you may write to the regional office of the U.S. Department of Health and Human Services.

14. What is the effective date of this Notice?

The effective date of this version of the Notice is August 1, 2022.

15. Can this Notice be changed?

Each Plan reserves the right to change the terms of this Notice with respect to its privacy and information practices and to make the new provisions effective for all PHI it maintains, consistent with legal requirements. You will be informed of any material revisions to this Notice.