Cooperative of American Physicians, Inc. and Mutual Protection Trust Statement of Privacy Obligations

  • March 1, 2016

This Statement of Privacy Obligations (“Statement”) sets forth the policy of the Cooperative of American Physicians, Inc., Mutual Protection Trust, and their respective departments, committees, subsidiaries and affiliates (collectively, “CAP”), to safeguard the privacy and security of protected health information disclosed to CAP by, or created, maintained, sent, or received by CAP on behalf of CAP Members and Participants, in accordance with the Standards for Privacy of Individually Identifiable Health Information (Privacy Regulations) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their amendments, regulations, and regulatory guidance (collectively, “the HIPAA rules”). Depending upon the circumstance, CAP may or may not be acting in the capacity of a “Business Associate” with respect to the use or disclosure of Protected Health Information (“PHI”) received from a CAP Member or Participant acting as a “Covered Entity.” (Capitalized terms herein are defined in the HIPAA rules.) This Statement is intended to apply in the circumstance where the HIPAA rules, in addition to other laws, apply. Notwithstanding the foregoing, CAP’s adoption of this Statement should not be construed as an admission by CAP that it is acting in the capacity of a Business Associate with respect to such PHI or as a waiver of CAP’s rights to object to such designation.

A. Permitted Uses and Disclosures of Protected Health Information

CAP provides services for the operations of CAP Members and Participants that may involve the use and disclosure of PHI. These services may include, among others, quality assessment, quality improvement, outcomes evaluation, protocol and clinical guidelines development, review of the competence or qualifications of healthcare professionals, evaluation of practitioner and provider performance, training programs to improve the skills of healthcare practitioners and providers, credentialing, performance or arrangement of medical reviews, arrangement or direct provision of legal services, performance or arrangement of audits to improve compliance, resolution of internal grievances, placement of stop-loss and excess of loss insurance, and other functions necessary to perform these services (collectively, “Services”). Except as otherwise specified herein, CAP may make any uses and disclosures of PHI necessary to perform their obligations under the MPT Agreement and to provide additional CAP benefits. All other uses or disclosures not authorized or permitted or required by law are prohibited. Moreover, CAP may disclose PHI for the purposes authorized by this Statement: (i) to its employees, subcontractors, and agents, in accordance with Section B.6 below; (ii) as directed by the CAP Members and Participants; or (iii) as otherwise permitted by the terms of this Statement.

On-Demand Webinar: Key Strategies for Ensuring a Profitable Independent Practice
During this one-hour program, practice management expert Debra Phairas discusses how various business models and operational enhancements can increase revenue to help your practice remain successful in today’s competitive marketplace.
Watch Now

Additionally, unless otherwise limited herein, CAP is permitted to make the following uses and disclosures:

  1. Use PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of CAP, provided that such uses are permitted under state and federal confidentiality laws.
  2. Disclose PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of CAP, provided that (i) the disclosures are required by law; or (ii) CAP has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. §164.504(e)(4).
  3. Aggregate PHI of CAP Members and Participants that CAP has in its possession with PHI of other CAP Members and Participants, provided that the purpose of such aggregation is to provide the CAP Members and Participants with data analyses relating to the healthcare operations of the CAP Members and Participants. Under no circumstances may CAP disclose PHI of one CAP Member or Participant to another CAP Member or Participant absent the explicit authorization of the CAP Members and/or Participants concerned.
  4. De-identify any and all PHI provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that the CAP Member and/or Participant is sent the documentation required by 45 C.F.R. § 164.514(b), which shall be in the form of a written assurance from CAP. Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not subject to the terms of this Statement.
B. Responsibilities of CAP

With regard to the use and/or disclosure of PHI, CAP hereby agrees to do the following:

  1. Use and/or disclose PHI only as permitted or required by the Agreement or this Statement or as otherwise required by law.
  2. Report to CAP Members and/or Participants in writing: (i) any use and/or disclosure of the PHI that is not provided for by the Agreement or this Statement of which CAP becomes aware; (ii) any breach of unsecured PHI that CAP discovers, as required by 45 CFR 164.410; and/or (iii) any Security Incident of which CAP becomes aware. The timing of the report will be consistent with CAP’s legal obligations under the Breach Notification Rule and applicable state law.
    This Statement constitutes ongoing notice to CAP Members and Participants of unsuccessful Security Incidents that do not represent substantial risks to PHI, such as pings on our firewall, unsuccessful log-on attempts, or access to encrypted information without access to a key, and no further reporting is required.
  3. Following the discovery of a breach of unsecured PHI as defined under the HIPAA Rules, cooperate with and assist the CAP Member or Participant of such breach in complying with the breach notification requirements under 45 CFR § 164.410 without unreasonable delay.
  4. Mitigate, to the extent practicable, any harmful effect that is known to CAP of an unauthorized use and/or disclosure of PHI by CAP.
  5. Use reasonable and appropriate administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of electronic PHI that CAP creates, receives, maintains, or transmits on behalf of the CAP Members and Participants.
  6. To the extent commercially practicable, require all of its subcontractors and agents that undertake to perform the Services that CAP performs under the Agreement and that receive or use, or have access to PHI under the Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that CAP has adopted pursuant to this Statement.
  7. Unless prohibited by attorney-client and other applicable legal privileges or in violation of CAP’s contractual and other legal obligations to CAP Members and Participants, make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI to the Secretary of HHS for purposes of determining compliance with the Privacy Regulations.
  8. Honor any request from a CAP Member or Participant for information to assist in responding to an individual’s request for an accounting of disclosures of PHI by CAP. However, should a CAP Member or Participant be asked for an accounting of the disclosures of an individual’s PHI in accordance with 45 C.F.R. § 164.528, such accounting shall not include any disclosures by CAP to carry out the CAP Member’s and/or Participant’s healthcare operations or any other excepted disclosures described in 45 C.F.R. § 164.528.
  9. Upon notification of individual’s request to a CAP Member or Participant for access and/or amendment of PHI disclosed to CAP, assist the CAP Member or Participant to comply with their duties to the extent applicable under 45 C.F.R. §§ 164.524 and 164.526. However, CAP recognizes that, in some instances, PHI in CAP’s possession is not part of a Designated Record Set as that term is defined by 45 C.F.R. § 164.501; and/ or the information is exempt from access and amendment under 45 C.F.R. §§ 164.524(a) and 164.526(a)(2); and/or a request for access would violate or conflict with other contractual and legal rights of the CAP Members and Participants; and/or the request for amendment could be considered tampering with evidence in a civil or administrative proceeding.
C. Obligations of CAP Members and Participants

Each CAP Member and Participant:

  1. Agrees to timely notify CAP, in writing, of any arrangements between the CAP Member and/or Participant and the individual that is the subject of PHI that may impact the Use and/or Disclosure of that PHI by CAP under this Statement.
  2. Shall not request CAP to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done directly by the CAP Member or Participant.
  3. Represents that, to the extent the CAP Member and/or Participant provides PHI to CAP, such PHI is the minimum necessary PHI for the accomplishment of CAP’s purpose.
  4. Represents that, to the extent the CAP Member and/or Participant provides PHI to CAP, the CAP Member and/or Participant has already obtained the consents, authorizations and/or other forms of legal permission required under the HIPAA Rules and any other applicable law.
  5. Has implemented reasonable and appropriate measures to ensure that PHI and electronic PHI are disclosed, provided, or transmitted to CAP only in a secure manner including through the use of a technology or methodology specified by the Secretary in the guidance issued pursuant to the HITECH Act, or if such guidance is not issued within the time specified in the HITECH Act, by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals.
D. Terms and Termination
  1. Upon termination of the relationship with CAP, the protections of this Statement will remain in force and CAP shall:
    • Retain only that PHI which is necessary for CAP to continue its proper management and administration or to carry out its legal responsibilities;
    • Continue to use appropriate safeguards and comply with the HIPAA Rules with respect to electronic PHI to prevent use or disclosure of the PHI, for as long as CAP retains the PHI;
    • Not use or disclose the PHI retained by CAP other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section A above;
    • Return to the CAP Member or Participant, or where agreed upon, destroy the PHI retained by CAP when it is no longer needed by CAP for its proper management and administration or to carry out its legal or contractual responsibilities.
  2. The obligations of CAP under this Statement shall survive the termination of the relationship with CAP.