Privacy & Security

Privacy & Security

Notice of Privacy Practices of the Panama Canal Area Benefit Plan



The Panama Canal Area Benefit Plan (PCABP) is committed to educating plan members about healthcare issues that affect them. As a result, we are providing you with general information about the Privacy Rule, a Federal regulation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) along with a brief overview of our Notice of Privacy. The Panama Canal Area Benefit Plan is complying with HIPAA’s regulations.

What is HIPAA and how does the Privacy Rule affect you?

When the “Health Insurance Portability and Accountability Act” (HIPAA) was passed in August of 1996, this gave the federal government the ability to mandate how healthcare plans, providers, and clearinghouses in United States store and send an individual’s personal information as it related to health care. The Privacy Rule was created to protect your rights as a member of the Panama Canal Area Benefit Plan. The Panama Canal Area Benefit Plan is a “covered entity” and is required by law to be compliant with this regulation. Some parts of the law also apply to companies and persons, known as “business associates”, that provide services to healthcare providers, clearinghouses or health plans.

PCABP, as the administrators of the Panama Canal Area Benefit Plan and responsible for a large volume of medical claims and medical assistance services, is a business associate and is required to comply with HIPAA.

Under the Privacy Rule you are guaranteed access to your medical records, allowed control over how your protected health information is used and disclosed and allowed to take action if your privacy is compromised by following the Panama Canal Area Benefit Plan’s policy. Our practice is dedicated to maintaining the privacy of your personal information.

Your right to access your protected health information

By law, you or your legal representative has the right to view and/or get copies of your protected health information from health care providers who treat you, or by health plans that pay for your care. You also have the right to have a provider or plan send copies of your information to a third party that you choose, such as other providers who treat you, a family member, a researcher, or a mobile “app” you use to manage your personal health information.

This includes:

  • Medical and billing records (except psychotherapy notes)
  • Information related to your enrollment in health plans
  • Claims and case management records

Any other records that contain information that doctors or health plans use to make decisions about you or others.

Your providers and plans should have an easy process for you to ask for your health information, and you should be able to ask for it at a time and place that’s convenient for you. You may have to fill out a health information “request” form, and pay a reasonable, cost-based fee for copies. Your providers or plans must tell you about the fee when you make the request. The fee can only be for the labor to make the copies, copying supplies, and postage (if needed). In most cases, you shouldn’t be charged for viewing, searching, downloading, or sending your information through an electronic portal.

Generally, you can get your information on paper or electronically. If your providers or plans store your information electronically, they generally must give you electronic copies unless there are security concerns. However, you do have a right to get your records through unencrypted email if you prefer.

You have the right to get your information as quickly as possible, but it may take up to 30 days to fill the request.

For more information, click Your Rights Under HIPAA. (>redirect to the following link -

What is Protected Health Information (PHI)?

Is any identifying information about an individual’s health or health care history such as family medical history, details of a recent visit to his/her doctor, etc… that is maintained or transmitted by a covered entity.

What is individually Identifiable Health Information (IIHI)?

Any health information you provide the Panama Canal Area Benefit Plan, including your mailing address. PHI is any information that is created and retained by our office or received by another healthcare provider that relates to treatment, payment and/or that identifies you as an individual.

What is the Notice of Privacy Practice?

The Panama Canal Area Benefit Plan has an official Notice of Privacy Practice posted in the front entrance of the offices informing the Panama Canal Area Benefit members about their rights surrounding the protection of your PHI and our obligations concerning the use and disclosure of your PHI. This notice applies to all records created or retained by PCABP, the Panama Canal Area Benefit Plan administrators. We can update our Notice of Privacy Practices at any time. It will be posted in the front entrance of our offices and you can ask for a copy of the current notice at any time.

The following categories describe the different ways in which we may use or disclose your IIHI:

  • Treatment
  • Payment
  • Health Care Operations
  • Treatment Options
  • Disclosures Required by law
  • Health-Related Benefits and Services
  • Release of Information to authorized Family/Friends

The following categories describe unique situations in which we may use or disclose your identifiable health information:

  • Public Health Risks
  • Deceased Patients
  • Military
  • Law Enforcement
  • Health Oversight Activities
  • Organ and Tissue Donation
  • National Security Inmates
  • Research
  • Lawsuits and Similar proceedings
  • Serious threats to health or safety
  • Workers’ Compensation

We will use your health information for plan administration.

Examples of Disclosure for Treatment, Payment and Health Care Operations.

What are your rights concerning Individually Identifiable Health Information (IIHI)?
You have rights regarding the PHI that we maintain about you. In our Notice of Privacy you can view the policies and procedures you will need to follow for the areas listed below.

  1. Confidential communications
  2. Requesting restrictions
  3. Inspection and copies of your health record
  4. Amendment your health record
  5. Accounting of disclosure of your health information
  6. Right to a paper copy of this notice upon request
  7. Right to file a complaint
  8. Right to provide an authorization for other uses and disclosures

Breach of Privacy

When using personal health information a health information custodian must exercise the highest level of care and must take reasonable steps to ensure that the individual personal health information is as accurate, and complete and up to date for the purpose which he / she uses the information.

Breaches of Privacy or misuse of PHI must be directed to the PCABP Chief Compliance Officer, who will notify member of breaches of information so that you can take appropriate protective steps, and will request patient to complete a form for filling a a complaint under the Personal Health Information Protection Act. The Chief Compliance Officer will attempt to mediate the members concern to resolve complaint. The Chief Compliance Officer along with the Medical Director must give resolution and how information was disclosed and a measurable manner on how to avoid breaches of

Complaint should be resolve no later than 30 days after receipt of the request.

In addition, PCABP may post a notice on the Panama Canal Area Benefit Plan website if a security breach occurs.

Change of Administrators

In the event of a change in administrators, Panama Canal Area Benefit Plan member information, including email addresses and postal addresses, will be transferred to a separate entity. All registered members will be notified of any change in administration by the AJAC Board, and may choose to modify any of their enrollment information at that time.

Administrators will use the Personal Health Information Protection Act to direct information to the AJAC Board who will guide measurable process on the protection of patient health information.


PCABP has made significant changes to our information systems, operations policies and procedures and business practices in order to comply with HIPAA.

Data Security:

PCABP as administrator of the Panama Canal Area Benefit Plan (PCABP) recognizes the confidential and privileged nature of information entrusted to them by their clients and is committed to ensuring the confidentiality, integrity, and availability of the data. It furthermore recognizes that security threats are always changing. To address this, PCABP maintains an effective and dynamic information security program. In addition to the requirements defined by Health Insurance Portability and Accountability Act (HIPAA), PCABP conducts annual risk analysis and has developed security guidelines following recommendations set forth by the National Institute of Standards and Technology (NIST). Other regulations and practices used by PCABP for the development of its security practices, evaluations, and threat identification are the following:

Gramm-Leach-Bliley Act of 1999
Payment Card Industry (PCI) Data Security Standard

For their versatility, superior technology and performance, and for the built in security features, PCABP uses the following devices:

USA: SANS, Microsoft Operating systems, Cisco Routers and Phones, with VOIP technology, and Hewlett Packard computing devices.

PANAMA: 3Com, Microsoft Operating systems, Cisco Routers and Phones, with VOIP technology, and Hewlett Packard computing devices.

Physical Security:

The Panama Canal Area Benefit Plan utilizes a combination of physical, technical, and policy safeguards to maintain its environment. Access to the PCABP office is controlled by a key and lock system, with electronic code pad. Only authorized employees are issued keys, other employees use the key pad to gain entry. In our Panama office, this security is controlled by a program that is capable of providing a record history by gate in order to audit employees that enter and leave the premises. Computers are placed to minimized screen visibility from reception area and meeting rooms. Automatic password protected screen savers have been activated to prevent unauthorized access to unattended workstations. Guests are only allowed to visit the operations center if prior approval had been authorized by the management team.

In the USA, employees can only gain entrance to PCABP offices with individually assigned unique key cards. While on duty employees are required to display a Company issued ID at all times. All entrances to PCABP premises are monitored and video taped 24/7. Visitors, contingent staff and vendors only allowed access to the PCABP office once they are signed in and the employee being visited is charged with their responsibility for the duration of their visit. All visitors are issued numbered visitor badges that reflect the visitor's name and employee being visited, and are required to visibly display the badge at all times while in the building. The PCABP Computer Room can be accessed only by authorized IT personnel with unique key cards assigned for that purpose.

When an enrollee calls or writes to our Customer Service Department in Panama, the PCABP collects contact information (name, phone number, mailing address or e-mail address) and only relevant information, as necessary, to assist an enrollee. This information is stored in Panama’s secured database system where it may be accessed by our designated agents for additional servicing.

PCABP takes every precaution to protect our members' information. Sensitive information received from members via our secure website, or by mail, is protected both online and off-line. Information request or payment request forms used to collect information over the web, are secured pages. These forms are encrypted and protected with the best encryption software in the industry - SSL. Our registration form for example, displays the lock icon on the bottom of Web browsers to ensure they are secure pages. SSL is also usually indicated by “https://” as opposed to “http://.”

While we use SSL encryption to protect sensitive information in the web and the mail address, we also do everything in our power to protect member information off-line. Information stored on tape are encrypted and stored off-line in a bank vault. Employee access to personally identifiable information is granted in accordance with PCABP. Employees access is granted based on the need to complete members’ requests.

All employees are kept up-to-date on any new security policy changes or updates. Policy changes are communicated by email, through our employee awareness training, or by posting on PCABP Intranet. Employees are constantly notified and/or reminded about the importance of PCABP places on privacy. Users are also aware about their duties and obligations to keep members information confidential and secure, and are trained on what they are expected to do to ensure our members' information is protected. Finally, PCABP servers housing individually Identifiable Health Information are kept in a secure and locked Computer Room that is restricted only to authorized personnel of the IT department.

PCABP reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Should we change our information practices, we will post an announcement online, in our member newsletters and in the front office of the change.

Paper Copy of this Notice

This notice is available on our website at However, you have a right to a paper copy of this notice and may receive a paper copy at any time. Please submit your request in writing to the address or email shown below.

If you have any questions regarding this notice or our health information privacy policies, please contact:

Chief Compliance Officer
122 South Michigan Ave., Suite 1100
Chicago, Illinois 60603

Complaints to The Panama Canal Area Benefit Plan Administrator’s office or Secretary must: (1) be filed in writing, either on paper or electronically; (2) specific details such as personnel involved and the date and location of the event of concern to you; and (3) be filed within 180 days of when you knew or should have known that the act or omission complained of occurred. This time limit may be waived for good cause shown. Complaints to the Secretary of Health and Human Services may be filed only with respect to alleged violations occurring on or after April 14, 2003.

The Secretary of Health and Human Services has delegated to the Office of Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to a violation of this federal regulation.Complaints can be filed in writing, fax or e-mail. You may visit the Secretary of Health and Human Services website at for complete details on how to file a complaint. Complaints may also be filed via e-mail at Individuals may, but are not required to, use OCR's Health Information Privacy Complaint Form. To obtain a copy of this form, or for more information about the Privacy Rule or how to file a complaint with OCR, contact any OCR office or go to


If you have questions or concerns about the Panama Canal Area Benefit Plan’s privacy policy, please e-mail us at: