HIPAA Notice of Privacy Practices
Effective Date: September 30, 2024
Commonwealth Care Alliance, Inc., is required by law (i) to protect the privacy of your Medical Information (which includes behavioral health information); (ii) to provide you with this Notice of Privacy Practices explaining our legal duties and privacy practices with respect to Medical Information; and (iii) to notify you if your unencrypted Medical Information is affected by a breach.
We reserve the right to change this Notice and to make the changes effective for all Medical Information we maintain. If we make a material change to the Notice, we will (i) post the updated Notice on our website; (ii) post the updated Notice in each of Our Health Care Providers’ service locations; and (iii) make copies of the updated Notice available upon request. We will also send Our Health Plan Members information about the updated Notice and how to obtain the updated Notice (or a copy of the Notice) in the next annual mailing to Members. We are required to abide by the terms of the Notice that is currently in effect.
Contact Information: If you have questions about the information in this Notice or would like to exercise your rights or file a complaint, please contact:
Commonwealth Care Alliance, Inc.
Attention: Privacy and Security Officer
30 Winter Street, 11th Floor
Boston, MA 02108
Toll Free: 866-457-4953 (TTY 711)
SECTION 1: Companies to Which This Notice Applies
This Notice applies to Commonwealth Care Alliance, Inc., and its subsidiaries that are subject to the HIPAA Privacy Rule as “covered entities.” Some of these subsidiaries are “Our Health Plans”—companies that provide or pay for Medicare Advantage benefits, Medicaid benefits, or other health care benefits, such as a health insurer or HMO. Other subsidiaries are Our Health Care Providers (“Our Providers”) that furnish treatment to patients, such as primary care clinics.
This Notice describes how all of these entities use and disclose your Medical Information and your rights with respect to that information. In most cases, Our Health Plans use and disclose your Medical Information in the same ways as Our Providers and your rights to your Medical Information are the same. When there are differences, however, this Notice will explain those differences by describing how we treat Medical Information about a Health Plan’s Member differently than Medical Information about a Provider’s Patient.
The Health Plans and Providers to which this Notice applies include:
Our Health Plans
- Commonwealth Care Alliance One Care
- Commonwealth Care Alliance Massachusetts, LLC
- CCA Health Rhode Island, Inc.
- CCA Health Plans of California, Inc.
- CCA Health Michigan, Inc.
Our Health Care Providers
- Commonwealth Clinical Alliance, Inc.
- Boston’s Community Medical Group, Inc. d/b/a CCA Primary Care
- CCA Health Physician Organization
- instED®
- Marie’s Place
- Community Intensive Care, Inc.
SECTION 2: Information We Collect and Protect
Individuals are responsible for providing correct and complete Medical Information for Commonwealth Care Alliance, Inc., and its subsidiaries (CCA) to provide quality services. CCA is committed to protecting the confidentiality of individuals’ Medical Information that is collected or created, in physical, electronic, and oral form, as part of our operations and provision of services. When you interact with us through our services, we may collect Medical Information and other information from you, as described below.
Medical Information may include personal information, but it is all considered Medical Information when you provide it through or in connection with the services:
- We collect information, such as email addresses, personal, financial, or demographic information from you when you voluntarily provide us with such information, such as (but not limited to) when you contact us with inquiries, fill out online forms, respond to one of our surveys, respond to advertising or promotional material, register for access to our services, or use certain services.
Protected Health Information (PHI) we collect, use, and may share includes the following (PHI may be in oral, written, or electronic form):
- Your name, social security number, address, and date of birth
- Sex assigned at birth
- Race/ethnicity
- Language
- Health history
- Enrollment information with CCA
- Gender identity
- Sexual orientation, and
- Preferred pronouns.
SECTION 3: How We Use and Disclose Your Medical Information
This section of our Notice explains how we may use and disclose your Medical Information to provide healthcare, pay for healthcare, obtain payment for healthcare, and operate our business efficiently. This section also describes other circumstances in which we may use or disclose your Medical Information.
Our model of care requires that Our Health Plans and Our Health Care Providers work together with other healthcare providers to provide medical services to you. Our professional staff, physicians, and other care providers (referred to as a “Care Team”) have access to your Medical Information and share your information with each other as needed to perform treatment, payment, and healthcare operations as permitted by law.
Treatment: Our Providers may use a Patient’s Medical Information and we may disclose Medical Information to provide, coordinate, or manage your healthcare and related services. This may include communicating with other healthcare providers regarding your treatment and coordinating and managing your healthcare with others.
Example: You are being discharged from a hospital. Our nurse practitioner may disclose your Medical Information to a home health agency to make sure you get the services you need after discharge from the hospital.
Example: You select a Primary Care Provider. We may give your Primary Care Provider some information about you such as your telephone number, address, and that you prefer to speak Spanish so the PCP can contact you to schedule care or provide reminders.
Payment: We may use and disclose your Medical Information to pay for healthcare services you have received and to obtain payment from others for those services.
Example: To process and pay claims for health care services and treatment you received.
Your doctor may send Our Health Plan a claim for healthcare services furnished to you. The Health Plan may use that information to pay your doctor’s claim and it may disclose the Medical Information to Medicare or MassHealth when the Health Plan seeks payment for the services.
Example: To give information to a doctor or hospital to confirm your benefits.
Healthcare Operations: We may use and disclose your Medical Information to perform a variety of business activities that allow us to administer the benefits you are entitled to under Our Health Plan and the treatment furnished by Our Providers. For example, we may use or disclose your Medical Information to:
- Review and evaluate the skills, qualifications, and performance of healthcare providers treating you.
- Cooperate with other organizations that assess the quality of the care of others.
- Determine whether you are entitled to benefits under our coverage; however, we are prohibited by law from using your genetic information for underwriting purposes.
Some Examples of Ways We Use PHI:
- To review the quality of care and services you receive.
- To help you and provide you with educational and health improvement information and services, e.g. for conditions like diabetes.
- To inform you of additional services and programs that may be of interest to you and/or help you, e.g. a benefit to help pay for fitness classes.
- To remind you to get regular health assessments, screenings, or checkups.
- To develop quality improvement programs and initiatives, including creating, using, or sharing de-identified data as allowed by HIPAA.
- To investigate and prosecute cases, such as for fraud, waste, or abuse.
Joint Activities. Commonwealth Care Alliance, Inc., and its subsidiaries have an arrangement to work together to improve health and reduce costs. We may engage in similar arrangements with other health care providers and health plans. We may exchange your Medical Information with other participants in these arrangements for treatment, payment, and health care operations related to the joint activities of these “organized health care arrangements.”
Persons Involved in Your Care: We may disclose your Medical Information to a relative, close personal friend or any other person you identify as being involved in your care. For example, if you ask us to share your Medical Information with your spouse, we will disclose your Medical Information to your spouse. We may also disclose your Medical Information to these people if you are not available to agree and we determine it is in your best interests. In an emergency, we may use or disclose your Medical Information to a relative, another person involved in your care, or a disaster relief organization (such as the Red Cross), if we need to notify someone about your location or condition.
Required by Law: We will use and disclose your Medical Information whenever we are required by law to do so. For example:
- We will disclose Medical Information in response to a court order or in response to a subpoena.
- We will use or disclose Medical Information to help with a product recall or to report adverse reactions to medications.
- We will disclose Medical Information to a health oversight agency, which is an agency responsible for overseeing health plans, health care providers, the healthcare system generally, or certain government programs (such as Medicare and MassHealth).
- We will disclose an individual’s Medical Information to a person who qualifies as the individual’s Personal Representative. A “Personal Representative” has legal authority to act on behalf of the individual, such as a child’s parent or guardian, a person with a health care power of attorney, or a disabled individual’s court-appointed guardian.
Threat to health or safety: We may use or disclose your Medical Information if we believe it is necessary to prevent or lessen a serious threat to health or safety.
Public health activities: We may use or disclose your Medical Information for public health activities, such as investigating diseases, reporting child or domestic abuse and neglect, and monitoring drugs or devices regulated by the Food and Drug Administration.
Law enforcement: We may disclose Medical Information to a law enforcement official for specific, limited law enforcement purposes, such as disclosures of Medical Information about the victim of a crime or in response to a grand jury subpoena. We may also disclose Medical Information about an inmate to a correctional institution.
Coroners and others: We may disclose Medical Information to a coroner, medical examiner, or funeral director or to organizations that help with organ, eye, and tissue transplants.
Workers’ compensation: We may disclose Medical Information as authorized by and in compliance with workers’ compensation laws.
Research organizations: We may use or disclose your Medical Information for research that satisfies certain conditions about protecting the privacy of the Medical Information.
Certain government functions: We may use or disclose your Medical Information for certain government functions, including but not limited to military and veterans’ activities and national security and intelligence activities.
Business associates: We contract with vendors to perform functions on our behalf. We permit these “business associates” to collect, use, or disclose Medical Information on our behalf to perform these functions. We contractually obligate our business associates (and they are required by law) to provide the same privacy protections that we provide.
Fundraising Communications: We may use or disclose Medical Information for fundraising. If you receive a fundraising request from us (or on our behalf), you may opt out of future fundraising activities.
Additional Restrictions on Use and Disclosure Under State and Other Federal Laws: Some state or other federal laws may require special privacy protections that further restrict the use and disclosure of certain sensitive health information. Such laws may protect the following types of information:
- Alcohol and Substance Use Information
- Biometric Information
- Child or Adult Abuse or Neglect Information
- Domestic Violence Information
- Genetic Information
- HIV/AIDS Information
- Behavioral Health Information
- Reproductive Health and Abortion Information
- Sexually Transmitted Infection Information
Where state or other federal laws offer you greater privacy protections, we will follow the more stringent requirements, where they apply to us.
SECTION 4: Other Uses and Disclosures Require Your Prior Authorization
Except as described above, we will not use or disclose your Medical Information without your written permission (“authorization”). We may contact you to ask you to sign an authorization form for our uses and disclosures or you may contact us to disclose your Medical Information to another person and we will need to ask you to sign an authorization form.
If you sign a written authorization, you may later revoke (or cancel) your authorization. If you would like to revoke your authorization, you must do so in writing (send this to us using the Contact Information at the beginning of this Notice). If you revoke your authorization, we will stop using or disclosing your Medical Information based on the authorization except to the extent we have acted in reliance on the authorization. The following are uses or disclosures of your Medical Information for which we would need your written authorization:
- Use or disclosure for “marketing” purposes: We may only use or disclose your Medical Information for “marketing” purposes if we have your written authorization. We may, however, send you information about certain health-related products and services without your written authorization, as long as no one pays us to send the information.
- Sale of your Medical Information: Commonwealth Care Alliance, Inc., will not sell your Medical Information. If we did, we would need your written authorization.
- Use and disclosure of psychotherapy notes: Except for certain treatment, payment, and health care operations activities or as required by law, we may only use or disclose your psychotherapy notes if we have your written authorization.
We will not impermissibly use your Race, Ethnicity, Language, Disability Status, Gender Identity, or Sexual Orientation to:
- Determine benefits
- Pay claims
- Determine your cost or eligibility for benefits
- Discriminate against members for any reason
- Determine health care or administrative service availability or access
SECTION 5: You Have Rights with Respect to Your Medical Information
You have certain rights with respect to your Medical Information. To exercise any of these rights, you may contact us using the Contact Information at the beginning of this Notice.
Right to a Copy of this Notice: You have a right to receive a paper copy of our Notice of Privacy Practices at any time, even if you agreed to receive the Notice electronically.
Right to Access to Inspect and Copy: You have the right to inspect (see or review) and receive a copy or summary of your Medical Information we maintain in a “designated record set.” If we maintain this information in electronic form, you may obtain an electronic copy of these records. You may also instruct Our Health Care Providers to send an electronic copy of information we maintain about you in an Electronic Medical Record to a third party. You must provide us with a request for this access in writing. We may charge you a reasonable, cost-based fee to cover the costs of a copy of your Medical Information. In accordance with the HIPAA Privacy Rule and in very limited circumstances, we may deny this request. We will provide a denial in writing to you no later than 30 calendar days after the request (or no more than 60 calendar days if we notified you of an extension).
Right to Request Medical Information be Amended: If you believe that Medical Information we have is either inaccurate or incomplete, you have the right to request that we amend, correct, or add to your Medical Information. Your request must be in writing and include an explanation of why our information needs to be changed. If we agree, we will change your information. If we do not agree, we will provide an explanation with future disclosures of the information.
Right to an Accounting of Disclosures: You have the right to receive a list of certain disclosures we make of your Medical Information (“disclosure accounting”). The list will not include disclosures for treatment, payment, and healthcare operations, disclosures made more than six years ago, or certain other disclosures. We will provide one accounting each year for free but may charge a reasonable, cost-based fee if you ask for another one within 12 months. You must make a request for disclosure accounting in writing.
Right to Request Restrictions on Uses and Disclosures: You have the right to request that we limit how we use and disclose your Medical Information (i) for treatment, payment, and healthcare operations or (ii) to persons involved in your care. Except as described below, we do not have to agree to your requested restriction. If we do agree to your request, we will comply with your restrictions, unless the information is necessary for emergency treatment.
Our Health Care Providers must agree to your request to restrict disclosures of Medical Information if (i) the disclosures are for payment or healthcare operations (and are not required by law) and (ii) the information pertains solely to healthcare items or services for which you, or another person on your behalf (other than Our Health Plans) has paid in full.
Right to Request an Alternative Method of Contact: You have the right to request in writing that we contact you at a different location or using a different method. For example, you may prefer to have all written information mailed to your work address rather than to your home address or emailed to you.
Our Health Care Providers will agree to any reasonable request for alternative methods of contact.
SECTION 6: You May File a Complaint About Our Privacy Practices
If you believe your privacy rights have been violated, you may file a written complaint either with Commonwealth Care Alliance, Inc., or the U.S. Department of Health and Human Services.
Commonwealth Care Alliance, Inc., will not take any action against you or change the way we treat you in any way if you file a complaint.
To file a written complaint with or request more information from Commonwealth Care Alliance, Inc., contact us using the Contact Information at the beginning of this Notice.
SECTION 7: State-Specific Requirements
Massachusetts Immunization Information Systems: Our Providers are required to report vaccinations you receive to the Massachusetts Immunization Information System (MIIS). The MIIS is a statewide system to keep track of vaccination records and is managed by the Massachusetts Department of Public Health (MDPH). If you do not want your MIIS records shared with other healthcare providers, you must submit an Objection to Data Sharing Form to:
Massachusetts Immunization Information System (MIIS) Immunization Program
Massachusetts Department of Public Health
305 South Street
Jamaica Plain, MA 02130
SECTION 8: More Information on How CCA Implements Security Features on PHI
Commonwealth Care Alliance complies with the Health Insurance Portability and Accountability Act (HIPAA) in our handling of member personal health information (PHI). The efforts below broadly describe the actions CCA takes to secure that sensitive information.
Administrative Safeguards:
- Policies & Procedures. CCA implements reasonable policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule.
- Security management process. CCA implements policies and procedures to prevent, detect, contain, and correct security violations.
- Assigned security responsibility. The Chief Information Security Officer is responsible for the development and implementation of the security policies and procedures.
- Workforce security. Access to electronic PHI shall be restricted to only those Workforce members who need access to such records to perform their job responsibilities.
- Security awareness and training. CCA implements a privacy & security training, education, and awareness compliance program for all Workforce members (including board of directors).
- Security incident procedures. CCA implements policies and procedures to address privacy and security incidents.
- Contingency plan. CCA establishes policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI, which include backups and business response plans.
Physical Safeguards:
- Facility access controls. CCA has implemented policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
- Workstation security. CCA implements physical safeguards for all workstations that access electronic PHI, to restrict access to authorized users.
- Device and media controls. CCA implements policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within the facility.
Technical and Electronic Safeguards:
- Access control. CCA implements technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights.
- Audit controls. CCA implements hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
- Integrity. CCA implements policies and procedures to protect electronic PHI from improper alteration or destruction.
- Person or entity authentication. CCA implements procedures to verify that a person or entity seeking access to electronic PHI is the one claimed.
- Transmission security. CCA implements technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.