2.10 HIPAA Privacy
Background. The Plan's use and disclosure of health information is governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"). Protected health information ("PHI") that is transmitted electronically is "Electronic PHI." The Plan is a "Hybrid Entity" under HIPAA because it provides health benefits and non-health benefits. The rules of this section apply only to health benefits.
Use and Disclosure of PHI. The Plan (including EISB) will use PHI and Electronic PHI only to the extent of, and in accordance with, the uses and disclosures related to health care treatment, payment for health care and health care operations, and as required by law and permitted by authorization.
"Payment" involves Plan activities to obtain premiums or determine or fulfill coverage or benefit responsibilities including, but not limited to, eligibility determinations, enrollment, coordination of benefits, claims adjudication, subrogation, employee contributions, risk adjusting, billing, collection (including reports to consumer reporting agencies related to collection), claims management and related data processing, obtaining payment under a reinsurance contract, reviews of medical necessity, care or charges, and utilization review.
"Health care operations" include, but are not limited to, quality assessment, population-based activities to improve health or reduce health care costs, protocol development, case management, care coordination, disease management, communication regarding treatment alternatives, rating providers, rating plan performance, accreditation, certification, licensing, credentialing activities, underwriting, premium rating, creation, renewal or replacement of insurance including reinsurance, stop-loss and excess loss insurance, medical reviews, obtaining legal or auditing services, fraud and abuse detection, business planning, development and management, compliance with HIPAA administrative simplification, customer service, internal grievance resolution and compliance with ERISA (including preparation of required documents such as Forms 5500).
The Plan (including EISB) will disclose PHI to the Board only pursuant to an authorization or for Plan administration after receipt of a certification from the Board that this document contains these provisions. Any Trustee that does not comply with these provisions will receive appropriate sanctions.
With respect to PHI and Electronic PHI, the Board agrees to:
not use or further disclose the information other than as permitted or required by the Plan document or law;
ensure that any agents, including EISB, to whom the Board provides PHI and Electronic PHI agree to these restrictions and conditions;
not use or disclose the information for employment-related actions or decisions unless the use or disclosure is pursuant to an authorization;
not use or disclose the information in connection with any other benefit or employee benefit plan unless the use or disclosure is pursuant to an authorization;
report to the Plan any use or disclosure of the information that the Board is aware of and that is inconsistent with the allowable uses and disclosures;
make PHI and Electronic PHI available to the individual, for amendment, or for an accounting of non-routine disclosures in accordance with the requirements of HIPAA and HITECH;
incorporate amendments to PHI and Electronic PHI in accordance with HIPAA and HITECH;
report to affected individuals a breach of unsecured PHI;
make internal practices, books, and records relating to the use and disclosure of PHI and Electronic PHI received from the Plan available to the Secretary of Health and Human Services for the purpose of determining the Plan's compliance with HIPAA and HITECH;
ensure that the adequate separation between the Plan and the Board (i.e., the firewall) required by 45 CFR §504(f)(2)(iii) is established; and
if feasible, return or destroy all PHI and Electronic PHI received from the Plan (or copies) when the information is no longer needed; if not feasible, limit further use or disclosure to the purposes that make the return or destruction infeasible.
The Board further agrees that if it creates, receives, maintains, or transmits any Electronic PHI (other than information disclosed pursuant to a signed authorization that complies with the requirements of 45 CFR §164.508, which is not subject to these restrictions) on behalf of the Plan, it will:
implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Plan;
ensure that the firewall required by 45 CFR §504(f)(2)(iii) is supported by reasonable and appropriate security measures;
ensure that any agent, including a subcontractor, to whom it provides Electronic PHI agrees to implement reasonable and appropriate security measures to protect the information; and
appropriately address any security incident of which it becomes aware.