(a) Application. If
the medical expense reimbursement spending account under the plan is subject to
the Standards for Privacy of Individually Identifiable Health Information (45
Code of Federal Regulations Part 164, the "Privacy Standards"), then this
section shall apply.
(b) Disclosure
of Protected Health Information. The plan shall not disclose Protected Health
Information to any member of the employer's workforce unless each of the
conditions set out in this section are met. "Protected Health Information"
shall have the same definition as set forth in the Privacy Standards
but generally shall mean individually identifiable information about the past,
present, or future physical or mental health or condition of an individual,
including information about treatment or payment for treatment.
(c) Protected Health Information disclosed
for administrative purposes. Protected Health Information disclosed to members
of the employer's workforce shall be used or disclosed by them only for
purposes of plan administrative functions. The plan's administrative functions
shall include all plan payment functions and health care operations. The terms
"payment" and "health care operations" shall have the same definitions as set
out in the Privacy Standards, but the term "payment" generally shall mean
activities taken to determine or fulfill plan responsibilities with respect to
eligibility, coverage, provision of benefits, or reimbursement for health care.
(d) Protected Health Information
disclosed to certain workforce members. The plan shall disclose Protected
Health Information only to members of the employer's workforce who are
authorized to receive the Protected Health Information, and only to the extent
and in the minimum amount necessary for that person to perform his or her
duties with respect to the plan. "Members of the employer's workforce"
shall refer to all employees and other persons under the control of the
employer. The employer shall keep an updated list of those authorized to
receive Protected Health Information.
(1) An
authorized member of the employer's workforce who receives Protected Health
Information shall use or disclose the Protected Health Information only to the
extent necessary to perform his or her duties with respect to the
plan.
(2) In the event that any
member of the employer's workforce uses or discloses Protected Health
Information other than as permitted by this section and the Privacy Standards,
the incident shall be reported to the plan's privacy officer. The privacy
officer shall take appropriate action, including:
(A) Investigation of the incident to
determine whether the breach occurred inadvertently, through negligence or
deliberately; whether there is a pattern of breaches; and the degree of harm
caused by the breach;
(B)
Appropriate sanctions against the persons causing the breach which, depending
upon the nature of the breach, may include oral or written reprimand,
additional training, or termination of employment;
(C) Mitigation of any harm caused by the
breach, to the extent practicable; and
(D) Documentation of the incident and all
actions taken to resolve the issue and mitigate any damages.
(e) Certification. The
employer must provide certification to the plan that it agrees to:
(1) Not use or further disclose the
information other than as permitted or required by the plan documents or as
required by law;
(2) Ensure that
any agent or subcontractor, to whom it provides Protected Health Information
received from the plan, agrees to the same restrictions and conditions that
apply to the employer with respect to the information;
(3) Not use or disclose Protected Health
Information for employment-related actions and decisions or in connection with
any other benefit or employee benefit plan of the employer;
(4) Report to the plan any use or disclosure
of the Protected Health Information of which it becomes aware that is
inconsistent with the uses or disclosures permitted by this section, or
required by law;
(5) Make available
Protected Health Information to individual plan members in accordance with
Section 164.524 of the Privacy Standards;
(6) Make available Protected Health
Information for amendment by individual plan members and incorporate any
amendments to Protected Health Information in accordance with Section 164.526
of the Privacy Standards;
(7) Make
available the Protected Health Information required to provide an accounting of
disclosures to individual plan members in accordance with Section 164.528 of
the Privacy Standards;
(8) Make its
internal practices, books, and records relating to the use and disclosure of
Protected Health Information received from the plan available to the United
States Department of Health and Human Services for purposes of determining
compliance by the plan with the Privacy Standards;
(9) If feasible, return or destroy all
Protected Health Information received from the plan that the employer still
maintains in any form, and retain no copies of the information when no longer
needed for the purpose for which disclosure was made, except that, if the
return or destruction is not feasible, limit further uses and disclosures to
those purposes that make the return or destruction of the information
infeasible; and
(10) Ensure
the adequate separation between the plan and members of the employer's
workforce, as required by Section 164.504(f)(2)(iii) of the Privacy
Standards and set out in subsection (d).