17.3 CONDITIONS OF DISCLOSURE FOR PLAN ADMINISTRATION PURPOSES
SPD Navigation
With respect to any Protected Health Information disclosed to it by the Plan (other than Summary Health Information and information disclosed pursuant to a signed authorization that complies with the requirements of 45 CFR 164.508, which are not subject to these restrictions), the Board of Trustees shall:
- Not use or further disclose the Protected Health Information other than as permitted or required by the Plan or as required by law;
- Ensure that any agents, including a subcontractor, to whom it provides Protected Health Information received from the Plan agree to the same restrictions and conditions that apply to the Board of Trustees with respect to such information;
- Not use or disclose the Protected Health Information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Board of Trustees;
- Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
- Make available Protected Health Information of an individual to that individual, as required by 45 CFR § 164.524;
- Make available Protected Health Information for amendment and incorporate any amendments to Protected Health Information in accordance with 45 CFR § 164.526;
- Make available the information required to provide an accounting of disclosures as required by 45 CFR § 164.528
- Make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from the Plan available to the Secretary of Health and Human Services for purposes of determining compliance by the Plan with the HIPAA privacy regulations;
- If feasible, return or destroy all Protected Health Information received from the Plan that the Board of Trustees still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
- Ensure that the adequate separation required by 45 CFR § 164.504(f)(2)(iii) relating to the Plan and Board of Trustees is established.
Further, with respect to any Electronic Protected Health Information (other than Summary Health Information and information disclosed pursuant to a signed authorization that complies with the requirements of 45 CFR 164.508, which are not subject to these restrictions) that it creates, receives, maintains, or transmits on behalf of the Plan, the Board of Trustees shall:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Plan;
- Ensure that the adequate separation required by 45 CFR § 164.504(f)(2)(iii) relating to the Plan and Board of Trustees is supported by reasonable and appropriate security measures;
- Ensure that any agents, including a subcontractor, to whom it provides Electronic Protected Health Information agree to implement reasonable and appropriate security measures to protect the information; and
- Report to the Plan any Security Incident of which it becomes aware.