(c) The employees, classes of employees, or other workforce members identified above will be subject to disciplinary action and sanctions, including if appropriate, termination of employment or affiliation with Plan Sponsor, for any use or disclosure of protected health information in non-compliance with the provisions of the Plan Document. The Plan Sponsor will impose appropriate disciplinary action or sanctions on each employee or other workforce member causing the non-compliance and will work to mitigate any deleterious effect of the non-compliance on any participant or beneficiary.
Security of Electronic Protected Health Information HIPAA also imposes certain obligations on the Plan Sponsor to secure protected health information when it is in an electronic format (called “ePHI”). In order for the Plan to disclose any ePHI to the Plan Sponsor, the Plan Sponsor must amend the Plan Document to incorporate certain provisions required under HIPAA. The Plan Sponsor hereby amends the Plan Document and agrees to be bound by the following requirements:
The Plan Sponsor implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Plan in accordance with 45
F.R. Parts 160, 162, and 164.
The Plan Sponsor will make certain that the HIPAA privacy requirements, applicable to its employees and other workforce members under the control of the Plan Sponsor who are not allowed access to ePHI as part of their role in performing Plan administrative functions, are also supported by reasonable and appropriate security measures.
The Plan Sponsor will make certain that any third party administrators or other entities providing services to the Plan (called business associates) and their subcontractors agree to implement reasonable and appropriate security measures to safeguard the ePHI in their possession or control.
The Plan Sponsor will report any incident involving the security of ePHI to the Plan’s Security Official as soon as reasonably possible.