164.504(f)(2)    
10.6.2.
Plan documents of a group health plan must be amended to incorporate provisions to:
10.6.2.1.
Establish permitted and required uses/disclosures of health information by the plan sponsor in keeping with the requirements of the regulations;
10.6.2.2.
Provide that the group health plan will not disclose PHI to the plan sponsor until receipt of a certification from the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
10.6.2.2.1.
Only use or disclose the information as permitted or required by law;
10.6.2.2.2.
Ensure that any agents/subcontractors agree to the same restrictions and conditions relating to PHI;
10.6.2.2.3.
Not use/disclose PHI for employment-related actions/decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
10.6.2.2.4.
Report to the group health plan any unauthorized uses/disclosures of which it becomes aware;
10.6.2.2.5.
Make PHI available: for individual's access in accordance with 164.524 [¶ 8.1.], and for amendment in accordance with 164.526 [¶ 8.3.];
10.6.2.2.6.
Make necessary information available for accounting of disclosures in accordance with 164.528 [¶ 11.2.];
10.6.2.2.7.
Make internal practices and records relating to use/disclosure of PHI received from the group health plan available to the Secretary of HHS for compliance review of the group health plan;
10.6.2.2.8.
If feasible, return or destroy all PHI received once it is no longer needed; if return or destruction is not feasible, ensure that further use/disclosure is limited to the purposes that make return/destruction not feasible;
10.6.2.2.9.
Ensure establishment of adequate separation pursuant to 164.504(f)(2)(iii) [¶ 10.6.2.3.].
10.6.2.3.
Provide for adequate separation between the group health plan and the plan sponsor; plan documents must:
10.6.2.3.1.
Describe employees or classes of employees or persons under control of plan sponsor to be given access to PHI; must include all employees or persons who receive PHI relating to payment or other matters in the usual course of business;
10.6.2.3.2.
Restrict access to and use of PHI to plan administration functions performed on behalf of the group health plan; and
10.6.2.3.3.
Provide effective mechanism for resolving issues of noncompliance by such employees.
164.504(f)(3)
10.6.3.
Uses and disclosures by group health plans (GHP). GHPs are:
10.6.3.1.
Permitted to disclose PHI to plan sponsor to carry out plan administration functions consistent with the provisions of 164.504(f)(2) [¶ 10.6.2.];
10.6.3.2.
Not to permit a health insurance issuer or HMO for the group health plan to disclose PHI to plan sponsor except as permitted hereunder;
10.6.3.3.
Not to disclose, or permit a health insurance issuer or HMO to disclose, PHI to the plan sponsor as otherwise permitted hereunder unless a statement of such disclosure, as required by 164.520(b)(1)(iii)(C), is included in the privacy notice [¶ 4.2.3.3.];
10.6.3.4.
Not to disclose PHI to the plan sponsor for the purpose of employment-related actions/decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
164.504(g)    
10.7.
Requirements for CE with Multiple Covered Functions: A CE that performs multiple covered functions that would make the entity any combination of a health plan, a provider, or a health care clearinghouse:
10.7.1.
Must comply with the standards, requirements, and implementation specifications of the regulations as applicable to the covered functions performed; and
10.7.2.
May use or disclose PHI of individuals who receive the services of the health plan or provider, but not both, only for purposes related to the appropriate function being performed.
     
     
