
ePHI Security Requirements

HIPAA also imposes certain obligations on the Plan Sponsor to secure protected health information when it is in an electronic format (called "ePHI"). In order for the Plan to disclose any ePHI to the Plan Sponsor, the Plan Sponsor must amend the Plan Document to incorporate certain provisions required under HIPAA. The Plan Sponsor hereby amends the Plan Document and agrees to be bound by the following requirements:

  1. The Plan Sponsor will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of the Plan, in accordance with 45 C.F.R. Parts 160, 162 and 164.

  2. The Plan Sponsor will make certain that the separation required under the HIPAA privacy requirements between employees and other workforce members who are permitted access to ePHI in performing Plan administrative functions and those under the Plan Sponsor's control who are not, is supported by reasonable and appropriate security measures.

  3. The Plan Sponsor will make certain that any third-party administrators or other entities providing services to the Plan (called business associates) and their subcontractors agree to implement reasonable and appropriate security measures to safeguard the ePHI in their possession or control.

  4. The Plan Sponsor will report any incident involving the security of ePHI to the Plan's Security Official as soon as reasonably possible.

  5. In the event of a breach of "unsecured" PHI, the Plan Sponsor will provide notification of the breach without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. Unsecured PHI is PHI that has not been secured through the use of a technology or methodology specified by the Secretary of Health and Human Services, such as encryption or destruction meeting the Secretary's guidance.