2023 Archdiocese of Atlanta Meritain Group Plan Doc - Manual / Resource - Page 29
HIPAA SECURITY PRACTICES
Disclosure of Electronic Protected Health Information (“Electronic PHI”) to the Health Care Plan Sponsor for Health Care Plan Administration Functions
In accordance with HIPAA’s standards for security (the “security standards”), to enable the Health Care Plan
Sponsor to receive and use Electronic PHI for Health Care Plan administration functions (as defined in 45 CFR
§ 164.504(a)), the Health Care Plan Sponsor agrees to:
(1) Implement and maintain administrative, physical and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or
transmits on behalf of the Health Care Plan.
(2) Ensure that adequate separation between the Health Care Plan and the Health Care Plan Sponsor, as
required in 45 CFR § 164.504(f)(2)(iii), is supported by reasonable and appropriate Security Measures.
(3) Ensure that any agent, including any business associate or subcontractor, to whom the Health Care Plan
Sponsor provides Electronic PHI created, received, maintained or transmitted on behalf of the Health Care
Plan, agrees to implement reasonable and appropriate Security Measures to protect the Electronic PHI.
(4) Report to the Health Care Plan any Security Incident of which it becomes aware.
(5) The Health Care Plan Sponsor will promptly report to the Health Care Plan any breach of unsecured Protected
Health Information of which it becomes aware in a manner that will facilitate the Health Care Plan’s compliance
with the breach reporting requirements of the HITECH Act, based on regulations or other applicable guidance
issued by the Department of Health and Human Services.
Any terms not otherwise defined in this section shall have the meanings set forth in the security standards.