Impact of Privacy Rules on Plan Documents

An employer who views Protected Health Information (PHI) must abide by a number of privacy rules. In addition, plan documents must be amended to reflect these requirements, which include:

1. An explanation of the permitted and required uses and disclosures of PHI.

2. A statement that the plan sponsor agrees to:

  • A. Not use or further disclose PHI other than as permitted or required by the plan document or as required by law.
  • B. Ensure that any agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the plan sponsor.
  • C. Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
  • D. Be vigilant of any use or disclosure of PHI that is inconsistent with the permitted or required uses or disclosures.
  • E. Make PHI available to individuals.
  • F. Provide individuals with the opportunity to amend PHI.
  • G. Provide individuals with an accounting of the disclosure of their PHI.
  • H. Make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for compliance purposes.
  • I. Return or destroy all PHI, if feasible.
  • J. Ensure that adequate separation exists between employees who are authorized to use PHI and those who are not. Describe those employees or classes of employees to be given access to the PHI. Restrict the access to and use by these employees. Provide an effective mechanism for resolving any issues of noncompliance by persons who have access to PHI.
  • K. The plan sponsor is required to provide a certification to the group health plan that the plan document has been amended to incorporate the above provisions. It appears that the plan sponsor must certify to itself that the plan documents have been amended.

Requirements for plan documents - ยง164.504(f)(2)