The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and
HIPAA Security Compliance of 2006
SUMMARY PLAN DESCRIPTION
EFFECTIVE APRIL 21, 2006
Employer Information
Plan Sponsor:Oak Ridge Associated Universities
Address:P.O. Box 117
Oak Ridge, TN 37831-0117
Privacy Official:Philip H. Sartell, Director, Compensation,Benefits, and HRIS
Security Official:Dennis L. Lindsey, Cyber Security Program Manager
Telephone Number(865) 576-3167
Employer ID Number62-0476816
Plan Number:501
Plan Providers Under
HIPAA:Blue Cross Blue Shield of Tennessee
Cariten
COBRAssist
Delta Dental
HealthCare 21
Vision Service Plan
Oak Ridge Associated Universities
Welfare Benefit Plan
Amendment to Plan Document and Summary Plan Description
to comply with the
Standards for Privacy of Individually Identifiable Health Information (the Privacy Standards) and
Standards for Security of Individually Identifiable Health Information (the Security Standards)
issued pursuant to
The Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA)
Effective: April 21, 2006
The Welfare Benefit Plan for Oak Ridge Associated Universities (the Plan), Plan Document and Summary Plan Description (the Plan Documents) are hereby amended to comply with HIPAA’s Privacy and Security Standards as follows:
1.Disclosure of Certain Enrollment Information to Designated ORAU Representatives
The Plan may disclose to Designated ORAU Representatives information on whether an individual is participating in the Plan, is enrolled in or has disenrolled from a health insurance issuer offered by the Plan.
2.Disclosure of Summary Health Information to Designated ORAU Representatives
The Plan may disclose Summary Health Information to Designated ORAU Representatives, provided the Summary Health Information is for the purpose of (a) obtaining premium bids from health plans for providing health insurance coverage under the Plan; or (b) modifying, amending, or terminating the Plan.
Summary Health Information means: information that (a) summarizes the claims history, claims expenses or type of claims experienced by individuals for whom a plan sponsor had provided health benefits under a Health Plan; and (b) from which the information described at 42 CFR 164.514(b)(2)(i) has been deleted, except that the geographic information described in 42 CFR 164.514(b)(2)(i)(B) need only be aggregated to the level of a five-digit zip code.
3.Permitted and Required Uses and Disclosure of Protected Health Information (PHI) for Plan Administrative Purposes
Unless otherwise permitted by law, and subject to the conditions of disclosure described in paragraph 4 and obtaining written certification pursuant to paragraph 6, the Plan (or a health insurance issuer on behalf of the Plan) may disclose PHI to Designated ORAU Representative, provided this PHI informationis used or disclosed only forPlan administration purposes. Plan administration purposes mean administration functions performed by Designated ORAU Representativeson behalf of the Plan, such as quality assurance, claims processing, auditing, and monitoring. Plan administration functions do not include functions performed by ORAUin connection with any other benefit or benefit plan of ORAU, and they do not include any employment-related functions.
Notwithstanding the provisions of this Plan to the contrary, in no event shall ORAU be permitted to use or disclose PHI in a manner that is inconsistent with 45 CFR 164.504(f).
4.Conditions of Disclosure for Plan Administration Purposes
ORAU agrees that with respect to any PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) disclosed to it by the Plan (or a health insurance issuer on behalf of the Plan), Designated ORAURepresentatives shall:
a.Not use or further disclose PHI other than as permitted or required by the Plan or as Required by Law;
b.Ensure that any agent, including a subcontractor, to whom it provides PHI received from the Plan agrees to the same restrictions and conditions that apply to ORAU with respect to PHI;
c.Not use or disclose the PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of ORAU, except pursuant to an authorization which meets the requirements of the Privacy Standards;
d.Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
e.Make available PHI to comply with HIPAA’s right to access in accordance with 45 CFR 164.524;
f.Make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 CFR 164.526;
g.Make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528;
h.Make its internal practices, books and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of the U.S. Department of Health and Human Services (DHHS) for purposes of determining compliance by the Plan with HIPAA’s privacy requirements;
i.If feasible, return or destroy all PHI received from the Plan thatDesignated ORAURepresentatives still maintain in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
j.Ensure that the adequate separation between Plan and Designated ORAU Representatives (i.e.,the firewall), required in 45 CFR 164.504(f)(2)(iii), is satisfied.
ORAU further agrees that if it creates, receives, maintains, or transmits any electronic PHI (ePHI) (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI, and it will ensure that any agents (including subcontractors) to whom it provides such ePHI agree to implement reasonable and appropriate security measures to protect the information. ORAUwill report to the Plan any security incident of which it becomes aware.
5.Adequate Separation Between Plan and ORAU
Designated ORAU Representatives in the following employee classificationswill be allowed access to PHI:
Corporate Director, Human ResourcesDirector, Business Support Services
Director, Compensation & Benefits Director, Education & Training
Director, Financial OperationsDirector, Information Services
VP Business Operations / CFOGeneral Counsel
Senior Benefits SpecialistChief Audit Officer
ControllerAccountant 2 (Payroll)
HR Assistant 2 (OCC Health)Auditor 2
HR Assistant 3 (CBIS)Occupational Health Nurse
Director, Employee Relations & DiversityHR Specialist 2
Cyber Security Program ManagerManager, Facilities Services
Administrative Clerk 2 (FM)Administrative Clerk 3 (FM)
No other persons shall have access to PHI. These Designated ORAU Representatives shall only have access to and use PHI to the extent necessary to perform the plan administration functions. In the event that any of these designated representatives do not comply with the provisions of this Section, that employee shall be subject to disciplinary action by ORAU for non-compliance pursuant to policy ORAU HR-900, Employee Corrective Action that includes discipline and termination procedures.
ORAU will ensure that the provisions of this paragraph 5 are supported by reasonable and appropriate security measures to the extent that the designees have access to ePHI.
6.Certification of ORAU
The Plan (or health insurance issuer with respect to the Plan) shall disclose PHI to Designated ORAU Representatives only upon receipt of a certification by ORAU that the Plan has been amended to incorporate the provisions of 45 CFR 164.504(f)(2)(ii), and that ORAU agrees to the conditions of disclosure set forth in paragraph 4 of this Section.
7.Other Disclosures and Uses of PHI
With respect to all other uses and disclosures of PHI, the Plan shall comply with the Privacy and Security Standards.
This Plan Amendment shall take effect the 21stday of April, 2006, and has been adopted by:
______
Philip H. Sartell, Director Compensation, Benefits, and HRISDate
1