Insert Company Logo

HIPAA Addendum to Plan Document – Health FSA Plan

This Addendum is made this day of ______, 20__, (“Effective Date”) by and between ______ (“Plan Sponsor”) and the Flexible Spending Account Administrator (“FSA Administrator”) of Plan Sponsor.

WHEREAS, Plan Sponsor has created a Flexible Spending Account to provide for pre-tax deferral of eligible health care and dependent care expenses for its employees and is therefore the Plan Sponsor of said Flexible Spending Account; and

WHEREAS, the creation of said Flexible Spending Account is evidenced by the Plan Document; and

WHEREAS, the FSA Administrator intends to disclose and allow the use of Protected Health Information (PHI) by the Plan Sponsor in order for the Plan Sponsor to carry out administrative functions associated with the Flexible Spending Account; and

WHEREAS, the Plan Sponsor desires to ensure that, with respect to the duties and obligations of the FSA Administrator and the Plan Sponsor, the minimum standards of privacy for each individual utilizing the services of the Flexible Spending Account are adhered to, pursuant to the Health Insurance Portability and Accountability Act of 1996 (referred to herein as “HIPAA”), and any applicable state laws.

In consideration of the promises and the mutual covenants and undertakings set forth in this Addendum, the FSA Administrator and the Plan Sponsor have executed this Addendum as of the date noted above.

1. Definitions

All capitalized terms contained in this Addendum shall have the meaning ascribed to them in the Addendum unless otherwise defined herein. In the event of any conflict between a definition as contained in this Addendum and a definition contained in 45 CFR 160.103, 45 CFR 164.501, 164.502 and 45 CFR 164.504 the definition contained in 45 CFR 160.103, 45 CFR 164.501, 164.502 and 45 CFR 164.504 shall govern.

a) Disclosure: “Disclosure” means the release, transfer, provision of access to or divulging in any other manner of information outside the entity holding the information for purposes other than treatment, payment or health care operations.

b) Flexible Spending Account: “Flexible Spending Account” shall have the same meaning as the term “health plan” in 45 CFR 160.103.

c) Individual: “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

d) Plan Administration Functions: “Plan Administration Functions” means administration functions performed by the Plan Sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the Plan Sponsor in connection with any other benefit or benefit plan of the Plan Sponsor (45 CFR 164.504).

e) Plan Document: means the document or documents that created the Flexible Spending Account.

f) Plan Sponsor: “Plan Sponsor” shall have the same meaning as the term “plan sponsor” in 45 CFR 164.

g) Privacy Rule: “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

h) Protected Health Information: “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

i) Required By Law: “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501.

j) Secretary: “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.

k) Use: “Use” means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

2. Obligations of the Plan Sponsor

The Plan Sponsor may Use PHI received from the FSA Administrator for the purpose of carrying out Flexible Spending Account administrative functions and only in a manner consistent with the following provisions:

a) The Plan Sponsor shall not Use or further Disclose PHI other than as permitted or required by the plan documents or as required by law;

b) The Plan Sponsor shall ensure that any agents, including a subcontractor, to whom it provides PHI received from the FSA Administrator agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;

c) The Plan Sponsor shall not Use or Disclose PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor;

d) The Plan Sponsor shall report to the FSA Administrator any Use or Disclosure of information that is inconsistent with the Uses or Disclosures provided for of which it becomes aware;

e) The Plan Sponsor shall make available PHI to Individuals in accordance with the Privacy Rule (§ 164.524);

f) The Plan Sponsor shall make available PHI for amendment and incorporate any amendments to PHI in accordance with the Privacy Rule (§164.526);

g) The Plan Sponsor shall make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule (§ 164.528);

h) The Plan Sponsor shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from the FSA Administrator available to the Secretary for purposes of determining compliance by the Flexible Spending Account with the Privacy Rule;

i) If feasible, the Plan Sponsor shall return or destroy all PHI received from the FSA Administrator that the Plan Sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which Disclosure was made, except that, if such return or destruction is not feasible, limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible;

j) The Plan Sponsor shall ensure that adequate separation exists between the FSA Administrator and the plan sponsor; and

k) In no event shall the Plan Sponsor Use or Disclose PHI in a manner that is inconsistent with the provisions of the Privacy Rule.

l) The Plan Sponsor will comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations to provide notification to affected individuals, Health and Human Services, and the media (when required) if we or one of our business associates discovers a breach of unsecured protected health information.

3. Obligations of the FSA Administrator

a) The FSA Administrator shall Disclose PHI to the Plan Sponsor to carry out plan administration functions that the Plan Sponsor performs only pursuant to the provisions of this Addendum and the Privacy Rule;

b) The FSA Administrator shall not Disclose PHI to the Plan Sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor; and

c) The FSA Administrator shall Disclose PHI to the Plan Sponsor only upon receipt of a certification from the Plan Sponsor that the plan documents have been amended to incorporate the relevant provisions of the Privacy Rule.

4. Separation Between the FSA Administrator and the Plan Sponsor

The employees or classes of employees or other persons under control of the Plan Sponsor set forth in Exhibit A of this Addendum are to be given access to the PHI to be disclosed to the Plan Sponsor. This description includes any and all employees of the Plan Sponsor who receive PHI from the FSA Administrator relating to payment under, health care operations of, or other matters pertaining to the FSA Administrator in the ordinary course of business.

The access of the employees or classes of employees or other persons under control of the Plan Sponsor as set forth in Exhibit A of this Addendum shall be restricted to the plan administration functions that the Plan Sponsor performs on behalf of the FSA Administrator.

5. Non-Compliance with this Addendum

If any of the employees identified in Exhibit A of this Addendum are found to have violated any of the provisions of this Addendum or of the Privacy Rule with respect to the Flexible Spending Account, or to have otherwise not complied with this Addendum or the Privacy Rule, then the Plan Sponsor shall amend Exhibit A to exclude such violating or non-compliant employee(s) from those persons who are authorized to access PHI on behalf of the Plan Sponsor. Alternatively, the Plan Sponsor may terminate any violating or non-compliant employee(s).

Upon learning of any violation or non-compliant action by an employee identified in Exhibit A of this Addendum, the Plan Sponsor shall take appropriate steps to mitigate any disclosure of PHI contrary to the provisions of this Addendum or the Privacy Rule that may have occurred as a result of said violation or non-compliant actions.

IN WITNESS WHEREOF, the FSA Administrator and the Plan Sponsor have caused this Addendum to be executed as of the date first referenced above.

Health Plan / Plan Sponsor
Signature / Signature
Name / Name
Title / Title
Date / Date

EXHIBIT A

Name or Class of Employee: All Human Resource Department staff members.

Function: Perform Human Resources and Employee Benefits administrative activities, among others.

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

Name or Class of Employee: ______

Function: ______

The Melita Group   Page 1   3/1/2013