HIPAA ADMINISTRATIVE SIMPLIFICATION MEDICAL PRIVACY AND SECURITY PROVISION USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION UNDER HIPAA PRIVACY AND SECURITY REGULATIONS This Plan will Use a Covered Person’s Protected Health Information (PHI) to the extent of and in accordance with the Uses and Disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, this Plan will Use and Disclose a Covered Person’s PHI for purposes related to health care Treatment, Payment for health care, and Health Care Operations. Additionally, this Plan will Use and Disclose a Covered Person’s PHI as required by law and as permitted by authorization. This section establishes the terms under which the Plan may share a Covered Person’s PHI with the Plan Sponsor, and limits the Uses and Disclosures that the Plan Sponsor may make of a Covered Person’s PHI. This Plan will Disclose a Covered Person’s PHI to the Plan Sponsor only to the extent necessary for the purposes of the administrative functions of Treatment, Payment for health care, or Health Care Operations. The Plan Sponsor will Use and/or Disclose a Covered Person’s PHI only to the extent necessary for the administrative functions of Treatment, Payment for health care, or Health Care Operations that it performs on behalf of this Plan. This Plan agrees that it will Disclose a Covered Person’s PHI to the Plan Sponsor only upon receipt of a certification from the Plan Sponsor that the terms of this section have been adopted and that the Plan Sponsor agrees to abide by these terms. The Plan Sponsor is subject to all of the following restrictions that apply to the Use and Disclosure of a Covered Person’s PHI: • The Plan Sponsor will Use and Disclose a Covered Person's PHI (including Electronic PHI) only for Plan Administrative Functions, as required by law or as permitted under the HIPAA regulations. This Plan’s Notice of Privacy Practices also contains more information about permitted Uses and Disclosures of PHI under HIPAA; • The Plan Sponsor will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Plan; • The Plan Sponsor will require each of its subcontractors or agents to whom the Plan Sponsor may provide a Covered Person's PHI to agree to the same restrictions and conditions imposed on the Plan Sponsor with regard to a Covered Person's PHI; • The Plan Sponsor will ensure that each of its subcontractors or agents to whom the Plan Sponsor may provide Electronic PHI agree to implement reasonable and appropriate security measures to protect Electronic PHI; • The Plan Sponsor will not Use or Disclose PHI for employment-related actions and decisions or in connection with any other of the Plan Sponsor's benefits or Employee benefit plans; • The Plan Sponsor will promptly report to this Plan any breach or impermissible or improper Use or Disclosure of PHI not authorized by the Plan documents; • The Plan Sponsor will report to the Plan any breach or security incident with respect to Electronic PHI of which the Plan Sponsor becomes aware; -110- 7670-00-413597