• The Plan Sponsor and the Plan will not use genetic information for underwriting purposes. For example, underwriting purposes will include determining eligibility, coverage, or payment under the Plan, with the exception of determining medical appropriateness of a treatment; • The Plan Sponsor will allow a Covered Person or this Plan to inspect and copy any PHI about the Covered Person contained in the Designated Record Set that is in the Plan Sponsor’s custody or control. The HIPAA Privacy Regulations set forth the rules that the Covered Person and the Plan must follow and also sets forth exceptions; • The Plan Sponsor will amend or correct, or make available to the Plan to amend or correct, any portion of the Covered Person’s PHI contained in the Designated Record Set to the extent permitted or required under the HIPAA Privacy Regulations; • The Plan Sponsor will keep a Disclosure log for certain types of Disclosures set forth in the HIPAA Regulations. Each Covered Person has the right to see the Disclosure log. The Plan Sponsor does not have to maintain a log if Disclosures are for certain Plan-related purposes such as Payment of benefits or Health Care Operations; • The Plan Sponsor will make its internal practices, books, and records related to the Use and Disclosure of a Covered Person’s PHI available to this Plan and to the Department of Health and Human Services or its designee for the purpose of determining this Plan's compliance with HIPAA; • The Plan Sponsor must, if feasible, return to this Plan or destroy all of a Covered Person’s PHI that the Plan Sponsor received from or on behalf of this Plan when the Plan Sponsor no longer needs the Covered Person’s PHI to administer this Plan. This includes all copies in any form, including any compilations derived from the PHI. If return or destruction is not feasible, the Plan Sponsor agrees to restrict and limit further Uses and Disclosures to the purposes that make the return or destruction infeasible; • The Plan Sponsor will provide that adequate separation exists between this Plan and the Plan Sponsor so that a Covered Person’s PHI (including Electronic PHI) will be used only for the purpose of Plan administration; and • The Plan Sponsor will use reasonable efforts to request only the minimum necessary type and amount of a Covered Person’s PHI to carry out functions for which the information is requested. The following Employees, classes of Employees, or other workforce members under the control of the Plan Sponsor may be given access to a Covered Person’s PHI for Plan Administrative Functions that the Plan Sponsor performs on behalf of the Plan as set forth in this section: Executive Director / Human Resources; Benefits Administrator This list includes every Employee, class of Employees, or other workforce members under the control of the Plan Sponsor who may receive a Covered Person’s PHI. If any of these Employees or workforce members Use or Disclose a Covered Person’s PHI in violation of the terms set forth in this section, the Employees or workforce members will be subject to disciplinary action and sanctions, including the possibility of termination of employment. If the Plan Sponsor becomes aware of any such violation, the Plan Sponsor will promptly report the violation to this Plan and will cooperate with the Plan to correct the violation, to impose the appropriate sanctions, and to mitigate any harmful effects to the Covered Person. DEFINITIONS Administrative Simplification is the section of the law that addresses electronic transactions, privacy, and security. The goals are to: • Improve efficiency and effectiveness of the health care system; • Standardize electronic data interchange of certain administrative transactions; -111- 7670-00-413597