(A) As used in this rule:
(1) "Electronic protected health information" means protected health information that is transmitted by electronic media or maintained in electronic media.
(2) "Enrollment/disenrollment information" means information on whether the individual is participating in the health plan, or is enrolled in or has disenrolled from a health insurance issuer, health maintenance organization, or health insuring corporation offered by the plan.
(3) "Plan" means any health plan maintained by the Ohio public employees retirement system under the authority granted in section 145.58 of the Revised Code.
(4) "Plan administration functions" means administrative functions performed by the plan sponsor of a health plan on behalf of the health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.
(5) "Plan sponsor" means the Ohio public employees retirement system.
(6) "Protected health information" means individually identifiable health information that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium.
(7) "Summary health information" means information (a) that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health coverage under the plan; and (b) from which the information described at 42 C.F.R. Section 164.514(b)(2)(i), 67 F.R. 53270 (2002), has been deleted, except that the geographic information described in 42 C.F.R. Section 164.514(b)(2)(i)(B) need only be aggregated to the level of a five-digit ZIP code.
(B) The plan may disclose to the plan sponsor enrollment/disenrollment information at any time.
(C) The plan (or a health insurance issuer, health maintenance organization, or health insuring corporation with respect to the plan) may disclose summary health information to the plan sponsor, provided that the plan sponsor requests the summary health information for the purpose of (1) obtaining premium bids from health plans for providing health insurance coverage under the plan; or (2) modifying, amending, or terminating the plan.
(D)
(1) Unless otherwise permitted by law, and subject to the conditions of disclosure described in paragraph (E) of this rule and obtaining written certification pursuant to paragraph (G) of this rule, the plan (or a health insurance issuer, health maintenance organization, or health insuring corporation on behalf of the plan) may disclose protected health information and electronic protected health information to the plan sponsor, provided that the plan sponsor uses or discloses such protected health information and electronic protected health information only for plan administration purposes. "Plan administration purposes" means administration functions performed by the plan sponsor on behalf of the plan, such as quality assurance, claims processing, auditing, and monitoring and other administrative services related to the plan. Plan administration functions do not include functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor or any employment-related actions or decisions.
(2) Notwithstanding any provisions of this plan to the contrary, in no event shall the plan sponsor be permitted to use or disclose protected health information or electronic protected health information in a manner that is inconsistent with 45 C.F.R. Section 164.504(f), 68 F.R. 8381 (2003).
(E)
(1) Plan sponsor agrees that with respect to any protected health information (other than enrollment/disenrollment information and summary health information, and information disclosed pursuant to a signed authorization that complies with the requirements of 45 C.F.R. Section 164.508, 67 F.R. 53268 (2002), which are not subject to these restrictions) disclosed to it by the plan (or a health insurance issuer, health maintenance organization, or health insuring corporation on behalf of the plan), plan sponsor shall:
(a) Not use or further disclose the protected health information other than as permitted or required by the plan or as required by law;
(b) Ensure that any agent, including a subcontractor, to whom it provides protected health information received from the plan agrees to the same restrictions and conditions that apply to the plan sponsor with respect to protected health information;
(c) Not use or disclose the protected health information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
(d) Report to the plan any use or disclosure of the protected health information of which it becomes aware that is inconsistent with the uses or disclosures provided for;
(e) Make available protected health information to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") right to access in accordance with 45 C.F.R. Section 164.524, 67 F.R. 53271 (2002);
(f) Make available protected health information for amendment, and incorporate any amendments to protected health information, in accordance with 45 C.F.R. Section 164.526, 65 F.R. 82802 (2002);
(g) Make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. Section 164.528;
(h) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the plan available to the secretary of health and human services for purposes of determining compliance by the plan with HIPAA's privacy requirements;
(i) If feasible, return or destroy all protected health information received from the plan that the plan sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
(j) Ensure that the adequate separation between plan and plan sponsor (i.e., the firewall), required by 45 C.F.R. Section 164.504(f)(2)(iii), is established.
(2) Plan sponsor further agrees that if it creates, receives, maintains, or transmits any electronic protected health information (other than enrollment/disenrollment information and summary health information, and information disclosed pursuant to a signed authorization that complies with the requirements of 45 C.F.R. Section 164.508, which are not subject to these restrictions) on behalf of the plan, it will:
(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the plan;
(b) Ensure that the adequate separation between the plan and plan sponsor (i.e., the firewall), required by 45 C.F.R. Section 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(c) Ensure that any agent, including a subcontractor, to whom it provides electronic protected health information agrees to implement reasonable and appropriate security measures to protect the information; and
(d) Report to the plan any security incident of which it becomes aware, as follows: plan sponsor will report to the plan, with such frequency and at such times as agreed, the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify, or destroy electronic protected health information or to interfere with systems operations in an information system containing electronic protected health information; in addition, plan sponsor will report to the plan as soon as feasible any successful unauthorized access, use, disclosure, modification, or destruction of electronic protected health information or interference with systems operations in an information system containing electronic protected health information.
(F)
(1) The plan sponsor shall allow only those employees or other persons under the control of the plan sponsor who are involved in the administration of the health plan access to the protected health information. No other persons shall have access to protected health information. These specified employees (or classes of employees) shall only have access to and use of protected health information to the extent necessary to perform the plan administration functions that the plan sponsor performs for the plan. In the event that any of these specified employees does not comply with the provisions of this rule, that employee shall be subject to disciplinary action by the plan sponsor for non-compliance pursuant to the plan sponsor's employee discipline and termination procedures.
(2) The plan sponsor shall ensure that the provisions of this rule are supported by reasonable and appropriate security measures to the extent that the persons designated above create, receive, maintain, or transmit electronic protected health information on behalf of the plan.
(G) The plan (or a health insurance issuer, health maintenance organization, or health insuring corporation with respect to the plan) shall disclose protected health information to the plan sponsor only upon the receipt of a certification by the plan sponsor that the plan has been amended to incorporate the provisions of 45 C.F.R. Section 164.504(f)(2)(ii), and that the plan sponsor agrees to the conditions of disclosure set forth in paragraph (E) of this rule.