Laserfiche WebLink
<br />perform his or her duties with respect to the Plan. "Members of the Employer's <br />workforce" shall refer to all employees and other persons under the control of the <br />Employer. The Employer shall keep an updated list of those authorized to receive <br />Protected Health Information. <br /> <br />(1) An authorized member of the Employer's workforce who receives <br />Protected Health Information shall use or disclose the Protected Health <br />Information only to the extent necessary to perform his or her duties with <br />respect to the Plan. <br /> <br />(2) In the event that any member of the Employer's workforce uses or <br />discloses Protected Health Information other than as permitted by this <br />Section and the Privacy Standards, the incident shall be reported to the <br />Plan's privacy officer. The privacy officer shall take appropriate action, <br />including: <br /> <br />(i) investigation of the incident to determine whether the <br />breach occurred inadvertently, through negligence or deliberately; <br />whether there is a pattern of breaches; and the degree of harm <br />caused by the breach; <br /> <br />(ii) appropriate sanctions against the persons causing the <br />breach which, depending upon the nature of the breach, may <br />include oral or written reprimand, additional training, or termination <br />of employment; <br /> <br />(iii) mitigation of any harm caused by the breach, to the <br />extent practicable; and <br /> <br />(iv) documentation of the incident and all actions taken to <br />resolve the issue and mitigate any damages. <br /> <br />(e) Certification. The Employer must provide certification to the Plan <br />that it agrees to: <br /> <br />(1) Not use or further disclose the information other than as permitted <br />or required by the Plan documents or as required by law; <br /> <br />(2) Ensure that any agent or subcontractor, to whom it provides <br />Protected Health Information received from the Plan, agrees to the same <br />restrictions and conditions that apply to the Employer with respect to such <br />information; <br /> <br />(3) Not use or disclose Protected Health Information for employment- <br />related actions and decisions or in connection with any other benefit or <br />employee benefit plan of the Employer; <br /> <br />(4) Report to the Plan any use or disclosure of the Protected Health <br />Information of which it becomes aware that is inconsistent with the uses <br />or disclosures permitted by this Section, or required by law; <br /> <br />(5) Make available Protected Health Information to individual Plan <br />members in accordance with Section 164.524 of the Privacy Standards; <br /> <br />28 <br />