“12.08 HIPAA Privacy and Security Rules. The provisions of this Section 12.08 are effective April 14, 2003 with respect to the Privacy Rules (as defined below), and are effective April 20, 2005 with respect to the Security Rules (as defined below). This Section 12.08 contains the Plan provisions required by the Standards for Privacy of Individually Identifiable Health Information contained in 45 CFR §164.102 et seq. (the “Privacy Rules”) and Security Standards for the Protection of Electronic Protected Health Information contained in 45 CFR §164.302 et seq. (the “Security Rules”), each promulgated pursuant to Title II of the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). The Privacy Rules relate to the permitted use and disclosure of protected health information (“PHI”), as that term is defined in the Privacy Rules, by the Plan, or by certain health maintenance organizations or health insurers with respect to the Plan, to the Company (or any successor in interest thereto). The Security Rules relate to the security of PHI that is transmitted by electronic media or is maintained in electronic media (“Electronic PHI”), that is created, received, maintained, or transmitted on behalf of the Plan. Notwithstanding anything in this Plan to the contrary, the Plan shall be operated in accordance with HIPAA.”
“(1) The Plan may disclose to the Company “summary health information,” as that term is defined in the Privacy Rules, for the purpose of allowing the Company to (i) obtain bids from insurers for providing health insurance coverage under the Plan; or (ii) amend or terminate the Plan.”
“(3) The Plan may disclose an individual’s PHI to the Company if authorized by the individual to make such disclosure in accordance with the Privacy Rules.”
“(f) Security of Electronic PHI. The Plan will disclose PHI to the Company only if the Company agrees with respect to any Electronic PHI, that the Company will:
(1) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Plan;
(2) ensure that the adequate separation as required by the HIPAA Privacy Rules and as set forth in 45 CFR §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(3) ensure that any agent, including a subcontractor, to whom the Company may provide this information agrees to implement reasonable and appropriate security measures to protect the information; and
(4) report to the Plan any security incident of which the Company becomes aware.”
RAI Employee Benefits Committee
By: /s/ McDara P. Folan, III
Secretary