Northwest Carpenters Health and Security Plan
HIPAA Privacy Plan Amendment
The Board of Trustees of the Northwest Carpenters Health and Security Plan hereby adopts the following amendment to all benefit plans maintained by the Trust. This amendment is intended to meet the requirements of 45 CFR § 164.504(f) which requires plan documents of group health plans be amended in order to disclose Protected Health Information to the Board of Trustees as plan sponsor, and 45 CFR § 164.314(b)(1) and (2) which require that plan documents ensure that the Board of Trustees as plan sponsor will reasonably and appropriately safeguard electronic Protected Health Information. Protected Health Information is information about a participant’s past, present or future physical or mental condition. The amendment shall be construed in accordance with the applicable laws and regulations. If the terms and conditions of any plan conflict with the amendment, the terms of the amendment shall control.
Use and Disclosure of Protected Health Information by Trustees
Trustees shall use and/or disclose Protected Health Information only to the extent necessary to perform the following plan administration functions, which are performed on behalf of the plan: to make or obtain payment; to facilitate treatment; to conduct health care operations; in connection with claims appeals, judicial and administrative proceedings; when legally required for law enforcement purposes; to consider plan amendments; to conduct plan oversight activities, including determination of proper funding, levels of reserves and contributions needed; to agencies to conduct public health and health oversight activities; to prevent or lessen a serious threat to health or safety; for specified government functions; to comply with laws related to workers’ compensation; or to a personal representative.
Disclosure of Protected Health Information to Trustees
The Trust shall disclose Protected Health Information to the Board of Trustees only to the extent necessary to perform the plan administrative functions; which may include any of the functions listed above.
Certification as to Electronic Protected Health Information
The Trustees certify to the following regarding electronic Protected Health Information:
- The Trustees will reasonably and appropriately safeguard electronic Protected Health Information created, received, maintained, or transmitted to or by the Trustees on behalf of the Trust.
- The Trustees will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that the Trustees create, receive, maintain, or transmit on behalf of the Trust.
- The Trustees will ensure that adequate separation required by 45 CFR § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures.
- The Trustees shall require that each of its subcontractors or agents that may create, receive, maintain or transmit electronic Protected Health Information agree to written contractual provisions which impose at least the same obligations in regard to electronic Protected Health Information as apply to the Trust, and agree to otherwise meet the requirements established by 45 CFR § 164.314(a).
- The Trustees collectively, and each Trustee individually, shall report to the Trust any security incident which it or the individual Trustee becomes aware.
Trustee Certification as to Use and Disclosure by Trustees
The Trust agrees that it will disclose Protected Health Information to the Board of Trustees only upon receipt of a Certification that this Amendment has been adopted and the Board of Trustees, as plan sponsor, agree to abide by such conditions. The Board of Trustees agrees to the following:
- Prohibition On Unauthorized Use or Disclosure of Protected Health Information. The Board of Trustees, as plan sponsor and each Trustee individually, agree to not use or disclose any Protected Health Information received from the plan, except as permitted in this Amendment or required by law.
- Subcontractors and Agents. The Board of Trustees will require each of their subcontractors or agents to whom they may provide Protected Health Information to agree to written contractual provisions that impose at least the same obligations to protect the use and disclosure of Protected Health Information as are imposed on the Board of Trustees.
- Permitted Purposes. The Board of Trustees, collectively and as individuals, will not use or disclose Protected Health Information for employment-related actions and decisions or in connection with any unrelated benefit or other employee benefit plan.
- Reporting. The Board of Trustees will, collectively or individually, report to the plan and its Privacy Officer any known impermissible or improper use or disclosure of Protected Health Information not authorized by this Amendment of which it becomes aware.
- Disclosure To Government Agencies. The Board of Trustees will make their internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the plan and to the Department of Health and Human Services (DHHS) or its designee for the purpose of determining the plan’s compliance with HIPAA.
- Return or Destruction of Health Information. When the Protected Health Information is no longer needed for the purpose for which disclosure was made, the Board of Trustees will, if feasible, return to the plan or destroy all Protected Health Information that the Board of Trustees, individually or collectively, received from or on behalf of the plan. This includes all copies in any form, including any compilations derived from the Protected Health Information. If return or destruction is not feasible, the Board of Trustees, individually and collectively, agree to restrict and limit further uses and disclosures to the purposes that make the return or destruction infeasible. This provision shall be interpreted in accordance with the record retention requirements of ERISA and Section 164.530(j)(2) of the Privacy Rule.
- Minimum Necessary Requests. The Board of Trustees will use its best efforts to request only the minimum necessary type and amount of Protected Health Information to carry out the functions for which the information is requested.
Trustee Certification as to Participant Rights
The Board of Trustees also certifies it will observe the following in regard to plan participants and their Protected Health Information:
- Access To Protected Health Information By Participants. The Board of Trustees will make Protected Health Information available to the plan to permit participants to inspect and copy their Protected Health Information contained in a designated record set.
- Amendment of Protected Health Information. The Board of Trustees will make a participant’s Protected Health Information available to the plan to permit participants to amend or correct Protected Health Information contained in a designated record set that is inaccurate or incomplete and the Trustees will incorporate amendments provided by the plan.
- Accounting of Protected Health Information. The Board of Trustees will make a participant’s Protected Health Information available to permit the plan to provide an accounting of disclosures.
- Adequate Separation. The Board of Trustees represent that adequate separation exists between the plan and the Board of Trustees, and that reasonable and appropriate security measures have been taken to ensure this separation, so that Protected Health Information will be used only for plan administration purposes. The following persons under the control of the Board of Trustees will have access to participants’ Protected Health Information for the purposes set forth under paragraph 1 above:
- Employees of the Trust with responsibility for claims administration.
- Employees with oversight responsibility for claims administration.
- Restriction To Access and Adequate Separation Certification. The Board of Trustees certifies that the individuals and entities identified above are the only ones that will have access to and use of participants’ Protected Health Information in regard to the uses and disclosure related to the plan sponsor’s function set forth in paragraph 1.
- Effective Mechanism For Resolving Issues of Noncompliance. The Board of Trustees certifies that any individual or entity described in paragraph 5(d) who suspects an improper use or disclosure of Protected Health Information or the occurrence of any security incident in regard to the creation, receipt, maintenance or transmittal of electronic Protected Health Information may report the occurrence to the plan’s Privacy Official at:
Carpenters Health and Security Trust of Western Washington
PO Box 1929
Seattle, WA 98111-1929
Last Updated: 01/03/2022