FIFTH
AMENDMENT TO
DYNEGY INC.
COMPREHENSIVE WELFARE BENEFITS PLAN
WHEREAS,
Dynegy Inc.
(“Dynegy”) and certain of its affiliates have
previously adopted the Dynegy Inc. Comprehensive Welfare Benefits
Plan (the “Plan”) which includes components that are
“group health plans” for purposes of the protected
health information privacy rules enacted under the Health Insurance
Portability and Accountability Act of 1996 (the “Act”)
and the regulations promulgated thereunder (the
“Regulations”); and
WHEREAS,
Dynegy
desires to amend the Plan with regard to certain privacy
requirements imposed under the Act and Regulations on behalf of
itself and all affiliates; and
WHEREAS,
the Plan is
a “hybrid entity,” as such term is defined in section
164.103 of the Regulations, which has designated those of its
components that constitute “health care components,” as
such term is defined in section 164.103 of the Regulations, has
documented such designation as required pursuant to section
164.105(c)(1) of the Regulations and has established adequate
separation between such health care components and the non-health
care components as required by section 164.504 of the Regulations
such that the terms of this Plan amendment shall only apply with
respect to the designated health care components of the Plan;
and
WHEREAS,
such
designated health care components of the Plan consist of the
following (as such components are identified on Appendix B to
the Plan document): the Dynegy Inc. Group Medical Plan, the Dynegy
Inc. Employee Assistance Plan, the Dynegy Inc. Health Care Spending
Account Program; the Dynegy Inc. Health Care Spending Account
Program for Employees Covered Under a Collective Bargaining
Agreement; and the medical benefits program of Medical and Group
Term Life Insurance Plan for Retirees and Surviving
Spouses;
NOW,
THEREFORE, the Plan
shall be and hereby is amended as follows, effective as hereinafter
provided:
1. Effective
as of April 14, 2003, Article XIV of the Plan is hereby
amended in its entirety to provide as follows:
“
ARTICLE XIV
RESTRICTIONS REGARDING
PROTECTED HEALTH INFORMATION
14.1
Purpose of Article. The purpose
of this Article XIV is to cause the Plan to comply with the
Act and the Regulations. This Article is to be construed and
interpreted in accordance with such purposes. Terms used in this
Article shall have the meanings set forth in the Regulations. In
the event of a conflict between a Plan definition of a term and
that provided in the Regulations, the definition in the Regulations
shall govern for purposes of this Article XIV.
14.2
Definitions. For
purposes of this Article XIV, the following terms shall have
the following meanings:
|
|
(A)
|
|
Act: The Health Insurance Portability
and Accountability Act of 1996.
|
|
|
|
|
|
|
|
(B)
|
|
Benefit Plans
Committee: The Dynegy Inc. Benefit Plans
Committee.
|
|
|
|
|
|
|
|
(C)
|
|
Business Associate
:
individual or entity,
other than an employee of the Employer, that provides services to
the Plan, such as a third party administrator, COBRA vendor or
utilization review organization.
|
|
|
|
|
|
|
|
(D)
|
|
Contact Person:
The person appointed to
serve as contact person pursuant to Section 14.8 and
Article III of the Manual for purposes of
complaints.
|
|
|
|
|
|
|
|
(E)
|
|
Health Component:
Any of the health
components of the Plan designated as such by the Benefit Plans
Committee consisting of: the Dynegy Inc. Group Medical Plan; the
Dynegy Inc. Employee Assistance Plan; the Dynegy Inc. Health Care
Spending Account Program; the Dynegy Inc. Health Care Spending
Account Program for Employees Covered Under a Collective Bargaining
Agreement; the medical benefits program of Medical and Group Term
Life Insurance Plan for Retirees and Surviving Spouses; and any
health maintenance organization offered as a benefit alternative
under the Plan.
|
|
|
|
|
|
|
|
(F)
|
|
Manual: The Dynegy Inc. Comprehensive
Welfare Benefits Plan Protected Health Information Policies and
Procedures.
|
-2-
|
|
(G)
|
|
Non-Health
Components: Components of the Plan other than
the Health Components.
|
|
|
|
|
|
|
|
(H)
|
|
PHI: Individually identifiable health
information which is protected pursuant to the Act and the
Regulations.
|
|
|
|
|
|
|
|
(H)
|
|
Privacy Officer:
The individual or
entity appointed to serve as the Plan’s Privacy Officer
pursuant to Section 14.7 and Article III of the
Manual.
|
|
|
|
|
|
|
|
(I)
|
|
Regulations:
The regulations
promulgated pursuant to the Act at 45 C.F.R. Parts 160 and 164,
Subpart E and, effective as of April 20, 2005, Subpart
C.
|
|
|
|
|
|
|
|
(J)
|
|
Security Officer:
Effective as of
April 20, 2005, the individual or entity appointed to serve as
the Plan’s Security Officer pursuant to
Section 14.10.
|
|
|
|
|
|
|
|
(K)
|
|
SHI: Information that summarizes the
claims history, claims expense or type of claims experienced by
covered persons under the Plan as such term is described in
Section 164.504 of the Regulations.
|
14.3
Provision of Information to the Employer Pursuant to
Authorization .
A Health
Component may at any time disclose to and the Employer may receive
from a Health Component PHI if such disclosure and use is pursuant
to and in accordance with a valid authorization from the individual
who is the subject of such information.
14.4
Provision of Summary Health Information to
Employer. The
Employer may receive from a Health Component and use PHI if the
information consists solely of SHI and only if the Employer
certifies to the fiduciaries of the Plan that the information is
being requested for one or more of the following:
|
|
(A)
|
|
For the purpose of enabling the
Employer to obtain premium bids from health insurers for providing
health insurance coverage under the Health Component;
|
|
|
|
|
|
|
|
(B)
|
|
For purposes of determining whether
and, if so, how to modify or amend the Health Component;
or
|
|
|
|
|
|
|
|
(C)
|
|
For purposes of determining whether
and, if so, how to terminate the Health Component, in whole or in
part.
|
-3-
14.5
General Provision of Health Information to
Employer. The
Employer may receive from a Health Component and use PHI if
(i) the Employer certifies in writing to the Plan’s
fiduciaries that the Plan incorporates the restrictive provisions
described in items (A) through (L) below with respect to
its Health Components and the separation requirements described in
Section 14.6 below and (ii) the Employer agrees to comply
with the following restrictions and requirements regarding the PHI
which is provided by a Health Component to the Employer:
|
|
(A)
|
|
The Employer will not use or
further disclose the information other than as permitted or
required by the Plan documents or as required by law or the
Regulations as set forth in the Manual;
|
|
|
|
|
|
|
|
(B)
|
|
The Employer will ensure that any
agents, including a subcontractor, to whom it provides PHI received
from a Health Component agree to the same restriction and
conditions that apply to the Employer with respect to such
information;
|
|
|
|
|
|
|
|
(C)
|
|
The Employer will not use or
disclose the information for employment-related actions and
decisions or in connection with any other benefit or employee
benefit plan of the Employer;
|
|
|
|
|
|
|
|
(D)
|
|
The Employer will report to the
Plan any use or disclosure of the information that is inconsistent
with the uses or disclosures provided for of which it becomes
aware;
|
|
|
|
|
|
|
|
(E)
|
|
The Employer will make PHI
available to Participants in accordance with Section 164.524 of the
Regulations as set forth in the Manual;
|
|
|
|
|
|
|
|
(F)
|
|
The Employer will provide
Participants with the right to amend their PHI and will incorporate
any amendments to PHI in accordance with Section 164.526 of
the Regulations as set forth in the Manual;
|
|
|
|
|
|
|
|
(G)
|
|
The Employer will provide to
Participants an accounting of disclosures of their PHI for reasons
other than treatment, payment or health’ care operations or
pursuant to an authorization in accordance with
Section 164.528 of the Regulations as set forth in the
Manual;
|
-4-
|
|
(H)
|
|
The Employer will make its internal
practices, books and records relating to the use and disclosure of
PHI received from a Health Component available to the Secretary of
Health and Human Services for purposes of determining compliance by
the Health Component with the Regulations;
|
|
|
|
|
|
|
|
(I)
|
|
If feasible, the Employer will
return or destroy all PHI received from a Health Component that the
Employer still maintains in any form and retain no copies of such
information when no longer needed for the purpose for which
disclosure was made or if such return or destruction is not
feasible, the Employer will limit further uses and disclosures to
those purposes that make the return or destruction of the
information infeasible;
|
|
|
|
|
|
|
|
(J)
|
|
The Employer will ensure the
adequate separation required pursuant to Section 14.6
below;
|
|
|
|
|
|
|
|
(K)
|
|
Effective as of April 20,
2005, the Employer will implement administrative, physical, and
technical safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of the electronic PHI
that it creates, receives, maintains or transmits on behalf of the
Plan (except with respect to enrollment and disenrollment
information, SHI and PHI disclosed pursuant to an authorization
under Section 164.508 of the Regulations) and shall ensure
that any agents (including subcontractors) to whom it provides such
electronic PHI agree to implement reasonable and appropriate
security measures to protect such information; and
|
|
|
|
|
|
|
|
(L)
|
|
Effective as of April 20,
2005, the Employer will report to the Plan any security incident of
which it becomes aware.
|
14.6
Adequate Separation .
At all
times, there shall be adequate separation between (i) the Health
Components and the Employer and (ii) the Health Components and
the Non-Health Components in accordance with the requirements
imposed pursuant to Section 164.504(f)(2)(iii) and
Section 164.105(a)(2)(ii) of the Regulations. In order to
comply with such adequate separation requirements:
|
|
(A)
|
|
The only employees, classes of
employees or other persons under the control of the Employer to be
given access to PHI disclosed to the Employer or who receive PHI
relating to treatment, payment under, health care operations of, or
other matters pertaining to a Health Component in the ordinary
course of business are those identified in new Appendix C to
the Plan, a copy of which is attached hereto. Appendix C to
the Plan may be revised and updated at the direction of the Privacy
Officer. Effective as of April 20, 2005, the Employer will
ensure that the provisions of this Section 14.5 are supported
by reasonable and appropriate security measures to the extent that
the designees have access to electronic PHI.
|
-5-
|
|
(B)
|
|
The access to and use by the
Employer and the other individuals and entities described in item
(A) above is restricted to (i) the Plan sponsor functions
with respect to which the Firm is entitled to receive SHI pursuant
to Section 14.4 above, (ii) uses and disclosures
described in an authorization by a Plan Participant,
(iii) uses and disclosures that are described to Plan
Participants in the Plan’s notice of privacy practices and
(iv) the Health Component administration functions that the
Employer performs in connection with the operation and
administration of the Health Component consisting of:
|
(i) Any
of the following activities of the Health Component:
|
|
(1)
|
|
conducting quality assessment and
improvement activities (provided that the obtaining of
generalizable knowledge is not the primary purpose of any studies
resulting from such activities) and related functions that do not
include medical treatment;
|
|
|
|
|
|
|
|
(2)
|
|
evaluating health plan
performance;
|
|
|
|
|
|
|
|
(3)
|
|
underwriting, premium rating, and
other activities relating to the creation, renewal or replacement
of a contract of health insurance or health benefits, and ceding,
securing, or placing a contract for reinsurance of risk relating to
claims for health care (including stop-loss insurance and excess of
loss insurance), provided that the requirements of
Section 164.514 of the Regulations are met, if
applicable;
|
-6-
|
|
(4)
|
|
conducting or arranging for medical
review, legal services, and auditing functions, including fraud and
abuse detection and compliance programs;
|
|
|
|
|
|
|
|
(5)
|
|
business planning and development,
such as conducting cost-management and planning-related analyses
related to managing and operating the Health Component, including
development or improvement of methods of payment or coverage
policies; and
|
|
|
|
|
|
|
|
(6)
|
|
business management and general
administrative activities of the Health Component, including, but
not limited to management activities relating to implementation of
and compliance with the requirements of the Act and the
Regulations; Health Component participant service activities,
including the provision of data analyses, provided that protected
health information is not disclosed unless such disclosure is
permissible under the Act and the Regulations; resolution of
internal grievances; consistent with the applicable requirements of
Section 164.514 of the Regulations, creation of deidentified
health information.
|
(ii) Activities
undertaken by the Health Component to obtain premiums or to
determine or fulfill its responsibility for coverage and provision
of benefits under the Health Component; or to obtain or provide
reimbursement for the provision of health care; and the following
activities to the extent they relate to the individual(s) to whom
health care is provided by the Health Component:
|
|
(1)
|
|
determinations of eligibility or
coverage (including coordination of benefits or the determination
of cost sharing amounts), and adjudication or subrogation of health
benefit claims;
|
-7-
|
|
(2)
|
|
risk adjusting amounts due based on
enrollee health status and demographic characteristics;
|
|
|
|
|
|
|
|
(3)
|
|
billing, claims management,
collection activities, obtaining payment under a contract for
reinsurance (including stop-loss insurance and excess of loss
insurance), and related health care data processing;
|
|
|
|
|
|
|
|
(4)
|
|
review of health care services with
respect to medical necessity, coverage under the Health Component,
appropriateness of care, or justification of charges;
|
|
|
|
|
|
|
|
(5)
|
|
utilization review activities,
including precertification and preauthorization of services,
concurrent and retrospective review of services; and
|
|
|
|
|
|
|
|
(6)
|
|
disclosure to consumer reporting
agencies of any of the following protected health information
relating to collection of premiums or reimbursement; name and
address; date of birth; social security number; payment history;
account number; and name and address of the health care provider
and/or the Health Component.
|
|
|
(C)
|
|
In the event that any person
described in item (A) of this section fails to comply with any
of the requirements of this section or of section 14.5 above, the
noncompliance shall be reported to the Plan’s Privacy Officer
in a report describing the name of the noncompliant person and a
summary of the details regarding such person’s noncompliance.
Upon receipt of such report, the Plan’s Privacy Officer shall
solicit a res
|
|
