-
"Breach" means the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of such information as described in 45 C.F.R. § 164.402, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. It also includes, except as provided elsewhere in this paragraph 1.a., the unintentional loss or inadvertent disclosure of Personal Information, or the attempted or successful unauthorized access, use, disclosure, modification, destruction or transfer of Personal Information, or any other type of information security breach, loss, corruption or interference with system operations involving Personal Information. Breach does not include: (i) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of Supplier if such acquisition, access or use was made in good faith and within the course and scope of such employee's or individual's authority and does not result in further use or disclosure by any person in a manner not permitted by 45 C.F.R. § 164 Subpart E; or (ii) any inadvertent disclosure by an individual who is authorized to access PHI at a facility operated by Supplier to another individual authorized to access PHI at the same facility and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by 45 C.F.R. § 164 Subpart E.
-
"Breach Notification Rule" means the final regulatory provisions set forth at 45 C.F.R., Parts 160 and 164, Subparts A and D.
-
"CMS" means the Center for Medicare and Medicaid Services.
-
"Covered Entity Client" shall mean each of LSC Communications' clients that qualifies as a "Covered Entity" under 45 C.F.R. § 160.103.
-
"Designated Record Set" shall have the meaning as the term is defined in 45 C.F.R. § 164.501.
-
"Downstream Entity" means any party that enters into an agreement with a Delegated Entity or with another Downstream Entity for purposes of providing administrative or health care services related to the agreement between the Delegated Entity and the QHP Issuer. The term Downstream Entity is intended to reach the entity that directly provides administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents.
-
"Electronic PHI" means information that comes within paragraphs 1(i) or 1(ii) of the definition of PHI as defined in 45 C.F.R. § 160.103, limited to the information created or received by Supplier from or on behalf of LSC Communications.
-
"Exchange" means a governmental agency or non-profit entity that meets the applicable standards of 45 C.F.R. § 155, subpart D and makes QHPs (as defined below) available to individuals and employers. This term includes both state and Federally-facilitated Exchanges.
-
"GLBA" means the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and the regulations promulgated from time to time thereunder.
-
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and the final regulations promulgated by the U.S. Department of Health and Human Services from time to time thereunder.
-
"HITECH" means the Health Information Technology for Economic and Clinical Health Act as set forth in Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 and the final regulations promulgated by the U.S. Department of Health and Human Services from time to time thereunder.
-
"Individual" has the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include persons who qualify as a personal representative in accordance with 45 C.F.R. § 164.502(g).
-
"Massachusetts Data Security Law" means Massachusetts General Law Chapter 93H and the regulations promulgated from time to time thereunder.
-
"Personal Information" means any non-public information, whether in paper or electronic form, supplied by LSC Communications that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, address, social security number, driver's license or state identification card number, insurance policy number, financial or credit or account numbers (with or without any required security code, access code, personal identification number or password) or any other non-public personally identifiable information as defined by any Privacy Law.
-
"Privacy Laws" means HIPAA, HITECH, GLBA, the Massachusetts Data Security Law, the Privacy Principles and any other applicable privacy or data security laws, rules or regulations.
-
"Privacy Rule" means the final federal privacy regulations issued pursuant to HIPAA, as amended from time to time, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
-
"Privacy Principles" means the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce, the text of which may be available at ec.europa.eu/justice/data-protection/files/privacy.
-
"Protected Health Information" or "PHI" shall have the same meaning as the term "PHI" in 45 C.F.R. § 164.103, limited to the information created or received by Supplier from or on behalf of LSC Communications.
-
"Qualified Health Plan" or "QHP" means a health plan that has been certified that it meets the standards described in 45 C.F.R. § 156, subpart C, or that has been approved by the state Exchange through which such plan is offered.
-
"Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.
-
"Security Rule" means the final federal security regulations issued pursuant to HIPAA, as amended from time to time, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
-
"Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by guidance issued by the Secretary of the Department of Health and Human Services (the "Secretary").
All terms used in these Specifications that are not otherwise defined herein have the same meaning as those terms under the Privacy Laws. A reference in these Specifications to a section in a Privacy Law means the section as in effect or as amended from time to time.