DEL MONTE CORPORATION EXECUTIVE MEDICAL REIMBURSEMENT PLAN
Exhibit 10.68
DEL MONTE CORPORATION
EXECUTIVE MEDICAL REIMBURSEMENT PLAN
As amended and restated
Effective as of January 1, 2006
DEL MONTE CORPORATION
EXECUTIVE MEDICAL REIMBURSEMENT PLAN
The Del Monte Executive Medical Reimbursement Plan (the Plan) provides group health care benefits to certain, eligible executives and former executives of Del Monte Corporation and its parent, Del Monte Foods Company (the Company), as designated by the Compensation Committee of the Board of Directors of the Company. The plan year of the Plan is the calendar year.
This is a restatement of the Plan effective as of January 1, 2006. The Plan is intended to be a top hat welfare benefit plan providing benefits for a select group of management or highly compensated employees under DOL Reg. §2520.104-24.
The provisions of the Plan are contained in the following appendices, and the documents referenced therein, which are attached hereto and incorporated herein by reference:
| Appendix A - Administration, Amendment and Definitions |
| Appendix B - Plan Structure, Contributions and Funding |
| Appendix C - Construction and General Provisions |
| Appendix D - Eligibility and Participation |
| Appendix E - Component Plans |
| Appendix F - Annual Changes and Premiums |
| Appendix G - HIPAA Privacy Amendments |
This Plan has been approved by the Compensation Committee of the Board of Directors of the Company and the duly authorized officer executing this Plan as of this 28th day of June, 2006.
DEL MONTE CORPORATION | ||
By: | /s/ Mark J. Buxton | |
Title: | Vice President, Human Resources |
2
APPENDIX A
ADMINISTRATION AND AMENDMENT
1. Plan Administrator
(a) The Del Monte Corporation Compensation and Benefits Committee (Committee) shall be the plan administrator and shall have complete control of the administration of the Plan hereunder, with all powers necessary to enable it properly to carry out its duties as set forth by the Board and in the Plan and its documents.
(b) The Committee shall have the following duties and responsibilities, without limitation:
(1) to amend or modify the Plan or to undertake any correction of terms or actions regarding the Plan that may not have been in compliance, to bring the Benefit Plan into compliance with applicable law, including without limitation statutes, regulations, administrative pronouncements or judicial decisions;
(2) to cause the filing of all tax returns and other filings required by any government agency with respect to the Plan, to cause any communications to participants and beneficiaries required by law to be made, and to direct legal compliance of each Benefit Plan generally;
(3) to determine the eligibility for and benefits delivered under the Plan, and in connection therewith, to interpret the terms of the Plan, and to establish, revise and monitor procedures for determination of claims for benefits, and to make the final decision under any such claims procedure, unless otherwise duly delegated to another person or body;
(4) to engage service providers for the Plan, including, actuaries, accountants, insurance carriers, record keepers, third party administrators, consultants and other professionals;
(5) to modify, amend, terminate, merge or otherwise administer the Plan to comply with and carry out the terms and conditions of any written contract or agreement of sale or acquisition, duly authorized by the Board, of any subsidiary, division, line of business or other portion of the assets of the Company;
(6) to implement any decision of the Board to establish, modify or amend the Plan;
3
(7) to implement any decision of the Board to terminate the Plan, in whole or in part;
(8) to advise the Board with respect to changes in the Plan, including decreases or increases to benefits, the overall level of coverage or benefits, the benefit forms or options, the level of participant contribution rates, and the Companys contributions or funding, as necessary or appropriate;
(9) to delegate to the appropriate persons, committee, officer, manager or employee of the Company such of its duties and responsibilities as it may deem appropriate, including, without limitation, authority for all routine, normal and administrative actions for the Plan; and
(10) to take all other actions requested or directed by the Board in the furtherance of the duties and responsibilities delegated thereunder.
(c) The Committee shall conduct its business in accordance with rules and procedures it has established and in accordance with the directions of the Board.
2. Third Party Administrator and Insurers
(a) The Committee may appoint a third party administrator that is not an affiliate of the Company (the TPA) to act as an agent of the Plan, with such authority and duties with respect to the administration of the Plan as may be set forth in any written agreement with the TPA.
(b) To the extent that the Plans benefits are provided through a contract of insurance with an insurance company (an Insurer), the Committees discretionary and final authority with respect to benefits and claims for benefits shall be limited to issues, benefits and determinations not covered in the insurance contract, specifically not provided by the Insurer, or specifically reserved to the Committee or the Company under the insurance contract.
4
3. Indemnification. The Company shall indemnify each member of the Board, the Committee, and any other person to whom any fiduciary responsibility with respect to the Plan is allocated or delegated, from and against any and all liabilities, costs and expenses incurred by such persons as a result of any act or omission to act in connection with the performance of their fiduciary duties, responsibilities and obligations under the Plan and under law, except for liabilities and claims arising from such persons willful misconduct or gross negligence. For such purpose, the Company may obtain, pay for and keep current a policy or policies of insurance, which insurance, shall not, however, release the Company of liability under this provision.
4. Amendment; Appendix F. The Committee has the right at any time in its sole discretion to modify, alter, amend or terminate the Plan in whole or in part. Approval by the Committee of premium rates and other material changes for a plan year shall be approval of an amendment to Appendix F for such plan year without further action of the Committee.
5. Definitions. In addition to the definitions below, other terms are defined in the text of this Plan and in the Benefit Booklet incorporated herein by reference.
(a) COBRA : The Consolidated Omnibus Budget Reconciliation Act of 1985, as amended from time to time.
(b) Code: The Internal Revenue Code of 1986, as amended from time to time.
(c) Company: Del Monte Corporation. For purposes of Appendix D, reference to Company means Del Monte Corporation and any entity affiliated with the Company pursuant to Code Sections 414(b), (c), (m), (n) or (o) that may be an employer of a designated executive.
(d) Executive: an individual who is (1) classified as an employee by the Company and (2) receiving remuneration for personal services rendered in the United States or on a leave of absence authorized by the Company or on assignment outside the United States but covered by group health insurance written or administered in the United States, and (3) a select officer, member of management or highly compensated individual designated for coverage under this Plan by the Committee.
(e) HIPAA: Health Insurance Portability and Accountability Act of 1966, as amended.
(f) Benefit Booklet: A description, including any related summary or modification prepared and distributed to eligible Executives describing the Plan, its terms and conditions.
5
APPENDIX B
PLAN STRUCTURE, CONTRIBUTIONS AND FUNDING
1. Insured Plan The Plan consists of one or more Component Plans, as set forth in Appendix E. A Component Plan may be an Insured Plan. The Plan Administrator designates each plan or arrangement under the Plan that is a Component Plan. For purposes of the Plan:
(a) An Insured Plan means a plan that provides group health benefits on a basis that is considered insurance under a contract issued in accordance with applicable state insurance laws.
(b) A Self-Insured Plan means a plan that provides group health benefits on a basis that is considered self-insurance pursuant to Code section 105(h).
(c) A Component Plan means an Insured Plan, or a portion thereof that provides for eligibility and/or participation requirements separately from another plan or group, as designated by the Committee.
2. Supplemental Plan. The Plan is designed to supplement benefit provided to the Executive and covered dependents after group health benefits have been provided under any of the Companys group health plans or a group health plan covering any dependents. The Plan provides benefits for covered services and supplies as medically necessary, as provided under the Component Plan, without payment of deductible, co-pay and not subject to annual limits.
3. Contributions and Funding
(a) The premium and other cost of each Component Plan shall be paid by the Company, subject to contributions made by participants, if any are required. Cost includes expenses for benefits and administration. Participant contributions, if any, shall be expended before Company contributions. The method of funding each Component Plan will be determined by the Company.
(b) For each Plan Year or other designated period applicable to a Component Plan, the Company will establish the level of participant contributions, if any. In addition, the Company will also establish the level of contributions for COBRA coverage within the applicable rules under COBRA. Participant contribution levels, if and as required, are set forth on Appendix F.
6
APPENDIX C
CONSTRUCTION AND GENERAL PROVISIONS
1. Construction of the Plan. This Plan will be construed in accordance with this section.
(a) Applicable Law: The provisions of the Plan will be construed and administered according to, and its validity and enforceability determined under ERISA. In the event ERISA does not preempt state law in a particular circumstance, the laws of the State of California shall govern.
(b) Order of Application: In determining and construing the provisions of the Plan applicable to any particular person or situation, the following shall be used in order of descending precedence:
(i) This Plan document, to the extent it addresses a matter not addressed in the applicable Benefit Booklet or to the extent it supplements or clarifies the applicable Benefit Booklet;
(ii) The applicable insurance policy;
(iii) The applicable Benefit Booklet;
(iv) Annual enrollment materials, as recognized for this purpose by the Plan Administrator (Recognized Enrollment Materials);
(v) The records of the Employer for factual matters;
(vi) The Plan Administrators prior decisions and interpretations; and
(vii) The procedures, polices and guidelines of the applicable claims or contract administrator.
Notwithstanding the foregoing, Recognized Enrollment Materials shall take precedence over the applicable Benefit Booklet when:
(A) such Benefit Booklet has not yet been updated to reflect changes in benefits or procedures applicable to the period of coverage in which the event or condition occurs;
(B) the Recognized Enrollment Materials have been updated for the applicable period of coverage in which the event or condition occurs; and
(C) the Recognized Enrollment Materials describe a clear alteration of benefits or procedures relative to the applicable Benefit Booklet.
7
(c) Severability: If any provision of this Plan is, or is hereafter declared to be, void, voidable, invalid or otherwise unlawful, the remainder of the Plan will not be affected thereby.
(d) Amendment: Notwithstanding any other provision of the Plan, it is expressly permissible for the Company to clarify the terms of this Plan, even retroactively, by an amendment accomplishing a good faith correction of any typographical error, omission or inadvertent ambiguity.
2. Facilitating Payments. If a guardian, conservator or other legal representative has been duly appointed for a Participant who is entitled to any payment under the Plan, any such payment may be made to the legal representative making the claim, and such payment shall be in complete discharge of any further obligation of the Plan and the Company in connection with said claim. If any benefits of this Plan shall be payable to the estate of a Participant or to an individual who is a minor or otherwise not competent to give a valid release, the Plan may pay such benefits to any relative or other person or persons whom the Plan determines to have accepted competent responsibility for the care of such individual or otherwise required by law. Any payment made by the Plan in good faith pursuant to this provision shall fully discharge the Plan and the Company in connection with such benefit.
3. Legal Compliance. To the extent required by law, the Plan is intended to comply with COBRA, including providing continuation coverage, with HIPPA, including providing certificates of creditable coverage, privacy procedures and electronic transmission of data and to comply with all other applicable federal and state laws. The Plan will honor a valid qualified medical child support order (QMCSO) and shall establish procedures for the determination of such.
4. No Employment Contract. Nothing in this Plan shall be construed as a contract of employment or any promise of continued employment for any Executive or individual and in no way interferes with the Companys right to terminate any Executives employment at any time.
8
APPENDIX D
ELIGIBILITY AND PARTICIPATION
1. General Eligibility
(1) An individual is eligible to participate in the Plan if the individual:
(i) is an Executive of the Company or any affiliate, designated by the Committee;
(ii) is eligible for the Plan under the terms of the Benefit Booklet or enrollment materials;
(iii) has made the proper elections for participation and contributions, if any, to the Plan.
(2) An individual who is a dependent of an eligible Executive may be covered by the Plan in accordance with the terms of the Benefit Booklet.
2. Ineligible Individuals. No person is eligible for the Plan unless specifically designated by the Committee and unless the person is, or has been, an Executive. All other employees and individuals are not eligible for the Plan.
4. Participation. Participation is conditioned on an eligible Executives cooperation with the Committee and any TPA. Either the Committee or any TPA may suspend benefits or participation for any participant or dependent who fails to cooperate.
5. Special Participation. To the extent provided in a severance pay plan of the Company or the Companys employment or termination agreement with a Participant providing for severance pay and/or a general release of claims against the Company (Severance Pay Arrangement), a Participant who qualifies for participation in such Severance Pay Arrangement may be covered under this Plan beyond the date such Participant would otherwise have terminated participation.
6. Participation on Acquisition or Divestiture. To the extent provided in the written agreement(s) of acquisition or sale of a business between the Company and a third party with respect to the participation and benefits (including, for example, any adjustment for deductibles or annual limits), the Plan shall be deemed to have been amended by such written agreement(s).
7. COBRA Coverage and Workers Compensation. To the extent required by law, an individual who is eligible for COBRA coverage and who properly elects and maintains COBRA Coverage participates in the Plan. This Plan is separate from and does not affect or provide for coverage under any state workers compensation insurance laws.
9
APPENDIX E
PLAN BENEFITS
5. The Plan is intended to pay benefits after the applicable group health plan(s) covering the Executive and/or the Executives spouse and dependents have determined and paid group health benefits. The coverage terms of the Plan are described in a Benefit Booklet, issued from time to time by the insurer, as identified below. Each Benefit Booklet is incorporated in the Plan by reference.
6. Plan as of January 1, 2006: Benefit Booklet dated January 1, 2006, designated WL23692-1 1205 by the insurer; Insurance policy WL 23692-1 issued by BC Life & Health Insurance Company.
10
APPENDIX F
ANNUAL CHANGES AND PREMIUMS
1. The enrollment materials and employee announcements incorporated by reference into this Appendix F for the year indicated set forth the premiums, if any, and terms of a Component Plan not set forth in that Component Plans Benefit Booklet.
2. 2006 Materials: as retained by the Manager, Benefits Administration for 2006 enrollments, Benefits Booklet dated January 1, 2006.
11
APPENDIX G
HIPAA PRIVACY AMENDMENTS
1. General. The Plan shall comply with the standards for privacy of individually identifiable health information as set forth under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued thereunder (referred to herein as the Privacy Rule) and shall comply with the standards for security of electronic protected health information as set forth under HIPAA and the regulations thereunder (referred to herein as the Security Rule). This Appendix G was first effective as of April 14, 2003 and, as revised, is effective as of April 20, 2005.
2. Definitions. The following words and phrases, with the initial letter of each word capitalized, shall have the meanings indicated below for purposes of this Appendix.
(a) Electronic Protected Health Information or Electronic PHI means PHI that is transmitted by or maintained in electronic media.
(b) Employee Health Plan, as defined under 45 C.F.R. § 160.103, shall mean an employee welfare benefit plan to the extent that the plan provides medical care to employees or their dependents directly or through insurance, reimbursement, or otherwise, that (1) has 50 or more participants, or (2) is administered by an entity other than the employer that established and maintains the plan.
(c) Health Care Operations, as defined under 45 C.F.R. § 160.501, shall mean any of the following activities to the extent that they are related to an Employee Health Plans covered functions:
(1) | Conducting quality assessment and improvement activities; population-based activities related to health improvement, reduction of health care costs, case management and care coordination; contacting health care providers and patients regarding treatment alternatives; and related functions that do not include treatment; |
(2) | Reviewing competence or qualifications of health care professionals and evaluating provider and Employee Health Plan performance; |
(3) | Underwriting and other activities that relate to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance); |
(4) | Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; |
12
(5) | Business planning and development, such as cost-management and planning-related analysis related to managing and operating the Employee Health Plan, and development or improvement of coverage policies; and |
(6) | Business management and general administrative activities, including, but not limited to: (i) management activities related to implementation of and compliance with the requirements of the Privacy Rule; (ii) customer service, including the provision of data analyses for the Employee Health Plan sponsor, provided that PHI is not disclosed to the Employee Health Plan sponsor; (iii) resolution of internal grievances; (iv) due diligence related to the sale, transfer, merger, or consolidation of all or part of a Employee Health Plan with another entity directly regulated under the Privacy Rule, or an entity that, following such activity, will be subject to the Privacy Rule; and (v) consistent with applicable requirements of the Privacy Rule, creating de-identified information, as defined in 45 C.F.R. § 164.514(b)(2), or a limited data set, as defined under 45 C.F.R. § 164.514(d)(2). |
(d) Health Plan shall mean each Employee Health Plan sponsored by the Employer to provide health care benefits for employees and dependents of the Employer.
(e) HIPAA means the Health Insurance Portability and Accountability Act of 1996, as codified in Section 9801, et seq., of the Code and Section 701, et seq., of ERISA, as amended from time to time and the applicable regulations issued and effective thereunder.
(f) Payment, as defined under 45 C.F.R. § 160.501, shall mean activities undertaken by an Employee Health Plan to obtain contributions or to determine or fulfill its responsibility for coverage and provision of benefits, or to obtain or provide reimbursement for the provision of health care. Such activities include, but are not limited to:
(1) | Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; |
(2) | Risk adjusting amounts due based on enrollee health status and demographic characteristics; |
(3) | Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing; |
(4) | Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; |
13
(5) | Utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and |
(6) | Disclosure to consumer reporting agencies of necessary information relating to collection of premiums or reimbursement. |
(g) Policy shall mean the Del Monte Corporation HIPAA Privacy Policy for Group Health Plans, as amended from time to time.
(h) Protected Health Information or PHI shall mean individually identifiable health information that (1) relates to the past, present, or future physical or mental condition of a current or former Participant, provision of health care to a Participant, or payment for such health care; (2) can either identify the Participant, or there is a reasonable basis to believe the information can be used to identify the Participant; and (3) is received or created by or on behalf of a Health Plan.
(i) Responsible Employee shall mean an employee (including a contract, temporary, or leased employee) of the Health Plans or of the Employer whose duties (1) require that the employee have access to PHI for purposes of Health Plan Payment or Health Care Operations, or (2) make it likely that he or she will receive or have access to PHI. Persons designated as Responsible Employees are described in Section III. Responsible Employee shall also include any other employee (other than a designated Responsible Employee) who creates or receives PHI on behalf of a Health Plan, even though his or her duties do not (or are not expected to) include creating or receiving PHI. Responsible Employees are within the Employers HIPAA firewall when they perform Health Plan functions.
(j) Security Incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
3. Responsible Employees. Only Responsible Employees shall be permitted to use, disclose, create, receive, access, maintain, or transmit PHI, including Electronic PHI, on behalf of a Health Plan. The use or disclosure of PHI by Responsible Employees shall be restricted to the Health Plan administration functions that the Employer performs on behalf of a Health Plan, pursuant to Section IV.
(a) Employees who perform the following functions on behalf of the Health Plans are Responsible Employees:
(1) | claims determination and processing functions; |
(2) | Health Plan vendor relations functions; |
(3) | benefits education and information functions; |
14
(4) | global information systems and human resources information systems support activities; and |
(5) | legal department activities. |
(b) In addition to those individuals described in Section III(a) above, senior human resources leadership who perform claims appeals and other decision-making functions on behalf of the Health Plans, the Health Plans HIPAA privacy officer and HIPAA security officer, and employees of the Employer to whom the Health Plans HIPAA privacy officer has delegated any of the following responsibilities shall also be Responsible Employees:
(1) | implementation, interpretation, and amendment of the Policy; |
(2) | Privacy Rule or Security Rule training for employees of the Employer; |
(3) | investigation of and response to complaints by Participants and/or employees; |
(4) | preparation and maintenance of the Plans privacy notice; |
(5) | distribution of the Plans privacy notice; |
(6) | response to requests by Participants to inspect or copy PHI; |
(7) | response to requests by Participants to restrict the use or disclosure of their PHI; |
(8) | response to requests by Participants to receive communications of their PHI by alternate means or in an alternate manner; |
(9) | amendment and response to requests to amend Participants PHI; |
(10) | response to requests by Participants for an accounting of disclosures of their PHI; |
(11) | response to requests for information by the Department of Health and Human Services; |
(12) | approval of disclosures to law enforcement or to the military for government purposes; |
(13) | maintenance of records and other documentation required by the Privacy Rule or Security Rule; |
15
(14) | negotiation of Privacy Rule and Security Rule provisions and/or reasonable security provisions into contracts with third party service providers; |
(15) | maintenance of Health Plan PHI security documentation; or |
(16) | approval of access to Electronic PHI. |
4. Permitted Uses and Disclosures. Responsible Employees may access, request, receive, use, disclose, create, and/or transmit PHI only to perform certain permitted and required functions on behalf of the Plan, consistent with the Policy. This includes:
(a) uses and disclosures for the Plans own Payment and Health Care Operations functions;
(b) uses and disclosures for another Health Plans Payment and Health Care Operations functions;
(c) disclosures to a health care provider, as defined under 45 C.F.R. § 160.103, for the health care providers treatment activities;
(d) disclosures to the Employer, acting in its role as Plan sponsor, (1) of summary health information for purposes of obtaining health insurance coverage or premium bids for the Plan or for making decisions to modify, amend, or terminate the Plan, or (2) of enrollment or disenrollment information;
(e) disclosures of a Participants PHI to the Participant or his or her personal representative, as defined under 45 C.F.R. § 164.502(g);
(f) disclosures to an Employee Health Plan not sponsored by the Employer for the other Employee Health Plans Payment or Health Care Operations activities;
(g) disclosures to a Participants family members or friends involved in the Participants health care or payment for the Participants health care, or to notify a Participants family in the event of an emergency or disaster relief situation;
(h) uses and disclosures to comply with workers compensation laws;
(i) uses and disclosures for legal and law enforcement purposes, such as to comply with a court order;
(j) disclosures to the Secretary of Health and Human Services to demonstrate the Plans compliance with the Privacy Rule or Security Rule;
(k) uses and disclosures for other governmental purposes, such as for national security purposes;
16
(l) uses and disclosures for certain health and safety purposes, such as to prevent or lessen a threat to public health, to report suspected cases of abuse, neglect, or domestic violence, or relating to a claim for public benefits or services;
(m) uses and disclosures to identify a decedent or cause of death, or for tissue donation purposes;
(n) uses and disclosures required by other applicable laws; and
(o) uses and disclosures pursuant to the Participants authorization that satisfies the requirements of 45 C.F.R. § 164.508.
5. Certification Requirement. The Plan shall disclose PHI, including Electronic PHI, to Responsible Employees only upon receipt of a certification by the Employer that the Employer agrees:
(a) not to use or further disclose PHI other than as permitted or required by this Appendix and the Policy or as required by law;
(b) to take reasonable steps to ensure that any agents, including subcontractors, to whom the Employer provides PHI, including Electronic PHI, received from the Plan agree to:
(i) | the same restrictions and conditions that apply to the Employer with respect to such PHI; |
(ii) | implement reasonable and appropriate security measures to protect such Electronic PHI. |
(c) not to use or disclose PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Employer other than another Health Plan;
(d) to report to the Plan any use or disclosure of PHI, including Electronic PHI, or Security Incident that is inconsistent with the uses or disclosures described in Section IV of which the Employer becomes aware;
(e) to make available PHI for inspection and copying in accordance with 45 § C.F.R. 164.524;
(f) to make available PHI for amendment, and to incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526;
(g) to make available PHI required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528;
17
(h) to make its internal practices, books, and records relating to the use and disclosure of PHI, including Electronic PHI, received on behalf of the Plan available to the Secretary of Health and Human Services for purposes of determining compliance by the Plan with the Privacy Rule or the Security Rule;
(i) if feasible, to return or destroy all PHI, including Electronic PHI, received from the Plan that the Employer still maintains in any form and retain no copies of such PHI when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of PHI, including Electronic PHI, infeasible;
(j) to take reasonable steps to ensure that the adequate separation between the Plan and the Employers activities in its role as Plan sponsor and employer; and
(k) to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that the Employer creates, receives, maintains or transmits on behalf of the Health Plan.
6. Mitigation. In the event of non-compliance with any of the provisions set forth in this Appendix,
(a) the Health Plans HIPAA privacy officer shall address any complaint promptly and confidentially or, with respect to alleged violations of the Security Rule, shall defer to the HIPAA security officer who shall address such complaint. The HIPAA privacy officer or security officer, as applicable, first will investigate the complaint and document his or her investigation efforts and findings.
(b) if PHI, including Electronic PHI, has been used or disclosed in violation of the Policy or Security Rule or inconsistent with this Appendix, the HIPAA privacy officer or security officer, as appropriate, shall take immediate steps to mitigate any harm caused by the violation and to minimize the possibility that such a violation will recur.
(c) if a Responsible Employee or other employee of an Employer is found to have violated the Privacy Policy or Security Rule, such personnel shall be subject to disciplinary action in accordance with the Employers disciplinary policy.
18