TRIPLE. S shall review and revise, as necessary, all of its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C and E of Part 164, the “Privacy Rule” and the “Security Rule”). TRIPLE-S’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.E.
TRIPLE. S shall provide such policies and procedures, consistent with paragraph 1 above, to HHS within 60 days of receipt of HHS’ approval of the risk management plan required by paragraph V.A above. Upon receiving any recommended changes to such policies and procedures from HHS, TRIPLE-S shall have 30 days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.
TRIPLE. S shall implement such policies and procedures within 30 days of receipt of HHS’ approval.
TRIPLE. S shall assess, update, and revise, as necessary, the policies and procedures at least annually. TRIPLE-S shall provide such revised policies and procedures to HHS for review and approval. Within thirty (30) days of the effective date of any approved revisions, TRIPLE-S shall distribute such revised policies and procedures to all workforce members and business associates, and shall require new compliance certifications.
TRIPLE. S shall not provide access to PHI to any workforce member or business associate if that workforce member has not signed or provided the written or electronic certification required by paragraphs 2 & 3 of this section within a reasonable period of time after distribution of such policies and procedures.
TRIPLE. S shall distribute the policies and procedures identified in section V.C. to all workforce members within thirty (30) days of HHS approval of such policies. TRIPLE-S shall distribute such policies and procedures to all new workforce members within thirty (30) days of the commencement of each such workforce member’s service. Triple S shall also distribute such policies and procedures to all of its business associates who utilize Triple S ePHI in carrying out contractual or work responsibilities.
TRIPLE. S shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by TRIPLE-S and TRIPLE-S Business Associates, and document the security measures TRIPLE-S implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
TRIPLE. S shall review the training annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
TRIPLE. S shall not provide access to ePHI to any workforce member if that workforce member has not signed or provided the written or electronic certification required by paragraph V.G.4 within a reasonable period of time after completion of such training.
TRIPLE. A One Surety Bond. Triple-A One hereby assigns to the Collateral Agent the right of Triple-A One to make drawings under the Surety Bond naming Triple-A One as beneficiary. The Collateral Agent hereby agrees to make, on a timely basis, all drawings (including, without limitation, drawings in respect of any Avoided Payment, as such term is defined in such Surety Bond) permitted to be made by delivery of a Notice for Payment under such Surety Bond.
