The Use and Disclosure of Protected Health Information

A. Use and Disclosure of Protected Health Information (PHI)

The Health Plan of Marathon Ashland Petroleum LLC (the “Plan”) will use protected health information (PHI) to the extent of and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the Plan will use and disclose PHI for purposes related to health care treatment, payment for health care and health care operations.

Payment includes activities undertaken by the Plan to obtain employee contributions or determine or fulfill its responsibility for coverage and provision of plan benefits that relate to an individual to whom health care is provided. These activities include, but are not limited to, the following:

  • Determination of eligibility, coverage and cost sharing amounts (for example, cost of a benefit, plan maximums and copayments as determined for an individual’s claim);
  • Coordination of benefits;
  • Adjudication of health benefit claims (including appeals and other payment disputes);
  • Subrogation of health benefit claims or recovery of Plan overpayments;
  • Establishing employee contributions;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Billing, collection activities and related health care data processing;
  • Claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes and responding to participant inquiries about payments;
  • Obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance);
  • Medical necessity reviews or reviews of appropriateness of care or justification of charges;
  • Utilization review, including precertification, preauthorization, concurrent review and retrospective review;
  • Disclosure to consumer reporting agencies related to the collection of employee contributions or reimbursement (the following PHI may be disclosed for payment purposes: name and address, date of birth, Social Security number, payment history, account number and name and address of the provider and/or health plan); and
  • Reimbursement to the Plan.

Health Care Operations include, but are not limited to, the following activities:

  • Quality assessment;
  • Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting health care providers and patients with information about treatment alternatives and related functions;
  • Rating provider and Plan performance, including accreditation, certification, licensing or credentialing activities;
  • Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess of loss insurance);
  • Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of payment methods or coverage policies;
  • Business management and general administrative activities of the Plan, including, but not limited to:
    1. management activities relating to the implementation of and compliance with HIPAA’s administrative simplification requirements, or
    2. customer service, including the provision of data analysis for policyholders, plan sponsors or other customers;
      • Resolution of internal grievances; and
      • Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a “covered entity” under HIPAA or, following completion of the sale or transfer, will become a covered entity.

B. The Plan Will Use and Disclose PHI as Required by Law and as Permitted by Authorization of the Participant or Beneficiary

With an authorization, the Plan will disclose PHI to other employee benefit plans and programs for purposes relating to administration of these plans and programs including, but not limited to, workers’ compensation programs and insurers, the Long Term Disability Plan, the Accidental Death and Dismemberment Plan, other health and dental plans in which the individual participates, and the Company’s sick pay and leave of absence plans and programs.

  • For purposes of this Section, Marathon Ashland Petroleum LLC is the Plan Sponsor.
  • The Plan will disclose PHI to the Plan Sponsor only upon receipt of a certification from the Plan Sponsor that the plan documents have been amended to incorporate the provisions contained in Section D below.

C. With Respect to PHI, the Plan Sponsor Agrees to Certain Conditions

The Plan Sponsor agrees to:

  • Not use or further disclose PHI other than as permitted or required by the Plan document or as required by law;
  • Ensure that any agents, including a subcontractor, to whom the Plan Sponsor provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such PHI;
  • Not use or disclose PHI for employment-related actions and decisions unless authorized by an individual;
  • Not use or disclose PHI in connection with any other benefit or employee benefit plan of the Plan Sponsor unless authorized by the individual(s);
  • Report to the Plan any PHI use or disclosure that is inconsistent with the uses or disclosures provided for of which it becomes aware;
  • Make PHI available to an individual in accordance with HIPAA’s access requirements;
  • Make PHI available for amendment and incorporate any amendments to PHI in accordance with HIPAA;
  • Make available the information required to provide an accounting of disclosures;
  • Make internal practices, books and records relating to the use and disclosure of PHI received from the Plan available to the HHS Secretary for the purposes of determining the Plan’s compliance with HIPAA; and
  • If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form, and retain no copies of such PHI when no longer needed for the purposes for which disclosure was made (or if return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction infeasible).

D. Adequate Separation Between the Plan and the Plan Sponsor Must Be Maintained

In accordance with HIPAA, only the employees of the Plan Sponsor retained by Benefits Administration to directly administer employee benefit plans and programs may be given access to PHI. Individuals with access to PHI may include:

  • The benefits manager;
  • Staff designated by the benefits manager;
  • Auditors directly employed by the Plan Sponsor;
  • Law organization employees responsible for enforcing the plan’s subrogation and overpayment recovery provisions, and providing legal advice regarding the administration of the Plan; and
  • If they are also employees of the Plan Sponsor, the Plan Administrator, Assistant Plan Administrators, and the Privacy Officer.

E. Limitations of PHI Access and Disclosure

The persons described in Section E may only have access to and use and disclose PHI for plan administration functions that the Plan Sponsor performs for the Plan.

F. Noncompliance Issues

If the persons described in Section E do not comply with this Plan document, the Plan Sponsor shall provide a mechanism for resolving issues of noncompliance, including disciplinary sanctions.

Updated: Wednesday, September 15, 2004