Independent Contractor - 2018 - Health Insurance - Business Associate Agreement - 6/28/2018 40 1111
((helon
Echelon Group
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (this "Agreement') is entered into by and
between City of Eagle whose principal place of business is 660 E Civic Lane, Eagle, Idaho 83616
(the "Company'), on behalf of its Plans (as defined below), and Echelon Group, Inc , whose principal
place of business is 408 E Parkcenter Blvd, Suite 330, Boise, ID 83706 ("Business Associate,"and
with Company, each a "Party"and together the "Parties') This Agreement supersedes and replaces
any prior Business Associate Agreements and related amendments thereto between the Parties
RECITALS.
WHEREAS, Company maintains certain health care benefit plans which provide health plan
benefits to certain of Company's members, employees and/or retirees, and their eligible dependents,
if any (collectively, the "Plans"),
WHEREAS, Business Associate has entered into a Consulting Agreement with Company
dated as of June 21, 2018 (the "Effective Date'), for the purposes of performing certain
administrative & consulting services for Company and the Plans (the terms and conditions of such
agreement between the Parties hereinafter referred to as the "Consulting Services Agreement'),
WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA'), the Department of Health and Human Services
("HHS') has promulgated regulations at 45 C F R Parts 160-64, implementing the privacy
requirements set forth in HIPAA(the "Privacy Rule') and the electronic security requirements set
forth in HIPAA("Security Rule'), each as amended by the "Health Information Technology for
Economic and Clinical Health Act," part of the "American Recovery and Reinvestment Act of 2009"
("HITECH Act'),
WHEREAS, the Privacy Rule provides, among other things, that before a health plan is
permitted to disclose Protected Health Information (as defined below) to a business associate and to
allow the business associate to obtain and receive Protected Health Information, the health plan
must obtain satisfactory assurances in the form of a written contract that the business associate will
appropriately safeguard the Protected Health Information,
WHEREAS, the Security Rule provides, among other requirements, for a health plan to
obtain additional assurances from a business associate with respect to Protected Health Information
that is transmitted by or maintained in electronic media,
WHEREAS, Business Associate will have access to, create and/or receive certain Protected
Health Information in conjunction with the services being provided under the Services Agreement,
thus necessitating a written agreement that meets the applicable requirements of the Privacy Rule,
and may maintain Protected Health Information in electronic media, thus necessitating a written
agreement that meets the applicable requirements of the Security Rule, and
WHEREAS, Business Associate and Company, on behalf of the Plans, have mutually agreed
to satisfy the foregoing regulatory requirements through this Agreement
6/21/2018 Business Associate Agreement Page 1
' • •
NOW THEREFORE, Business Associate and Company, on behalf of the Plans, agree as
follows
1 Definitions
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as
those terms in the HIPAA Privacy and Security Rules and the final Omnibus Rule issued by the
Department of Health and Human Services on January 17, 2013, effective March 26, 2013 The
following terms shall have the following meaning when used in this Agreement
a Breach means that term as set forth in 45 C F R § 164 402
b Business Associate shall generally have the same meaning as the term "business
associate" at 45 C F R § 160 103, and in reference to the party to this Agreement shall
mean Echelon Group, Inc
c Covered Entity shall generally have the same meaning as the term "covered entity" at 45
C F R § 160 103, and in reference to the party to this Agreement, shall mean Echelon
Group, Inc
d Designated Record Set means that term as set forth in 45 C F R § 164 501
e Electronic Protected Health Information means Protected Health Information that is
transmitted or maintained in electronic media, including, but not limited to, hard drives,
disks, on the Internet, or on an intranet
f HIPAA Rules mans the Privacy Security, Breach Notification, and Enforcement Rules
at 45 C F R part 160 and part 164
g Individual means that term as set forth in 45 C F R § 160 103, and includes a person
who qualifies as a personal representative in accordance with 45 C F R § 164 502(g)
h Omnibus Rule means the Health Insurance Portability and Accountability Act rule
issued by the Department of Health and Human Services and published in the Federal
Register on January 25, 2013 at 78 Fed Reg 5566
i Privacy Rule means the Standards of Privacy of Individually Identifiable Health
Information at 45 C F R part 160 and part 164, subparts A and E
1 Protected Health Information means that term as set forth in 45 C F R § 160 103,
except limited to the information created or received by Business Associate from or on
behalf of The Plans
k Required By Law means that term as set forth in 45 C F R § 164 103
I Secretary means the Secretary of the Department of Health and Human Services or
his/her designee
m Security Rule means the Security Standards for the Protection of Electronic Protected
Health Information at 45 C F R part 160 and part 164, subparts A and C
n Subcontractor means a person to whom a business associate delegates a function,
activity, or service, other than in the capacity of a member of the workforce of such
business associate
6/21/2018 Business Associate Agreement Page 2
( . 0
o Unsecured Protected Health Information means that term as set forth in 45 C F R §
164 402
Any capitalized term not specifically defined herein shall have the same meaning as set forth
in 45 C F R Parts 160 and 164, and the Omnibus Rule issued on January 17, 2013, effective
March 26, 2013, where applicable The terms "use," disclose" and "discovery," or derivations
thereof, although not capitalized, shall also have the same meanings set forth in HIPAA and
its implementing regulations
2 Obligations and Activities of Business Associate
a Business Associate agrees not to use or disclose Protected Health Information other
than as permitted or required by this Agreement or as Required By Law
b Business Associate agrees to document and use appropriate administrative, technical
and physical safeguards to prevent use or disclosure of the Protected Health
Information other than as provided for by this Agreement and in compliance with the
Security Rule
c Business Associate agrees to establish procedures for mitigating, and shall follow
those procedures and so mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health Information by
Business Associate in violation of the requirements of this Agreement
d Business Associate agrees to report to the Plans' privacy officer in writing within fifteen
(15) business days the names and addresses of any subcontractor(s)that the
Business Associate uses in connection with this Agreement
e Business Associate agrees that it will report to the Plans within three (3) business days
after discovering, as defined in 45 C F R § 164 410, any Breach of Unsecured
Protected Health Information, and that it will provide to the Plans within five (5) days
(i) a list of all Individuals whose Unsecured Protected Health Information has been, or
is reasonably believed by the Business Associate to have been, accessed, acquired,
used, or disclosed during the Breach, and (ii) any other available information that the
Plans is required to include in notifications to such Individuals pursuant to 45 C F R §
164 404(c), and to the Secretary
f In the event of any Breach referred to in the preceding paragraph, Business Associate
agrees to cooperate with the Plans to notify, at the Business Associate's expense (i)
Individuals whose Unsecured Protected Health Information has been, or is reasonably
believed by Business Associate to have been, accessed, acquired, used, or disclosed,
(ii)the media, as required pursuant to 45 C F R § 164 406, and (iii)the Secretary, as
required by 45 C F R § 164 408(b), if the legal requirements for media or HHS
notification are triggered by the circumstances of such Breach, provided that Business
Associate shall not initiate any such notifications without the express written approval
of the Plans
g In accordance with 45 C F R §§ 164 502(e)(1)(ii) and 164 308(b)(2) Business
Associate agrees to ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or received by
Business Associate on behalf of the Plans, agrees in writing to the same restrictions
and conditions that apply through this Agreement to Business Associate with respect
to such information Business Associate shall provide copies of such agreements to
the Plans upon request
6/21/2018 Business Associate Agreement Page 3
110 •
h Business Associate agrees to provide, within fifteen (15) days of receiving a
request from the Plans or from an Individual in the manner reasonably
requested by the Plans, access to Protected Health Information in a Designated
Record Set, to the Plans or, as directed by the Plans, to an Individual, in order for
the Plans to fulfill their obligations under 45 C F R § 164 524 to provide access
and copies of Protected Health Information to an Individual
i Business Associate agrees to make available to the Plans, within fifteen (15)
days of receiving a request from the Plans or from an Individual, in the manner
reasonably requested by the Plans, such information as the Plans may require to
fulfill in a timely manner the Plans' obligations pursuant to 45 C F R § 164 526 to
amend Protected Health Information that Business Associate maintains in a
Designated Record Set, and if so notified by the Plans, to incorporate any
amendments to which the Plans have agreed
1 Business Associate agrees to make its internal practices, books, and records,
including policies and procedures relating to the use and disclosure of Protected
Health Information received from, or created or received by Business Associate on
behalf of, the Plans, available to the Plans, or to the Secretary, for purposes of the
Secretary determining the Plans' compliance with the Privacy Rule If Business
Associate directly receives a request from the Secretary, then Business Associate
agrees to notify the Plans promptly of such request
k Business Associate agrees to document such disclosures of Protected Health
Information and information related to such disclosures as would be required for the
Plans to respond to a request by an Individual for an accounting of disclosures of
Protected Health Information in accordance with 45 C F R § 164 528
I Business Associate agrees to provide to the Plans or an Individual, as soon as
practicable and in the manner reasonably requested by the Plans or Individual,
information collected in accordance with Section 2(i) of this Agreement, to permit the
Plans to respond in a timely manner to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 C F R § 164 528
m Business Associate will comply with all obligations applicable to business associates
as set forth in the Omnibus Rule located at 78 Fed Reg 5566 (January 25, 2013), as
of the date that compliance with each such obligation is required pursuant to the
Omnibus Rule
3 Permitted Uses and Disclosures by Business Associate
a Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information to perform functions, activities, or services for, or on behalf of,
the Plans as specified in the Services Agreement, provided that such use or disclosure
would not violate the Privacy Rule if done by the Plans or the minimum necessary policies
and procedures of the Plans
b Except as otherwise limited in this Agreement, Business Associate may use or
disclose Protected Health Information only if such use or disclosure is in full
compliance with 45 C F R § 164 504(e) The additional requirements of the HITECH
Act that relate to privacy and that are made applicable to covered entities shall also
apply to Business Associate and are hereby incorporated into this Agreement
6/21/2018 Business Associate Agreement Page 4
• 9
c Except as otherwise limited in this Agreement, Business Associate may use Protected
Health Information for the proper management and administration of the Business
Associate or to carry out the legal responsibilities of the Business Associate
d Except as otherwise limited in this Agreement or any other arrangement between Business
Associate and the Plans, Business Associate may use Protected Health Information to
provide data aggregation services as permitted by 45 C F R § 164 504(e)(2)(i)(B) (i e , the
combining of Protected Health Information received from the Plans with protected health
information received by Business Associate in its capacity as the business associate of
other group health plans, to permit data analyses that relate to the health care operations of
various group health plans )
e Business Associate may use Protected Health Information to report violations of law to the
appropriate Federal and State authorities, consistent with 45 C F R § 164 5020)(1)
4 Security Standards
a Business Associate shall implement Administrative, Physical and Technical Safeguards that
reasonably and appropriately protect the Confidentiality, Integrity and Availability of
Electronic Protected Health Information that it creates, receives, maintains or transmits on
behalf of the Plans
b With respect to the Safeguards required by Section 5(a) above, 45 C F R § 164 308
(administrative safeguards), § 164 310 (physical safeguards), § 164 312 (technical
safeguards) and § 164 316 (policies and procedures and documentation requirements),
shall apply to Business Associate in the same manner that such sections apply to the
Plans The additional requirements of the HITECH Act that relate to security and that are
made applicable to covered entities shall also apply to Business Associate, and are hereby
incorporated into this Agreement Business Associate shall be liable under the civil and
criminal enforcement provisions set forth at 45 C F R § 160 402 and 42 U S C § 1320d-5
and 1320d-6, as amended from time to time, for failure to comply with the safeguards and
any guidance issued by the Secretary with respect to such requirements
c Business Associate shall ensure that any agent, including a subcontractor, to whom it
provides Electronic Protected Health Information, agrees in writing to implement reasonable
and appropriate safeguards to protect such Electronic Protected Health Information and to
comply with the Security Rule and 45 C F R §§ 164 502(e)(1)(ii) and 164 308(b)(2)
d Without limiting the provisions of Section 2 above, Business Associate shall report in writing
to the Plans within three (3) business days of becoming aware of any Security Incident
involving Electronic Protected Health Information, including breaches of unsecured
protected health information as required by 45 C F R § 164 410 and security incidents
involving subcontractors and as reasonably appropriate, shall advise the Plans of measures
Business Associate will be taking to mitigate harm from such Security Incident, and to
prevent similar future incidents
e Business Associate shall make its policies and procedures and documentation required by
the Security Rule relating to the Safeguards described in subsection (a) above, available to
the Plans and to the Secretary for purposes of determining the Plans' compliance with the
Security Rule, and Business Associate's compliance with the HITECH Act
6/21/2018 Business Associate Agreement Page 5
! !
5 Security Breach
a Business Associate agrees to report to the Plans' Privacy Officer any potential Breach of
Unsecured PHI without unreasonable delay and in no case later than three (3) business
days after discovery of a Breach Such notice shall include, to the extent the details are
available (i)the identification of each Individual whose Unsecured PHI has been, or is
reasonably believed by Business Associate, to have been, accessed, acquired, or
disclosed, and (ii) a brief description of the event, and (iii)the date of the potential Breach,
and (iv)the date of discovery, and (v)the type of PHI involved, and (vi) any preliminary
steps taken to mitigate the damage caused by the Breach, and (vii) a description of any
investigatory steps taken In the event that the details of the Breach are not known at the
time of the initial notification to Plans, Business Associate shall promptly follow up with
Plans' privacy officer with the details as such become available In addition, Business
Associate shall provide any additional information reasonably requested by Plans for
purposes of investigating the Breach Without limiting any of the provisions of this Section
3, Business Associate's notification of a Breach under this Section 3 shall comply in all
respects with each applicable provision of Section 13400 of the HITECH Act, Subpart D of
45 C F R 164 and related regulations and guidance issued by the Secretary from time to
time
b In addition to the foregoing, Business Associate agrees that in the event of such a Breach,
Plans shall have the sole right to determine (i)whether notice is to be provided to any
Individuals, regulators, law enforcement agencies, consumer reporting agencies, and/or
media or others as required by law or regulation, in Plans' discretion, whether such
notice(s) shall be sent out directly by Business Associate or by Plans, whether such
notice(s) shall be sent under the letterhead of Plans or that of Business Associate, the
contents of such notice(s), whether any type of remediation may be offered to affected
persons, and the nature and extent of any such remediation (which remediation shall
include, but not be limited to, credit monitoring by nationally recognized credit monitoring
companies) Business Associate shall bear the sole expense of the preparation and
sending of such notices and the remediation for such Breach In the event that Plans send
out such notice(s) directly and/or directly incurs the expense of such remediation, Business
Associate shall promptly reimburse Plans its reasonable costs of preparation and mailing of
such notice(s), its actual costs for providing remediation, and reasonable costs and
expenses of Plans' investigation of the Breach by Business Associate (or that of Business
Associate's subcontractors or agents)
6 Term and Termination
a This Agreement shall terminate when all of the Protected Health Information provided
by the Plans to Business Associate, or created or received by Business Associate on
behalf of the Plans, is destroyed or returned to the Plans, or, if it is infeasible to return
or destroy Protected Health Information protections are extended to such information,
in accordance with Section 7(c)
b Upon the Plans' knowledge of a material breach of this Agreement by Business
Associate, the Plans shall, at their election, either
i Provide an opportunity for Business Associate to cure the breach or end the
violation, and terminate this Agreement and the Services Agreement if
Business Associate does not cure the breach or end the violation within the
time specified by the Plans,
6/21/2018 Business Associate Agreement Page 6
• •
ii Immediately terminate this Agreement and the Services Agreement if Business
Associate has breached a material term of this Agreement and cure is not
possible, or
iii If neither termination nor cure is feasible, the Plans shall report the violation to
the Secretary
c Effect of Termination
i Except as provided in Section 7(c)(ii), upon termination of this Agreement or
the Services Agreement for any reason, Business Associate shall return all
Protected Health Information received from the Plans, or created or received by
Business Associate on behalf of the Plans, or, at the election of the Plans,
Business Associate may alternatively certify in writing to the Plans that it has
destroyed all Protected Health Information This provision shall apply to
Protected Health Information that is in the possession of subcontractors or
agents of Business Associate Business Associate shall retain no copies of the
Protected Health Information, including no electronic copies
ii In the event that Business Associate determines that returning or destroying
the Protected Health Information is infeasible, Business Associate shall provide
to the Plans notification of the conditions that make return or destruction
infeasible Upon Business Associate's establishing to the Plans' reasonable
satisfaction that return or destruction of Protected Health Information is
infeasible, Business Associate shall extend the protections of this Agreement to
such Protected Health Information and limit further uses and disclosures of
such Protected Health Information to those purposes that make the return or
destruction infeasible, for so long as Business Associate maintains such
Protected Health Information
7 Miscellaneous
a Regulatory References A reference in this Agreement to a section in the Privacy
Rule, the Security Rule, or to any other regulation promulgated under HIPAA means
the section as in effect or as amended
b Indemnification. Business Associate agrees during and after the term of this
Agreement to hold the Plans and the Company, and their respective trustees, officers,
directors, employees, agents and affiliates, harmless from, and indemnify each of them
against any and all claims, losses, liabilities penalties, fines, costs, damages and
expenses, including reasonable attorneys' fees, incurred by or imposed upon any of
them as a result of Business Associate's breach of this Agreement, HIPAA, the Privacy
Rule or the Security Rule
c Survival. The respective rights and obligations of the Parties under Sections 2, 5, 7(c)
and 8 of this Agreement shall survive the termination of this Agreement
d Interpretation Any ambiguity in this Agreement shall be resolved to permit the Plans
to comply with the Privacy Rule, Security Rule and other provisions of HIPAA,
including, but not limited to, any regulations promulgated under the HITECH Act
e Governing Law The construction, interpretation and performance of this Agreement
and all transactions under this Agreement shall be governed and enforced pursuant to
the laws of the State of Idaho, except as such laws are preempted by any provision of
6/21/2018 Business Associate Agreement Page 7
• •
federal law, including by ERISA or HIPAA Any action or proceeding arising out of or
relating to this Agreement shall be brought and tried in a federal or state court of
competent jurisdiction located in Idaho, and in no other forum or venue
f No Third Party Beneficiary Nothing express or implied in this Agreement is intended
to confer, nor shall anything herein confer, upon any person other than the Parties and
the respective successors or assigns of the Parties, any rights, remedies, obligations,
or liabilities whatsoever
g Controlling Provisions In the event that it is impossible to comply with both the
Services Agreement and this Agreement, the provisions of this Agreement shall control
with respect to those provisions of each agreement that expressly conflict
h Effect This Agreement shall be binding upon, and shall inure to the benefit of, the
Parties hereto and their respective successors, assigns, heirs, executors,
administrators and other legal representatives
Severability. In the event any provision of this Agreement is rendered invalid or
unenforceable under any new or existing law or regulation, or declared null and void by
any court of competent jurisdiction, the remainder of the provisions of this Agreement
shall remain in full force and effect if it reasonably can be given effect
Counterparts This Agreement may be executed in any number of counterparts, each
of which shall be deemed an original Facsimile copies thereof shall be deemed to be
originals
k Notices. All notices to be given pursuant to the terms of this Agreement shall be in
writing and shall be deemed given four(4) business days after being sent by certified
mail, return receipt requested, postage prepaid or one (1) business day after being
sent by reputable overnight mail delivery to the other Party, at the address set forth
above or at such other address as a Party may designate from time to time by notice
pursuant to this Section 8(k)
Amendment The Parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for the Plans to comply with the
requirements of the HIPAA Privacy, EDI and Security Rules, and any other provisions
of HIPAA including, but not limited to, any regulations promulgated under the HITECH
Act
IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the
Effective Date
COMPANY BUSINESS ASSOCIATE
By By
Name STD ikaeteut Name Donald L Reiman
Title �/ Title President/Founder
Date 6-2 a Date
6/21/2018 Business Associate Agreement Page 8