Loading...
Independent Contractor - 2018 - Health Insurance - Business Associate Agreement - 6/28/2018 40 1111 ((helon Echelon Group BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT (this "Agreement') is entered into by and between City of Eagle whose principal place of business is 660 E Civic Lane, Eagle, Idaho 83616 (the "Company'), on behalf of its Plans (as defined below), and Echelon Group, Inc , whose principal place of business is 408 E Parkcenter Blvd, Suite 330, Boise, ID 83706 ("Business Associate,"and with Company, each a "Party"and together the "Parties') This Agreement supersedes and replaces any prior Business Associate Agreements and related amendments thereto between the Parties RECITALS. WHEREAS, Company maintains certain health care benefit plans which provide health plan benefits to certain of Company's members, employees and/or retirees, and their eligible dependents, if any (collectively, the "Plans"), WHEREAS, Business Associate has entered into a Consulting Agreement with Company dated as of June 21, 2018 (the "Effective Date'), for the purposes of performing certain administrative & consulting services for Company and the Plans (the terms and conditions of such agreement between the Parties hereinafter referred to as the "Consulting Services Agreement'), WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA'), the Department of Health and Human Services ("HHS') has promulgated regulations at 45 C F R Parts 160-64, implementing the privacy requirements set forth in HIPAA(the "Privacy Rule') and the electronic security requirements set forth in HIPAA("Security Rule'), each as amended by the "Health Information Technology for Economic and Clinical Health Act," part of the "American Recovery and Reinvestment Act of 2009" ("HITECH Act'), WHEREAS, the Privacy Rule provides, among other things, that before a health plan is permitted to disclose Protected Health Information (as defined below) to a business associate and to allow the business associate to obtain and receive Protected Health Information, the health plan must obtain satisfactory assurances in the form of a written contract that the business associate will appropriately safeguard the Protected Health Information, WHEREAS, the Security Rule provides, among other requirements, for a health plan to obtain additional assurances from a business associate with respect to Protected Health Information that is transmitted by or maintained in electronic media, WHEREAS, Business Associate will have access to, create and/or receive certain Protected Health Information in conjunction with the services being provided under the Services Agreement, thus necessitating a written agreement that meets the applicable requirements of the Privacy Rule, and may maintain Protected Health Information in electronic media, thus necessitating a written agreement that meets the applicable requirements of the Security Rule, and WHEREAS, Business Associate and Company, on behalf of the Plans, have mutually agreed to satisfy the foregoing regulatory requirements through this Agreement 6/21/2018 Business Associate Agreement Page 1 ' • • NOW THEREFORE, Business Associate and Company, on behalf of the Plans, agree as follows 1 Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy and Security Rules and the final Omnibus Rule issued by the Department of Health and Human Services on January 17, 2013, effective March 26, 2013 The following terms shall have the following meaning when used in this Agreement a Breach means that term as set forth in 45 C F R § 164 402 b Business Associate shall generally have the same meaning as the term "business associate" at 45 C F R § 160 103, and in reference to the party to this Agreement shall mean Echelon Group, Inc c Covered Entity shall generally have the same meaning as the term "covered entity" at 45 C F R § 160 103, and in reference to the party to this Agreement, shall mean Echelon Group, Inc d Designated Record Set means that term as set forth in 45 C F R § 164 501 e Electronic Protected Health Information means Protected Health Information that is transmitted or maintained in electronic media, including, but not limited to, hard drives, disks, on the Internet, or on an intranet f HIPAA Rules mans the Privacy Security, Breach Notification, and Enforcement Rules at 45 C F R part 160 and part 164 g Individual means that term as set forth in 45 C F R § 160 103, and includes a person who qualifies as a personal representative in accordance with 45 C F R § 164 502(g) h Omnibus Rule means the Health Insurance Portability and Accountability Act rule issued by the Department of Health and Human Services and published in the Federal Register on January 25, 2013 at 78 Fed Reg 5566 i Privacy Rule means the Standards of Privacy of Individually Identifiable Health Information at 45 C F R part 160 and part 164, subparts A and E 1 Protected Health Information means that term as set forth in 45 C F R § 160 103, except limited to the information created or received by Business Associate from or on behalf of The Plans k Required By Law means that term as set forth in 45 C F R § 164 103 I Secretary means the Secretary of the Department of Health and Human Services or his/her designee m Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 C F R part 160 and part 164, subparts A and C n Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate 6/21/2018 Business Associate Agreement Page 2 ( . 0 o Unsecured Protected Health Information means that term as set forth in 45 C F R § 164 402 Any capitalized term not specifically defined herein shall have the same meaning as set forth in 45 C F R Parts 160 and 164, and the Omnibus Rule issued on January 17, 2013, effective March 26, 2013, where applicable The terms "use," disclose" and "discovery," or derivations thereof, although not capitalized, shall also have the same meanings set forth in HIPAA and its implementing regulations 2 Obligations and Activities of Business Associate a Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law b Business Associate agrees to document and use appropriate administrative, technical and physical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement and in compliance with the Security Rule c Business Associate agrees to establish procedures for mitigating, and shall follow those procedures and so mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement d Business Associate agrees to report to the Plans' privacy officer in writing within fifteen (15) business days the names and addresses of any subcontractor(s)that the Business Associate uses in connection with this Agreement e Business Associate agrees that it will report to the Plans within three (3) business days after discovering, as defined in 45 C F R § 164 410, any Breach of Unsecured Protected Health Information, and that it will provide to the Plans within five (5) days (i) a list of all Individuals whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach, and (ii) any other available information that the Plans is required to include in notifications to such Individuals pursuant to 45 C F R § 164 404(c), and to the Secretary f In the event of any Breach referred to in the preceding paragraph, Business Associate agrees to cooperate with the Plans to notify, at the Business Associate's expense (i) Individuals whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed, (ii)the media, as required pursuant to 45 C F R § 164 406, and (iii)the Secretary, as required by 45 C F R § 164 408(b), if the legal requirements for media or HHS notification are triggered by the circumstances of such Breach, provided that Business Associate shall not initiate any such notifications without the express written approval of the Plans g In accordance with 45 C F R §§ 164 502(e)(1)(ii) and 164 308(b)(2) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of the Plans, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information Business Associate shall provide copies of such agreements to the Plans upon request 6/21/2018 Business Associate Agreement Page 3 110 • h Business Associate agrees to provide, within fifteen (15) days of receiving a request from the Plans or from an Individual in the manner reasonably requested by the Plans, access to Protected Health Information in a Designated Record Set, to the Plans or, as directed by the Plans, to an Individual, in order for the Plans to fulfill their obligations under 45 C F R § 164 524 to provide access and copies of Protected Health Information to an Individual i Business Associate agrees to make available to the Plans, within fifteen (15) days of receiving a request from the Plans or from an Individual, in the manner reasonably requested by the Plans, such information as the Plans may require to fulfill in a timely manner the Plans' obligations pursuant to 45 C F R § 164 526 to amend Protected Health Information that Business Associate maintains in a Designated Record Set, and if so notified by the Plans, to incorporate any amendments to which the Plans have agreed 1 Business Associate agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the Plans, available to the Plans, or to the Secretary, for purposes of the Secretary determining the Plans' compliance with the Privacy Rule If Business Associate directly receives a request from the Secretary, then Business Associate agrees to notify the Plans promptly of such request k Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for the Plans to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C F R § 164 528 I Business Associate agrees to provide to the Plans or an Individual, as soon as practicable and in the manner reasonably requested by the Plans or Individual, information collected in accordance with Section 2(i) of this Agreement, to permit the Plans to respond in a timely manner to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C F R § 164 528 m Business Associate will comply with all obligations applicable to business associates as set forth in the Omnibus Rule located at 78 Fed Reg 5566 (January 25, 2013), as of the date that compliance with each such obligation is required pursuant to the Omnibus Rule 3 Permitted Uses and Disclosures by Business Associate a Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, the Plans as specified in the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by the Plans or the minimum necessary policies and procedures of the Plans b Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information only if such use or disclosure is in full compliance with 45 C F R § 164 504(e) The additional requirements of the HITECH Act that relate to privacy and that are made applicable to covered entities shall also apply to Business Associate and are hereby incorporated into this Agreement 6/21/2018 Business Associate Agreement Page 4 • 9 c Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate d Except as otherwise limited in this Agreement or any other arrangement between Business Associate and the Plans, Business Associate may use Protected Health Information to provide data aggregation services as permitted by 45 C F R § 164 504(e)(2)(i)(B) (i e , the combining of Protected Health Information received from the Plans with protected health information received by Business Associate in its capacity as the business associate of other group health plans, to permit data analyses that relate to the health care operations of various group health plans ) e Business Associate may use Protected Health Information to report violations of law to the appropriate Federal and State authorities, consistent with 45 C F R § 164 5020)(1) 4 Security Standards a Business Associate shall implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Plans b With respect to the Safeguards required by Section 5(a) above, 45 C F R § 164 308 (administrative safeguards), § 164 310 (physical safeguards), § 164 312 (technical safeguards) and § 164 316 (policies and procedures and documentation requirements), shall apply to Business Associate in the same manner that such sections apply to the Plans The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall also apply to Business Associate, and are hereby incorporated into this Agreement Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 45 C F R § 160 402 and 42 U S C § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards and any guidance issued by the Secretary with respect to such requirements c Business Associate shall ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information, agrees in writing to implement reasonable and appropriate safeguards to protect such Electronic Protected Health Information and to comply with the Security Rule and 45 C F R §§ 164 502(e)(1)(ii) and 164 308(b)(2) d Without limiting the provisions of Section 2 above, Business Associate shall report in writing to the Plans within three (3) business days of becoming aware of any Security Incident involving Electronic Protected Health Information, including breaches of unsecured protected health information as required by 45 C F R § 164 410 and security incidents involving subcontractors and as reasonably appropriate, shall advise the Plans of measures Business Associate will be taking to mitigate harm from such Security Incident, and to prevent similar future incidents e Business Associate shall make its policies and procedures and documentation required by the Security Rule relating to the Safeguards described in subsection (a) above, available to the Plans and to the Secretary for purposes of determining the Plans' compliance with the Security Rule, and Business Associate's compliance with the HITECH Act 6/21/2018 Business Associate Agreement Page 5 ! ! 5 Security Breach a Business Associate agrees to report to the Plans' Privacy Officer any potential Breach of Unsecured PHI without unreasonable delay and in no case later than three (3) business days after discovery of a Breach Such notice shall include, to the extent the details are available (i)the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate, to have been, accessed, acquired, or disclosed, and (ii) a brief description of the event, and (iii)the date of the potential Breach, and (iv)the date of discovery, and (v)the type of PHI involved, and (vi) any preliminary steps taken to mitigate the damage caused by the Breach, and (vii) a description of any investigatory steps taken In the event that the details of the Breach are not known at the time of the initial notification to Plans, Business Associate shall promptly follow up with Plans' privacy officer with the details as such become available In addition, Business Associate shall provide any additional information reasonably requested by Plans for purposes of investigating the Breach Without limiting any of the provisions of this Section 3, Business Associate's notification of a Breach under this Section 3 shall comply in all respects with each applicable provision of Section 13400 of the HITECH Act, Subpart D of 45 C F R 164 and related regulations and guidance issued by the Secretary from time to time b In addition to the foregoing, Business Associate agrees that in the event of such a Breach, Plans shall have the sole right to determine (i)whether notice is to be provided to any Individuals, regulators, law enforcement agencies, consumer reporting agencies, and/or media or others as required by law or regulation, in Plans' discretion, whether such notice(s) shall be sent out directly by Business Associate or by Plans, whether such notice(s) shall be sent under the letterhead of Plans or that of Business Associate, the contents of such notice(s), whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation (which remediation shall include, but not be limited to, credit monitoring by nationally recognized credit monitoring companies) Business Associate shall bear the sole expense of the preparation and sending of such notices and the remediation for such Breach In the event that Plans send out such notice(s) directly and/or directly incurs the expense of such remediation, Business Associate shall promptly reimburse Plans its reasonable costs of preparation and mailing of such notice(s), its actual costs for providing remediation, and reasonable costs and expenses of Plans' investigation of the Breach by Business Associate (or that of Business Associate's subcontractors or agents) 6 Term and Termination a This Agreement shall terminate when all of the Protected Health Information provided by the Plans to Business Associate, or created or received by Business Associate on behalf of the Plans, is destroyed or returned to the Plans, or, if it is infeasible to return or destroy Protected Health Information protections are extended to such information, in accordance with Section 7(c) b Upon the Plans' knowledge of a material breach of this Agreement by Business Associate, the Plans shall, at their election, either i Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement and the Services Agreement if Business Associate does not cure the breach or end the violation within the time specified by the Plans, 6/21/2018 Business Associate Agreement Page 6 • • ii Immediately terminate this Agreement and the Services Agreement if Business Associate has breached a material term of this Agreement and cure is not possible, or iii If neither termination nor cure is feasible, the Plans shall report the violation to the Secretary c Effect of Termination i Except as provided in Section 7(c)(ii), upon termination of this Agreement or the Services Agreement for any reason, Business Associate shall return all Protected Health Information received from the Plans, or created or received by Business Associate on behalf of the Plans, or, at the election of the Plans, Business Associate may alternatively certify in writing to the Plans that it has destroyed all Protected Health Information This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate Business Associate shall retain no copies of the Protected Health Information, including no electronic copies ii In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to the Plans notification of the conditions that make return or destruction infeasible Upon Business Associate's establishing to the Plans' reasonable satisfaction that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information 7 Miscellaneous a Regulatory References A reference in this Agreement to a section in the Privacy Rule, the Security Rule, or to any other regulation promulgated under HIPAA means the section as in effect or as amended b Indemnification. Business Associate agrees during and after the term of this Agreement to hold the Plans and the Company, and their respective trustees, officers, directors, employees, agents and affiliates, harmless from, and indemnify each of them against any and all claims, losses, liabilities penalties, fines, costs, damages and expenses, including reasonable attorneys' fees, incurred by or imposed upon any of them as a result of Business Associate's breach of this Agreement, HIPAA, the Privacy Rule or the Security Rule c Survival. The respective rights and obligations of the Parties under Sections 2, 5, 7(c) and 8 of this Agreement shall survive the termination of this Agreement d Interpretation Any ambiguity in this Agreement shall be resolved to permit the Plans to comply with the Privacy Rule, Security Rule and other provisions of HIPAA, including, but not limited to, any regulations promulgated under the HITECH Act e Governing Law The construction, interpretation and performance of this Agreement and all transactions under this Agreement shall be governed and enforced pursuant to the laws of the State of Idaho, except as such laws are preempted by any provision of 6/21/2018 Business Associate Agreement Page 7 • • federal law, including by ERISA or HIPAA Any action or proceeding arising out of or relating to this Agreement shall be brought and tried in a federal or state court of competent jurisdiction located in Idaho, and in no other forum or venue f No Third Party Beneficiary Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever g Controlling Provisions In the event that it is impossible to comply with both the Services Agreement and this Agreement, the provisions of this Agreement shall control with respect to those provisions of each agreement that expressly conflict h Effect This Agreement shall be binding upon, and shall inure to the benefit of, the Parties hereto and their respective successors, assigns, heirs, executors, administrators and other legal representatives Severability. In the event any provision of this Agreement is rendered invalid or unenforceable under any new or existing law or regulation, or declared null and void by any court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect if it reasonably can be given effect Counterparts This Agreement may be executed in any number of counterparts, each of which shall be deemed an original Facsimile copies thereof shall be deemed to be originals k Notices. All notices to be given pursuant to the terms of this Agreement shall be in writing and shall be deemed given four(4) business days after being sent by certified mail, return receipt requested, postage prepaid or one (1) business day after being sent by reputable overnight mail delivery to the other Party, at the address set forth above or at such other address as a Party may designate from time to time by notice pursuant to this Section 8(k) Amendment The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Plans to comply with the requirements of the HIPAA Privacy, EDI and Security Rules, and any other provisions of HIPAA including, but not limited to, any regulations promulgated under the HITECH Act IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date COMPANY BUSINESS ASSOCIATE By By Name STD ikaeteut Name Donald L Reiman Title �/ Title President/Founder Date 6-2 a Date 6/21/2018 Business Associate Agreement Page 8