The URL can be used to link to this page

Home My WebLink AboutCAG2003-0526 - Other - NorthStar Administrators - Business Associate Addendum to Administrative Service Contract for Erisa Groups - 04/14/2003 BUSINESS ASSOCIATE ADDENDUM TO ADMINISTRATIVE SERVICE CONTRACT FOR ERISA GROUPS An Administrative Service Contract(the "Agreement") was entered into by and between NorthStar Administrators (the"Claims Administrator") and City of Kent(the "Plan Sponsor") on January 1, 2003. This Business Associate Addendum(the "Addendum") shall be entered into by and between the Claims Administrator, the Plan Sponsor and the Group Health Plan(the "GHP") (as defined below) effective on April 14, 2003 (the"Effective Date"), and shall be incorporated into and be made a part of the Agreement. Recitals. 1. In 1996, Congress enacted the Health Insurance Portability and Accountability Act ("HIPAA"),which required, among other things, the promulgation of privacy rules governing the use and disclosure of protected health information. 2. In pertinent part, the HIPAA privacy rules, codified at 45 C.F.R. Parts 160 and 164, subparts A and E, and as amended(the "Privacy Rule") require that covered entities, including the GHP,maintain business associate agreements with third parties that provide certain services for and on behalf of the GHP, including the Claims Administrator, and outline specific contractual requirements to be incorporated into the business associate agreements. 3. In addition to being the business associate of the GHP, the Claims Administrator is a member of a holding system of health plans that includes covered entities, as defined in the Privacy Rule, and as such has policies, procedures and practices in place,which are applied consistently to each member of the holding system, in order to ensure compliance with the Privacy Rule. 4. Because the Claims Administrator is regulated under other state and federal privacy laws, it has adopted the term"protected personal information' or"PPI" (as defined below) and will apply the obligations contained in this Addendum to that information. 5. Thus, the Plan Sponsor, the GHP and the Claims Administrator mutually agree to amend the Agreement to incorporate the terms of this Addendum to comply with the Privacy Rule. NOW, THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth,the Plan Sponsor,the GHP and the Claims Administrator hereby agree as follows: 1. Definitions. The following definitions shall apply in interpreting this Agreement. Terms used, but not otherwise defined shall have the same meaning as those terms in the Privacy Rule (as defined below): 1.1 Group Health Plan or GHP. The GHP shall be defined consistent with 45 CFR 164.103, and as amended. 1.2 Individual. "Individual'shall mean the person who is the subject of the PPI or their personal representative (as defined in §164.502(g) of the Privacy Rule). 1.3 Protected Personal Information or PPI. "PPI" shall mean any and all information created or received by the Claims Administrator,that identifies or can readily be associated with the identity of an Individual, whether oral or recorded in any form or medium, that directly related to: (1)the past, present or future physical, mental or behavioral health or condition of an Individual; (2) the past, present or future payment for the provision of health care to an Individual; (3) the provision of health care to an Individual; and (4)the past, present or future finances of an Individual, including,without limitation, an Individual's name, address,telephone number, Social Security Number, subscriber number or wage information. 1.4 Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. 2. GHP. The Claims Administrator, Plan Sponsor and GHP all agree to add the GHP as a party to the Agreement and acknowledge that the GHP's obligations under the Agreement are contained completely in this Addendum. 3. Safeeuard of PPI. The Claims Administrator will maintain reasonable and appropriate administrative, technical and physical safeguards, as required by applicable laws to protect against reasonably anticipated threats or hazards to, and to ensure,the security and integrity of PPI,to protect against reasonably anticipated unauthorized use or disclosure of PPI and to reasonably safeguard PPI from an safe uar intentional or unintentional Y use or disclosure in violation of the Addendum. 4. Permitted Uses and Disclosures of PPI by the Claims Administrator. 4.1 Functions and Activities on the GHP's Behalf. The Claims Administrator shall be permitted to use and disclose PPI for(a)the management, operation and administration of the GHP and (b) as otherwise necessary to provide the services set forth in the Agreement, including,but not limited to activities related to Payment and Health Care Operations as defined in §164.501 of the Privacy Rule. 4.2 Disclosures to the Plan Sponsor, the GHP or other Business Associates of the GHP. Except as otherwise permitted by this Addendum or another written directive from GHP, the Claims Administrator, will not disclose PPI to the Plan Sponsor,the GHP or to another business associate of the GHP. The Claims Administrator, may disclose PPI only to those individuals employed by the GHP, Plan Sponsor or other business associates of the GHP, including, without limitation, the GHP's broker, identified in Exhibit G-1, which is attached hereto and incorporated herein. The GHP must promptly notify the Claims Administrator of any changes to Exhibit G-1. 4.3 Functions and Activities on the Claims Administrator's Behalf. The Claims Administrator shall be permitted to use PPI as necessary for the Claims Administrator's management and administration or to carry out its legal responsibilities as permitted or required by law. The Claims Administrator shall also be permitted to disclose PPI to its business associates, subcontractors or other third parties as necessary for proper management and administration of the Claims Administrator, or to carry out the Claims Administrator's legal responsibilities (a) if the disclosure is required by law or (b) if before the disclosure is made, the Claims Administrator, obtains a contract from the entity to which the disclosure is to be made containing reasonable assurances that the entity will also comply with the Privacy Rule's business associate requirements. 5. Minimum Necessary. The GHP and the Plan Sponsor will make reasonable efforts to request from the Claims Administrator only the minimum amount of PPI necessary for its needed purpose. In addition,the GHP and the Plan Sponsor will make reasonable efforts to only disclose to the Claims Administrator the minimum amount of PPI necessary for the Claims Administrator to perform the services identified in the Agreement and other functions and activities referenced in Section 3 of this Addendum. Finally, the Claims Administrator will make reasonable efforts to use, disclose, or request only the minimum amount of PPI necessary from any third party to perform the services identified in the Agreement and other functions and activities referenced in Section 3 of this Addendum. 6. Other Privacy Obligations of the Claims Administrator. The Claims Administrator shall: 6.1 Not use or further disclose PPI other than as permitted or required by the Agreement, the Addendum or law; 6.2 Report to GHP any actual use or disclosure of PPI concerning GHP's Participants, Dependents and Beneficiaries not permitted or required by the Agreement, the Addendum or law of which it becomes aware; 6.3 Ensure that any agents, including a subcontractor,to whom it provides PPI received from, or created or received by the business associate on behalf of,the GHP agree to the same restrictions and conditions as outlined in the Privacy Rule that apply to a business associate with respect to such information; 6.4 Make available PPI as required by §164.524; 6.5 Make available PPI for amendment and incorporate any amendments to PPI as required by §164.526; 6.6 Make available the information required to provide an accounting of disclosures as required by §164.528; 6.7 Make its internal practices, books, and records relating to the use and disclosure of PPI received from, or created or received by the Claims Administrator on behalf of, the GHP available to the Secretary for purposes of determining the GHP's compliance with the Privacy Rule; and 6.8 Restrict the use and disclosure of PPI in accordance with §164.522 and consistent with the Claims Administrator's policies, procedures and practices. 7. The Claims Administrator's Privacy-Related Services Regarding Requests by Individuals. Upon receipt, the GHP shall immediately provide notice to and forward any and all individual requests received pursuant to §164.522, §164.524, §164.526 or §164.528 of the Privacy Rule(collectively referred to as the "Requests") consistent with Exhibit G-2. Upon the Claims Administrator's receipt of the Requests, either from the GHP or directly from the Individual, the Claims Administrator shall: 7.1 Evaluate each request consistent with the Privacy Rule and the Claims Administrator's policies, procedures and practices; 7.2 For Requests that may affect the policies,procedures or practices of the GHP, coordinate with the GHP about evaluation of the Requests and mutually agree on the result; 7.3 For Requests that may involve the GHP's other business associates, request information from the business associates identified by the GHP necessary for fulfilling the Requests; 7.4 Communicate the result of the evaluation directly to the Individual within the legal timeframes established for each type of request; and 7.5 Notify the GHP of the outcome of each Request identified by the GHP at the time of notice to the Claims Administrator; and 7.6 Implement each Request that is granted. For providing such services,the GHP shall compensate the Claims Administrator pursuant to the Fee Schedule attached as Exhibit G-3. 8. GHP's Notice of Privacy Practices. 8.1 Preparation of the GHP's Notice of Privacy Practices. Claims Administrator will provide the GHP a copy of notice of privacy practices as it relates to the Claims Administrator's functions and activities contained in the Agreement and this Addendum,which the GHP shall incorporate into the GHP's Notice of Privacy Practices(the "Privacy Notice"). 8.2 Amendment of the GHP's Privacy Notice. the GHP shall be responsible for modifying the Privacy Notice in the event that the GHP,the Plan Sponsor or the Claims Administrator materially changes its privacy policies, procedures or practices that affect the Privacy Notice. The party necessitating the change to the Privacy Notice shall bear any reasonable costs associated with revising and distributing the Privacy Notice. The GHP, the Plan Sponsor and the Claims Administrator will not institute such material change before the effective date of the GHP's revised Privacy Notice. 8.3 Distribution of the GHP's Privacy Notice of Privacy Practices. The GHP shall be responsible for the distribution of its Privacy Notice, and any revisions to its Privacy Notice within a reasonable time. 9. Term and Termination. 9.1 Term. The Term of this Addendum shall begin as of the Effective Date contained herein and shall remain in effect for the duration of the Agreement. 9.2 Termination for Breach of Privacy Obliizations. The GHP will have the right to terminate the Agreement if the Claims Administrator has engaged in a pattern of activity or practice that constitutes a material breach or violation of the Claims Administrator's obligations regarding PPI under this Addendum. The contractual requirements for termination are outlined in the Agreement. 9.3 Effect of Termination. a. Return or Destruction of PPI Upon Termination of Agreement. Upon cancellation, termination, expiration or other conclusion of the Agreement,the Claims Administrator will, if feasible, return to the GHP or else destroy PPI, in whatever form or medium that the Claims Administrator,created or received for or from the GHP, including all copies of and any data or compilations derived from such PPI that allow identification of any Individual. The Claims Administrator will complete such return or destruction as promptly as practical, but not later than sixty days after the effective date of the cancellation, termination, expiration or other conclusion of the Agreement. b. Reimbursement. The Plan Sponsor will reimburse the Claims Administrator's reasonable costs and expenses incurred in returning or destroying such PPI. C. Disposition When Return or Destruction of PPI is Not Feasible. In the event that returning or destroying the PPI is not feasible as determined by the Claims Administrator, the Claims Administrator will limit further use or disclosure of the PPI to those purposes that make their return to the GHP or destruction infeasible and shall extend the privacy protections contained herein to that PPI for as long as the Claims Administrator retains it. 10. Order of Precedence. This Addendum shall supercede and replace any and all provisions in the Agreement concerning confidentiality or privacy. In addition,the notice provisions of this Addendum shall prevail over the Agreement only to the extent that such notice is related to the obligations contained herein. Except as otherwise provided in this section, in the event that any other terms or conditions contained in this Addendum conflict or are inconsistent with the Agreement,the terms and conditions of the Agreement shall prevail. IN WITNESS WHEREOF, the parties have signed this Addendum effective as of the date indicated above. CLAIMS ADMINISTRATOR pig/ Its: President PLAN SPONSOR SIGNATURE /Signature Printed Its: Dated: 4- 9 -o3 GHP Signature Printed Its: Dated: I EXHIBIT G-1 GHP's Authorized Representatives GHP authorizes the Claims Administrator to disclose PPI to achieve the purpose(s) as outlined below to the following people that are (a)employed by the GHP, (b) employed by the Plan Sponsor or (c) employed by a business associate of the GHP: Date Entity Name Purpose for Disclosure (mm/dd/yy) (GHP or Plan Sponsor) o� 3 EXHIBIT G-2 Notification Requirements Privacy-Related Services Regarding Requests All notices required under Section 7 this Addendum shall be given in writing, delivered by facsimile or in person, and addressed as follows: GHP: (Name) (Department) (Telephone Number) (Fax Number) Claims Administrator: NorthStar Administrators Complaints and Appeals Department P.O. Box 91102 Seattle, WA 98 1 1 1-9202 Telephone: 1.800.345.6784 Fax: 425.918.5592 EXHIBIT G-3 Fee Schedule for Privacy-Related Services Administration of requests from individuals will be based on a per request basis.