Loading...
HomeMy WebLinkAboutES05-315 - Other - Premera Blue Cross - Business Associate Agreement - 01/10/2005 • 4 " PREMERA BLUE CROSS BUSINESS ASSOCIATE AGREEMENT FOR GROUPS NOT SUBJECT TO ERISA This Business Associate Agreement(the"Agreement")shall be entered into by and between Premera Blue Cross (the "Claims Administrator"),and_City Of Kent_, the"Plan Sponsor"and the" Health Plan" (the"HP")(as defined below)effective_January 1, 2005_, and shall be made part of the Administrative Services Contract(the"Contract")between the Claims Administrator and the Plan Sponsor. Recitals. 1. In 1996, Congress enacted the Health Insurance Portability and Accountability Act("HIPAA"), which required, among other things,the promulgation of privacy rules governing the use and disclosure of protected health information. 2. In pertinent part, the HIPAA privacy rules,codified at 45 C.F.R. Parts 160 and 164, subparts A and E, and as amended(the"Privacy Rule")require that covered entities, including the HP, maintain business associate agreements with third parties that provide certain services for and on behalf of the HP, including the Claims Administrator, and outline specific contractual requirements to be incorporated into the business associate agreements. 3. In addition to being the business associate of the HP, the Claims Administrator is also a covered entity, as defined in the Privacy Rule, and has policies, procedures and practices in place to ensure compliance with the Privacy Rule. 4. Because the Claims Administrator is regulated under other state and federal privacy laws, it has adopted the term "protected personal information"or"PPI"(as defined below)and will apply the obligations contained in this Agreement to that information. NOW,THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, the Plan Sponsor,the HP and the Claims Administrator hereby agree as follows: 1. Definitions. The following definitions shall apply in interpreting this Agreement. Terms used, but not otherwise defined shall have the same meaning as those terms in the Privacy Rule(as defined below): 1.1 Health Plan or HP. The HP shall be defined consistent with 45 CFR 160.103, and as amended. 1.2 Individual. "Individual"shall mean the person who is the subject of the PPI or their personal representative(as defined in§164.502(g)of the Privacy Rule). 1.3 Protected Personal InkMation or PPI. "PPI"shall mean any and all information created or received by the Claims Administrator,that identifies or can readily be associated with the identity of an Individual,whether oral or recorded in any form or medium,that directly related to: (1)the past, present or future physical, mental or behavioral health or condition of an Individual; (2)the past, present or future payment for the provision of health care to an Individual; (3)the provision of health care to an Individual, and(4)the past, present or future finances of an Individual, including,without limitation, an Individual's name, address,telephone number, Social Security Number, subscriber number or wage information. Q 1.4 Secrets . "Secretary'shall mean the Secretary of the Department of Health and Human Services or his designee. 2. HP. The Claims Administrator, Plan Sponsor and HP all agree to add the HP as a party to the Contract and acknowledge that the HP's obligations under the Contract are contained completely in this Agreement. 3. Safeauard of PPI. The Claims Administrator will maintain reasonable and appropriate administrative, technical and physical safeguards, as required by applicable laws to protect against reasonably anticipated threats or hazards to, and to ensure, the security and integrity of PPI,to protect against reasonably anticipated unauthorized use or disclosure of PPI, and to reasonably safeguard PPI from any intentional or unintentional use or disclosure in violation of the Agreement. 4. Permitted Uses and Disclosures of PPI by the Claims Administrator. 4.1 Functions and Activities on the HP's Behalf. The Claims Administrator shall be permitted to use and disclose PPI for (a)the management,operation and administration of the HP and (b)as otherwise necessary to provide the services set forth in the Contract, including, but not limited to activities related to Payment and Health Care Operations as defined in §164.501 of the Privacy Rule. 42 Disclosures to the Plan Sponsor.the HP or other Business Associates of the HP. Except as otherwise permitted by written directive from HP,the Claims Administrator will not disclose PPI to the Plan Sponsor,the HP or to another business associate of the HP. The Claims Administrator, may disclose PPI only to those individuals employed by the HP or business associates of the HP, including, without limitation, the HP's broker The HP, identified in writing by the HP as individuals to whom PPI can be disclosed The HP must provide this written directive to the Claims Administrator as soon as possible but in any event no later than the effective date of the Contract. The HP must promptly notify the Claims Administrator of any changes to the written directive 4.3 Functions and Activities on the Claims Administrator's Behalf. The Claims Administrator shall be permitted to use PPI as necessary for the Claims Administrator's management and administration or to carry out its legal responsibilities as permitted or required by law The Claims Administrator shall also be permitted to disclose PPI to its business associates, subcontractors or other third parties as necessary for proper management and administration of the Claims Administrator, or to carry out the Claims Administrator's legal responsibilities(a)if the disclosure is required by law or(b)if before the disclosure is made, the Claims Administrator, obtains a contract from the entity to which the disclosure is to be made containing reasonable assurances that the entity will also comply with the Privacy Rule's business associate requirements. 5. Minimum Necessary. The HP and the Plan Sponsor will make reasonable efforts to request from the Claims Administrator only the minimum amount of PPI necessary for its needed purpose. In addition, the HP and the Plan Sponsor will make reasonable efforts to only disclose to the Claims Administrator the minimum amount of PPI necessary for the Claims Administrator to perform the services identified in the Contract and other functions and activities referenced in Section 4 of this Agreement. Finally, the Claims Administrator will make reasonable efforts to use, disclose,or request only the minimum amount of PPI necessary from any third party to perform the services identified in the Contract and other functions and activities referenced in Section 4 of this Agreement. 6. Other Privacy Obtiaationji of the Claims Administrator. The Claims Administrator shall, a ' 6.1 Not use or further disclose PPI other than as permitted or required by the Contract, the Agreement or law; 6.2 Report to HP any actual use or disclosure of PPI concerning HP's Members not permitted or required by the Contract,the Agreement or law of which it becomes aware; 6.3 Ensure that any agents, including a subcontractor,to whom it provides PPI received from, or created or received by the business associate on behalf of, the HP agree to the same restrictions and conditions as outlined in the Privacy Rule that apply to a business associate with respect to such information; 6.4 Make available PPI as required by§164.524; 6.5 Make available PPI for amendment and incorporate any amendments to PPI as required by§164.526; 6.6 Make available the information required to provide an accounting of disclosures as required by§164.528; 6.7 Make its internal practices, books, and records relating to the use and disclosure of PPI received from, or created or received by the Claims Administrator on behalf of, the HP available to the Secretary for purposes of determining the HP's compliance with the Privacy Rule; and 6.8 Restrict the use and disclosure of PPI in accordance with §164 522 and consistent with the Claims Administrator's policies, procedures and practices. 7. The Claims Administrator's Privacy-Related Services Reaardina Reauests by Individuals Upon receipt,the HP shall immediately provide notice to and forward any and all individual requests received pursuant to§164.522, §164.524, §164.526 or§164 528 of the Privacy Rule (collectively referred to as the"Requests")consistent with Exhibit D-1 Upon the Claims Administrator's receipt of the Requests, either from the HP or directly from the Individual, the Claims Administrator shall. 7.1 Evaluate each request consistent with the Privacy Rule and the Claims Administrator's policies, procedures and practices; 7.2 For Requests that may affect the policies, procedures or practices of the HP, coordinate with the HP about evaluation of the Requests and mutually agree on the result; 7.3 For Requests that may involve the HP's other business associates, request information from the business associates identified by the HP necessary for fulfilling the Requests; 7.4 Communicate the result of the evaluation directly to the Individual within the legal timeframes established for each type of request; and 7.5 Notify the HP of the outcome of each Request identified by the HP at the time of notice to the Claims Administrator; and 7.6 Implement each Request that is granted. Such services shall be included in the Claims Administrator's Administration Fee set forth in Attachment C in the Contract 8. HP's Notice of Privacy Practices. 11 .�. 8.1 Preparation of the HP'$ N9ft of Privacy Practices. Claims Administrator will provide the HP a copy of notice of privacy practices as it relates to the Claims Administrator's functions and activities contained in the Contract and this Agreement, which the HP shall incorporate into the HP's Notice of Privacy Practices(the"Privacy Notice"). 8.2 Amendment of the HP's Privacy Notice. the HP shall be responsible for modifying the Privacy Notice in the event that the HP,the Plan Sponsor or the Claims Administrator materially changes its privacy policies, procedures or practices that affect the Privacy Notice. The party necessitating the change to the Privacy Notice shall bear any reasonable costs associated with revising and distributing the Privacy Notice. The HP, the Plan Sponsor and the Claims Administrator will not institute such material change before the effective date of the HP's revised Privacy Notice. 8.3 Distribution of the HP's Privacy Notice of Privacy Practices. The HP shall be responsible for the distribution of its Privacy Notice, and any revisions to its Privacy Notice within a reasonable time. 9. Term and Termination. 9.1 Term. The Term of this Agreement shall begin as of the Effective Date contained herein and shall remain in effect for the duration of the Contract. 9.2 'Termination for Breach of Privacy Obligations. The HP will have the right to terminate the Contract if the Claims Administrator has engaged in a pattern of activity or practice that constitutes a material breach or violation of the Claims Administrator's obligations regarding PPI under this Agreement. The contractual requirements for termination are outlined in the Contract. 9.3 Effect of Termination. a. Return or Destruction of PPI Upon Termination of Contract. Upon cancellation, termination, expiration or other conclusion of the Contract, the Claims Administrator will, if feasible, return to the HP or else destroy PPI, in whatever form or medium that the Claims Administrator, created or received for or from the HP, including all copies of and any data or compilations derived from such PPI that allow identification of any Individual. The Claims Administrator will complete such return or destruction as promptly as practical, but not later than sixty days after the effective date of the cancellation, termination, expiration or other conclusion of the Contract. b. Reimbursement. The Plan Sponsor will reimburse the Claims Administrator's reasonable costs and expenses incurred in returning or destroying such PPI. C. Disposition When Return or Destruction of PPI is Not Feasible. In the event that returning or destroying the PPI is not feasible as determined by the Claims Administrator,the Claims Administrator will limit further use or disclosure of the PPI to those purposes that make their return to the HP or destruction infeasible and shall extend the privacy protections contained herein to that PPI for as long as the Claims Administrator retains it. a , 10. Order of Precedence. This Agreement shall supersede and replace any and all provisions in the Contract concerning confidentiality or privacy. In addition, the notice provisions of this Agreement shall prevail over the Contract only to the extent that such notice is related to the obligations contained herein. Except as otherwise provided in this section, in the event that any other terms or conditions contained in this Agreement conflict or are inconsistent with the Contract, the terms and conditions of the Contract shall prevail. IN WITNESS WHEREOF,the partles have signed this Agreement effective as of the date indicated above. CLAIMS ADMINISTRATOR / ,.�. XAAIM [�/ Its: President and Chief Executive Officer PLAN SPONSOR .9 Its: I Dated: I-1 O-OS HP Its: Dated: Order of Precedence. This Agreement shall supersede and replace any and all provisions in the Contract concerning confidentiality or privacy. In addition,the notice provisions of this Agreement shall prevail over the Contract only to the extent that such notice is related to the obligations contained herein. Except as otherwise provided in this section, in the event that any other terms or conditions contained in this Agreement conflict or are inconsistent with the Contract,the terms and conditions of the Contract shall prevail. T - EXHIBIT D-1 NON-ERISA GROUP BUSINESS ASSOCIATE AGREEMENT Notification Requirements Privacy-Related Services Regarding Requests All notices required under Section 7 this Agreement shall be given in writing, delivered by facsimile or in person, and addressed as follows: HP: Lt&Name) (Department) - ° (Telephone Number) e253- �3`310- fo.2`I (Fax Number) Claims Administrator: Premera Blue Cross Complaints and Appeals Department P.O. Box 91102 Seattle,WA 98111-9202 Telephone. 1.800.345.6784 Fax-425.918 5592 � k k EL A ■ 2 E k \ � \ 2 a ƒ ƒ \ CD ■ 7 2 a ■ � e o> a ccƒƒ\ . L: $ E - ( O c kto 0 § § � k ¥ '0B CL k � . ° c e V e t ■ ) } 2 N 2 a � O 2 ® o / ) % ] c 7 k k $ � § ■ 2 § e 5 E � E » < I kP ) D § GECl m 2 � § o � OD — § \ 7 / 0 (D & £ § om aa,0 A fJ G { § § 7 Ra § � uj § ) k }o § � � 2 c m j E / i a / © » 2 z % E 0 -0 2 ; k ; ff % � co 0 1 co e- � ■ � \ • k 0k w § ■ .. % E � 0 2 0 / a § 0ia f / k \