ES05-315 - Other - Premera Blue Cross - Addendum to Business Associate Agreement - 04/14/2005

PREMERA BLUE CROSS

ADDENDUM TO BUSINESS ASSOCIATE AGREEMENT FOR GROUPS NOT SUBJECT TO ERISA

A Business Associate Agreement ("the Agreement") was entered into by and between Premera Blue Cross (the "Claims Administrator"), City of Kent (the "Plan Sponsor") and the Health Plan (the "HP"). The Agreement was made part of the Administrative Services Contract (the "Contract") between the Claims Administrator and the Plan Sponsor that was effective January 1, 2005. This Addendum ("Addendum") is made effective as of April 20, 2005, and shall be incorporated into and be made a part of the Agreement, which is in turn made a part of the Contract.

Recitals.

1. In pertinent part, the HIPAA security rule, codified at 45 C.F.R. Parts 160, 162 and 164, Subparts A and C, and as amended (the "Security Rule"), requires that a covered entity, such as the HP, incorporate specific requirements regarding the protection of electronic protected health information ("EPHI") (as defined below) into agreements with its business associates that handle EPHI.

2. Certain obligations of Claims Administrator with regard to PPI (as defined in the Agreement) are outlined in the Agreement. PHI and EPHI (as defined below) are subsets of PPI. To comply with the Security Rule, the HP and the Claims Administrator agree to amend the Agreement to incorporate the terms of this Addendum, which imposes additional obligations on Claims Administrator with regard to EPHI.

NOW, THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, the Plan Sponsor, HP and the Claims Administrator agree as follows:

1. Definitions.

1.1 EPHI. "EPHI" (Electronic Protected Health Information) shall mean any and all PHI transmitted by or maintained in electronic media.

1.2 Individual.
"Individual" shall have the same meaning as the term "individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

1.3 PHI. "PHI" (Protected Health Information) shall mean any and all information created or received by Claims Administrator from or on behalf of HP that identifies or can readily be associated with the identity of an Individual, whether oral or recorded in any form or medium, that directly relates to: (1) the past, present or future physical, mental or behavioral health or condition of an Individual; (2) the past, present or future payment for the provision of health care to an individual; or (3) the provision of health care to an Individual.

1.4 Security Incident. "Security Incident" shall have the meaning ascribed to it in the Security Rule, including any subsequent modifications thereto. "Security Incident" is currently defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

1.5 Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his duly appointed designee.

2. Safeguard of EPHI. The Claims Administrator must implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of the HP.

PBC NON-ERISA SECURITY BAA April 20, 2005

3. Claims Administrator's Agents. Claims Administrator shall ensure that any agent, including a subcontractor, to whom it provides EPHI, agrees to implement reasonable and appropriate safeguards to protect it.

4. Reporting of Security Incidents. Claims Administrator agrees to notify the GHP of any Security Incident of which it becomes aware.
However, the obligation to report a Security Incident shall not include immaterial incidents, such as unsuccessful attempts to penetrate Claims Administrator's Information Systems.

5. Policies, Procedures and Documentation. Claims Administrator agrees to make its policies, procedures and documentation relating to safeguards required by this Addendum available to the Secretary for purposes of determining the HP's compliance with the Security Rule.

6. Term and Termination.

6.1. Term. The Term of this Addendum shall begin as of the Effective Date contained herein and shall remain in effect for the duration of the Contract.

6.2. Termination for Breach of Security Obligations. The HP will have the right to terminate the Contract if the Claims Administrator has engaged in a pattern of activity or practice that constitutes a material breach or violation of the Claims Administrator's obligations regarding EPHI under this Addendum. The contractual requirements for termination are outlined in the Contract.

7. Effect on Privacy Obligations in Agreement. Claims Administrator acknowledges and agrees that this Addendum shall supplement, not supersede, the provisions of the Agreement.

IN WITNESS WHEREOF, the parties have signed this Addendum effective as of April 20, 2005.

CLAIMS ADMINISTRATOR
Its: Vice President, Information Technology Infrastructure and Information Security Officer

PLAN SPONSOR
Its:
Dated:

HP
Its:
Dated: