Loading...
HomeMy WebLinkAboutES06-062 - Other - Flex-Plan Services, Inc. - HIPPA Compliance - 02/17/2010 Records Ma- erne KENT WASHINGTOM _ _ , y Document CONTRACT COVER SHEET This is to be completed by the Contract Manager prior to submission to City Clerks Office. All portions are to be completed. If you have questions, please contact City Clerk's Office. Vendor Name: FLnX - ?LPirt4 ��RV l CAS Vendor Number: 339 8 JD Edwards Number Contract Number: l�5o6,d & - This is assigned by City Clerk's Office Project Name: Description: ❑ Interlocal Agreement ❑ Change Order ❑ Amendment ❑ Contract UOther: J4kj?C?A RLlSIN'SS Ar-SOP, 14G2�s-�MP&Tf- Contract Effective Date: eP-11 - LD Termination Date: Contract Renewal Notice (Days): Number of days required notice for termination or renewal or amendment Contract Manager: Department: FamPlA`f��.�����G I[�S Detail: (i.e. address, location, parcel number, tax id, etc.): S:Public\RecordsManagement\Forms\ContractCover\adcc7832 1 11/08 P t BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the"Agreement') is entered into between Flex-Plan Services, Inc and City of Kent (Company Name)acting on behalf of the City of Kent Flexible Benefits Plan effective as of 02)17n0 (Effective Date or Date Signed) The parties intend to use this Agreement to satisfy the Business Associate Contract requirements in the regulations at 45 CFR 164 502(e)and 164 504(e), issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")and any requirements relating to Business Associates contained in the regulations issued pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009("HITECH") Any prospective amendment to the laws referenced shall automatically amend this agreement to incorporate said changes without further action I. Definitions 1 1 Terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in HIPAA, HITECH, and any current and future regulations or official guidance promulgated under HIPAA or HITECH 12 Breach `Breach"shall have the same meaning as the term"breach"in 45 CFR 164 402. 1 3 Business Associate "Business Associate"shall mean Flex-Plan Services, Inc ("Flex-Plan") 1 4 Covered Entity "Covered Entity' shall mean City of Kent Flexible Benefits Plan 1 5 Electronic Protected Health Information "Electronic Protected Health Information" ("EPHI") shall have the same meaning as the term "electronic Protected Health Information" in 45 CFR 160 103 1 6 Individual 'Individual'shall have the same meaning as the term"individual"in 45 CFR 160 103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164 502(g) 1 7 Privacy Rule "Privacy Rule'shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. 1 8 Protected Health Information "Protected Health Information" ("PHI")shall have the same meaning as the term"protected health information" in 45 CFR 160 103, limited to the information created or received by Business Associate from or on behalf of Covered Entity 19 Required by Law "Required by Law"shall have the same meaning as the term"Required by Law"in 45 CFR 164 103 1.10 Secretary "Secretary' shall mean the U S Secretary of the Department of Health and Human Services or his or her designee 1 11 Security Incident "Security Incident"shall have the same meaning as the term"security incident" in 45 CFR 164 304 1.12 Security Rule "Security Rule"shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part 164, subpart C 1.13 Standards for Electronic Transactions Rule "Standards for Electronic Transactions Rule' means the final regulations issued by HHS concerning standard transactions and code sets under the Administration Simplification provisions of HIPAA,45 CFR Part 160 and Part 162 1 14 Unsecured Protected Health Information "Unsecured Protected Health Information"shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h)of HITECH 1 020210.1 r II. Obligations and Activities of Flex-Plan 2.1 Flex-Plan agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law 22 Flex-Plan agrees to take reasonable steps to limit the use, disclosure, and requests for, PHI to the Minimum Necessary to accomplish the intended purpose The Minimum Necessary standard does not apply to 1) disclosures or requests by a health care provider for treatment purposes, (2) disclosures to the Individual who is the subject of the information, (3) uses or disclosures made pursuant to an Individual's authorization, (4) uses or disclosures required for compliance with HIPAA, (5) disclosures to the Department of Health and Human Services ("HHS")when disclosure of information is required under the Privacy Rule for enforcement purposes, (6) uses or disclosures that are required by other law 2.3 Flex-Plan agrees to develop, implement, maintain, and use appropriate administrative, technical,and physical safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement Flex-Plan will implement administrative, physical, and technical safeguards(including written policies and procedures)that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that Flex-Plan, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule 2.4 Flex-Plan shall notify Covered Entity of any Breach of Unsecured PHI of which it becomes aware Such notice shall include, to the extent possible, the information listed in 2 4 2 A Breach shall be treated as discovered as of the first day on which such Breach is known to Flex-Plan, other than the individual committing the Breach, or should reasonably have been known to Flex-Plan to have occurred 2 4 1 Notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a Breach by Flex-Plan 242 Notice of a Breach shall include,to the extent possible the following (1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known (n) A description of the types of Unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, or account number) (m) The steps Individuals should take to protect themselves from potential harm resulting from the Breach (iv) A brief description of any action taken to investigate the Breach, mitigate losses, and to protect against any further Breaches (v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address,Web site, or postal address 2.43 If a law enforcement official determines that a notification or notice would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed in the same manner as provided under 45 CFR 164 528(a)(2) 244 Flex-Plan will provide notice of Breach to the Individual(s)affected and such notice shall include,to the extent possible,the information listed in 2 4 2, unless, upon occurrence of a Breach, Covered Entity requests to disseminate or Flex-Plan and Covered Entity an—t` ' Covered Entity will disseminate the notice(s) Any notice provided by Coverec Individual(s)shall comply with the content requirements listed in section 2 4 2 as well as any requirements provided under HIPAA, HITECH, and other applicable government guidance 2.5 Flex-Plan agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement and/or any Security Incident of which it becomes aware 2 0202101 26 Flex-Plan agrees to obtain reasonable assurances that any agent, including a subcontractor,to whom it provides PHI received from, or created or received by Flex-Plan on behalf of, Covered Entity agrees to be bound by the same restrictions and conditions that apply to Flex-Plan,with respect to such information Moreover, Flex-Plan shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity's PHI 27 Flex-Plan agrees to make internal practices, books, and records, including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Flex-Plan on behalf of, the Covered Entity available to the Secretary,within ten (10) business days after receipt of written request or otherwise as designated by the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule 28 Flex-Plan agrees to document disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164 528 Flex-Plan will not be obligated to record disclosures of PHI or otherwise account for disclosures if Covered Entity need not account for such disclosures 29 Flex-Plan agrees to provide to Covered Entity or to an Individual,within ten (10) business days after receipt of written request, information collected in accordance with Section 2 8 of this Agreement, in order to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164 528 210 Flex-Plan agrees to provide access, at the request of Covered Entity and within ten(10) business days after receipt of written request,to PHI in a Designated Record Set,to Covered Entity or, as directed by Covered Entity,to an Individual in order to meet the requirements under 45 CFR 164524. 2.11 Flex-Plan agrees to make any amendment(s)to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164 526 at the request of Covered Entity or an Individual within ten (10) business days after receipt of written request 2.12 In the event that Flex-Plan transmits or receives any Covered Electronic Transaction on behalf of the Covered Entity, it shall comply with all applicable provisions of the Standards for Electronic Transactions Rule to the extent Required by Law, and shall ensure that any agents that assist Flex- Plan in conducting Covered Electronic Transactions on behalf of the Covered Entity agree in writing to comply with the Standards for Electronic Transactions Rule to the extent Required by Law 213 Flex-Plan shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless the Covered Entity obtained from the Individual, in accordance with 45 CFR 164 508, a valid authorization that includes a specification whether the PHI can be further exchanged for remuneration by the entity receiving PHI III. Permitted Uses and Disclosures by Business Associate 31 Except as otherwise limited in this Agreement, Flex-Plan may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity related to The Administrative Services Agreement between Flex-Plan and Covered Entity 32 Except as otherwise limited in this agreement, Flex-Plan may disclose PHI for the proper management and administration of Flex-Plan, provided that such disclosures are Required by Law, or Flex-Plan obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Flex-Plan of any instance of which it is aware in which the confidentially of the information has been Breached 33 Except as otherwise limited in this agreement, Flex-Plan may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164 504(e)(2)(i)(B). 34 Except as otherwise limited in this Agreement, Flex-Plan may use PHI for the proper management and administration of Flex-Plan or to carry out the legal responsibilities of Flex-Plan 35 Flex-Plan may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 164 5020)(1) 3 020210 1 r IV. Obligations of Covered Entity 41 Covered Entity shall notify Flex-Plan of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164 520, to the extent that such limitation may affect Flex-Plan's use or disclosure of PHI 42 Covered Entity shall notify Flex-Plan of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Flex-Plan's use or disclosure of PHI. 43 Covered Entity shall notify Flex-Plan of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164 522, to the extent that such restriction may affect Flex-Plan's use or disclosure of PHI V. Permissible Requests by Covered Entity 5.1 Covered Entity shall not request Flex-Plan to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except for uses or disclosures for the purposes of data aggregation, management, and administrative activities of Flex-Plan VI. Term and Termination 61 Term This Agreement shall be effective as of the date that it is entered into, and shall terminate when all of the PHI provided by Covered Entity to Flex-Plan or created or received by Flex-Plan on behalf of Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section 62 Termination for Cause Upon Covered Entity's knowledge of a material Breach of the terms hereof by Flex-Plan, Covered Entity shall provide written notice to Flex-Plan of the Breach, and Flex-Plan shall have the opportunity to cure that Breach within the time period reasonably required to cure that Breach In the event that Flex-Plan does not cure the Breach or end the violation within that time period,then Covered Entity shall be entitled to provide notice of termination of the terms hereof 63 Effect of Termination 6 3 1 It is agreed that due to the manner in which PHI is retained and the retention requirements of the Internal Revenue Service, returning or destroying all of the PHI received from Covered Entity or created or received by Flex-Plan on behalf of Covered Entity, is infeasible Therefore, Flex-Plan shall extend the protections of this Agreement to such PHI, and shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Flex-Plan maintains such PHI VII. Miscellaneous 7.1 Definitions Terms used, but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations and other official government guidance 72 Regulatory References A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended 7.3 Amendment This Agreement shall automatically amend to incorporate changes by Congressional act or by regulations of the Secretary of HHS that affect Business Associate or Covered Entity's obligations under this Agreement 74 Survival The respective rights and obligations of Flex-Plan under Section 6 3 1 of this Agreement shall survive the termination of the term of this Agreement 75 No Third-Party Rights Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever 76 Governing Law This Agreement shall be governed by and construed in accordance with the laws of the State of Washington to the extent not preempted by the Privacy and Security Rules or other applicable federal law 4 0202101 IN WITNESS WHEREOF,the Parties hereto have executed this Agreement effective as of the date first stated above Flex-Plan Services, Inc. By Tina Shozen Title Privacy Officer Date 2/2/2010 Covered Entity: City of Kent on behalf of the City of Kent Flexible Benefits Plan By Becky Fowler Title Benefits Manager Date February 17, 2010 5 020210 1