ES09-352 - Other - Premera Blue Cross - Attachment E - Business Associate Agreement - 04/20/2005

KENT, WASHINGTON - Records Management Document

CONTRACT COVER SHEET

This is to be completed by the Contract Manager prior to submission to City Clerks Office. All portions are to be completed. If you have questions, please contact City Clerk's Office.

Vendor Name:
Vendor Number: (JD Edwards Number)
Contract Number: [illegible] (This is assigned by City Clerk's Office)
Project Name: [illegible]
Description: ❑ Interlocal Agreement ❑ Change Order ❑ Amendment ❑ Contract ☒ Other:
Contract Effective Date: [illegible]
Termination Date:
Contract Renewal Notice (Days): (Number of days required notice for termination or renewal or amendment)
Contract Manager: [illegible]
Department: [illegible]
Detail: (i.e. address, location, parcel number, tax id, etc.):

S:\Public\RecordsManagement\Forms\ContractCover\adcc7832 1 11/08

PREMERA

BUSINESS ASSOCIATE AGREEMENT FOR GROUPS NOT SUBJECT TO ERISA
BETWEEN PREMERA BLUE CROSS AND CITY OF KENT
EFFECTIVE APRIL 20, 2005

This Business Associate Agreement (the "Agreement") shall be entered into by and between Premera Blue Cross (the "Claims Administrator"), and the group named above (the "Plan Sponsor" and the "Health Plan (HP)" as defined below). The Agreement shall be effective on the date shown above and shall be made part of the Administrative Services Contract (the "Contract") between the Claims Administrator and the Plan Sponsor.

Recitals

1.
In 1996, Congress enacted the Health Insurance Portability and Accountability Act ("HIPAA"), which required, among other things, the promulgation of privacy rules governing the use and disclosure of protected health information ("PHI") (as defined below), and the protection of electronic protected health information ("EPHI") (as defined below).

2. In pertinent part, the implementation regulations for HIPAA, codified at 45 C.F.R. Parts 160, 162 and 164, subparts A, C and E, and as amended (collectively referred to as the "HIPAA Rules") require covered entities, such as the HP, to maintain a written agreement with specific provisions concerning PHI and EPHI with its Business Associates (as defined in 45 C.F.R. 160.103 and as amended).

3. In addition to being the business associate of the HP, the Claims Administrator is also a covered entity, as defined in the HIPAA Rules, and has policies, procedures and practices in place to ensure compliance with the HIPAA Rules as well as other state and federal privacy laws, which protect personal financial, health and other information, that apply to the Company (collectively referred to as the "Privacy Laws").

4. The Claims Administrator has adopted the term "protected personal information" or "PPI" (as defined below) to encompass PHI and the additional information protected by the Privacy Laws, and will apply the requirements of the HIPAA privacy rules to PPI.

NOW, THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, the Plan Sponsor, the HP and the Claims Administrator hereby agree as follows:

1. Definitions.
The following definitions shall apply in interpreting this Agreement. Terms used, but not otherwise defined, shall have the same meaning as those terms in the Privacy Rule (as defined below).

1.1 EPHI. "EPHI" (Electronic Protected Health Information) shall mean any and all PHI transmitted by or maintained in electronic media.

1.2 Health Plan or HP. The HP shall be defined consistent with 45 CFR 160.103, and as amended.

BUSINESS ASSOCIATE AGREEMENT 012190(05-2008) An Independent Licensee of the Blue Cross Blue Shield Association

1.3 Individual. "Individual" shall mean the person who is the subject of the PPI or their personal representative (as defined in 45 CFR 164.502(g)).

1.4 PHI. "PHI" (Protected Health Information) shall mean any and all information created or received by Claims Administrator from or on behalf of HP that identifies or can readily be associated with the identity of an Individual, whether oral or recorded in any form or medium, that directly relates to (1) the past, present or future physical, mental or behavioral health or condition of an Individual, (2) the past, present or future payment for the provision of health care to an Individual, or (3) the provision of health care to an Individual.

1.5 Protected Personal Information or PPI. "PPI" shall mean PHI and any and all information created or received by the Claims Administrator from or on behalf of HP that identifies or can readily be associated with the identity of an Individual, whether oral or recorded in any form or medium, that directly relates to the past, present or future finances of an Individual, including, without limitation, an Individual's name, address, telephone number, Social Security Number, subscriber number or wage information.

1.6 Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his duly appointed designee.

1.7 Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR 164.304, including any subsequent
modifications thereto.

2. HP. The Claims Administrator and the Plan Sponsor and HP all agree that the HP shall be added as a party to the Contract and acknowledge that the HP's obligations under the Contract are contained completely in this Agreement. The signature of the Plan Sponsor to this Agreement shall be agreed to be the signature of the HP and binding on behalf of both the Plan Sponsor and the HP.

3. Permitted Uses and Disclosures of PPI by the Claims Administrator.

3.1 Functions and Activities on the HP's Behalf. The Claims Administrator shall be permitted to use and disclose PPI for (a) the management, operation and administration of the HP and (b) as otherwise necessary to provide the services set forth in the Contract, including, but not limited to activities related to Payment and Health Care Operations as defined in 45 CFR 164.501.

3.2 Disclosures to the Plan Sponsor, the HP or other Business Associates of the HP. Except as otherwise permitted by written directive from HP, the Claims Administrator will not disclose PPI to the Plan Sponsor, the HP or to another business associate of the HP. The Claims Administrator may disclose PPI only to those individuals employed by the HP or business associates of the HP, including, without limitation, the HP's broker, identified in writing by the HP as individuals to whom PPI can be disclosed. The HP must provide this written directive to the Claims Administrator as soon as possible but in any event no later than the effective date of the Contract. The HP must promptly notify the Claims Administrator of any changes to the written directive.

3.3 Functions and Activities on the Claims Administrator's Behalf. The Claims Administrator shall be permitted to use PPI as necessary for the Claims Administrator's management and administration or to carry out its legal responsibilities as permitted or required by law. The Claims Administrator shall also be permitted to disclose PPI to its Business Associates, subcontractors or other third
parties as necessary for proper management and administration of the Claims Administrator, or to carry out the Claims Administrator's legal responsibilities (a) if the disclosure is required by law or (b) if before the disclosure is made, the Claims Administrator obtains a contract from the entity to which the disclosure is to be made containing reasonable assurances that the entity will also comply with the HIPAA Rules' business associate requirements.

4. Minimum Necessary. The HP and the Plan Sponsor will make reasonable efforts to request from the Claims Administrator only the minimum amount of PPI necessary for its needed purpose. In addition, the HP and the Plan Sponsor will make reasonable efforts to only disclose to the Claims Administrator the minimum amount of PPI necessary for the Claims Administrator to perform the services identified in the Contract and other functions and activities referenced in Section 3 of this Agreement. Finally, the Claims Administrator will make reasonable efforts to use, disclose, or request only the minimum amount of PPI necessary from any third party to perform the services identified in the Contract and other functions and activities referenced in Section 3 of this Agreement.

5.
Other Privacy Obligations of the Claims Administrator. The Claims Administrator shall:

5.1 Not use or further disclose PPI other than as permitted or required by the Contract, the Agreement or law and use appropriate safeguards to prevent any unauthorized use or disclosure of PPI,

5.2 Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI that the Claims Administrator creates, receives, maintains, or transmits on behalf of the HP,

5.3 Report to HP any actual use or disclosure of PPI concerning HP's members not permitted or required by the Contract, the Agreement or law of which it becomes aware,

5.4 Notify the HP of any Security Incident of which it becomes aware, provided, however, the obligation to report a Security Incident shall not include immaterial incidents, such as unsuccessful attempts to penetrate Claims Administrator's information systems,

5.5 Ensure that any agents, including a subcontractor, to whom it provides PPI and/or EPHI received from, or created or received by the Claims Administrator on behalf of, the HP, agree to the same restrictions and conditions as outlined in the HIPAA Rules that apply to a Business Associate with respect to such information,

5.6 Make available PPI as required by 45 CFR 164.524,

5.7 Make available PPI for amendment and incorporate any amendments to PPI as required by 45 CFR 164.526,

5.8 Make available the information required to provide an accounting of disclosures as required by 45 CFR 164.528,

5.9 Make its internal practices, policies, procedures, books, and records relating to the use and disclosure of PPI or PHI and/or the protection of EPHI received from, or created or received by the Claims Administrator on behalf of, the HP available to the Secretary for purposes of determining the HP's compliance with the HIPAA Rules, and

5.10 Restrict the use and disclosure of PPI in accordance with 45 CFR 164.522 and consistent with the
Claims Administrator's policies, procedures and practices.

6. The Claims Administrator's Privacy-Related Services Regarding Requests by Individuals. Upon receipt, the HP shall immediately provide notice to and forward any and all individual requests received pursuant to 45 CFR Sections 164.522, 164.524, 164.526 or 164.528 of the HIPAA Rules (collectively referred to as the "Requests") consistent with Exhibit D-1. Upon the Claims Administrator's receipt of the Requests, either from the HP or directly from the Individual, the Claims Administrator shall:

6.1 Evaluate each request consistent with the HIPAA Rules and the Claims Administrator's policies, procedures and practices,

6.2 For Requests that may affect the policies, procedures or practices of the HP, coordinate with the HP about evaluation of the Requests and mutually agree on the result,

6.3 For Requests that may involve the HP's other Business Associates, request information from the Business Associates identified by the HP necessary for fulfilling the Requests,

6.4 Communicate the result of the evaluation directly to the Individual within the legal timeframes established for each type of request, and

6.5 Notify the HP of the outcome of each Request identified by the HP at the time of notice to the Claims Administrator, and

6.6 Implement each Request that is granted.

Such services shall be included in the Claims Administrator's Administration Fee set forth in Attachment C in the Contract.

7.
HP's Notice of Privacy Practices.

7.1 Preparation of the HP's Notice of Privacy Practices. Claims Administrator will provide the HP a copy of notice of privacy practices as it relates to the Claims Administrator's functions and activities contained in the Contract and this Agreement, which the HP shall incorporate into the HP's Notice of Privacy Practices (the "Privacy Notice").

7.2 Amendment of the HP's Privacy Notice. The HP shall be responsible for modifying the Privacy Notice in the event that the HP, the Plan Sponsor or the Claims Administrator materially changes its privacy policies, procedures or practices that affect the Privacy Notice. The party necessitating the change to the Privacy Notice shall bear any reasonable costs associated with revising and distributing the Privacy Notice. The HP, the Plan Sponsor and the Claims Administrator will not institute such material change before the effective date of the HP's revised Privacy Notice.

7.3 Distribution of the HP's Privacy Notice of Privacy Practices. The HP shall be responsible for the distribution of its Privacy Notice, and any revisions to its Privacy Notice within a reasonable time.

8.
Term and Termination.

8.1 Term. The Term of this Agreement shall begin as of the Effective Date contained herein and shall remain in effect for the duration of the Contract. This Agreement shall automatically renew for the additional terms of any Contract renewal or subsequent Administrative Services Contract between Claims Administrator and the Plan Sponsor.

8.2 Termination for Breach of Privacy Obligations. The HP will have the right to terminate the Contract if the Claims Administrator has engaged in a pattern of activity or practice that constitutes a material breach or violation of the Claims Administrator's obligations regarding PPI under this Agreement. The contractual requirements for termination are outlined in the Contract.

8.3 Effect of Termination.

a. Return or Destruction of PPI Upon Termination of Contract. Upon cancellation, termination, expiration or other conclusion of the Contract, the Claims Administrator will, if feasible, return to the HP or else destroy PPI, in whatever form or medium that the Claims Administrator created or received for or from the HP, including all copies of and any data or compilations derived from such PPI that allow identification of any Individual. The Claims Administrator will complete such return or destruction as promptly as practical, but not later than sixty days after the effective date of the cancellation, termination, expiration or other conclusion of the Contract.

b.
Reimbursement. The Plan Sponsor will reimburse the Claims Administrator's reasonable costs and expenses incurred in returning or destroying such PPI.

c. Disposition When Return or Destruction of PPI Is Not Feasible. In the event that returning or destroying the PPI is not feasible as determined by the Claims Administrator, the Claims Administrator will limit further use or disclosure of the PPI to those purposes that make their return to the HP or destruction infeasible and shall extend the privacy protections contained herein to that PPI for as long as the Claims Administrator retains it.

9. Order of Precedence. This Agreement shall supersede and replace any and all provisions in the Contract concerning confidentiality or privacy of PPI. In addition, the notice provisions of this Agreement shall prevail over the Contract only to the extent that such notice is related to the obligations contained herein. Except as otherwise provided in this section, in the event that any other terms or conditions contained in this Agreement conflict or are inconsistent with the Contract, the terms and conditions of the Contract shall prevail.

IN WITNESS WHEREOF, the parties have signed this Agreement effective as of the date indicated above.

CLAIMS ADMINISTRATOR
Its: President and Chief Executive Officer

PLAN SPONSOR AND HEALTH PLAN (HP)
Its:
Dated: [illegible]

EXHIBIT D-1
NON-ERISA GROUP BUSINESS ASSOCIATE AGREEMENT
Notification Requirements
Privacy-Related Services Regarding Requests

All notices required under Section 6 of this Agreement shall be given in writing, delivered by facsimile or in person, and addressed as follows:

HP:
Name: [illegible]
Department: [illegible]
Telephone Number: [illegible]
Fax Number: [illegible]

Claims Administrator:
Premera Blue Cross
Complaints and Appeals Department
P.O. Box 91102
Seattle, WA 98111-9202
Telephone: 1 800 345 6784
Fax: 425 918 5592

BUSINESS ASSOCIATE AGREEMENT AMENDMENT CHANGES

Question: Why are the business associate agreements being amended?
Answer: A 2009 federal law, the Health Information Technology for Economic and Clinical Health Act (HITECH) made changes to the HIPAA privacy regulations. The HITECH Act supports the goal of creating a nationwide system to electronically exchange protected health information (PHI). The law extends the reach of some current privacy requirements and adds new rights, responsibilities and enforcement provisions. The law requires HIPAA covered entities to send notice to affected individuals of unauthorized disclosures or uses of PHI that has not been encrypted or otherwise secured (these are called "breaches") if they are determined to pose the risk of serious harm to the affected individual. Depending on how many individuals are affected by the breach, additional parties may also need to be notified. The primary purpose of the amendment is to enumerate our notice and reporting responsibilities as your business associate under the HITECH Act in regard to any breaches of unsecured PHI made by us or one of our subcontractors. In addition, interim regulations implementing the Genetic Information and Nondiscrimination Act of 2008 (GINA) also amended the privacy rules to provide that genetic information be included in the definition of protected health information. These changes must be reflected in covered entities' business associate agreements.

Question: What changes have been made to the agreements?
Answer:
• Technical corrections to HIPAA citations have been made.
• The definition of "PHI" has been revised to refer directly to the regulation. This is to accommodate the GINA changes to the HIPAA regulations in order to make sure that genetic information is protected as PHI.
• Language has been added to the "Minimum Necessary" provision to set forth the requirement that limited data sets be used whenever feasible.
• New language regarding breaches of unsecured PHI has been added to section 5, "Other Privacy Obligations of the Claims Administrator".
• The subsection called "Termination for Breach of Privacy Obligations" has been rewritten to clarify that either party has the right to terminate the administrative services contract if the other party has engaged in a pattern of activity that materially breaches its obligations regarding PHI.

Question: What is the "limited data set" mentioned above?
Answer: A "limited data set" omits all but two of the 18 identifiers of PHI. This means the data does not include identifiers like names, social security numbers, street addresses or medical record numbers. However, because dates (such as date of birth or of death) and zip codes are allowed to be retained in a limited data set, the information is not considered to be de-identified as required by HIPAA. It is still PHI and must be secured against unauthorized access in some other way, such as by encryption.

Question: Does use of a limited data set change the information you provide in your monthly and annual reports to us?
Answer: No. Our reports already meet limited data set requirements.

Question: What is the effective date of the amendment?
Answer: February 17, 2010. However, the breach notice requirements for both covered entities and business associates were effective as of September 23, 2009, by regulation.

PREMERA

AMENDMENT TO THE BUSINESS ASSOCIATE AGREEMENT FOR GROUPS NOT SUBJECT TO ERISA
BETWEEN PREMERA BLUE CROSS AND CITY OF KENT

This Amendment to the Business Associate Agreement ("the Agreement") shall be entered into by and between Premera Blue Cross (the "Claims Administrator") and the group named above (the "Plan Sponsor" and the "Health Plan (HP)"). The Amendment shall be effective on February 17, 2010, except the changes to subsection 5.15, which shall have a later effective date as prescribed by law. This Amendment shall be made part of the Administrative Services Contract (the "Contract") between the Claims Administrator and the Plan Sponsor.

Recitals

1. In February 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), which amended the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations codified at 45 CFR Parts 160 and 164 (collectively "HIPAA").

2. The HITECH Act requires Covered Entities to amend existing Business Associate agreements.

3. The Plan Sponsor, the HP and the Claims Administrator previously executed the Agreement to cover activities performed by Claims Administrator under the Contract. The Claims Administrator, the HP and the Plan Sponsor desire to amend the Agreement to comply with the HITECH Act.

NOW, THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, the Plan Sponsor, the HP and the Claims Administrator hereby agree to amend the Agreement as follows:

1. Delete the reference to subparts A, C, and E in Recital 2. The recital shall now read "In pertinent part, the implementation regulations for HIPAA, codified at 45 C.F.R. Parts 160, 162 and 164, and as amended (collectively referred to as the "HIPAA Rules") require covered entities, such as the
HP, to maintain a written agreement with specific provisions concerning PHI and EPHI with its Business Associates (as defined in 45 C.F.R. 160.103 and as amended)."

2. Delete the second sentence of Section 1 and replace it with "Capitalized terms used, but not otherwise defined herein, shall have the same meaning as those terms in the HITECH Act or 45 CFR Parts 160 and 164."

3. Delete the definition of "PHI" in Section 1 and replace it with the following: "PHI. 'PHI' (Protected Health Information) shall mean information that meets the requirements in 45 CFR 160.103 or as amended."

4. Add a sentence to the end of Section 4 stating "When feasible, as determined by the party maintaining PPI, the HP, Plan Sponsor and Claims Administrator shall create, use or disclose a Limited Data Set."

5. Add a clause to the end of subsection 5.9 stating ", including documentation sufficient to meet the administrative requirements of 45 CFR §164.414 for breach notifications described in subsection 5.11, below,"

6. Add a new subsection 5.11 stating "Report promptly information to the HP about any use or disclosure of Unsecure PHI of the HP's members not permitted or required by the Contract, the Agreement, or law caused by the Claims Administrator or one of its subcontractors for which it becomes aware and that Claims Administrator determines Compromises the Security or Privacy of the PHI (collectively referred to as a "Claims Administrator Breach"), and"

7. Add a new subsection 5.12 stating "Notify, or direct its subcontractor to notify, an Individual as required by 45 CFR §164.404, the media as required by 45 CFR §164.406, and the Secretary as required by §164.408(b) for a Claims Administrator Breach reported to the HP under subsection 5.11, above", and

8. Add a new subsection 5.13 stating "Provide the HP with the information necessary about any Claims Administrator Breach in order for the HP to include such information in the HP's log of Breaches that must be filed annually with the Secretary as
required by 45 CFR §164.408(c), and"

021112(10-2009) An Independent Licensee of the Blue Cross Blue Shield Association

9. Add a new subsection 5.14 stating "Comply with the following HIPAA provisions: administrative safeguards (45 CFR §164.308), physical safeguards (45 CFR §164.310), technical safeguards (45 CFR §164.312), policies and procedures and documentation requirements (45 CFR §164.316), and Business Associate requirements (45 CFR §164.502(e)(2) and 45 CFR §164.504(e)), and"

10. Add a new subsection 5.15 stating "Comply with Accounting for Disclosure (45 CFR §164.528) in the event that Department of Health and Human Services rules clarify that the HP has one or more Electronic Health Records that Claims Administrator creates, accesses, uses or maintains"

11. Subsection 8.2 shall be deleted in its entirety and replaced with "Termination for Breach of Privacy Obligations. Either Party shall have the right to terminate the Contract as outlined in the Contract if the other party has engaged in a pattern of activity or practice that constitutes a material breach or violation of its obligations regarding PPI under this Agreement, the Contract or law. In the event that the breach cannot be cured and both parties determine that termination is not feasible, the nonbreaching party may report such breach to the Secretary."

The HP agrees that the signature of the Plan Sponsor to this Amendment shall bind both the Plan Sponsor and the HP.

IN WITNESS WHEREOF, the parties have signed this Amendment effective as of the dates indicated above.

CLAIMS ADMINISTRATOR
Its: President and Chief Executive Officer
Dated: November 20, 2009

PLAN SPONSOR AND HEALTH PLAN (HP)
Its:
Dated: [illegible]