BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into this 5th
day of November, 2013 ("Effective Date") between the City of Redlands (the
"Covered Entity") and USI of Southern California Insurance Services, Inc. ("USI").
Whereas, USI has been retained by Covered Entity as its insurance
broker and will perform certain services on behalf of the Covered Entity, in its
capacity as a broker, consultant, or other service provider with respect to
activities of Covered Entity as a "group health plan" as defined in 45 C.F.R.
§ 160.103; and
Whereas, in connection with the provision of such services by USI,
Covered Entity may disclose to USI certain Protected Health Information (as
defined below), concerning Covered Entity and its activities; and
Whereas, USI and Covered Entity desire to enter into a business
associate agreement for the purpose of addressing the Privacy Rule, the Security
Rule, and the Electronic Transaction Rule, (as those terms are defined below),
for addressing the privacy and security provisions set forth in the Health
Information Technology for Economic and Clinical Health Act (the "HITECH Act"),
contained in Title XIII, Subtitle D, of the American Recovery and Reinvestment
Act of 2009, and for making appropriate updates in accordance with final
regulations issued in January 2013;
Now, Therefore, in consideration of the mutual promises confirmed
herein, and such other good and valuable consideration, the receipt and
sufficiency of which is hereby acknowledged, USI and the Covered Entity agree
as follows:
ARTICLE 1. DEFINITIONS
1.1 "Agreement" shall mean this document, including all exhibits, attachments,
and properly executed amendments and addendums.
1.2 "Breach" shall have the same meaning as the term "breach" in 45 C.F.R. §
164.402.
1.3 "Electronic Health Record" shall have the same meaning as the term
"electronic health record" in § 13400(5) of the American Recovery and
Reinvestment Act of 2009.
1.4 "Electronic Protected Health Information" shall have the same meaning as
the term "electronic protected health information" in 45 C.F.R. § 160.103.
I:\ca\djm\Agreements\USI.SoCal.Ins.doc
1.5 "Electronic Transaction Rule" shall mean the final regulations issued by
the U.S. Department of Health and Human Services concerning standard
transactions and code sets under 45 C.F.R. Parts 160 and 162.
1.6 "Individual" shall mean the person who is the subject of the Protected
Health Information or a person who qualifies as the personal
representative of the individual in accordance with 45 C.F.R. § 164.502(g).
1.7 "Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 C.F.R. Part 160 and Part 164,
Subparts A and E.
1.8 "Protected Health Information" shall mean any information, including
genetic information, that: (a) relates to the past, present, or future physical
or mental health or condition of an Individual; (b) the provision of health
care to an Individual; (c) or the past, present, or future payment for the
provision of health care to an Individual; and that identifies the Individual
or with respect to which there is a reasonable basis to believe the
information can be used to identify the Individual.
1.9 "Required By Law" shall have the same meaning as the term "required by
law" in 45 C.F.R. § 164.103.
1.10 "Secretary" shall mean the Secretary of the Department of Health and
Human Services ("HHS") and any other officer or employee of HHS to
whom authority has been delegated.
1.11 "Security Incident" shall have the same meaning as the term "security
incident" in 45 C.F.R. § 164.304.
1.12 "Security Rule" shall mean the Security Standards and Implementation
Specifications at 45 C.F.R. Parts 160 and 164, Subparts A and C.
1.13 "Transaction" shall have the same meaning as the term "transaction" in 45
C.F.R. § 160.103.
1.14 "Unsecured Protected Health Information" shall have the same meaning
as the term "unsecured protected health information" in 45 C.F.R. §
164.402.
ARTICLE 2. SAFEGUARDING PRIVACY AND SECURITY OF PROTECTED
HEALTH INFORMATION
2.1 Permitted Uses and Disclosures. USI hereby agrees that it shall be
prohibited from using or disclosing Protected Health Information provided
or made available by Covered Entity (or another business associate of
Covered Entity) for any purpose other than as expressly permitted or
required by this Agreement.
a. Functions and Activities on Covered Entity's Behalf. Except as
otherwise set forth in this Agreement, the parties hereby agree that
USI shall be permitted to use and/or disclose Protected Health
Information provided or made available by Covered Entity (or
another business associate of Covered Entity) only for the purpose
of conducting the transactions contemplated under this Agreement
and only for purposes within the scope of USI's representation of
Covered Entity.
b. Business Operations. USI is permitted to use and/or disclose
Protected Health Information if necessary for the proper
management and administration of USI's representation of
Covered Entity, or to carry out any legal responsibilities of USI,
provided that, with respect to any disclosure of Protected Health
Information, either:
(1) the disclosure is Required By Law; or
(2) USI obtains reasonable assurances from the person to
whom the Protected Health Information is disclosed that: (a)
the Protected Health Information will be held in confidence
and used or further disclosed only as for the purposes for
which USI disclosed the Protected Health Information to the
person or as Required by Law; (b) the person will use
appropriate safeguards to prevent use or disclosure of the
Protected Health Information, and (c) the person
immediately notifies USI of any instance of which it is aware
in which the confidentiality of the Protected Health
Information has been breached.
c. Data Aggregation Services. USI is permitted to use or disclose
Protected Health Information to provide data aggregation services,
as that term is defined by 45 C.F.R. § 164.501, relating to health
care operations of Covered Entity.
d. Minimum Necessary. USI will, in its performance of the functions,
activities, services, and operations specified above, make
reasonable efforts to use, to disclose, and to request only the
minimum amount of Covered Entity's Protected Health Information
reasonably necessary to accomplish the intended purpose of the
use, disclosure or request, except that USI will not be obligated to
comply with this minimum-necessary limitation if neither USI nor
Covered Entity is required to limit its use, disclosure or request to
the minimum necessary. USI and Covered Entity acknowledge that
the phrase "minimum necessary" shall be interpreted in accordance
with the HITECH Act and HHS guidance.
2.2 Information Safeguards.
a. Privacy of Covered Entity's Protected Health Information. USI will
develop, implement, maintain, and use appropriate administrative,
technical, and physical safeguards to protect the privacy of
Covered Entity's Protected Health Information. The safeguards
must reasonably protect Covered Entity's Protected Health
Information from any intentional or unintentional use or disclosure
in violation of the Privacy Rule and limit incidental uses or
disclosures made pursuant to a use or disclosure otherwise
permitted by this Agreement.
b. Security of Covered Entity's Electronic Protected Health
Information. USI will develop, implement, maintain, and use
administrative, technical, and physical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and
availability of Electronic Protected Health Information that USI
creates, receives, maintains, or transmits on Covered Entity's
behalf as required by the Security Rule.
2.3 Subcontractors and Agents. USI will require any of its subcontractors and
agents to which USI is permitted by this Agreement, or in writing by
Covered Entity, to disclose Covered Entity's Protected Health Information
and/or Electronic Protected Health Information, to provide satisfactory
assurances through a written agreement that meets the applicable
requirements of 45 C.F.R. § 164.504(e) that such subcontractor or agent
will comply with the same privacy and security safeguard obligations with
respect to Covered Entity's Protected Health Information and/or Electronic
Protected Health Information that are applicable to USI under this
Agreement.
2.4 Prohibition on Sale of Records. USI shall not directly or indirectly receive
remuneration in exchange for any Protected Health Information of an
Individual unless the Covered Entity or USI obtains from the Individual, in
accordance with 45 C.F.R. § 164.508, a valid authorization that includes a
specification of whether the Protected Health Information can be further
exchanged for remuneration by the entity receiving Protected Health
Information of that Individual, except as otherwise allowed under the
HITECH Act.
2.5 Penalties For Noncompliance. USI acknowledges that it is subject to civil
and criminal enforcement for failure to comply with the Privacy Rule and
Security Rule, as amended by the HITECH Act.
ARTICLE 3. COMPLIANCE WITH ELECTRONIC TRANSACTION RULE
If USI conducts in whole or part electronic Transactions on behalf of Covered
Entity for which HHS has established standards, USI will comply, and will require
any subcontractor or agent it involves with the conduct of such Transactions to
comply, with each applicable requirement of the Electronic Transaction Rule. USI
shall also comply with the National Provider Identifier requirements, if and to the
extent applicable.
ARTICLE 4. INDIVIDUAL RIGHTS
4.1 Access. USI will make available to Covered Entity or, at Covered Entity's
direction, to an Individual (or the Individual's personal representative) for
inspection and obtaining copies Covered Entity's Protected Health
Information about the Individual that is in USI's custody or control, so that
Covered Entity may meet its access obligations under 45 C.F.R.
§ 164.524. If the Protected Health Information is held in an Electronic
Health Record, then the Individual shall have a right to obtain from USI a
copy of such information in an electronic format. USI shall provide such a
copy to Covered Entity or, alternatively, to the Individual directly, if such
alternative choice is clearly, conspicuously, and specifically made by the
Individual or Covered Entity.
4.2 Amendment. USI will, upon receipt of written notice from Covered Entity,
promptly amend or permit Covered Entity access to amend any portion of
Covered Entity's Protected Health Information, so that Covered Entity may
meet its amendment obligations under 45 C.F.R. § 164.526.
4.3 Disclosure Accounting. To allow Covered Entity to meet its disclosure
accounting obligations under 45 C.F.R. § 164.528:
a. Disclosures Subject to Accounting. USI will record the information
specified below ("Disclosure Information") for each disclosure of
Covered Entity's Protected Health Information, not excepted from
disclosure accounting as specified below, that USI makes to
Covered Entity or to a third party.
b. Disclosures Not Subject to Accounting. USI will not be obligated to
record Disclosure Information or otherwise account for disclosures
of Covered Entity's Protected Health Information if Covered Entity
need not account for such disclosures.
c. Disclosure Information. With respect to any disclosure by USI of
Covered Entity's Protected Health Information that is not excepted
from disclosure accounting, USI will record the following Disclosure
Information as applicable to the type of accountable disclosure
made:
(1) Disclosure Information Generally. Except for repetitive
disclosures of Covered Entity's Protected Health Information
as specified below, the Disclosure Information that USI must
record for each accountable disclosure is (i) the disclosure
date, (ii) the name and (if known) address of the entity to
which USI made the disclosure, (iii) a brief description of
Covered Entity's Protected Health Information disclosed, and
(iv) a brief statement of the purpose of the disclosure.
(2) Disclosure Information for Repetitive Disclosures. For
repetitive disclosures of Covered Entity's Protected Health
Information that USI makes for a single purpose to the same
person or entity (including Covered Entity), the Disclosure
Information that USI must record is either the Disclosure
Information specified above for each accountable disclosure,
or (i) the Disclosure Information specified above for the first
of the repetitive accountable disclosures; (ii) the frequency,
periodicity, or number of the repetitive accountable
disclosures; and (iii) the date of the last of the repetitive
accountable disclosures.
d. Availability of Disclosure Information. USI will maintain the
Disclosure Information for at least 6 years following the date of the
accountable disclosure to which the Disclosure Information relates
(3 years for disclosures related to an Electronic Health Record,
starting with the date specified by HHS). USI will make the
Disclosure Information available to Covered Entity within 15
calendar days following Covered Entity's request for such
Disclosure Information to comply with an Individual's request for
disclosure accounting. With respect to disclosures related to an
Electronic Health Record, USI shall provide the accounting directly
to an Individual making such a disclosure request, if a direct
response is requested by the Individual.
4.4 Restriction Agreements and Confidential Communications. USI will comply
with any agreement that Covered Entity makes that either (i) restricts use
or disclosure of Covered Entity's Protected Health Information pursuant to
45 C.F.R. § 164.522(a), or (ii) requires confidential communication about
Covered Entity's Protected Health Information pursuant to 45 C.F.R. §
164.522(b), provided that Covered Entity notifies USI in writing of the
restriction or confidential communication obligations that USI must follow.
Covered Entity will promptly notify USI in writing of the termination of any
such restriction agreement or confidential communication requirement
and, with respect to termination of any such restriction agreement, instruct
USI whether any of Covered Entity's Protected Health Information will
remain subject to the terms of the restriction agreement. USI will comply
with any restriction request if: (i) except as otherwise Required by Law, the
disclosure is to a health plan for purposes of carrying out payment or
health care operations (and is not for purposes of carrying out treatment);
and (ii) the Protected Health Information pertains solely to a health care
item or service for which the health care provider involved has been paid
out-of-pocket in full.
ARTICLE 5. BREACHES
5.1 Privacy or Security Breach. USI will report to Covered Entity any use or
disclosure of Covered Entity's Protected Health Information not permitted
by this Agreement along with any Breach of Covered Entity's Unsecured
Protected Health Information. USI will treat the Breach as being
discovered in accordance with 45 C.F.R. § 164.410. USI will make the report
to the Covered Entity not more than 15 calendar days after USI learns of
such non-permitted use or disclosure. If a delay is requested by a law-
enforcement official in accordance with 45 C.F.R. § 164.412, USI may delay
notifying Covered Entity for the applicable time period. USI's report will at
least:
a. Identify the nature of the Breach or other non-permitted use or
disclosure, which will include a brief description of what happened,
including the date of any Breach and the date of the discovery of
any Breach;
b. Identify Covered Entity's Protected Health Information that was
subject to the non-permitted use or disclosure or Breach (such as
whether full name, social security number, date of birth, home
address, account number or other information were involved) on an
individual basis;
c. Identify who made the non-permitted use or disclosure and who
received the non-permitted disclosure;
d. Identify what corrective or investigational action USI took or will
take to prevent further non-permitted uses or disclosures, to
mitigate harmful effects and to protect against any further
Breaches;
e. Identify what steps the Individuals who were subject to a Breach
should take to protect themselves;
f. Provide such other information, including a written report, as
Covered Entity may reasonably request.
5.2 Security Incidents. USI will report to Covered Entity any attempted or
successful (A) unauthorized access, use, disclosure, modification, or
destruction of Covered Entity's Electronic Protected Health Information or
(B) interference with Business Associate's system operations in Business
Associate's information systems, of which USI becomes aware. USI will
make this report once per month, except if any such Security Incident
resulted in a disclosure not permitted by this Agreement or Breach of
Covered Entity's Unsecured Protected Health Information, Business
Associate will make the report in accordance with the provisions set forth
in Section 5.1.
ARTICLE 6. TERM AND TERMINATION
6.1 Term. This Agreement shall commence on its Effective Date and shall
terminate when all Protected Health Information provided by Covered
Entity to USI, or created or received by USI on behalf of Covered Entity, is
destroyed or returned to Covered Entity, or, if it is infeasible to return or
destroy Protected Health Information, protections are extended to such
information, in accordance with the termination provisions in this section.
6.2 Right to Terminate for Cause. Covered Entity may terminate this
Agreement if it determines, in its sole discretion, that USI has breached
any provision of this Agreement, and upon written notice to USI of the
Breach, USI fails to cure the Breach within 30 calendar days after receipt
of the notice. Any such termination will be effective immediately or at such
other date specified in Covered Entity's notice of termination.
6.3 Return or Destruction of Covered Entity's Protected Health Information.
Upon termination of this Agreement for any reason, USI, with respect to
Protected Health Information received from the Covered Entity, or created,
maintained, or received by USI on behalf of Covered Entity, shall:
1. retain only that Protected Health Information which is necessary for
USI to continue its proper management and administration or to carry
out its legal responsibilities;
2. return to Covered Entity or, if agreed to by Covered Entity, destroy the
remaining Protected Health Information that USI still maintains in any
form;
3. continue to use appropriate safeguards and comply with Subpart C of
45 C.F.R. Part 164 with respect to Electronic Protected Health
Information to prevent use or disclosure of the Protected Health
Information, other than as provided for in this section, for as long as
USI retains the Protected Health Information;
4. not use or disclose the Protected Health Information retained by USI
other than for the purposes for which such Protected Health
Information was retained and subject to the same conditions set out at
Section 2.1(b) which applied prior to termination; and
5. return to Covered Entity or, if agreed to by Covered Entity, destroy the
Protected Health Information retained by USI when it is no longer
needed by USI for its proper management and administration or to
carry out its legal responsibilities.
Upon Covered Entity's direction, USI will transmit the Protected Health
Information to another business associate of the Covered Entity at
termination, and/or could add terms regarding USI's obligations to obtain
or ensure the destruction of Protected Health Information created,
received, or maintained by subcontractors.
6.4 Continuing Privacy and Security Obligation. If return or destruction of the
Protected Health Information is not feasible, USI agrees to extend the
protections of this Agreement for as long as necessary to protect the
Protected Health Information and to limit any further use or disclosure so
as to be consistent with the intent of this Agreement.
ARTICLE 7. GENERAL PROVISIONS
7.1 Access to Books and Records. USI hereby agrees to make its internal
practices, books and records relating to the use, disclosure, and
safeguards for Protected Health Information received from, or created or
received by USI on behalf of Covered Entity, available to the Secretary or
the Secretary's designee for purposes of determining compliance with the
Privacy Rule and/or the Security Rule.
7.2 Mitigation Procedures. USI agrees to have procedures in place for
mitigating, to the extent practicable, any deleterious effect from the use or
disclosure of Protected Health Information received from, or created or
received by USI on behalf of Covered Entity, in a manner contrary to this
Agreement or the Privacy Rule.
7.3 Amendment to Agreement. Upon the compliance date of any final
regulation or amendment to final regulation promulgated by HHS that
affects USI or Covered Entity's obligations under this Agreement, this
Agreement will be automatically amended such that the obligations
imposed on USI or Covered Entity remain in compliance with the final
regulation or amendment to final regulation.
7.4 Choice of Law. Except to the extent superseded by the federal law, this
Agreement shall be governed by the law of the State of California;
provided, however, that for the purposes of privacy rights of Individuals,
the law of the state in which the Individual resided during the event(s)
giving rise to the need to determine the rights under this Agreement shall
apply.
7.5 Injunctive Relief. Notwithstanding any rights or remedies provided for in
this Agreement, Covered Entity retains all rights to seek injunctive relief to
prevent or stop the unauthorized use or disclosure of Protected Health
Information by USI or any agent, contractor, or third party that received
Protected Health Information from USI.
7.6 Notices. Whenever under this Agreement one party is required to give
notice to the other, such notice shall be deemed given if mailed by First
Class United States mail, postage prepaid, and addressed as follows:
Covered Entity:
City of Redlands
35 Cajon Street, Suite 10
Redlands, CA 92373
USI:
USI of Southern California Insurance Services, Inc.
29A Technology Drive, Suite 100
Irvine, CA 92618
7.7 Binding Nature and Assignment. This Agreement shall be binding on USI
and Covered Entity and their successors and assigns, but neither USI nor
Covered Entity may assign this Agreement without the prior written
consent of the other, which consent shall not be unreasonably withheld.
7.8 Headings. The headings in this Agreement are for reference and
convenience only, and shall not enter into the interpretation of this
Agreement.
7.9 Force Majeure. USI shall be excused from performance under this
Agreement for any period USI is prevented from performing any services
pursuant hereto, in whole or in part, as a result of an act of God, war, civil
disturbance, court order, labor dispute or other cause beyond its
reasonable control, and such non-performance shall not be grounds for
termination.
7.10 Attorneys' Fees. In the event any action or other proceeding is brought for
the enforcement of this Agreement, or because of an alleged dispute,
breach, default, misrepresentation, or injunctive action, in connection with
any of the provisions of this Agreement, the prevailing party in such action
or proceeding, in addition to its costs and other relief, shall be entitled to
recover its reasonable attorneys' fees.
7.11 Entire Agreement. This Agreement constitutes the entire agreement
between the parties and shall replace any previous business associate
agreement between the parties. There are no understandings or
agreements relating to this Agreement which are not fully expressed in
this Agreement and no change, waiver, or discharge of any obligation(s)
arising under this Agreement shall be valid unless in writing and executed
by the party against whom such change, waiver, or discharge is sought to
be enforced.
IN WITNESS WHEREOF, USI and Covered Entity have caused this
Agreement to be signed and delivered by their duly authorized representatives as
of the Effective Date set forth above.
Covered Entity
By:
Print Name:
Title:
Date:
USI
By:
Print Name: Thom Lewis
Title: Regional CEO & Employee Benefits Practice Leader
Date: September 6, 2013