142-2014 - HR - ELAP Services - HIPAA Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT

This HIPAA Business Associate Agreement (this "Agreement") dated January 1, 2015 is by and between City of Richmond having its principal office located at 50 North 5th Street, Richmond, IN 47374 ("Covered Entity") and ELAP Services, LLC, located at 961 Pottstown Pike, Chester Springs, Pennsylvania 19425 ("Business Associate") related to the work to be performed as described below (Covered Entity and Business Associate, each a "Party" and collectively, the "Parties").

BACKGROUND

I. Covered Entity has engaged Business Associate for the purpose of assisting Covered Entity, pursuant to the contract between the Parties made as of January 1, 2015 entitled ["Claim Review And Audit Service Agreement"] (hereinafter, the "BA Services Contract"), in providing certain functions and activities for and on behalf of Covered Entity (the "BA Services").

II. Covered Entity wishes to disclose information to Business Associate pursuant to the terms of this Agreement, some of which may constitute Protected Health Information ("PHI"), including electronic protected health information ("e-PHI") (PHI and e-PHI are, collectively, referred to hereinafter as "Covered Entity's PHI") in order for Business Associate to perform the BA Services.

III.
Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate in connection with the BA Services Contract and pursuant to this Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended (the "HIPAA Statute"), and its related "Privacy Rule" (45 CFR Parts 160 and 164, Subpart E) and "Security Rule" (45 CFR Part 160 and 164, Subpart C) promulgated by the Secretary of Health and Human Services ("HHS") (collectively, the HIPAA Statute, the Privacy Rule and the Security Rule are referred to, hereinafter, as "HIPAA"), all as amended by the Health Information Technology for Economic and Clinical Health Act enacted on February 17, 2009 (the "HITECH Statute"), and any regulations promulgated thereunder (collectively, the "HITECH Rules," and together with the HITECH Statute, referred to hereinafter as "HITECH"), the Genetic Information Nondiscrimination Act of 2008, as may be amended (hereinafter, "GINA"), as well as any other applicable laws concerning the privacy and security of health information. Together, HIPAA and HITECH are at times referred to hereinafter as "HIPAA and HITECH."

IV. Under HIPAA, Covered Entity must document the required satisfactory assurances through a written agreement with Business Associate that meets the applicable requirements of HIPAA, as well as incorporate into such agreement those requirements under HITECH that relate to privacy or security and are applicable to Business Associate, and the Parties now wish to enter into the Agreement in order to comply with such requirements and to set forth more specifically each Party's respective obligations in connection therewith.

LV 1 1182409v2 07/01 / 10 LV11468200009/16/11 Contract #142-2014 Update for Final Rule 2013 HIPAA Business Associate Agreement Page 2 of 14

In consideration of the mutual promises below and the exchange of information provided for herein, the Parties agree as follows:

TERMS

A. Incorporation of Background. The "Background" paragraphs set forth above are incorporated herein and made a part of the terms of this Agreement as if set forth herein in full.

B. Effective Date. Except as specifically stated otherwise in this Agreement, the Effective Date shall be the date that first appears above in the introductory paragraph to this Agreement.

C. Definitions. Any capitalized terms not otherwise specifically defined in this Agreement shall have the meanings ascribed to them in HIPAA and HITECH.

D. Obligations of Covered Entity. Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of Covered Entity's PHI transmitted to Business Associate pursuant to this Agreement, in accordance with the standards and requirements of HIPAA and HITECH, until such PHI is received by Business Associate.

E. Obligations of Business Associate.

1) Permitted Uses and Disclosures. Business Associate may use and/or disclose any and all of Covered Entity's PHI received by Business Associate from Covered Entity, or created or obtained by Business Associate on behalf of Covered Entity as follows:

a) Purpose: Business Associate may use Covered Entity's PHI to provide or perform the BA Services, as set forth in the BA Services Contract.

b) Type of Information: Business Associate may use any and all information made available by Covered Entity and necessary for Business Associate to provide the BA Services to Covered Entity.

c) Scope of Use: Business Associate may use and further disclose Covered Entity's PHI to the extent permitted by and in accordance with this Agreement, HIPAA and HITECH, or as otherwise required by law.

d) Minimum Necessary.
After the effective date of the HHS guidance document on what constitutes "minimum necessary" (the "Minimum Necessary Guidance"), Business Associate shall use/disclose/request only the minimum necessary amount of Covered Entity's PHI as set forth in such Minimum Necessary Guidance. Until such effective date of the Minimum Necessary Guidance, Business Associate shall comply with Covered Entity's policy regarding what constitutes the "minimum necessary" to accomplish the intended purpose of Business Associate's use or disclosure of Covered Entity's PHI.

e) Use for Management and Administration: Business Associate may use Covered Entity's PHI for the proper management and administration of Business Associate, if such disclosure is necessary (1) for the proper management and administration of Business Associate or (2) to carry out the legal responsibilities of Business Associate.

f) Disclosure for Management and Administration: Business Associate may disclose Covered Entity's PHI for the proper management and administration of Business Associate if: (1) the disclosure is required by law, or (2) Business Associate discloses Covered Entity's PHI to a third party as permitted under the BA Services Agreement, and Business Associate obtains from the third party a written agreement with Business Associate that meets the applicable requirements of HIPAA, as well as incorporate into such agreement those requirements under HITECH that relate to privacy or security and are applicable to Business Associate. In no event, however, shall Business Associate disclose Covered Entity's PHI for the foregoing purposes to any such third party not within the borders and jurisdiction of the United States of America without the prior written consent of Covered Entity, which may be withheld in Covered Entity's sole and unfettered discretion.

g) Uses or Disclosures Requiring Prior Authorization: Business Associate agrees and understands that, except as expressly provided in this Agreement, or permitted under HIPAA, HITECH, and state law, it shall not use or disclose Covered Entity's PHI to any other person or entity without first having received a HIPAA-compliant authorization. Business Associate shall retain a copy of each authorization obtained, and the information provided in response to the authorization, for six (6) years.

h) Nondisclosure: Business Associate shall not use or further disclose Covered Entity's PHI other than as permitted or required by this Agreement, or as otherwise required or permitted by law.

2) Security Safeguards

a) General. Business Associate shall, as of the Effective Date of this Agreement, implement and use appropriate administrative, physical and technical safeguards to provide for the security of Covered Entity's PHI, including:

• Implementing policies and procedures to prevent, detect and contain, and correct security violations;

• Limiting physical access to electronic information systems that maintain PHI and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed; and

• Implementing technical policies and procedures for electronic information systems that maintain PHI to allow access only to those persons or software programs that have been granted access rights as specified in 45 CFR 164.308(a)(4).

b) Compliance Deadline for HITECH. In addition to the foregoing, Business Associate shall meet all of the administrative, technical and physical safeguard Standards as set forth in § 164.308, § 164.310, § 164.312 of the Security Rule and as follows:

(i) Administrative Safeguards.
Business Associate shall implement and maintain a written security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of Business Associate's operations and the nature and scope of its activities.

(ii) Implementation Specifications. Business Associate shall implement all of the "Required" and "Addressable" (as such terms are defined in the Security Rule) Implementation Specifications in the Security Rule, unless Business Associate and Covered Entity agree otherwise, and Business Associate documents: (i) the rationale why a particular Addressable Implementation Specification is not "reasonable and appropriate," and (ii) Business Associate implements an alternative measure agreed to in writing by Covered Entity.

(iii) Documentation. Business Associate shall maintain the policies and procedures implemented to comply with the Security Rule in written (which may be electronic) form; and to the extent that an action, activity or assessment that relates to this Agreement is required under the Security Rule to be documented, Business Associate shall maintain a written (which may be electronic) record of the action, activity or assessment. Any such documentation created shall be retained by Business Associate and made available to Covered Entity upon request for a period of six (6) years from the date of its creation, or the date when it last was in effect, whichever is later.

(iv) Annual HHS Guidance. Business Associate shall, by no later than any applicable deadlines, implement and comply with any requirements set forth in the annual guidance issued by HHS pursuant to § 13401(c) of HITECH concerning the most effective Technical Safeguards for use in carrying out compliance with the Security Rule.

3) Accounting of Disclosures through an EHR.

a) Accounting by Business Associate.
If Covered Entity receives a request from an individual for an Accounting of disclosures made through an EHR, Covered Entity may furnish Business Associate's contact information (e.g., mailing address, telephone number, and e-mail address) to such individual in order for such individual to obtain an Accounting of Business Associate's disclosures directly from Business Associate. Business Associate shall provide an Accounting directly to the individual in accordance with HIPAA and § 13405(c) of HITECH (including an Accounting for treatment disclosures for the prior 3 years) upon such individual's making the Accounting request directly to Business Associate.

4) Access Rights to PHI Maintained in an EHR.

a) Electronic Copies. If Covered Entity's PHI is maintained in or used in connection with an EHR, Business Associate shall also make available copies of such information in an electronic format upon an individual's request for access to the same under HIPAA and, if the individual requests, to transmit such electronic copy of the individual's PHI directly to an entity or person designated by the individual, provided that any such request by the individual is clear, conspicuous and specific.

b) Copy Fees. Business Associate's compliance with such "access rights" requirements under HITECH shall be at Business Associate's cost. Notwithstanding the immediately preceding sentence, Business Associate may, with Covered Entity's written consent, which shall not be unreasonably withheld, charge a "copy/labor fee" to the individual as otherwise permitted under HIPAA and HITECH and State law.

5) Requested Restrictions.
Business Associate acknowledges that Covered Entity is required under § 13405(a) of HITECH to comply with an individual's requested restriction regarding his or her PHI (unless the disclosure is otherwise required by law) if:

a) The disclosure is to a health plan for purposes of carrying out payment or health care operations (but not treatment), and

b) Covered Entity's PHI pertains solely to a health care item or service for which the health care provider has been paid out-of-pocket in full by the individual.

Business Associate shall comply with any such requested restriction that applies to Business Associate's further use or disclosure of Covered Entity's PHI and of which Business Associate is made aware in writing by Covered Entity.

6) Availability of Information to Covered Entity. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity's obligations to provide access to, provide a copy of, and account for disclosures with respect to Covered Entity's PHI pursuant to HIPAA and HITECH, including, but not limited to, 45 CFR § 164.524 and § 164.528. Nothing in this provision shall be construed to preclude or limit Business Associate's obligations under the law, specifically with respect to the provision of access to individuals of their PHI and the provision of an accounting of disclosures to individuals of their PHI.

7) Amendment of PHI. Business Associate shall make Covered Entity's PHI available to Covered Entity as Covered Entity may require to fulfill Covered Entity's obligations to amend Covered Entity's PHI pursuant to HIPAA and HITECH, including, but not limited to, 45 CFR § 164.526, and Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity's PHI into copies of such PHI maintained by Business Associate.
Nothing in this provision shall be construed to preclude or limit Business Associate's obligations under the law, specifically with respect to the amendment of Covered Entity's PHI by Business Associate.

8) Business Associate's Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides Covered Entity's PHI, agree in writing to the same restrictions and conditions that apply to Business Associate with respect to Covered Entity's PHI. Business Associate shall not disclose any of Covered Entity's PHI to any agent or subcontractor that is not within the borders and jurisdiction of the United States of America without the prior written consent of Covered Entity, which may be withheld in Covered Entity's sole and unfettered discretion.

9) Internal Practices. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Covered Entity's PHI available to the HHS for purposes of determining Covered Entity's compliance with HIPAA and HITECH.

10) Security Breach Notification.

a) Compliance. Business Associate shall comply with the standards and requirements that relate to notifications required in the event of a breach of information in accordance with the Breach Notification Laws (as defined hereinbelow). For purposes of this Agreement, the term "Breach Notification Laws" shall include, collectively, those provisions concerning breach notification obligations set forth in HITECH and its related regulations, including the Final Rule for Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164).

b) Securing PHI.
Business Associate shall secure any and all of Covered Entity's PHI that it accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses for or on behalf of Covered Entity by implementing such technologies and methodologies (e.g., encryption) that are specifically set forth in the Breach Notification Laws and recognized by the Secretary of HHS in its guidance document on such topic released annually pursuant to HITECH, and which render Covered Entity's PHI unusable, unreadable and indecipherable. If Business Associate and Covered Entity otherwise agree that it is not reasonable or possible for Business Associate to implement such technologies and methodologies to secure certain of Covered Entity's PHI, then Business Associate shall implement reasonable alternative methods, as agreed to in writing by Covered Entity in its sole and unfettered discretion, to safeguard the information, and in such instance shall comply in full with the Breach Notification Laws in the event of a Breach (as such term is defined under the Breach Notification Laws) of any unsecured PHI.

c) Business Associate's Obligations In The Event of a Breach.

(i) Duty to Discover and Report Breaches to Covered Entity. Business Associate shall promptly notify Covered Entity of any Breach of Covered Entity's PHI, irrespective of the medium in which the Breach occurred (e.g., electronic, paper or oral), that Business Associate discovers, or should reasonably have discovered, including through any employee, agent or contractor of Business Associate. Business Associate shall take all reasonable steps (e.g., audits; anonymous internal reporting, etc.) to allow it to discover Breaches involving Covered Entity's PHI.

(ii) Reporting Contact.
Business Associate shall notify Covered Entity's Privacy Officer and/or Security Officer, or their designee, either in person or by telephone at a number to be provided by Covered Entity of any discovered Breach.

(iii) Information To Be Provided. Business Associate shall provide Covered Entity with the following information in connection with the Breach:

• a brief description of what happened;

• the date of the Breach and the date of discovery of the Breach, if known;

• what type of unsecured PHI was involved in the Breach (e.g., name; SSN, etc.);

• identification of each individual whose unsecured PHI has been, or reasonably believed by Business Associate to have been, breached;

• what Business Associate is doing to investigate, mitigate and protect against further Breaches of a similar or dissimilar nature;

• contact information at Business Associate (specific for the Breach), including toll-free number, e-mail address, Web site, or postal address where individuals may contact Business Associate directly for further information about the Breach; and

• any additional information that Covered Entity may require for purposes of furnishing required notices under the Breach Notification Laws.

In the event that some or all of the foregoing information is not readily available when the Breach is discovered, Business Associate shall still promptly notify Covered Entity of the Breach and may provide the additional information required under this paragraph (iii) as soon as possible thereafter, but without unreasonable delay and in no case longer than thirty (30) days after the Breach is discovered.

d) Agreement to Cooperate and Assist. Business Associate shall cooperate with Covered Entity and provide such assistance as Covered Entity may need in order to comply with the Breach Notification Laws.
With respect to any Breach of Covered Entity's PHI that results from an act or omission of Business Associate, including any of Business Associate's employees, owners, directors, agents, independent contractors or affiliates, Business Associate shall provide administrative support and other resources as may be requested by Covered Entity in order to furnish written notices to individuals affected by the Breach and otherwise comply with the Breach Notification Laws. Covered Entity agrees to consult with Business Associate in the preparation of the written notices to individuals affected by the Breach. In the event that Business Associate does not provide such requested assistance and resources in a timely manner, as determined by Covered Entity in its sole and unfettered discretion, then Business Associate shall reimburse Covered Entity for all costs and expenses (e.g., postage, supplies, administrative staff time, etc.) incurred by Covered Entity in its efforts to comply with the notification requirements under the Breach Notification Laws.

11) Prohibition on "Sale" of PHI.

a) Effective Date of Compliance. Business Associate shall comply with § 13405(d) of HITECH, this subparagraph 11) (a), and the additional restrictions HHS promulgates by regulation concerning prohibitions under HIPAA and HITECH on "sale" of PHI.

b) General Prohibition.
Business Associate shall not directly or indirectly receive remuneration in exchange for any of Covered Entity's PHI unless Business Associate obtained from the individual a valid authorization that includes, in accordance with HITECH, a specification that Covered Entity's PHI can be further exchanged for remuneration by Business Associate, except that Business Associate may accept such remuneration in exchange for Covered Entity's PHI for the following limited purposes:

(i) Public Health Activities;

(ii) Research, but only if the price charged reflects the costs of preparation and transmittal of the data for such purpose;

(iii) Treatment (subject to future HHS regulation restricting inappropriate exchanges under this exception);

(iv) Health Care Operations related to the sale, transfer, merger or consolidation of all or part of Business Associate with another Business Associate, but only with the prior written consent of Covered Entity, which shall not be unreasonably withheld;

(v) Performance of services or functions by Business Associate for or on behalf of Covered Entity (e.g., pursuant to the BA Services Agreement);

(vi) Providing an individual with Access to a copy of his or her PHI; or

(vii) As may be determined by HHS in future regulations to be similarly necessary and appropriate.

12) Health Care Operations That Are Not "Marketing". Business Associate may use or disclose Covered Entity's PHI to make a communication about a product or service and that encourages recipients of the communication to purchase or use the product or service only if the communication is made by Business Associate on behalf of Covered Entity and is consistent with the terms of the BA Services Agreement and is otherwise pursuant to and in accordance with this Agreement, HIPAA and HITECH.

F) State Law.
Business Associate shall comply with any provision or requirement concerning privacy or security of information under applicable State law that is more stringent than a similar provision or requirement under HITECH and this Agreement.

G) Red Flags Rule. With respect to Business Associate's access to, use or handling of information in connection with Covered Entity's "Covered Accounts" (as defined under the Federal Trade Commission's Red Flags Rule (the "Red Flags Rule") and identified by Covered Entity), Business Associate shall, as of the Effective Date of this Agreement:

1) Implement reasonable administrative, physical and technical policies and procedures to detect, prevent and mitigate the risk of identity theft at Business Associate;

2) Cooperate with and take such steps as are reasonably necessary to assist Covered Entity with compliance with its Identity Theft Prevention Program; and

3) Promptly report to Covered Entity any specific Red Flags, as identified in Covered Entity's Red Flag policies, which Business Associate detects, and, as appropriate, respond to, or reasonably assist Covered Entity in responding to, such Red Flags in accordance with Covered Entity's policies and procedures.

H) Audits, Inspection and Enforcement. Covered Entity may, upon reasonable notice, inspect the facilities, systems, books and records of Business Associate to monitor compliance with this Agreement. Business Associate shall promptly remedy any violation of any term of this Agreement and notify Covered Entity of the outcome.

I) Termination

1) Noncompliance.
If either Party notifies (the "Notifying Party") the other Party regarding an activity or practice that constitutes a material breach or violation of such other Party's obligation under this Agreement, HIPAA and HITECH (the "Breaching Party"), and such Breaching Party does not take reasonable steps to or otherwise does not successfully cure the breach or end the violation, as applicable, within a reasonable timeframe as agreed to by the Parties, the Notifying Party is permitted to either:

(a) If feasible, terminate this Agreement and the BA Services Contract; or

(b) If termination is not feasible, report the problem to HHS.

2) Judicial or Administrative Proceedings. Either Party may terminate this Agreement and the BA Services Contract, effective immediately, if (a) the other Party is named as a defendant in a criminal proceeding for a violation of HIPAA and HITECH, or (b) a finding or stipulation that the other Party has violated any standard or requirement of HIPAA and HITECH or other security or privacy laws is made in any administrative or civil proceeding in which the Party has been joined.

3) Effect of Termination. Upon termination of the BA Services Contract for any reason, Business Associate shall return to Covered Entity and destroy all of Covered Entity's PHI that Business Associate still maintains in any form, and shall retain no copies of such PHI, or if return or destruction is not feasible, Business Associate agrees, at Covered Entity's reasonable expense, to continue to extend the protections of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.

J) Indemnification.
Covered Entity and Business Associate will indemnify, hold harmless and defend the other Party to this Agreement from and against any and all claims, losses, liabilities, costs and other expenses, including court costs and reasonable attorneys fees and disbursements, incurred as a result of, or arising directly or indirectly out of or in connection with: 1) any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the Party under this Agreement; and 2) any claims, demands, awards, judgments, actions and proceedings made by any person or organization arising out of or in any way connected with the Party's performance under this Agreement.

K) Disclaimer. Covered Entity makes no warranty or representation that compliance by Business Associate with this Agreement, HIPAA and HITECH will be adequate or satisfactory for Business Associate's own purposes or that any information in Business Associate's possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.

L) Amendment. The Parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The Parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA and HITECH and other applicable laws relating to the security or confidentiality of PHI.
The Parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all PHI that it receives or creates pursuant to the delivery of BA Services and this Agreement. Upon either Party's request, both Parties agree to promptly enter into negotiations concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA and HITECH or other applicable laws. Either Party may terminate the BA Services upon 30 days written notice in the event 1) the other Party does not promptly enter into negotiations to amend this Agreement when requested by a Party pursuant to this Section or 2) the other Party does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of PHI sufficient to satisfy the standards and requirements of HIPAA and HITECH.

M) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, the Covered Entity Affiliates and Business Associate and their respective heirs, representatives, successors and assigns, any rights, remedies, obligations or liabilities whatsoever, whether as creditor beneficiary, donor beneficiary or otherwise.

N) Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and HITECH and applicable state laws.

O) Independent Contractor. Nothing contained herein shall be deemed or construed by the Parties hereto or by any third party as creating the relationship of employer and employee, principal and agent, partners, joint venturers or any similar relationship, between the Parties hereto.
Covered Entity and Business Associate acknowledge and agree that Business Associate is an independent contractor, and not an agent of Covered Entity, and Business Associate shall be solely liable for the payment of all income, unemployment, workers compensation, Social Security insurance or similar taxes or assessments on the fees or other remuneration paid or to be paid to Business Associate by Covered Entity.

P) Miscellaneous.

1) Entire Agreement. This Agreement supersedes all previous agreements between Covered Entity and Business Associate and contains the entire understanding and agreement between the Parties with respect to the subject matter hereof.

2) Headings. The headings in this Agreement are for convenience of reference only and shall not be used to interpret or construe its provisions.

3) Governing Law. This Agreement shall be construed in accordance with and governed by the laws of Pennsylvania without regard to conflicts of laws principles.

4) Binding Effect. This Agreement shall be binding upon, and inure to the benefit of, each Party hereto and their respective successors and assigns.

5) Mutual Negotiation. Each and every provision of this Agreement has been mutually negotiated, prepared and drafted and, in connection with the construction of any provisions hereof, no consideration shall be given to the issue of which Party actually prepared, drafted, requested or negotiated any provision of this Agreement, or its deletion.

6) Notices.
All notices, demands and other communications to be made hereunder ("Notice") shall be given in writing and shall be deemed to have been duly given if personally delivered or sent by confirmed facsimile transmission, recognized overnight courier service which provides a receipt against delivery, or certified or registered mail, postage prepaid, return receipt requested, to the other Party at the address set forth in the first paragraph of this Agreement. Notice shall be deemed effective, if personally delivered, when delivered; if sent by confirmed facsimile transmission, when sent; if sent via overnight delivery, on the first business day after being sent, and if mailed, at midnight on the third business day after deposit in the U.S. mail.

7) Modification. This Agreement may be amended, superseded, terminated or extended, and the terms hereof may be waived, only by a written instrument signed by all of the Parties or, in the case of a waiver, signed by the Party waiving compliance.

8) Preservation of Rights. No delay on the part of any Party in exercising any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any waiver on the part of any Party of any such right, power or privilege, nor any single or partial exercise of any right, power or privilege, preclude any further exercise thereof or the exercise of any other such right, power or privilege. The rights and remedies herein provided are cumulative and are not exclusive of any rights or remedies that any Party may otherwise have at law, in equity or otherwise.

9) Provisions Severable. The provisions of this Agreement are independent of and severable from each other. No provisions will be affected or rendered invalid or unenforceable by virtue of the fact that for any reason any one or more of any of the provisions hereof may be invalid or unenforceable in whole or in part.

10) Counterparts.
This Agreement may be executed by the Parties hereto in separate counterparts, each of which when so executed and delivered shall be an original, but all such counterparts shall together constitute one and the same instrument. Each counterpart may consist of a number of copies hereof each signed by less than all, but together signed by all of the Parties hereto.

11) Interpretation. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA and HITECH.

IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement on the day and year below written:

City of Richmond
By:
Print Name: Soberson
Date: [illegible]
EIN: 35-660[illegible]

ELAP Services, LLC
By:
Print Name: Stiphen P. It lly
Date: [illegible]
EIN: 27-1535821