030-2019 - Finance - Horan Associates - Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

WHEREAS, pursuant to the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 2024 (Aug. 21, 1996) ("HIPAA"), the Office of the Secretary of the Department of Health and Human Services has issued: (1) regulations providing Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Subparts A and E of Part 164 ("Privacy Rule"); (2) regulations providing Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Subpart C of Part 164 (the "Security Rule"); and (3) regulations modifying the Privacy Rule, Security Rule, Enforcement and Breach Notification Rules; and

WHEREAS, the privacy and security provisions of HIPAA have been amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act of 2009, and any and all references in this Agreement to the "HIPAA Rules" shall be deemed to include the Privacy Rule, the Security Rule, HITECH, the Enforcement and Breach Notification Rules, and all existing and future implementing regulations, as they become effective; and

WHEREAS, the HIPAA Rules provide, among other things, that a Covered Entity is permitted to disclose Protected Health Information ("PHI") to a Business Associate and allow the Business Associate to obtain, receive, and create PHI on behalf of the Covered Entity only if the Covered Entity obtains satisfactory assurances, in the form of a written contract, that the Business Associate will appropriately safeguard the PHI; and

WHEREAS, City of Richmond, Indiana (the "Plan Sponsor") maintains one or more Health Plans ("Plans") and has engaged HORAN Associates, Inc. ("Business Associate")
to perform services, which may be described in a separate contract (the "Services Arrangement") and Business Associate may receive PHI, or create and receive such information in the performance of services on behalf of such Plans. Plan Sponsor and Business Associate desire to determine the terms under which they shall comply with the HIPAA Rules;

NOW THEREFORE, the Plans, Plan Sponsor, and Business Associate agree as follows:

1. GENERAL HIPAA COMPLIANCE PROVISIONS

1.1. HIPAA Definitions. Except as otherwise provided in this Agreement, all capitalized terms contained in this Agreement shall have the meanings set forth in the HIPAA Rules.

1.2. AN POA&CS& Business Associate agrees that it will be fully compliant with the requirements that apply to Business Associates under the HIPAA Rules by the compliance date established by such rules to the extent necessary to enable the Plans to comply with their obligations under the HIPAA Rules.

1.3. Changes in Law. Business Associate agrees that it will comply with any changes in the HIPAA Rules by the compliance date established for any such changes. If, due to such a change,. either or all of the partle o jpn&p . u , to-,t. t PHI in for in,this Agreemcqt, the parties shall ..4 are n, rjq red Street p r SW occur p Pannqr�provx. renegotiai6iiils.Asr subject to. "the r w- f $p fiqp15,,_An -,such, pew I .00t, st q pments 0 q Any,such soon as practicable following the occurrence ofahe change

1.4. Na es Nature; �J"F4ip The parties acknowledge that:

1.4.1. Each Plan is a Group Health Plan and a Covered Entity;

1.4.2. Business Associate is a Business Associate of one or more of the Plans; and

Contract No. 30-2019

1.4.3.
City of Richmond, Indiana is the Plan Sponsor (as defined in section 3(16)(b) of the Employee Retirement Income Security Act of 1974, 29 USC § 1001 et seq., as amended ("ERISA")) of each Plan, is not a Covered Entity, and acts in the capacity of a plan sponsor as defined in the HIPAA Rules.

1.4.4. Whenever reference is made in this Agreement to actions or undertakings of a Plan, to reports or information provided by the Business Associate to a Plan, or to instructions to the Business Associate from a Plan, the reference to the Plan shall be to the person or entity designated in such Plan's documents as having responsibility for Plan administration or, if no designation is made therein, the Plan Sponsor.

1.4.5. The relationship of the Business Associate to any Plan (or the Plan Sponsor) is solely a contractual relationship and nothing in the Services Arrangement or this Agreement shall be interpreted as creating an agency relationship with the Business Associate under Federal common law.

2. TREATMENT OF PHI

2.1. Permitted Uses and Disclosures of PHI.

2.1.1. Uses and Disclosures on Behalf of the Plan. The Business Associate shall be permitted to use and disclose PHI for the services Business Associate is providing to the Plan or Plan Sponsor pursuant to the Services Arrangement, which may include but not be limited to Treatment, Payment activities and/or Health Care Operations, and as otherwise required to perform its obligations under this Agreement and the Services Arrangement.

2.1.2. Other Permitted Uses and Disclosures. In addition to the uses and disclosures set forth in Section 2.1.1, Business Associate may use or disclose PHI received from, or created or received on behalf of, the Plan under the following circumstances:

2.1.2.1. Disclosures to the Plan Sponsor. Business Associate may provide:

i.
Summary Health Information to the Plan Sponsor upon Plan Sponsor's written request which specifies that the purpose of the request is either (a) to obtain premium bids for providing health insurance coverage to a Plan; and/or (b) to modify, amend or terminate a Plan;

ii. information to the Plan Sponsor on whether an individual is participating in a Plan or is enrolled or has disenrolled from any insurance coverage offered by the Plan; and

iii. PHI to the Plan Sponsor for purposes of Plan Administration Functions, provided that the Plan Sponsor has provided to Business Associate (a) a copy of Plan Sponsor's certification to the applicable Plan under 45 CFR § 164.504(f)(2) relating to the required amendment of such Plan's plan documents (the "Certification"), and (b) a list of employees of or descriptions of positions with Plan Sponsor who are authorized in accordance with the applicable plan documents to receive PHI from the Business Associate in connection with Plan Administration Functions of such Plan.

2.1.2.2. Use of PHI for Management, Administration, and Legal Responsibilities. Business Associate is permitted to use PHI if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities.

2.1.2.3. Disclosure of PHI for Management, Administration, and Legal Responsibilities. Business Associate is permitted to disclose PHI if necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that the disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom
the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; the person will use appropriate safeguards to prevent use or disclosure of the information, and the person will notify Business Associate immediately of any instance of which it is aware in which the confidentiality of the PHI has been breached.

2.1.2.4. Data Aggregation Services. Business Associate is permitted to use or disclose PHI to provide data aggregation services, as that term is defined by 45 CFR § 164.501, relating to the health care operations of a Plan.

2.1.2.5. De-identification. Business Associate is permitted to use PHI to de-identify the information in accordance with 45 CFR § 164.514. Once de-identified, the information is no longer PHI or subject to the terms of this Agreement and may be used or disclosed by the Business Associate as long as the information does not include a key or other mechanism that would enable the information to be identified.

2.1.3. Further Uses Prohibited. Except as provided in Section 2.1.1 and Section 2.1.2, Business Associate is prohibited from further using or disclosing any information received from the Plan, or from any other Business Associate of the Plan, for any commercial purposes of Business Associate. Business Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA Rules.

2.2. Minimum Necessary. Business Associate shall only request, use, and disclose the minimum amount of PHI necessary to accomplish the purposes of the request, use, or disclosure. Business Associate and Plan Sponsor acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HIPAA Rules.

2.3. Prohibited, Unlawful, or Unauthorized Use and Disclosure of PHI.
Business Associate shall not use or further disclose any PHI received from, or created or received on behalf of, a Plan, in a manner that would violate the requirements of the Privacy Rule if done by the Plan.

2.4. Required Safeguards. Business Associate will develop, implement, maintain, and use appropriate safeguards to prevent use or disclosure of PHI received from, or created or received on behalf of, a Plan or other than as provided for in this Agreement or as required by law, including adopting policies and procedures regarding the safeguarding of PHI; and providing training to relevant employees on such policies and procedures to prevent the improper use or disclosure of PHI. To the extent Business Associate will carry out one or more of Plan Sponsor's obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rules that apply to the Plan Sponsor in the performance of such obligations.

2.5. Mitigation of Improper Uses or Disclosures. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

2.6. Reporting of Unauthorized Uses and Disclosures. Business Associate shall promptly report in writing to the applicable Plan any use or disclosure of PHI not provided for under this Agreement, of which Business Associate becomes aware.

2.7. Security Rule

2.7.1. Security Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards set forth in the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of any Plan or Plan Sponsor.

2.7.2. Security Incidents.
Business Associate agrees to report to the Plans and Plan Sponsor any unauthorized access, use, disclosure, modification, or destruction of information or interference with information system operations which affect Electronic PHI created, received, maintained, or transmitted on behalf of any Plan of which Business Associate becomes aware. Business Associate agrees to also report to the Plan and Plan Sponsor any attempted unauthorized access affecting Electronic PHI created, received, maintained, or transmitted on behalf of any Plan of which Business Associate becomes aware; provided that Business Associate determines that the attempted access was material and credible.

2.8. Breach Notifications. Business Associate agrees to notify the applicable Plan and the Plan Sponsor of any Breach of Unsecured PHI within 10 days from the date of discovery.

2.8.1. Information About Breach. Business Associate shall provide a report to the Plan within 15 days of discovery of a Breach except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to the Plan the required information as soon as possible and without unreasonable delay, but in no event later than 30 calendar days from the date of discovery of a Breach. A breach will be treated as discovered in accordance with 45 CFR § 164.410. The Business Associate's report shall include: (i) the date of the Breach; (ii) the date of discovery
of the Breach; (iii) a list of each individual whose Unsecured PHI has been or is reasonably believed to have been used, accessed, acquired, or disclosed during the Breach; (iv) a description of the type of Unsecured PHI involved; (v) the identity of who made the non-permitted use or disclosure and who received the non-permitted disclosure (if known); and (vi) any other details necessary to complete an assessment of whether the PHI has been compromised.

2.8.2. Notification to Individual and Others. Unless otherwise agreed between the Plan Sponsor and Business Associate, the Plan shall be responsible to provide notification to individuals whose Unsecured PHI has been disclosed, as well as the Secretary of Health and Human Services and the media, as required by the HIPAA Rules.

2.8.3. Investigation and New Procedures. Business Associate agrees to investigate the Breach and to establish procedures to mitigate losses and protect against future Breaches, and to provide a description of these procedures and the specific findings of the investigation to the Plan in the time and manner reasonably requested by the Plan.

2.9. Plan Participant Requests. The Plans, Plan Sponsor and Business Associate acknowledge that Plan Participants have certain rights under the Privacy Rule to access, amend and receive an accounting of certain disclosures of their PHI. Business Associate further understands that the Plans have developed specific policies and procedures to be followed for Plan participants who make such requests as an exercise of their rights under the Privacy Rule. A request by a Plan participant or such participant's personal representative made in accordance with such policies and procedures to access, amend, or receive an accounting of disclosures of the participant's PHI is referred to herein as a "Formal HIPAA Request."

2.9.1. Access to PHI.
Within 30 days of a Plan's request on behalf of an individual, Business Associate agrees to make available to the Plan any relevant PHI in a Designated Record Set received from, or created or received on behalf of the Plan in accordance with the Privacy Rule. If Business Associate receives, directly or indirectly, a request from an individual requesting PHI, Business Associate shall notify the Plan in writing promptly of such request no later than 10 business days of receiving such request. If a Plan requests an electronic copy of PHI that is maintained electronically in a Designated Record Set in the Business Associate's custody or control, Business Associate will provide an electronic copy in the form and format specified by the Plan if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with the Plan to determine an alternative form and format that enables the Plan to meet its electronic access obligations under 45 CFR § 164.524.

2.9.2. Amendment of PHI. Within 30 days of a Plan's request, Business Associate agrees to make available to the Plan any relevant PHI in a Designated Record Set received from, or created or received on behalf of, the Plan so the Plan may fulfill its obligations to amend such PHI pursuant to the Privacy Rule. Business Associate shall incorporate any amendments to PHI into any and all PHI Business Associate maintains. If Business Associate receives, directly or indirectly, a request from an individual for an amendment to PHI, Business Associate shall notify the Plan in writing promptly of such request no later than 10 business days of receiving such request. Each Plan shall have full discretion to determine whether the requested amendment shall occur.

2.9.3. Accounting of Disclosures.
Business Associate shall maintain, beginning as of the date Business Associate first receives PHI from a Plan or the Plan Sponsor, an accounting of those disclosures of PHI it receives from, or creates or receives on behalf of the Plans which are not excepted from disclosure accounting under the Privacy Rule. Within 30 days of a Plan's request, Business Associate shall make available to such Plan the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. If Business Associate receives, directly or indirectly, a request from an individual requesting an accounting of disclosures of PHI, Business Associate shall notify the applicable Plan in writing promptly of such request no later than 10 business days of receiving such a request. Business Associate shall provide such an accounting based on an individual's Formal HIPAA Request to the Plan and the Plan shall have full discretion to determine whether the requested accounting shall be provided to the requesting individual. Business Associate will maintain the disclosure information for at least 6 years following the date of the accountable disclosure to which the disclosure information relates.

2.10. Restrictions and Confidential Communications. Business Associate shall, upon notice from a Plan in accordance with Section 3.3, accommodate any restriction to the use or disclosure of PHI and any request for confidential communications to which such Plan has agreed in accordance with the Privacy Rule.

2.11. Subcontractors. Business Associate will require each of its agents, including any subcontractor (if permitted under the applicable Services Arrangement), to whom it provides PHI received from, or created or received on behalf of, a Plan to agree, in a written agreement with Business Associate, to comply with the Security Rule, and to agree to all of the same restrictions and conditions contained
in this Agreement or the HIPAA Rules that apply to Business Associate with respect to such information.

2.12. Audit. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, the Plans available to the Secretary of Health and Human Services upon request for purposes of determining compliance by the Plans with the HIPAA Rules.

2.13. Enforcement. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules.

3. OBLIGATIONS OF COVERED ENTITY

3.1. Notice of Privacy Practices. The Plans shall notify Business Associate of any limitations in its notice of privacy practices, to the extent such limitations may affect the Business Associate's use or disclosure of PHI in accordance with 45 CFR 164.520, as well as any changes to such notice.

3.2. Revocation of Permission. Each Plan shall provide Business Associate with any changes in, or revocation of, permission by any individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures with respect to such Plan.

3.3. Notice of Restrictions and Confidential Communications. Each Plan shall notify Business Associate of any restriction on the use or disclosure of PHI that such Plan has agreed to in accordance with 45 CFR § 164.522. The applicable Plan shall notify Business Associate of any restriction on the use or disclosure of PHI and any request for confidential communications to which, in accordance with the Privacy Rule, such Plan has agreed.

3.4. Permissible Requests By the Plan. Except as provided in Section 2.1, the Plans shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity.

4. AMENDMENT AND TERMINATION

4.1. Term and Termination.
The Term of this Agreement shall be effective as of the date this Agreement is signed, and shall terminate when all of the PHI provided by the Plan to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 4.3.

4.2. Termination for Violation of Agreement. Without limiting the rights of the parties under the Services Arrangement, the applicable Plan(s) will have the right to terminate this Agreement and the Services Arrangement if Business Associate has engaged in an activity or practice that constitutes a material breach or violation of Business Associate's obligations regarding PHI under this Agreement and, on notice of such material breach or violation from such Plan(s) or Plan Sponsor, fails to take reasonable and diligent steps to cure the breach or end the violation. The applicable Plan(s) will follow the notice of termination procedures (if any) applicable to the Services Arrangement. Notwithstanding the termination of this Agreement, Business Associate shall continue to comply with Section 4.3 hereof after termination of this Agreement.

4.3. Return of PHI. At termination of this Agreement or the Services Arrangement, whichever shall be first to occur, Business Associate shall return to the Plans all PHI received from, or created or received on behalf of, such Plans that Business Associate maintains in any form and shall retain no copies of such information. This provision shall also apply to PHI that is in the possession of any Subcontractor of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information. If such return is not feasible,
Business Associate shall notify the applicable Plan(s) thereof and Business Associate shall destroy such PHI and/or extend the protections of this Agreement to such PHI retained by Business Associate and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

5. MISCELLANEOUS PROVISIONS

5.1. Third Party Beneficiary. No individual or entity is intended to be a third party beneficiary to this Agreement.

5.2. Severability. If any provisions of this Agreement shall be held by a court of competent jurisdiction to be no longer required by the HIPAA Rules, the parties shall exercise their best efforts to determine whether such provision shall be retained, replaced, or modified.

5.3. Procedures. The parties shall comply with procedures mutually agreed upon by the parties to facilitate the Plans' compliance with the HIPAA Rules, including procedures for employee sanctions and procedures designed to mitigate the harmful effects of any improper use or disclosure of the PHI of any Plans.

5.4. Choice of Law. This Agreement shall be governed by, and construed in accordance with, the laws of the state of Ohio, except to the extent federal law applies.

5.5. Headings. The headings and subheadings of the Agreement have been inserted for convenience of reference only and shall not affect the construction of the provisions of the Agreement.

5.6. Cooperation. The parties shall agree to cooperate and to comply with procedures mutually agreed upon to facilitate compliance by the Plans with HIPAA Rules, including procedures designed to mitigate the harmful effects of any improper use or disclosure of the Plans' PHI.

5.7. Notice. All notices, requests, demands, approvals, and other communications required or permitted by this Agreement shall be in writing and sent by certified mail or by personal delivery.
Such notice shall be deemed given on any such date if delivery by the United States Postal Service. Any notice shall be sent to the following address (or such subsequent address provided by the applicable party):

5.7.1. If to a Plan or the Plan Sponsor:

5.7.2. If to Business Associate:
HORAN Associates, Inc.
Privacy Officer
4990 E Galbraith Rd
Cincinnati OH 452M

5.8. Conflict. In the event of any conflict between the provisions of the Services Arrangement and this Agreement, the terms of this Agreement shall govern to the extent necessary to assure the Plans' compliance with HIPAA Rules.

IN WITNESS WHEREOF, the undersigned, having full authority to bind their respective principals, have executed this Agreement as of this ___ day of ______, 201_.

City of Richmond, Indiana, by and through its Board of Public Works & Safety, on behalf of the plan
By:
Title: President
Name: Vicki Robinson
Date:

City of Richmond, Indiana by and through its Board of Public Works & Safety, on behalf of the group
Title: President
Name: Vicki Robinson
Date:

HORAN Associates, Inc.
By:
Title:
Name: Va
Date:

By: Mayor David M. Snow
Date: