030-2019 - Finance - Horan Associates - Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
WHEREAS, pursuant to the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191,
110 Stat. 2024 (Aug. 21, 1996) ("HIPAA"), the Office of the Secretary of the Department of Health and
Human Services has issued: (1) regulations providing Standards for Privacy of Individually Identifiable Health
Information at 45 CFR Part 160 and Subparts A and E of Part 164 ("Privacy Rule"); (2) regulations providing
Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and
Subpart C of Part 164 (the "Security Rule"); and (3) regulations modifying the Privacy Rule, Security Rule,
Enforcement and Breach Notification Rules; and
WHEREAS, the privacy and security provisions of HIPAA have been amended by the Health
Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American
Recovery and Reinvestment Act of 2009, and any and all references in this Agreement to the "HIPAA Rules"
shall be deemed to include the Privacy Rule, the Security Rule, HITECH, the Enforcement and Breach
Notification Rules, and all existing and future implementing regulations, as they become effective; and
WHEREAS, the HIPAA Rules provide, among other things, that a Covered Entity is permitted to
disclose Protected Health Information ("PHI") to a Business Associate and allow the Business Associate to
obtain, receive, and create PHI on behalf of the Covered Entity only if the Covered Entity obtains satisfactory
assurances, in the form of a written contract, that the Business Associate will appropriately safeguard the PHI;
and
WHEREAS, City of Richmond, Indiana (the "Plan Sponsor") maintains one or more Health Plans
("Plans") and has engaged HORAN Associates, Inc. ("Business Associate") to perform services, which may
be described in a separate contract (the "Services Arrangement") and Business Associate may receive PHI, or
create and receive such information in the performance of services on behalf of such Plans. Plan Sponsor and
Business Associate desire to determine the terms under which they shall comply with the HIPAA Rules;
NOW THEREFORE, the Plans, Plan Sponsor, and Business Associate agree as follows:
1. GENERAL HIPAA COMPLIANCE PROVISIONS
1.1. HIPAA Definitions. Except as otherwise provided in this Agreement, all capitalized terms
contained in this Agreement shall have the meanings set forth in the HIPAA Rules.
12 AN POA&CS& Business agrees011 .,be f4ily compliant with. *e
pthat it. w .
ss Associate
requirement ts that
ap ess.Associates s under,
p to Busi4 by, the cqmp iahce datq�,�m. tab ished,
such rules to,'the e1Gtt Necessary
to enable the Plans to comply with their obligations under the HIPAA Rules;
1.3. Changes in Law. Business Associate agrees that it will comply with any changes in the
HIPAA Rules by the compliance date established for any such changes. If, due to such a change, either or all
of the partle o jpn&p . u , to-,t. t PHI in for in,this Agreemcqt, the parties shall
..4 are n, rjq red Street p r SW occur p
Pannqr�provx.
renegotiai6iiils.Asr subject to. "the r w- f $p fiqp15,,_An -,such,
pew I
.00t, st q pments 0 q Any,such
soon as practicable following the occurrence of the change.
1.4. Nature of Relationship. The parties acknowledge that:
1.4.1. Each Plan is a Group Health Plan, and a Covered Entity;
1.4.2. Business Associate is a Business Associate of one or more of the Plans; and
Contract No. 30-2019
1.4.3. City of Richmond, Indiana is the Plan Sponsor (as defined in section 3(16)(b) of
Employee Retirement Income Security Act of 1974, 29 USC § 1001 et seq., as amended ("ERISA")) of each
Plan, is not a Covered Entity, and acts in the capacity of a plan sponsor as defined in the HIPAA Rules.
1.4.4. Whenever reference is made in this Agreement to actions or undertakings of a Plan,
to reports or information provided by the Business Associate to a Plan, or to instructions to the Business
Associate from a Plan, the reference to the Plan shall be to the person or entity designated in such Plan's
documents as having responsibility for Plan administration or, if no designation is made therein, the Plan
Sponsor.
1.4.5. The relationship of the Business Associate to any Plan (or the Plan Sponsor) is solely
a contractual relationship and nothing in the Services Arrangement or this Agreement shall be interpreted as
creating an agency relationship with the Business Associate under Federal common law.
2. TREATMENT OF PHI
2.1. Permitted Uses and Disclosures of PHI.
2.1.1. Uses and Disclosures on Behalf of the Plan. The Business Associate shall be
permitted to use and disclose PHI for the services Business Associate is providing to the Plan or Plan Sponsor
pursuant to the Services Arrangement, which may include but not be limited to Treatment, Payment activities
and/or Health Care Operations, and as otherwise required to perform its obligations under this Agreement and
the Services Arrangement.
2.1.2. Other Permitted Uses and Disclosures. In addition to the uses and disclosures set
forth in Section 2.1.1, Business Associate may use or disclose PHI received from, or created or received on
behalf of, the Plan under the following circumstances:
2.1.2.1. Disclosures to the Plan Sponsor. Business Associate may provide:
i. Summary Health Information to the Plan Sponsor upon Plan Sponsor's
written request which specifies that the purpose of the request is either (a) to obtain premium bids for providing
health insurance coverage to a Plan; and/or (b) to modify, amend or terminate a Plan;
ii. information to the Plan Sponsor on whether an individual is participating
in a Plan or is enrolled or has disenrolled from any insurance coverage offered by the Plan; and
iii. PHI to the Plan Sponsor for purposes of Plan Administration Functions,
provided that the Plan Sponsor has provided to Business Associate (a) a copy of Plan Sponsor's certification
to the applicable Plan under 45 CFR § 164.504(f)(2) relating to the required amendment of such Plan's plan
documents (the "Certification"), and (b) a list of employees of or descriptions of positions with Plan Sponsor
who are authorized in accordance with the applicable plan documents to receive PHI from the Business
Associate in connection with Plan Administration Functions of such Plan.
2.1.2.2. Use of PHI for Management, Administration, and Legal
Responsibilities. Business Associate is permitted to use PHI if necessary for the proper management and
administration of Business Associate or to carry out its legal responsibilities.
2.1.2.3. Disclosure of PHI for Management, Administration, and Legal
Responsibilities. Business Associate is permitted to disclose PHI if necessary for the proper management and
administration of Business Associate, or to carry out its legal responsibilities, provided that the disclosure is
required by law, or Business Associate obtains reasonable assurances from the person to whom the PHI is
disclosed that it will be held confidentially and used or further disclosed only as required by law or for the
purposes for which it was disclosed to the person; the person will use appropriate safeguards to prevent use or
disclosure of the information, and the person will notify Business Associate immediately of any instance of
which it is aware in which the confidentiality of the PHI has been breached.
2.1.2.4. Data Aggregation Services. Business Associate is permitted to use or
disclose PHI to provide data aggregation services, as that term is defined by 45 CFR § 164.501, relating to the
health care operations of a Plan.
2.1.2.5. De-identification. Business Associate is permitted to use PHI to de-identify
the information in accordance with 45 CFR § 164.514. Once de-identified, the information is no longer
PHI or subject to the terms of this Agreement and may be used or disclosed by the Business Associate as long
as the information does not include a key or other mechanism that would enable the information to be identified.
2.1.3. Further Uses Prohibited. Except as provided in Sections 2.1.1 and Section 2.1.2,
Business Associate is prohibited from further using or disclosing any information received from the Plan, or
from any other Business Associate of the Plan, for any commercial purposes of Business Associate. Business
Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA
Rules.
2.2. Minimum Necessary. Business Associate shall only request, use, and disclose the minimum
amount of PHI necessary to accomplish the purposes of the request, use, or disclosure. Business Associate and
Plan Sponsor acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the
HIPAA Rules.
2.3. Prohibited, Unlawful, or Unauthorized Use and Disclosure of PHI. Business Associate
shall not use or further disclose any PHI received from, or created or received on behalf of, a Plan, in a manner
that would violate the requirements of the Privacy Rule if done by the Plan.
2.4. Required Safeguards. Business Associate will develop, implement, maintain, and use
appropriate safeguards to prevent use or disclosure of PHI received from, or created or received on behalf of,
a Plan or other than as provided for in this Agreement or as required by law, including adopting policies and
procedures regarding the safeguarding of PHI; and providing training to relevant employees on such policies
and procedures to prevent the improper use or disclosure of PHI. To the extent Business Associate will carry
out one or more of Plan Sponsor's obligations under the Privacy Rule, the Business Associate will comply with
the requirements of the Privacy Rules that apply to the Plan Sponsor in the performance of such obligations.
2.5. Mitigation of Improper Uses or Disclosures. Business Associate shall mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business
Associate in violation of the requirements of this Agreement.
2.6. Reporting of Unauthorized Uses and Disclosures. Business Associate shall promptly
report in writing to the applicable Plan any use or disclosure of PHI not provided for under this Agreement, of
which Business Associate becomes aware.
2.7. Security Rule
2.7.1. Security Safeguards. Business Associate agrees to implement administrative,
physical, and technical safeguards set forth in the Security Rule that reasonably and appropriately protect the
confidentiality, integrity, and availability of the Electronic PHI that Business Associate creates, receives,
maintains, or transmits on behalf of any Plan or Plan Sponsor.
2.7.2. Security Incidents. Business Associate agrees to report to the Plans and Plan
Sponsor any unauthorized access, use, disclosure, modifications or destruction of information or interference
with information system operations which affect Electronic PHI created, received, maintained, or transmitted
on behalf of any Plan of which Business Associate becomes aware. Business Associate agrees to also report
to the Plan and Plan Sponsor any attempted unauthorized access affecting Electronic PHI created, received,
maintained, or transmitted on behalf of any Plan of which Business Associate becomes aware; provided that
Business Associate determines that the attempted access was material and credible.
2.8. Breach Notifications. Business Associate agrees to notify the applicable Plan and the Plan
Sponsor of any Breach of Unsecured PHI within 10 days from the date of discovery.
2.8.1. Information About Breach. Business Associate shall provide a report to the Plan
within 15 days of discovery of a Breach except when despite all reasonable efforts by Business Associate to
obtain the information required, circumstances beyond the control of the Business Associate necessitate
additional time. Under such circumstances Business Associate shall provide to the Plan the required
information as soon as possible and without unreasonable delay, but in no event later than 30 calendar days
from the date of discovery of a Breach. A breach will be treated as discovered in accordance with 45 CFR
§ 164.410. The Business Associate's report shall include: (i) the date of the Breach; (ii) the date of discovery
of the Breach; (iii) a list of each individual whose Unsecured PHI has been or is reasonably believed to have
been used, accessed, acquired, or disclosed during the Breach; (iv) a description of the type of Unsecured PHI
involved; (v) the identity of who made the non-permitted use or disclosure and who received the non-permitted
disclosure (if known); and (vi) any other details necessary to complete an assessment of whether the PHI has
been compromised.
2.8.2. Notification to Individual and Others. Unless otherwise agreed between the
Plan Sponsor and Business Associate, the Plan shall be responsible to provide notification to individuals whose
Unsecured PHI has been disclosed, as well as the Secretary of Health and Human Services and the media, as
required by the HIPAA Rules.
2.8.3. Investigation and New Procedures. Business Associate agrees to investigate the
Breach and to establish procedures to mitigate losses and protect against future Breaches, and to provide a
description of these procedures and the specific findings of the investigation to the Plan in the time and manner
reasonably requested by the Plan.
2.9. Plan Participant Requests. The Plans, Plan Sponsor and Business Associate acknowledge
that Plan Participants have certain rights under the Privacy Rule to access, amend and receive an accounting of
certain disclosures of their PHI. Business Associate further understands that the Plans have developed specific
policies and procedures to be followed for Plan participants who make such requests as an exercise of their
rights under the Privacy Rule. A request by a Plan participant (or such participant's personal representative)
made in accordance with such policies and procedures to access, amend or receive an accounting of disclosures
of the participant's PHI is referred to herein as a "Formal HIPAA Request."
2.9.1. Access to PHI. Within 30 days of a Plan's request on behalf of an individual,
Business Associate agrees to make available to the Plan any relevant PHI in a Designated Record Set received
from, or created or received on behalf of the Plan in accordance with the Privacy Rule. If Business Associate
receives, directly or indirectly, a request from an individual requesting PHI, Business Associate shall notify the
Plan in writing promptly of such request no later than 10 business days of receiving such request. If a Plan
requests an electronic copy of PHI that is maintained electronically in a Designated Record Set in the Business
Associate's custody or control, Business Associate will provide an electronic copy in the form and format
specified by the Plan if it is readily producible in such format; if it is not readily producible in such format,
Business Associate will work with the Plan to determine an alternative form and format that enables the Plan
to meet its electronic access obligations under 45 CFR § 164.524.
2.9.2. Amendment of PHI. Within 30 days of a Plan's request, Business Associate
agrees to make available to the Plan any relevant PHI in a Designated Record Set received from, or created or
received on behalf of, the Plan so the Plan may fulfill its obligations to amend such PHI pursuant to the Privacy
Rule. Business Associate shall incorporate any amendments to PHI into any and all PHI Business Associate
maintains. If Business Associate receives, directly or indirectly, a request from an individual for an amendment
to PHI, Business Associate shall notify the Plan in writing promptly of such request no later than 10 business
days of receiving such request. Each Plan shall have full discretion to determine whether the requested
amendment shall occur.
2.9.3. Accounting of Disclosures. Business Associate shall maintain, beginning as of
the date Business Associate first receives PHI from a Plan or the Plan Sponsor, an accounting of those
disclosures of PHI it receives from, or creates or receives on behalf of the Plans which are not excepted from
disclosure accounting under the Privacy Rule. Within 30 days of a Plan's request, Business Associate shall
make available to such Plan the information required to provide an accounting of disclosures in accordance
with 45 CFR § 164.528. If Business Associate receives, directly or indirectly, a request from an individual
requesting an accounting of disclosures of PHI, Business Associate shall notify the applicable Plan in writing
promptly of such request no later than 10 business days of receiving such a request. Business Associate shall
provide such an accounting based on an individual's Formal HIPAA Request to the Plan and the Plan shall
have full discretion to determine whether the requested accounting shall be provided to the requesting
individual. Business Associate will maintain the disclosure information for at least 6 years following the date
of the accountable disclosure to which the disclosure information relates.
2.10. Restrictions and Confidential Communications. Business Associate shall, upon notice
from a Plan in accordance with Section 3.3, accommodate any restriction to the use or disclosure of PHI and
any request for confidential communications to which such Plan has agreed in accordance with the Privacy
Rule.
2.11. Subcontractors. Business Associate will require each of its agents, including any
subcontractor (if permitted under the applicable Services Arrangement), to whom it provides PHI received
from, or created or received on behalf of, a Plan to agree, in a written agreement with Business Associate, to
comply with the Security Rule, and to agree to all of the same restrictions and conditions contained in this
Agreement or the HIPAA Rules that apply to Business Associate with respect to such information.
2.12. Audit. Business Associate shall make its internal practices, books, and records relating to
the use and disclosure of PHI received from, or created or received on behalf of, the Plans available to the
Secretary of Health and Human Services upon request for purposes of determining compliance by the Plans
with the HIPAA Rules.
2.13. Enforcement. Business Associate acknowledges that it is subject to civil and criminal
enforcement for failure to comply with the HIPAA Rules.
3. OBLIGATIONS OF COVERED ENTITY
3.1. Notice of Privacy Practices. The Plans shall notify Business Associate of any limitations in
its notice of privacy practices, to the extent such limitations may affect the Business Associate's use or
disclosure of PHI, in accordance with 45 CFR § 164.520, as well as any changes to such notice.
3.2. Revocation of Permission. Each Plan shall provide Business Associate with any changes in,
or revocation of, permission by any individual to use or disclose PHI, if such changes affect Business
Associate's permitted or required uses and disclosures with respect to such Plan.
3.3. Notice of Restrictions and Confidential Communications. Each Plan shall notify Business
Associate of any restriction on the use or disclosure of PHI that such Plan has agreed to in accordance with
45 CFR § 164.522. The applicable Plan shall notify Business Associate of any restriction on the use or
disclosure of PHI and any request for confidential communications to which, in accordance with the Privacy
Rule, such Plan has agreed.
3.4. Permissible Requests By the Plan. Except as provided in Section 2.1, the Plans shall not
request that Business Associate use or disclose PHI in any manner that would not be permissible under the
Privacy Rule if done by the Covered Entity.
4. AMENDMENT AND TERMINATION
4.1. Term and Termination. The Term of this Agreement shall be effective as of the date this
Agreement is signed, and shall terminate when all of the PHI provided by the Plan to Business Associate, or
created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered
Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance
with Section 4.3.
4.2. Termination for Violation of Agreement. Without limiting the rights of the parties under
the Services Arrangement, the applicable Plan(s) will have the right to terminate this Agreement and the
Services Arrangement if Business Associate has engaged in an activity or practice that constitutes a material
breach or violation of Business Associate's obligations regarding PHI under this Agreement and, on notice of
such material breach or violation from such Plan(s) or Plan Sponsor, fails to take reasonable and diligent steps
to cure the breach or end the violation. The applicable Plan(s) will follow the notice of termination procedures
(if any) applicable to the Services Arrangement. Notwithstanding the termination of this Agreement, Business
Associate shall continue to comply with Section 4.3 hereof after termination of this Agreement.
4.3. Return of PHI. At termination of this Agreement or the Services Arrangement, whichever
shall be first to occur, Business Associate shall return to the Plans all PHI received from, or created or received
on behalf of, such Plans that Business Associate maintains in any form and shall retain no copies of such
information. This provision shall also apply to PHI that is in the possession of any Subcontractor of Business
Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate
that it has returned or destroyed all such information. If such return is not feasible, Business Associate shall
notify the applicable Plan(s) thereof and Business Associate shall destroy such PHI and/or extend the
protections of this Agreement to such PHI retained by Business Associate and limit further uses and disclosures
to those purposes that make the return or destruction of the information infeasible.
5. MISCELLANEOUS PROVISIONS
5.1. Third-Party Beneficiary. No individual or entity is intended to be a third-party beneficiary
to this Agreement.
5.2. Severability. If any provisions of this Agreement shall be held by a court of competent
jurisdiction to be no longer required by the HIPAA Rules, the parties shall exercise their best efforts to determine
whether such provision shall be retained, replaced, or modified.
5.3. Procedures. The parties shall comply with procedures mutually agreed upon by the parties to
facilitate the Plans' compliance with the HIPAA Rules, including procedures for employee sanctions and
procedures designed to mitigate the harmful effects of any improper use or disclosure of the PHI of any Plans.
5.4. Choice of Law. This Agreement shall be governed by, and construed in accordance with, the
laws of the state of Ohio, except to the extent federal law applies.
5.5. Headings. The headings and subheadings of the Agreement have been inserted for
convenience of reference only and shall not affect the construction of the provisions of the Agreement.
5.6 Cooperation. The parties shall agree to cooperate and to comply with procedures mutually
agreed upon to facilitate compliance by the Plans with HIPAA Rules, including procedures designed to
mitigate the harmful effects of any improper use or disclosure of the Plans' PHI.
5.7 Notice. All notices, requests, demands, approvals, and other communications required or
permitted by this Agreement shall be in writing and sent by certified mail or by personal delivery. Such notice
shall be deemed given on any such date if delivery by the United States Postal Service. Any notice shall be
sent to the following address (or such subsequent address provided by the applicable party):
5.7.1. If to a Plan or the Plan Sponsor:
5.7.2. If to Business Associate:
HORAN Associates, Inc.
Privacy Officer
4990 E Galbraith Rd
Cincinnati OH 452M
5.8. Conflict. In the event of any conflict between the provisions of the Services Arrangement
and this Agreement, the terms of this Agreement shall govern to the extent necessary to assure the Plans'
compliance with HIPAA Rules.
IN WITNESS WHEREOF, the undersigned, having full authority to bind their respective principals,
have executed this Agreement as of this ___ day of ______, 201_.
City of Richmond, Indiana, by and through
its Board of Public Works & Safety, on behalf
of the plan
By: /u /G
City of Richmond, Indiana by and through its
Board of Public Works & Safety, on behalf of
the group
Title: President Title: President
Name: Vicki Robinson Name: Vicki Robinson
Date: J"Z Y— Date: '„. LF--
HORAN Associates, Inc.
By: c' —
Title: �(c
Name: Va
Date:
By:
Mayor
David M. Snow
Date: b I