The URL can be used to link to this page

Home My Public Portal About112-2020 - Finance - True Rx - Pharmacy Busness Associate AgreementTRUE RX Business Associate Agreement City of Richmond This Business Associate Agreement ("Agreement") is made and entered this 1st of January, 2019 hereinafter referred to as the "Effective Date", by and between True Rx Management Services, Inc., with primary offices located at 7 Williams Bros. Drive, Washington, Indiana 47501 ('Business Associate") and City of Richmond with primary offices located at 50 .N5ch Street, Richmond, IN, 47374 ("Covered Entity") (each a "Party" and collectively the "Parties"). WITNESSETH: WHEREAS, Business Associate will provide certain management and administrative services to Covered Entity that may require the disclosure of certain protected health information ("PHI"), which must be maintained confidential in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. 104-191, and the accompanying regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (the "Privacy Rule") and 45 C.F.R. Parts 160, 162, 164 (the "Security Rule") (collectively, the "HIPAA Regulations"), as amended and the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act'), enacted as part of the American Recovery and Reinvestment Act of 2009, Pub.'L. 111-5; and WHEREAS, pursuant to the HIPAA Regulations and the HITECH Act, Covered Entity and Business Associate must agree in writing to comply with certain mandatory provisions regarding the use and disclosure of PHI; and WHEREAS, Business Associate and its employees, affiliates, agents or representatives may access paper and/or electronic records containing PHI in carrying out their obligations to Covered Entity pursuant to either an existing or contemporaneously executed agreement for services ("Services Agreement'); and WHEREAS, the Parties desire to enter into this Agreement to comply with the HIPAA Regulations and the HITECH Act, and to amend any agreements between them, whether oral or written, with the execution of this Agreement; NOW, THEREFORE, for and in consideration of the premises and mutual covenants and agreements contained herein the parties agree as follows: 1. Definitions. The terms used, but not otherwise defined, in,this Agreement shall have the same meaning as those in the HIPAA Regulations and the HITECH Act, as amended. 2. Services Agreements. 2.1. Existing Services Agreements. Covered Entity and Business Associate are parties to the following ServicesAgreements executed prior to the Effective Date and. currently in effect (if any): Agreement: Services: Date of Agreement: Pharmacy Services Agreement Prescription Benefit Management January 1, 2019 All existing Services Agreements between the Parties are incorporated herein by reference and are hereby amended by this Agreement. In the event of conflict between the terms of any Services Agreement and this Agreement, the terms and conditions of this Agreement shall govern. Page 1 of 6 Contract No. 112-2020 2.2 Use and Disclosure of PHI to Provide Services. Business Associate will not use or further disclose PHI other than: (i) as permitted or required by the terms of the Services Agreement or this Agreement; (ii) as required by law; or (iii) as expressly permitted by HIPAA or the HITECH Act. Except as otherwise provided herein, Business Associate may make any and all uses or disclosures of PHI necessary to perform its obligations under the applicable Services Agreement. All other uses or disclosures not authorized by this Agreement are prohibited. Additional Business Associate Activities. Except as. otherwise provided in this Agreement, Business Associate may also: 3.1 Use the PHI in its possession for its proper management and administration and/or to fulfill any present or future legal responsibilities of Business Associate, provided that such uses are permitted under state and federal confidentiality laws. 3.2 Disclose the PHI in its possession for the purpose of its proper management and administration and/or to fulfill any present or future legal responsibilities of Business Associate. Business Associate represents to Covered Entity that (i) any disclosure it makes will be permitted under applicable laws; and (ii) Business Associate will obtain reasonable written assurances from any person to whom the PHI will be disclosed that the PHI will be held confidentially and used or further disclosed only as required and permitted under the Privacy Rule and other applicable laws, that any such person agrees to be governed by the same restrictions and conditions contained in this Agreement. 3.3 Aggregate Covered Entity's PHI in Business Associate's possession with .the PHI of other covered entities that Business Associate has in its possession through its capacity as a Business Associate to such other covered entities, provided that the purpose of such aggregation is to provide Covered Entity with data analyses relating to its Health Care Operations, as such term is defined in the Privacy Rule. Business Associate will not disclose the PHI obtained from Covered Entity to another covered entity absent written authorization from Covered Entity. 3.4 De -identify any and all PHI provided that the de -identification conforms to the requirements of applicable law as provided for in 45 C.F.R. § 164.514(b) and that Business Associate maintains such documentation as required by applicable law, as provided for in 45 C.F.R. § 164.514(b). The Parties understand that properly de -identified information is not PHI under the terms of this Agreement. Business Associate Covenants. 4.1 Appropriate Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI or access to ePHI, other than as provided for by this Agreement. For ePHI, appropriate safeguards means all the safeguards of the Security Rule and shall include the technologies and methodologies prescribed by the Secretary. of HHS in 74 Fed Reg.,42740 (August 24, 2009), as amended from time to time. 4.2 Full Compliance with Security Rule. Business Associate shall comply with all standards and implementation specifications set out in 45 C.F.R. §§ 164.309, 164.310, 164.312, and 164.316, to ensure protection of ePHI it creates, receives, maintains or transmits on behalf of Covered Entity. 4.3 Minimum Necessary. Business Associate may only use or further disclose the minimum necessary PHI in performing the activities called for under the Services Agreement; and may not use or further disclose PHI except as permitted under this Agreement, the Privacy Rule, and applicable state law, each as amended from time to time. 4.4 Reporting of Unauthorized Uses or Disclosures of PHI 4.4.1 Upon discovering a Breach of Unsecured PHI, Business Associate agrees to notify Covered Entity immediately, but in no event later than twenty (20) days from the date the Breach of Unsecured PHI is discovered by Business Associate in order that Covered Entity may comply with the notice and other requirements under the HIPAA Regulations and the HITECH Act. In accordance with 45 C.F.R. § 164.410, a Breach of Unsecured PHI shall be treated as discovered as of the first day on which such breach is known to Business Associate, or an employee, officer or other agent of Business Associate, or should reasonably have been known to such Business Associate. Notice regarding Breaches of Unsecured PHI must contain:. (i) the subject of the PHI Page 2 of 6 (i.e., patient name or identifier); (ii) a description of what happened; (iii) the date of the Breach and date of Discovery; (iv) a description of the types of unsecured PHI involved in the Breach; (v) the steps the individuals should take to protect themselves from potential harm resulting from the Breach; (vi) a brief description of what Business Associate is doing or will do to investigate and mitigate loss as a result of the Breach and to protect against any further Breaches; and (vii) the contact information and procedures for individuals to obtain additional information. 4.4.2 Business Associate will monitor for attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in Business Associate's information system ("Security Incident"). Business Associate will report any successful Security Incident rising to the level of a Breach to Covered Entity in accordance with Section 4.4.1. Business Associate will log all attempted but unsuccessful Security Incidents and report to the Covered Entity upon request, but at least annually, in accordance with 45 C.F.R. § 164.314. 4.5 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate from an unauthorized use or disclosure of PHI. 4.6 Subcontractors and Agents. Business Associate agrees to require that any subcontractors or agents to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agree in writing to the same- restrictions and conditions that apply to Business Associate with respect to such information under this Agreement, and to implement reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of PHI created, received, transmitted or maintained by Business Associate or such third party in connection with this Agreement. 4.7 Policies 'and Procedures. Business Associate will comply with Covered Entity policies and procedures with respect to the privacy and security of PHI and other Covered Entity records, as well as policies and procedures with respect to access and use of Covered Entity's equipment and facilities. 4.8 Patient Privacy Rights. Business Associate will provide the rights of access, amendment, and, accounting as set forth in Sections 6, 7, and 8. 4.9 Marketing, Fundraising and Sale of PHI.' Business Associate shall not: (i) use or disclose PHI for fundraising or marketing purposes unless expressly permitted by Covered Entity, and in accordance with § 13406(a) of -the HITECH Act; or (ii) disclose PHI to a health plan for payment or health care operations purposes if the individual has requested a restriction on uses and disclosures of PHI for marketing and/or fundraising activities and paid out of pocket in full for the health care item or services to which the PHI solely relates; or (iii) directly or indirectly receive remuneration in exchange for PHI, including sale of Electronic Health Records ("EHR"), except with the prior written consent of Covered Entity and as permitted by the HIPAA Regulations or the HITECH Act. 6. - Covered Entity Covenants. Covered Entity covenants to notify Business Associate within five (5) business days of receipt of any material limitations to the consents or authorizations obtained by Covered Entity from individuals, or any other restrictions on the use or disclosure of PHI as agreed to by Covered Entity. 6. Access to PHI. Within ten (10) business days of a request by Covered Entity for -access to PHI about an individual contained in a Designated Record Set, as such term is defined in the Privacy Rule, Business Associate shall make available to Covered Entity, or the individual to whom such PHI relates, or his or her authorized representative, such PHI for so long as such information is maintained in the Designated Record Set as defined in 45 C.F.R. § 164.524 and §13405(e) of the HITECH Act, and any regulations promulgated thereunder. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall, within ten (10) business days, forward such request to Covered Entity. Any denials of access to the PHI requested shall be the responsibility of Covered Entity. 7. Amendment of PHI. Within ten (10) business days of receipt of a request from Covered Entity for the amendment of an individual's PHI or a record regarding an individual contained in a Designated Record Set, Business Associate shall, as required by 45 C.F.R. § 164.526, incorporate any such amendments in the PHI; provided, however, that Covered Entity has made the determination that the amendment(s) is/are necessary because the PHI that is the subject of the amendment(s) has been, or foreseeably could be, relied upon by Business Associate or others to the detriment of the individual who is the subject of the PHI to be amended. The Page 3 of 6 obligation in this Section 7 shall apply only for so long as the PHI is maintained by Business Associate in a Designated Record Set. 8. Accountinq for Disclosures of PHI. Within ten (10) business days of notice by Covered Entity to Business. Associate that it has received a request for an accounting of disclosures of PHI regarding an individual, Business Associate shall make available to Covered Entity such information as is in Business Associate's possession and is required for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall, within ten (10) business days, forward such request to Covered Entity. It shall be Covered Entity's responsibility to prepare and deliver any such accounting requested. Business Associate also agrees to comply with the requirements for disclosure of PHI from an EHR, as set out in §13405(c) of the HITECH Act and any regulations promulgated thereunder, as when applicable. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the'disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individuals' authorization, or a copy of the written request for disclosure. The information also shall include any additional information required under §.13405(c) of the HITECH Act and any regulations. . 9. Access to Books and Records Regarding PHI. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS for purposes of determining Business Associate's or Covered Entity's compliance with HIPAA and the HITECH Act. 10. Disposition of PHI Upon Termination. Business Associate will, at termination or expiration of the Services Agreement or this Agreement, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity which Business Associate and/or its subcontractors or agents still maintain in any form, and will not retain any copies of such information. Business Associate shall destroy all PHI and ePHI in accordance with the approved technologies and methodologies set out by HHS in its guidance (74 Fed Reg. 42740, 42742 (Aug. 24, 2009)), as amended from time to time. If such return or destruction is not feasible, Business Associate will notify Covered Entity of such event in writing, and will thereupon extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. 11. Representations and Warranties of the Parties. Each Party represents and warrants to the other Party: (i) that it is duly organized, validly existing, and in good standing under -the laws of the jurisdiction in which it is organized or licensed, it has the full power to enter into this Agreement and to perform its obligations hereunder, and that the performance by it of its obligations under this Agreement have been duly authorized by all necessary corporate or other actions and that such performance -will not violate any provision of any organizational charter or bylaws; (ii) that neither the execution of this Agreement, nor its performance hereunder, will directly or indirectly violate or interfere with the terms of another agreement to which it is a party, or give any governmental entity the right to suspend, terminate, or modify any of its governmental authorizations or assets required for its performance hereunder; (iii) that all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this Agreement are or shall be appropriately informed of the terms of this Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all provisions of this Agreement; and (iv) that it will reasonably cooperate with the other Party in the performance of the mutual obligations under this Agreement. 12. Term. Unless otherwise terminated as provided'in Section 13, this Agreement shall become effective on the Effective Date and shall have a term that shall run concurrently with that of the Services Agreement. Page 4 of 6 13. Termination. 13.1 Generally. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Services Agreement; provided, however, certain provisions and requirements of this Agreement shall survive such termination or expiration in accordance with Section 14. 13.2 Termination by Parties. Either Party may immediately terminate this Agreement, the Services Agreement and any related agreements if that Party ("Non -Breaching Party") makes the determination that the other Party ("Breaching Party") has breached a material term of this Agreement, or is engaging in a pattern of activity or practice that violates this Agreement. Alternatively, Non -Breaching Party may, in its sole discretion, choose to provide Breaching Party with written notice of the existence of the breach and provide Breaching Party with thirty (30) calendar days to cure said breach upon mutually agreeable terms. In the event that mutually agreeable terms cannot be reached within this thirty (30) day period, Breaching Party shall cure said breach to the satisfaction of Non -Breaching Party within an additional fifteen (15) days. Failure by Breaching Party to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of this Agreement and the Services Agreement by Non -Breaching Party. If termination is not feasible, Non -Breaching Party has the right to report the problem to the Secretary of HHS. 14. Effect of Termination. Upon termination pursuant to Section 13, Business Associate agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(1), if it is feasible to do so. Prior to doing so, Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for Business Associate to return or destroy all PHI, Business Associate will notify Covered Entity in writing. Such notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession; and (ii) the specific reasons for such determination. Business Associate further agrees to extend any and -all protections, limitations and .restrictions contained in this Agreement to Business Associate's use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is infeasible for Business Associate to obtain from a subcontractor or agent any PHI in the possession of the subcontractor or agent, Business Associate must provide a written explanation to Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors' and/or agents' use and/or disclosure.of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. 15. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate from an unauthorized use or disclosure of PHI in Business Associates possession or control: Business Associate will cooperate with Client, at Client's sole expense, in mitigating, to the extent practicable, any harmful effect of an unauthorized use or disclosure of PHI in Client's possession or control. 16. Change of Law. The parties acknowledge that the HIPAA Regulations and the HITECH Act may be modified from time to time. The parties specifically agree to take such action as necessary to implement the standards and requirements of the HIPAA Regulations, the HITECH Act, and other applicable laws and regulations relating to the privacy and security of PHI. Upon either Party's request, the other Party shall agree to promptly enter into good faith negotiations concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of the HIPAA Regulations, the HITECH Act, and other applicable state laws and regulations relating to the privacy and security of PHI. Either Party may terminate this Agreement upon sixty (60) days written notice in the event the other Party does not promptly enter into negotiations to amend this Agreement when requested by the other Party pursuant to this Section 16. 17. Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations or the HITECH Act means the section as in effect, or as amended, and for which compliance is required. i 18. Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The failure of either Party to enforce at any time any provision of this Agreement shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this Agreement or the right of either Party thereafter to enforce each and every such provision. Page 5 of 6 19. . No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever. 20. . Notices. Any notice required or permitted under this Agreement shall be given in writing and delivered by hand, via a nationally recognized overnight delivery service (e.g., Federal Express), or via registered mail or certified mail, postage pre -paid and return receipt requested, to the following: Business Associate: True Rx Management Services 7 Williams Bros Dr. Washington, IN 47501 ATTN: Jesse McDonald Covered Entity: City of Richmond 50.5 Street Richmond, IN 47374 ATTN: Stephanie Sherwood Notice of a change in address of one of the Parties shall be given in writing to the other Party as provided above 21. Counterparts: Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals. 22. Disputes. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally. 23. LIMITATION OF LIABILITY. EXCEPT FOR FRAUD AND INTENTIONAL MISREPRESENTATIONS, NO PARTY SHALL BE LIABLE FOR ANY SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR INDIRECT DAMAGES, COSTS, EXPENSES, CHARGES OR CLAIMS. INTENDING TO BE LEGALLY BOUND, the Parties hereto have duly executed this Agreement as of the Effective Date. — City of Richmond By: (Signature) 66�� (Printed) (Title) (Date) Contact Name: Contact Address: Contact City/State/Zip: Phone: Fax: — True Rx Management Services By: •ram/ I " ( gnature) Jesse McDonald (Printed) Chief Operating Officer (Title) i Ajy> (Date) Contact Name: Jesse McDonald, PharmD Contact Address: 7 Williams Bros. Drive Washington, IN 47501 Phone: (812) 254-7425 Fax: (812) 254-7426 Page 6 of 6