040-2021 - Finance - Employers Health Purchasing Corporation - BAA - HIPAA Business Associate Agreement

This HIPAA Business Associate Agreement ("Agreement") is hereby made and entered into this December 23, 2020 ("Effective Date"), by and between City of Richmond, ("Covered Entity") and the Employers Health Purchasing Corporation ("Business Associate") (each a "Party" and collectively, the "Parties").

WHEREAS, Covered Entity and Business Associate have entered into one or more Services Agreement(s) (the "Services Agreements") pursuant to which Business Associate performs services for Covered Entity;

WHEREAS, Business Associate acknowledges and agrees that it may be a Business Associate, and Covered Entity acknowledges that it may be a Covered Entity as those terms are defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and its implementing regulations, specifically 45 C.F.R. § 160.103;

WHEREAS, Covered Entity and Business Associate mutually desire to outline their individual responsibilities with respect to the use and/or disclosure, safeguarding, and transmission of Protected Health Information ("PHI") and electronic Protected Health Information ("ePHI"), as mandated by the Privacy Rule and Security Rule under HIPAA and its implementing regulations at 45 C.F.R. Part 160 and Part 164;

WHEREAS, Covered Entity and Business Associate understand and agree that the Security Rule and Privacy Rule require that a Covered Entity and Business Associate enter into this Agreement, as required by 45 C.F.R. § 164.314(a) and 45 C.F.R. § 164.504(e), respectively, and that this Agreement is intended to satisfy these obligations and will govern the terms and conditions under which such PHI and/or ePHI may be used and/or disclosed and safeguarded by Business Associate;

NOW, THEREFORE, Covered Entity and Business Associate hereto agree to the foregoing and as follows:

1.
Definitions

Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 C.F.R. Part 160 and Part 164 and ARRA (defined below in Section 1.a.), as applicable.

a. ARRA. "ARRA" shall mean the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5 and its implementing regulations. References in this Agreement to a section or subsection of title 42 of the United States Code are references to provisions of ARRA, and any reference to provisions of ARRA in this Agreement shall be deemed a reference to that provision and its existing and future implementing regulations, when and as each is effective.

Contract No. 40-2021

b. Compliance Date. "Compliance Date" shall mean, in each case, the date by which compliance is required under the referenced provision of ARRA.

c. Electronic Protected Health Information or ePHI. "Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103 and includes Protected Health Information transmitted by, or maintained in, electronic media.

d. Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

e. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E.

f. Protected Health Information or PHI. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

g. Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R.
§ 164.103.

h. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

i. Security Rule. "Security Rule" shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, subpart C.

j. Services Agreement. "Services Agreement" shall mean any agreement to which Covered Entity subscribes that is between Business Associate and an external, third party vendor to provide health care related services that require the transmission or use of PHI belonging to Covered Entity.

2. Obligations and Activities of Business Associate

a. Business Associate agrees to use or disclose Protected Health Information only as permitted or required by this Agreement or as Required By Law and in compliance with the applicable Privacy Rule requirements set forth in 45 C.F.R. § 164.504 and 164.502.

b. Business Associate agrees to (i) implement and use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement; (ii) reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, maintains, or transmits on behalf of the Covered Entity; and (iii) as of the Compliance Date of 42 U.S.C. § 17931, comply with the Security Rule requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316.

c. Business Associate agrees to use reasonable efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

d.
Business Associate agrees to report to Covered Entity (i) any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware; (ii) any Security Incident affecting Protected Health Information of which it becomes aware, and (iii) without unreasonable delay and in no case later than sixty (60) calendar days after discovery, any Breach of any Unsecured PHI in accordance with the security breach notification requirements set forth in 42 U.S.C. § 17932 as of its Compliance Date.

e. Business Associate agrees (i) to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created, maintained, or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to that information, and (ii) to the extent that Business Associate provides ePHI to an agent, including a subcontractor, ensure that the agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect that information.

f. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner mutually agreed, to Protected Health Information in that Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.

g. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate agrees to make any amendment(s) to Protected Health Information in that Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner mutually agreed.

h.
Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner mutually agreed or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule and Security Rule.

i. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and, as of its Compliance Date, in accordance with the requirements for accounting for disclosures made through an Electronic Health Record in 42 U.S.C. 17935(c).

j. Business Associate agrees to provide to Covered Entity or, when directed in writing by Covered Entity, directly to an Individual, in time and manner mutually agreed, information collected in accordance with Section 2.i. of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and, as of its Compliance Date, in accordance with the requirements for accounting for disclosures made through an Electronic Health Record in 42 U.S.C. 17935(c).

k.
In the event that Business Associate in connection with the Services Agreements uses or maintains an Electronic Health Record of information of or about an Individual, then the Business Associate shall provide an electronic copy (at the request of Covered Entity, and in the time and manner designated by Covered Entity) of the PHI, to Covered Entity or, as directed by Covered Entity, to an Individual or a third party designated by the Individual, all in accordance with 42 U.S.C. § 17935(e) as of its Compliance Date.

l. Business Associate shall request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure; provided, that Business Associate shall comply with 42 U.S.C. § 17935(b) as of its Compliance Date.

m. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI in compliance with 42 U.S.C. § 17935(d) as of its Compliance Date.

n. Business Associate shall not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a) as of its Compliance Date.

o. Business Associate shall not make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. § 17936(b) as of its Compliance Date.

3. Permitted Uses and Disclosures by Business Associate

a. General Use and Disclosure Provisions

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreements, provided that, except as set forth in Section 3.b., such use or disclosure would not violate the Privacy Rule and Security Rule if done by Covered Entity.

b.
Specific Use and Disclosure Provisions

1) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

2) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3) On behalf of Covered Entity, Business Associate may de-identify any and all PHI obtained by Business Associate under this Agreement, and use such de-identified data on Business Associate's own behalf, all in accordance with the de-identification requirements of the Privacy Rule.

4) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

5) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

4. Obligations of Covered Entity

Provisions for Covered Entity To Inform Business Associate of Privacy Practices and Restrictions; Compliance Obligations:

a. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R.
§ 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information under this Agreement.

b. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information under this Agreement.

c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 or 42 U.S.C. § 17935(a) as of its Compliance Date, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information under this Agreement.

d. Covered Entity in performing its obligations and exercising its rights under this Agreement shall use and disclose Protected Health Information in compliance with the Privacy Rule, Security Rule and ARRA.

5. Permissible Requests by Covered Entity

Covered Entity shall not request or require Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule and Security Rule if done by Covered Entity, provided that Business Associate may use or disclose PHI as set forth in Section 3.b. of this Agreement. Covered Entity shall disclose or provide access to Business Associate only to the minimum PHI necessary for Business Associate to perform its obligations under the Services Agreements as required by the Privacy Rule and 42 U.S.C. § 17935(b) as of its Compliance Date.

6. Term and Termination

a. Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate upon the final expiration or termination of the last remaining Services Agreement subject to this Agreement, unless earlier terminated in accordance with this Section 6.

b.
Termination for Cause. In accordance with 42 U.S.C. § 17934(b), if either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this Agreement then the non-breaching Party shall provide written notice of the breach or violation to the other Party that specifies the nature of the breach or violation. The breaching Party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a timely cure reasonably satisfactory to Covered Entity, or in the event that cure is not possible, then Covered Entity shall immediately terminate this Agreement unless neither termination nor cure is feasible, in which case Covered Entity shall report the violation to the Secretary.

c. Effect of Termination.

1) Except as provided in paragraph (2) of this Section 6.c., upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, including Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

2) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible and Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

3) Covered Entity agrees that it is infeasible for Business Associate to return or destroy the Protected Health Information reasonably needed to be retained by Business Associate for its own legal and risk management purposes.

7. Notice

Business Associate and Covered Entity identify the following contact persons for all matters relating to this Agreement:

Organization:  Employers Health                      City of Richmond
Name:          Bryce Horomanski                      Sharry Hemingway, Payroll
Title:         Associate Counsel                     City of Richmond, 50 North 5th St.
Address:       4771 Fulton Dr. NW Canton, OH 44718   Richmond, IN 47374

8. Miscellaneous

a. Amendment of Services Agreement. The Parties agree that this Agreement hereby amends and is incorporated into the Services Agreements as of the Effective Date of this Agreement, and any reference to the Services Agreements on or after that date shall mean the Services Agreements as amended by this Agreement. This Agreement supersedes all prior Business Associate Agreements between the parties with respect to the Services Agreements.

b. Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule and/or ARRA means the section as in effect or as amended.

c. Future Amendment. Covered Entity and Business Associate agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and ARRA.

d. Survival. The respective rights and obligations of Business Associate under Section 6.c. of this Agreement shall survive the termination of this Agreement.

e. Interpretation. Any ambiguity in this Agreement shall be resolved to permit both Parties to comply with the Privacy Rule, Security Rule, and/or ARRA.

IN WITNESS WHEREOF, Covered Entity and Business Associate have executed the Business Associate Agreement on the date written below.

Employers Health Purchasing Corporation
By: [signature]
Name: [illegible]
Title: [illegible]
Date: [illegible]

City of Richmond
By: [signature]
Name: Vicki Robinson
Title: President, Board of Public Works
Date: [illegible]

Approved: [signature]
Date: [illegible]