The URL can be used to link to this page

Home My Public Portal AboutEAP Keystone Peer Review OrganizationSTATE OF FLORIDA, DEPARTMENT OF MANAGEMENT SERVICES EMPLOYEE ASSISTANCE PROGRAM PARTICIPATION AGREEMENT WHEREAS, the State of Florida, Department of Management Services ("Department") entered into Contract # DMS-18/19-046 ("EAP Agreement"), effective July 1, 2020, with Keystone Peer Review Organization, Inc. ("Kepro") for Employee Assistance Program Benefits and Services ("Services"); WHEREAS, the State of Florida granted authority for governmental entities to independently contract with Kepro for Services ("Participation Agreement"); and WHEREAS, CITY OF CRESTVIEW ("Participating Entity") desires to participate and receive Services from Kepro under the same terms and conditions as the EAP Agreement. Participating Entity and Kepro may be referred to individually, the "Party" and collectively, the "Parties." NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants contained herein, the Parties, intending to be legally bound, agree as follows: 1. Cooperative Purchasing. Pursuant to Section 8.11 of the EAP Agreement: Pursuant to their own governing laws, and subject to the agreement of the Contractor, governmental entities that are not directly eligible for services herein may make purchases under the terms and conditions contained herein, if agreed to by Contractor. Such purchases are independent of the Contract between the Department and the Contractor, and the Department is not a party to these transactions. Agencies seeking to make purchases under this Contract are required to follow the requirements of Rule 60A-1.045(5), Florida Administrative Code. Participating Entity agrees to receive services from Kepro subject to all terms and conditions of this Participation Agreement and EAP Agreement. As a third -party beneficiary to the EAP Agreement, Participating Entity shall be responsible for all costs and liabilities associated with services provided under this Participation Agreement. The State of Florida shall not be liable for the obligations of the Participating Entity or any other entity which uses services provided under the EAP Agreement. 2. Term. The initial term ("Initial Term") of the Participation Agreement shall be effective on July 1st 2023 ("Effective Date") and shall remain in full force and effect until the earlier of (i) June 30, 2026 or (ii) the date upon which the EAP Agreement is terminated. 3. Renewal. Unless this Participation Agreement is earlier terminated, the Participation Agreement may be renewed by mutual written agreement of Kepro and Participating Entity for a period not to exceed five (5) years. Any such renewal is limited to the term of the then current EAP Agreement between the State of Florida and Kepro. 4. Services Provided. Kepro shall provide the following Services. Page 1 of 13 Employee Overview Total Employee Count Per Employee Per Month (PEPM) Rate Four (4) counseling sessions per problem area, per year per Participant Critical Incident Stress Debriefings Critical Incident Support, onsite Fee -for -service: Critical Incident Support Training & Onsite Servi Training and On -site services Fee -for -service: Training or onsite support Ad Hoc Services Dependent Coverage $0.13 PEPM ces $0.81 PEPM Fee for service $300.00 per hour Fee for service $250.00 per hour 5. Notice. All communications, including notices, required or permitted to be given under this Participation Agreement shall be in writing and directed to the Parties at the addresses stated below. Notices may be given: (i) by delivery in person; (ii) by a nationally recognized next day courier service, return receipt requested; or (iii) by certified mail, return receipt request. If specifically requested by the party to be notified, valid notice may be given by facsimile transmission or electronic mail to the address(es) such party has specified in writing. To Kepro: Keystone Peer Review Organization, Inc. Attn: Contracts Department 777 East Park Drive Harrisburg, PA 17111 To Participating Entity: y r o- C -Qc\-\);AAJ4 6. Incorporation by Reference. The following are incorporated herein by reference and made a part hereof: (a) Contract # DMS-18/19-046 between the State of Florida, Department of Management Services and Keystone Peer Review Organization, Inc.; and (b) Exhibit A, Business Associate Agreement. 7. Successors and Assiut. This Participation Agreement shall be binding upon and inure to the benefit of the successors and permitted assigns of the Parties hereto. 8. Entire Agreement. This Participation Agreement and the EAP Agreement, collectively, are the Page 2 of 13 complete agreement of the Parties and supersede any prior agreements or representations, whether oral or written, with respect to the provision of employee assistance program services. IN WITNESS WHEREOF, each party has caused this Participation Agreement to be duly executed by its authorized representative. Keystone Peer Review Organization, Inc. Participating Entity By: By: Name: Name: Title: Title: Date: Date: Page 3 of 13 EXHIBIT A Business Associate Agreement This Business Associate Agreement ("Agreement"), effective as of the later date of the parties' signatures below ("Effective Date") is made by and between -DNA e L y a C'�f �1 ("Plan Sponsor") on behalf of the Services Plan (the "Plan") and Keystone Peer Review Organization, Inc. ("Business Associate"), (individually, the "Party" and collectively, the "Parties"), in order to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended and its implementing privacy, security and breach notification regulations ("HIPAA"), including as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act in Public Law 111-5, 42 U.S.C. § 17921-54 and its implementing regulations, each as amended (collectively, the "HITECH Act"), and any other applicable state and federal confidentiality laws, as they may be amended from time to time. WHEREAS, the parties to this Agreement desire to establish the terms under which Business Associate may use or disclose Protected Health Information (as defined herein) such that the Plan may comply with applicable requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160-164) ("HIPAA Privacy Regulation" and/or "HIPAA Security Regulation") and the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), that are applicable to business associates, along with any guidance and/or regulations issued by the U.S. Department of Health and Human Services; WHEREAS, Plan Sponsor has established and maintains an EAP service plan of health care benefits which is an employee welfare benefit plan as defined by Section 3(1) of the Employee Retirement Income Security Act of 1974 ("ERISA"), and, therefore, a health plan under HIPAA; WHEREAS, Plan Sponsor has contracted with Business Associate to provide certain EAP services with respect to the Plan which are described and set forth in the Employee Assistance Program Participation Agreement ("Participation Agreement"), as amended from time to time; WHEREAS, Plan Sponsor is authorized to enter into this agreement on behalf of Plan; and NOW, THEREFORE, in consideration of the following mutual covenants and agreements contained herein, it is understood and agreed by and between the Parties as follows: ARTICLE 1 DEFINITIONS Terms used herein, but not otherwise defined, shall have meaning ascribed by Title 45, Parts 160 and 164, of the United States Code of Federal Regulations, as amended from time to time. Should any term set forth in 45 CFR Parts 160 or 164 conflict with any defined term herein, the definition found in 45 CFR Parts 160 or 164 shall prevail. 1.1 Breach. "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of such information as defined and subject to the exceptions set forth in 45 CFR § 164.402. 1.2 Breach Notification Rule. "Breach Notification Rule" means the HIPAA Regulations pertaining to breaches of unsecured PHI as codified in 45 CFR Parts 160 and 164. Page 4 of 13 1.3 Designated Record Set. "Designated Record Set" means a group of records maintained by or for a covered entity, as defmed by the HITECH Act, that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this defmition, the term "record" means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. 1.4 Electronic PHI. `Electronic PHI" or ` EPHI" means PHI that is transmitted by or maintained in electronic media as defmed by the Security Rule. 1.5 Individual. "Individual" means the same as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502 (g). 1.6 Law. "Law" means all applicable federal and state statutes and all relevant regulations. 1.7 Privacy Rule. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR parts 160 and 164, subparts A and E. 1.8 Protected Health Information ("PHI"). "Protected Health Information" or PHI has the same meaning as the term "Protected Health Information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of the Plan. 1.9 Secretary. "Secretary" means the Secretary of the Department of Health and Human Services or his or her designee. 1.10 Security Incident. "Security Incident" shall have the meaning set out in the Security Rule. Generally, a "Security Incident" shall mean any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or systems operations in an electronic information system. 1.11 Security Rule. "Security Rule" means the Security Standards and Implementation Specifications at 45 CFR parts 160 and 164, subparts A and C, as they may be amended from time to time. 1.12 Unsecured PHI. "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of either the encryption method or the destruction method, as defmed in Department of Health and Human Services ("HHS") guidance published on April 27, 2009 (74 FR 19006) and modified by guidance published on August 24, 2009 (74 FR 42740), as amended. Unsecured PHI can include information in any form or medium, including electronic, paper or oral. ARTICLE 2 BUSINESS ASSOCIATE OBLIGATIONS Business Associate agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the HITECH Act applicable to business associates (as defmed by the HITECH Act), including: 2.1 Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use, maintain, transmit or disclose PHI except as necessary to provide services to or on behalf of the Plan and except as required by Law. Business Associate may use and disclose Page 5 of 13 PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases: 2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HITECH Act and this Agreement; 2.1.2 obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; 2.1.3 agree to notify the Plan of any instances of which it is aware in which the PHI is used or disclosed fora purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HITECH Act. 2.2 Disclosure to Business Associate's Agents and Subcontractors. If Business Associate discloses PHI to agents, including a subcontractor, Business Associate shall require the agent or subcontractor to agree to the same restrictions and conditions as apply to Business Associate under this Agreement and to comply with the applicable requirements of the Privacy Rule, Security Rule, HITECH Act, Breach Notification Rule and other Law with respect to such information. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, stores, uses or transmits on behalf of the Plan in accordance with Law. Business Associate shall be liable to the Plan for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Agreement. 2.3 Disclosure to Plan and Plan Sponsor (and their Subcontractors). Other than disclosures permitted by Section 2.1 above, Business Associate will not disclose Individuals' Protected Health Information to the Plan, its Plan Sponsor, or any business associate or subcontractor of such parties except as set forth in Section 2.11. 2.4 Data Aggregation. Except as otherwise limited in the EAP Agreement or Participation Agreement, Business Associate is permitted to use and disclose PHI for data aggregation purposes, subject to the requirements of HIPAA and the HITECH Act. 2.5 Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual's specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration or invalidity, cease the use and disclosure of the Individual's PH except to the extent it has relied on such use or disclosure, or if an exception under the HITECH Act expressly applies. 2.6 Safeguards. Business Associate agrees to maintain appropriate safeguards as required by Law, including without limitation, a written security program that contains the necessary administrative, physical and technical safeguards to ensure that PHI or EPHI is not used, maintained, transmitted or disclosed other than as provided by this Agreement or as required by Law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the Page 6 of 13 confidentiality, integrity and availability of any EPHI it creates, receives, maintains, stores, uses, transmits or discloses on behalf of the Plan in accordance with Law. Business Associate shall ensure, at a minimum, that: 2.6.1 PHI or EPHI will be maintained in locked and secured areas when PHI or EPHI is not in use; 2.6.2 Facsimile machines receiving EPHI shall not be located in a public area; 2.6.3 EPHI stored electronically shall be password protected; 2.6.4 PHI and EPHI will not be shared with outside organizations; and 2.6.5 PHI and EPHI will be used internally on a need to know basis only. 2.7 Individual Rights 2.7.1 Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for the Plan to respond to a request by an Individual for an accounting of disclosures of PHI as required by and in accordance with 45 CFR § 164.528 as amended by the HITECH Act and its implementing regulations. Business Associate, in accordance with 45 CFR § 164.528, does not need to document disclosures of PHI that are for treatment, payment or healthcare operations or disclosures that are incidental to another permissible disclosure. If Business Associate or its agents or subcontractors uses or maintains PHI in an electronic record of health -related information created, gathered or maintained or consulted by authorized health care clinicians and staff, then Business Associate and its agents and subcontractors shall document and make available to the Plan the information required to provide an accounting of disclosures to enable the Plan to fulfill its obligations under the HITECH Act as of the date compliance is required under the HITECH Act or its implementing regulations, including disclosures and uses relating to treatment, payment and health care operations. 2.7.2 Business Associate agrees to provide to the Plan, within thirty days of the request, in a mutually agreed upon form, information collected in accordance with 2.7.1 above to the extent required to permit the Plan to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528, as amended by the HITECH Act. The Plan shall provide to Business Associate within 30 days of the effective date of this Agreement, a written explanation of the Plan's requirements under this section (b) in sufficient detail to enable the Plan to comply with such requirements. The Plan agrees to respond promptly to requests from Business Associate for clarification of such requirements, and Business Associate may rely on such responses. The Parties agree to work together in good faith to resolve any disagreement over the requirements of 45 CFR § 164.528, as amended by the HITECH Act. The Plan will be responsible for the reasonable costs incurred by Business Associate to respond to a request for an accounting of disclosures. The Plan, rather than Business Associate, will directly handle all requests for accounting from an Individual. Business Associate shall promptly forward all requests for accounting it receives from Individuals to the Plan. 2.7.3 Business Associate shall, at the request of the Plan, provide PHI maintained in a Designated Record Set to the Plan or, as directed by the Plan, to an Individual in order to meet the requirements of an Individual's right of access and requests for access to his or her PHI. An Individual's right of access to PHI includes the right to access EPHI contained in an electronic health Page 7 of 13 record. The Plan will be responsible for the reasonable costs incurred by Business Associate to respond to a request for access. The provision of access to the Individual's PHI or EPHI and any denials of access to PHI or EPHI shall be the sole responsibility of the Plan. If Business Associate or its agents or subcontractors maintains or uses PHI, then promptly after receipt of a request from the Plan, Business Associate shall make a copy of such PHI available to the Plan in an electronic format in order to enable the Plan to fulfill its obligations under the HITECH Act and the Privacy Rule. 2.8 De -identified Information. Business Associate may use and disclose de -identified health information if (i) the use is disclosed to the Plan and permitted by law and (ii) the de -identification is in compliance with 45 CFR § 164.502(d) and (iii) the de -identified health information meets the standard and implementation specifications for de -identification under 45 CFR § 164.514(a) and (b). 2.9 Minimum Necessary. Business Associate shall attempt to ensure that all uses and disclosures of PHI are subject to the principle of "minimum necessary use and disclosure," i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure or request is used or disclosed. 2.10 Notice of Privacy Practices. Business Associate shall abide by the limitations of the Plan's notice of privacy practices ("Notice of Privacy Practices") of which it has knowledge. Any use or disclosure permitted by this Agreement may be amended by changes to the Plan's Notice of Privacy Practices; provided, however, that the amended Notice of Privacy Practices shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice of Privacy Practices. 2.11 Disclosures of Protected Health Information. The following provisions apply to disclosures of Protected Health Information to the Plan, Plan Sponsor and other business associates of the Plan. 2.11.1 Disclosure to Plan. Unless otherwise provided by this Section 2.11, all communications of Protected Health Information by Business Associate shall be directed to the Plan. 2.11.2 Disclosure to Plan Sponsor. Business Associate may provide Summary Health Information regarding the Individuals in the Plan to Plan Sponsor upon Plan Sponsor's written request for the purpose either (a) to obtain premium bids for providing health insurance coverage for the Plan, or (b) to modify, amend or terminate the Plan. Business Associate may provide information to Plan Sponsor on whether an individual is participating in the Plan or is enrolled in or has disenrolled from any insurance coverage offered by the Plan. 2.11.3 Disclosure to Other Business Associates and Subcontractors. Business Associate may disclose Individuals' Protected Health Information to other entities or business associates of the Plan if the Plan authorizes Business Associate in writing to disclose Individuals' Protected Health Information to such entity or business associate. The Plan shall be solely responsible for ensuring that any contractual relationships with these entities or business associates and subcontractors comply with the requirements of 45 Code of Federal Regulations § 164.504(e) and § 164.504(0. 2.12 Security Incident / Unauthorized Disclosure of PHI. 2.12.1 Business Associate shall report to the Plan any instances, including Security Incidents, of which it is aware in which PHI or EPHI_ is used or disclosed for a purpose that is not otherwise provided for in this Agreement. In the event that Business Associate knows of: (i) any suspected Breach of any individual PHI or EPHI; (ii) a Security Incident (i.e. PHI was inappropriately used, disclosed, released or obtained) or (iii) a Breach of Unsecured PHI, Business Associate shall notify the Plan in writing within five Page 8 of 13 (5) calendar days of such Breach. Notification shall include detailed information about the Breach, including, but not limited to, the nature and circumstances of such Breach, the means by which PHI or EPHI was or may have been breached (e.g. stolen laptop; breach of security protocols; unauthorized access to computer systems, etc.), the names and contact information of all individuals affected or reasonably believed by the Business Associate to be affected, and such other information as the Plan may reasonably request. Any delay in notification must include evidence demonstrating the necessity of the delay. The notice shall also set forth the remedial action taken or proposed to be taken with respect to such prohibited use or disclosure. Business Associate and the Plan agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or successful Security Incident. The Party responsible for the breach shall bear the cost of any required notifications and corrective actions (e.g. credit monitoring services). The Business Associate will provide the Plan with any reasonable information known by Business Associate that the Plan needs for the required notifications under the Breach Notification Rule. The Plan shall have responsibility for determining that an incident is a Breach, including the requirement to perform a risk assessment. However, the Business Associate is expected to perform a risk assessment and provide such assessment to the Plan. Further, Business Associate shall provide and pay for required notifications to Individuals, HHS and/or the media, as requested by the Plan. 2.12.2 Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI or EPHI by Business Associate in violation of the requirements of this Agreement. 2.13 Prohibited Actions. With respect to PHI and EPHI, Business Associate agrees to: 2.13.1 not directly or indirectly receive remuneration in exchange for any PHI as prohibited by, and subject to the exceptions under the HITECH Act, Privacy Rule, and state law as of their respective compliance dates. 2.13.2 not make or cause to be made any communication about a product or service that encourages recipients of the communication to purchase or use the product or service as prohibited by, and subject to the exceptions under the HITECH Act and the Privacy Rule, as of their respective compliance dates. Business Associate agrees to comply with applicable federal and state Law regarding marketing communications involving the use of disclosure of PHI; and 2.12.3 not make or cause to be made any written fundraising communications that is a Health Care Operation without provision, in a clear and conspicuous manner, of an opportunity for the recipient to elect not to receive further fundraising communications in accordance with the HITECH Act and the Privacy Rule as of their respective compliance dates. Business Associate further agrees to comply with all applicable Law regarding the use of PHI for fundraising communications. ARTICLE 3 THE PLAN'S OBLIGATIONS 3.1 If applicable to the Plan under the Law, the Plan shall: 3.1.1 provide Business Associate a copy of its Notice of Privacy Practices produced by the Plan in accordance with 45 CFR 164.520 as well as any changes to such notice; 3.1.2 provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate's permitted or required uses and/or disclosures; Page 9of13 3.1.3 notify Business Associate of any restriction to the use and/or disclosure of PHI to which the Plan has agreed in accordance with 45 CFR 164.522; 3.1.4 notify Business Associate of any amendment to PHI to which the Plan has agreed that affects a Designated Record Set maintained by Business Associate; and 3.1.5 if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual's right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI. ARTICLE 4 MUTUAL OBLIGATIONS 4.1 Confidential Information. Both Parties acknowledge that in the course of performing under this Agreement, each Party may learn or receive confidential, trade secret or other proprietary information ("Confidential Business Information") concerning the other Party, or third parties to whom the other Party has an obligation of confidentiality. Each Party shall take all necessary steps to provide the maximum protection to the other Party's Confidential Business Information and records. Each Party agrees to take at least such precautions to protect the other Party's Confidential Business Information as it takes to protect its own Confidential Business Information, but shall in no instance less than a reasonable degree of care. Such information shall not be disclosed to third parties without the express written consent of the Party to whom the information belongs. The Parties shall not utilize any Confidential Business Information belonging to the other Party other than as expressly permitted by this Agreement or otherwise in writing. Each Party shall retain sole ownership of its own Confidential Business Information. 4.2 Electronic Transactions and Code Sets. Both Parties understand and agree that they are required to comply with the HIPAA Standards for Electronic Transactions, 45 CFR Parts 160 and 162 (HIPAA Electronic Transaction Law) as amended from time to time. The HIPAA Electronic Transaction Law requires Business Associate to conduct certain transactions as "standard transactions" using defined medical data code sets. Business Associate agrees that it will require its subcontractors, vendors, and independent contractors to comply with HIPAA Electronic Transaction Law as applicable. Business Associate agrees that it will not: standard; 4.2.1 change the definition, data condition, or use of a data element or segment in a 4.2.2 add any data elements or segments to the maximum defined data set; 4.2.3 use any code or data elements that are either marked "not used" or not included in the standard's implementation specification(s); or 4.2.4 change the meaning or intent of the standard's implementation specification(s). 4.3 Upon the enactment after the date of this Agreement of any Law or regulation affecting the use or disclosure of PHI, or the publication after the date of this Agreement of any decision of a court of the United States relating to any such Law, or the publication after the date of this Agreement of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such Law or regulation, the Plan and Business Associate shall jointly agree to negotiate in good faith to amend this Agreement in such manner as necessary to comply with such Law or regulation. If the Plan and Business Associate cannot come to an Page l0 of 13 agreement within thirty (30) calendar days following the initial amendment discussion between the Plan and Business Associate, this Agreement will terminate upon written notice to the other Party. ARTICLE 5 TERM AND TERMINATION 5.1 This Agreement will continue in full force and effect for as long as the EAP Agreement remains in full force and effect. This Agreement will terminate upon the cancellation, termination, expiration or other conclusion of the EAP Agreement. 5.2 Termination for Breach. Either Party may terminate this Agreement in the event of material breach by the other Party, upon thirty (30) days' prior written notice, unless the breach is cured during the notice period 5.3 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform the Plan in writing of the reason thereof, and shall agree to extend the protections of this Agreement to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI. ARTICLE 6 MISCELLANEOUS 6.1 Rights of Proprietary Information. The Plan retains any and all rights to the proprietary information, confidential information, and PHI it releases to Business Associate. 6.2 Survival. The respective rights and obligations of Business Associate with regard to the return of records to the Plan shall survive the termination of the Agreement. 6.3 Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative at the respective address indicated herein or sent by means of a reputable overnight carrier or certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. 6.4 Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. Amendments as determined by the Plan to be necessary to effect compliance with legislative, regulatory, or other legal authority do not require the consent of Business Associate and shall be effective immediately upon Business Associate's receipt from the Plan of notice of amendment. 6.5 Choice of Law. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the Commonwealth of Pennsylvania, without regard to applicable conflict of laws principles. 6.6 Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Notwithstanding any provisions to the contrary, however, the Plan retains the right to assign or delegate any Page 11 of 13 of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates, or successor companies. Assignments made in violation of this provision are null and void. 6.7 Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of Plan Sponsor and employee between the Parties. 6.8 No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege, or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized officer of the Party making the waiver. 6.9 Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein. 6.10 No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not Party to this Agreement nor imposing any obligations on either Party hereto to persons not a Party to this Agreement. 6.11 Headings. The descriptive headings of the articles, sections, subsections, exhibits, and schedules of this Agreement are inserted for convenience only, do not constitute a part of this Agreement and shall not affect in any way the meaning or interpretation of this Agreement. All pronouns and any variations thereof are deemed to refer to the masculine, feminine, neuter, singular, or plural as the identity of the person or persons may require. 6.12 Entire Agreement. This Agreement, together with all the exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous or contemporaneous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Agreement in any provisions of the Exhibits or Riders, the provisions of this Agreement shall control. 6.13 Regulatory References. A citation in this Agreement to the Code of Federal Regulations means the cited section as that section may be amended from time to time. 6.14 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Plan to comply with the HITECH Act. The provisions of this Agreement shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HITECH Act. Signature page follows Page 12of13 Keystone Peer Review Organization, Inc. Plan Sponsor By: By: Name: Name: Title: Title: Date: Date: Page 13 of 13 /a.y/5, biz?/a_3