HomeMy Public PortalAboutORD15558 BILL NO. 2016-37
SPONSORED BY COUNCILMAN Branch
ORDINANCE NO. 155 5550
AN ORDIANCE OF THE CITY OF JEFFERSON, MISSOURI, AUTHORIZING THE
MAYOR AND CITY CLERK TO EXECUTE A THREE-YEAR CONTRACT WITH
HEALTHCHECK360 IN AN AMOUNT NOT TO EXCEED $48,535.00 PER YEAR FOR
PROVIDING WELLNESS SCREENINGS AND HEALTHLY LIVING INFORMATION.
WHEREAS, Healthcheck360 has been selected as the best qualified company to
provide wellness program services for the City of Jefferson.
NOW, THEREFORE, BE IT ENACTED BY THE COUNCIL OF THE CITY OF
JEFFERSON, MISSOURI, AS FOLLOWS:
Section 1. Healthcheck360 is hereby approved as the best qualified wellness
vendor to provide services and its proposal is hereby accepted.
Section 2. The Mayor and City Clerk are hereby authorized to execute an
agreement with Healthcheck360 for a three-year contract as the City's wellness
provider.
Section 3. The agreement shall be substantially the same in form and content as
the attached agreement.
Section 4. This ordinance shall be in full force and effective from and after the
date of its passage and approval.
Passed:41 �, V/� Approved: _1, �0/�
611Aui, --T-11-tvl N a v.1 ik;e: (:....pi 7.ad,(4.,1 I
Presiding Officer Mayor Carrie Tergin
ATTEST-''' —->- APPROVED S TO FORM:
4./v.
/
ity Clerk: _ Ci y Counselor
j, ' a
HealthChe& 366c PERFORMANCE-BASED WELLNESS
Y
WELLNESS AND HEALTH SERVICES AGREEMENT
This Wellness and Health Services Agreement(the "Agreement") is made and entered into as of the date
executed by both parties (the "Effective Date"), by and between
with a business address at
/I7/) ("Company"), for itself and on
behalf of its group health plan(s) ("Plan")sponsored by Company underthe Employee Retirement Income
Security Act of 1974 ("ERISA") for the purpose of providing health related services to employees of
Company and their dependents,and HealthCheck3600 a division of HealthCorp("HealthCheck360°"),with
a principal place of business at 800 Main St., PO Box 1475, Dubuque, IA 52004-1475 (together, referred
to as "Parties").
I. DEFINITIONS
Unless otherwise specifically provided,the terms used in this Agreement shall have the meanings set forth
in Exhibit A, attached hereto and incorporated herein.
IL COVENANTS OF HEALTHCHECK360', COMPANY AND PLAN
(a) HealthCheck360° agrees that it will provide, or arrange for the provision of, the
HealthCheck360°Program (herein referred to as the"Program")as described in Exhibit B
for Participants, in accordance with the terms and conditions of this agreement.
(b) HealthCheck360°shall have no authority to make any coverage decisions with respect to
the determination of benefits for the participants under the employee benefit plan. The
Client understands and agrees that HealthCheck3600 determinations as to the
appropriateness and/or medical necessity of medical services, hospital admissions, or
lengths of stay are advisory only. Unless specifically agreed to in writing to the contrary,
HealthCheck360° shall have no authority to bind the Client to any of its assessments,
recommendations,findings or certifications in respect to the services provided under this
Agreement, and the Client reserves the right to act based on its own judgment with
respect to any or all claims issues reviewed under this Agreement.
(c) Plan agrees that it will, directly or through employees of Company providing plan
administrative services to Plan:
(i) Implement a financial incentive arrangement, mutually acceptable to both
Parties,that encourages Eligible Persons participation in the Program;
(ii) Provide Eligible Persons with enrollment materials describing the Program and
any financial incentive arrangement sponsored by Company or Plan related to
participation in the HealthCheck360° Program;
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 13
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
(iii) The Company authorizes HealthCheck3600 to have access to all relevant medical,
pharmacy and health risk assessment data, and other information pertaining to
the participants, the Client's benefits experience, the Client's coverage
descriptions and updates, and will provide HealthCheck360° with an executed
waiver or consent directly from the participants as necessary.
(iv) Provide a final count or schedule of participants to HealthCheck360° at least
fifteen (15) business days in advance of the Biometric Screening Event
("Lockdown Count"). Lockdown Count shall include the number of Eligible
Persons and the date(s) and the beginning and end time for each Biometric
Screening Event;
(v) Provide HealthCheck360°and its agents and subcontractors with an appropriate,
accessible and safe setting at each Work Site adequate for the purpose of
conducting Biometric Screenings of Eligible Persons who desire to participate in
the HealthCheck360°Program;
(vi) Encourage each Participant to complete all actions necessary for
HealthCheck360°to generate a HealthCheck360° individual report;
(vii) Designate one or more appropriate company representatives as a project
coordinator to serve as a liaison to HealthCheck3600 and to be available during
normal business hours to respond to inquiries from HealthCheck360". Designate
one or more appropriate company representatives as site coordinators at each
designated screening locations.The Company will staff each screening event with
an employee to sign in participants and assist phlebotomists;
(viii) Allow HealthCheck360'to review and approve the accuracy of the content of any
employee communication which references the HealthCheck360° Program; and
(ix) Communicate, implement, and run at least one company wellness challenge
through the myHealthCheck360.com website to further employee engagement.
(d) The Parties,as applicable, each further agree that:
(i) Except as provided herein, Parties each reserve the right to, and control of, the
use of its own name,symbols,trademarks and service marks presently existing or
later established. In addition, except as provided herein, neither of the Parties
shall use the other's name, symbols, trademarks or service marks, without the
prior written consent of that party, and shall cease any such usage immediately
upon written notice of the party or upon termination or expiration of this
Agreement;provided,however,(A)Company shall have the right to use the name
of HealthCheck360'for the purpose of communicating with Eligible Persons the
v051516 866.511.0360 1 W W W.HEALTHCHFCK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 14
CC-03
HealthCheck36O 0 PERFORMANCE-BASED WELLNESS
identity and services of HealthCheck360% and otherwise to carry out the terms
of this Agreement,and(B)HealthCheck3600 shall have the right to use Company's
name, symbols, trademarks and service marks in communicating with Eligible
Persons under this Agreement;
(ii) HealthCheck360°and its affiliates shall have the rightto use the outcomes and results
from the Program under this Agreement for their general marketing purposes in a
manner that does not identify Company, Plan or any Eligible Person or Participant;
(iii) During the term of this Agreement, neither Company nor Plan shall, directly or
indirectly, enter into any agreement or contract with any other vendor or company
for the provision of the same or similar services provided by HealthCheck360"under
this Agreement;and
(iv) The Program is designed to comply with the Wellness Program requirements of
Section 54.9802-1(f) of the Treasury Regulations, Section 2590.702(f) of the EBSA
Regulations and other relevant regulations (the "Wellness Program Exception').
Company acknowledges that changes to the structure or implementation of the
Program may adversely affect Plan's ability to rely upon this exception. Therefore,
neither Company nor Plan will make material changes to the structure or
implementation of the Program without the prior written consent of
HealthCheck360°.
III. PAYMENTS TO HEALTHCHECK360°
In consideration for the services rendered by HealthCheck360° under this Agreement, effective as of the
Effective Date, Company or Plan, as applicable, shall pay HealthCheck360°fees based upon the number
of Participants ("Participation Fee") and any additional program fees as set forth on Exhibit C. The fees
shall be invoiced by HealthCheck360'.
For the purposes of biometric screenings, fifty percent (50%) of the final proposal estimated cost is due
thirty (30) days prior to the first Biometric Screening Event. The balance will be invoiced as screenings
occur on a monthly basis and are due within thirty (30) days of the invoice date. Health coaching and
condition managementfees,if applicable,will be invoiced as outlined in Exhibit C and are due within thirty
(30) days of the invoice date.
IV. INDEPENDENT RELATIONSHIP
Each party is at all times acting and performing as an independent contractor with respect to the other
party, and no party shall have or exercise any control or direction over the method by which any other
party shall perform such work or render or perform such services and functions.
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 15
CC-03
HealthCheck360 0 PERFORMANCE-BASED WELLNESS
V. COMMUNICATION WITH COMPANY AND PLAN
Certain information communicated by an Eligible Person or a Participant following the Program may
constitute Protected Health Information. It is the parties' intent that all information exchanged following
the Program be compliant with the privacy and security regulations implementing the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA") and other applicable law and be consistent with any
representations to Eligible Persons or Participants concerning confidentiality of information.
Except as specified in Exhibit B of this Agreement with respect to reports related to Program participation,
HealthCheck360* will not disclose to Company or Plan personal HealthCheck360' data except upon
Company's or Plan's specific request, provided that compliance with such request is permitted by law and
consistent with representations made by HealthCheck360', Company and Plan.
HealthCheck360*will cooperate with Plan with regard to making selected personal HealthCheck360*data
to other providers of healthcare related services and employee assistance programs designated by Plan,
with which Plan contracts and with which Plan has in effect a Business Associate Agreement consistent
with the requirements of the privacy and security regulations implementing HIPAA; provided that any
disclosures are permitted by applicable law and consistent with representations made by
HealthCheck360', Company and Plan.
In the event either Party determines that a requested disclosure requires written consent of the
Participant, the Company or Plan shall be responsible for all costs associated with obtaining such
consent(s) as a program fee payable pursuant to Section III above.
VI. CONFIDENTIALITY
a. Business Confidentiality. The Parties acknowledge and agree that during the course of the
performance of the parties' respective obligations under this Agreement, HealthCheck360'
may make available to Company or Plan, and Company or Plan may make available to
HealthCheck360', Confidential Information that is of value to the party disclosing the
information. Each party agrees to maintain the confidentiality of the Confidential Information
of the other party and not to disclose or disseminate such Confidential Information to third
parties. The party receiving Confidential Information agrees to use the same standard of care
in maintaining the confidentiality of the Confidential Information as it uses to avoid disclosure
of its most sensitive Confidential Information. Nothing in this Section shall preclude a party
from disclosing Confidential Information to the extent that the disclosure thereof is required
bylaw. Upon termination or expiration of this Agreement,the parties shall destroy or return
all Confidential Information of the other and shall not use any Confidential Information of the
other in its business. In the event that a party is required to disclose Confidential Information
in response to legal process, the party against whom disclosure is sought shall immediately
notify the other party and cooperate with the other party in connection with obtaining a
protective order. In the event of a breach or threatened breach by either party of the
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM I BOO MAIN STREET I DUBUQUE,IOWA 52001 Page ( 6
CC-03
HealthCheck36OC PERFORMANCE-BASED WELLNESS
provisions of this Section VI (a), the other party shall be entitled to seek an injunction
restraining the breaching party from the conduct causing such a breach orthreatened breach
without the necessity of posting bond. Nothing herein shall be construed as prohibiting either
party from pursuing any other remedies available to that party for such breach or threatened
breach,including the recovery of damages from the breaching party. This Section shall survive
termination or expiration of this Agreement.
b. Protected Health Information. Company and Plan represent and warrant that Plan's plan
documents have been amended to include all items required by the privacy and security
regulations implementing HIPAA and that Plan and Company maintain an "adequate
separation" between Company and Plan as required by such regulations or that Plan complies
with 45 C.F.R. § 164.530(k). Plan shall ensure that all necessary or required consents or
authorizations not otherwise obtained by HealthCheck360° are obtained from, and all
necessary or required notices are sent to, Eligible Persons or Participants regarding the use
and disclosure of Protected Health Information as may be necessary, in light of applicable
state and federal laws,for both parties to fulfill their obligations under this Agreement. The
parties acknowledge that HealthCheck360" is a business associate of Plan for purposes of
HIPAA, and not a health care provider as defined by HIPAA, and hereby agree to the terms of
the Business Associate Addendum attached hereto as Exhibit D. Plan is responsible for
assuring its own compliance with the privacy and security regulations implementing HIPAA
and is not relying on HealthCheck360°for legal or other advice regarding its compliance with
HIPAA, its implementing privacy and security regulations, other privacy laws or other
applicable laws.
VII. EFFECTIVE DATE,TERM, RENEWALANDTERMINATION
a. Effective Date Terms. This Agreement shall be effective as of the Effective Date and shall
continue for a three (3)year term (the "Initial Term"), unless otherwise terminated pursuant
to the terms hereof.
b. Renewal Terms. This Agreement shall automatically renew for additional one (1)year terms
after the Initial Term (a "Renewal Term") at the renewal year new pricing. All other terms,
conditions and provisions as contained herein, together with any authorized and approved
amendments hereto, shall remain the same, unless either party gives written notice to the
other party of its intent not to renew the Agreement at least sixty (60) days prior to the
expiration of the initial term or any renewal term.
c. General Termination Provisions. This Agreement may be terminated as follows by mutual
written consent of the parties; or upon thirty (30) days' notice in the event that either party
declares bankruptcy, becomes insolvent or makes an assignment for the benefit of its
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 17
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
creditors.
d. Termination for Material Breach. Either HealthCheck3600 or Company may terminate this
Agreement by providing the other party with a minimum of Sixty(60)days prior written notice
in the event the other party commits a Material Breach (as defined below). Said notice must
specify the nature of such Material Breach. The breaching party shall have sixty (60) days
from the date of receipt of the foregoing notice to cure said Material Breach. In the event the
breaching party fails to cure the Material Breach within said sixty (60) day period, this
Agreement shall automatically terminate. For purposes of this Agreement, the term
"Material Breach"shall mean a breach of an essential term of this Agreement, not caused by
or contributed to by the other party.
VIII. INDEMNIFICATION
a. HealthCheck3600 hereby agrees to indemnify, defend and hold harmless the Company its
officers, directors, employees, agents and affiliates,from and against any loss, cost,damage,
expense orother liability,including without limitation all reasonable costs and attorneys'fees,
actually incurred and finally determined and adjudicated by a court of competent jurisdiction,
to have arisen out of,or in connection with,the tortious acts or omissions of HealthCheck360,
its officers, directors, employees and agents, in the performance of its obligations under this
Agreement.
b. To the extent permitted by Missouri law,the Company agrees to indemnify, defend and hold
harmless HealthCheck360° its officers, directors, employees, agents and affiliates, from and
against any loss, cost, damage, expense or other liability, including without limitation all
reasonable costs and attorneys' fees, actually incurred and finally determined and
adjudicated by a court of competent jurisdiction,to have arisen out of,or in connection with,
the tortious acts or omissions of the Company, its officers, directors, employees and agents,
in the performance of its obligations under this Agreement.
c. An indemnitee entitled to indemnification under this Section VIII shall give notice to the
indemnitor of a claim or other circumstances likely to give rise to a request for indemnification
promptly after the indemnitee becomes aware of the same. No compromise or settlement
of any such claim shall be made without the prior written consent of the indemnitee.
d. The Parties agree to make all reasonable efforts, consistent with the advice of counsel and
the requirements of applicable insurance policies and carriers, to coordinate the defense of
all claims in which both parties are either a named defendant or have a substantial possibility
of being a named defendant interests are not in conflict. Each party shall promptly notify the
other party of the receipt of any actual or threatened claim relating to this Agreement.
v051516 866.511.03601 WWW.HEALTHCHECK360.COM 1800 MAIN STREET I DUBUQUE.IOWA 52001 page 18
CC-03
HealthCheck360o PERFORMANCE-BASED WELLNESS
IX. GENERAL PROVISIONS
a. Amendment. This Agreement may be amended at any time during the term of the Agreement
by mutual consent in writing of duly authorized representatives of the parties; provided,
however, that any change (including any addition and/or deletion) to any provision of this
Agreement that is required by duly enacted federal or state legislation, or by a regulation or
rule finally issued by a regulatory agency pursuant to such legislation, rule or regulation
(including, without limitation, any final regulations issued with regard to the Wellness
Program Exception) will be deemed to be part of this Agreement without further action
required to be taken by either party, for as long as such legislation, regulation or rule is in
effect. Without limiting the effect of the foregoing, if such amendment adversely affects
either party,the parties agree to renegotiate the affected portion of the Agreement in a good
faith effort to remedy the adverse effect.
b. Assignment. Neither party may assign this Agreement to a third party without the express
written approval of a duly authorized representative of the other party, and any such
attempted assignment shall be void; provided, however,that either party expressly reserves
the right to assign any and all of its rights hereunderto an affiliate orwholly-owned subsidiary,
or successor to the business of a party, provided that such party shall notify the other party
of any such assignment in writing at least thirty(30) days prior thereto.
c. Applicable Law. This Agreement shall be governed by the laws of the State of Iowa, without
regard to its conflicts of law rules. The Company consents to the jurisdiction of the state or
federal courts in the State of Iowa and any dispute arising under this Agreement shall be
decided by a state or federal court in the State of Iowa.
d. Binding Effect. This Agreement shall be binding upon and inure to the benefit of the parties,
their successors and their permitted assigns.
e. Enforceability. In the event any provision of this Agreement is rendered invalid or
unenforceable by a federal or state legislative action orjudicial decision,the remainder of the
provisions of this Agreement shall remain in full force and effect.
f. Entire Agreement. This Agreement, which shall be deemed to include all attachments,
amendments, exhibits, addenda and schedules, contains the entire agreement between the
parties. Any prior agreements, promises, negotiations or representations, either oral or
written, relating to the subject matter of this Agreement and not expressly set forth in this
Agreement are of no force or effect.
g. Limitations on Liability. Although this Agreement contemplates services for Eligible Persons,
the parties reserve the right to amend or terminate this Agreement without notice to,or the
consent of, any Eligible Person. No persons or entities other than Company, Plan and
HealthCheck360° are intended to be, or are in fact, beneficiaries of this Agreement, and the
existence of the Agreement shall not in any respect whatsoever increase the rights of any
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM I 800MAINSTREET I DUBUQUE,IOWA 52001 Page 19
CC-03
HealthCheck360 PERFORMANCE-BASED WELLNESS
Eligible Person or other third party, or create any rights on behalf of any Eligible Person or
other third party.
h. Corporate Authority. Company represents and warrants to HealthCheck360° that it has the
corporate power and corporate authority to execute this Agreement, and that this
Agreement, when executed, will be a valid and binding obligation of Company and Plan,
enforceable in accordance with its terms and conditions. HealthCheck360° represents and
warrants to Company and Plan that it has the corporate power and corporate authority to
execute this Agreement and that this Agreement, when executed,will be a valid and binding
obligation of HealthCheck360°, enforceable in accordance with its terms.
L Liability Insurance Coverage. Each party agrees to maintain, at its own expense, liability
insurance coverage in an amount of at least$1,000,000 per occurrence and$2,000,000 in the
aggregate, as well as adequate comprehensive general liability and worker's compensation
insurance.
j. Counterparts. This Agreement may be executed in any numberof counterparts,each of which
shall be an original, but all of which together comprise one and the same instrument.
k. Waiver of Breach. The waiver by a party of any breach of any provision of this Agreement by
the other party shall not operate or be construed as a waiver of any subsequent breach of the
same or any other provision hereof by that party.
I. Force Majeure. Either party shall be excused from the performance of any of its obligations
hereunder and such party's nonperformance shall not be a default or grounds for termination
of this Agreement to the extent that such party is prevented, hindered or delayed from
performing any of its obligations, in whole or in part, as a result of an ad of God, war,
terrorism, bio-terrorism, epidemic, civil disturbance, court order, regulatory order, labor
dispute or other cause beyond that party's control.
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Pagel 10
CC-03
HealthCheck3600 PERFORMANCE-BASED WELLNESS
X. NOTICES
Any notice required to be given pursuant to the terms and provisions of this Agreement shall be in writing,
postage prepaid,and shall be sent(by certified or registered mail, return receipt requested,or by Federal
Express or other overnight mail delivery for which evidence of delivery is obtained by the sender)to the
address or addresses set forth below unless the sender has been otherwise instructed in writing or unless
otherwise provided by law. The notice shall be deemed to be effective on the date indicated on the return
receipt or, if no date is so indicated,then on the date of the notice.
To HealthCheck360°: To Company: nnnn
800 Main Street C �� Tef-+e on
P.O. Box 1475 ..30 FeLs LL/' She&
Dubuque, IA 52004-1475 Te (15 D
Attn: Vice President Attn: Company Officer
IN WITNESS WHEREOF, by placing their duly authorized signatures below,the parties hereby execute this
Agreement as of the Effective Date and agree to be bound by its terms.
COMPA�NYY�,� _ HEALTHCHECK360°
By:
Name:Cod'rie icC�in U Name:
Ml Michael P Ke y
Title: Title:
Vice President
Date: � Date:
9 -8 - I
APP DAS TO FO ::'
City C nselor
v051516 866.511.0360 1 W W W,HEALTHCHECK360.COM 1800 MAIN STREET I DUBUQUE.IOWA 52001 Page 11
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
EXHIBIT A- DEFINITIONS
a. Biometric Screening means a Biometric Screening of an Eligible Person pursuant to the
Program that is provided or arranged by HealthCheck360° and which involves the collection
of a blood sample and a biometric examination that includes measurement of the Eligible
Person's blood pressure,weight, height, and other vital statistics.
b. Biometric Screening Event means at the same designated location within a defined period of
time with less than a week break between Biometric Screenings arranged by HealthCheck3600
and Company or Plan,as applicable,on which Biometric Screenings are provided to an Eligible
Persons by the examiner(s) pursuant to the HealthCheck360° program.
c. Confidential Information shall mean any information, whether written or oral, that may be
disclosed or made available by Company/Plan or HealthCheck360° to the other Party,
including, but not limited to, all current and future information disclosed relating to (a)
matters of a technical nature such as trade secret processes or devices, know-how, data,
technology, formulas, proprietary software, inventions (whether or not patentable or
copyrighted), specifications and characteristics of products or services planned or being
developed,and research subjects, methods and results,(b) matters of a financial,commercial
or business nature such as information about costs, profits, pricing, policies, markets, sales,
suppliers,customers,product plans, investment prospects,and marketing plans or strategies,
financial reports and projections, (c) matters of a human resources nature such as personnel
and compensation of either Party, (d) the identities and other related information of the
investors of either Party; (e) this Agreement and the fact that Confidential Information is
being disclosed by the Parties pursuant to this Agreement, (f) other information of a similar
nature that may be disclosed between the Parties whether in written, oral, electronic, web-
based, or other form, and (g) all data, nates, summaries or other works derived from the
information specified in(a)-(f).
d. Eligible Person means an employee of Company or, as applicable, the spouse or dependent
over the age of 18 of such employee, and permitted by Company to participate in the
HealthCheck360° Program. Individuals who are employees of company but who are not
permitted by company to participate in the Program are not considered "Eligible Persons' as
defined herein. Neither Company nor Plan shall restrict the eligibility of eligible employees
to participate in the Program unless such eligibility restriction is based on an employment-
based classification permitted under the Wellness Program Exception.
e. Health Risk Assessment Form(HRA) means HealthCheck360°proprietary questionnaire which
is available to Eligible Persons through HealthCheck360°web portal,and available as a printed
form provided by HealthCheck360° to Company and distributed to Eligible Persons by Plan,
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 1 12
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
directly or through Company employees providing plan administrative services to Plan.
f. HealthCheck360°Program means the HealthCheck360° proprietary program for providing
health risk management and population Biometric Screening and Health risk Assessment
services for employer-sponsored group health plans as described in Exhibit B.
g. Lockdown Count is the written verification of the number of biometric screening participants
for any Biometric Screening Event.
h. Participant means an Eligible Person who, prior to the participation deadline, either (a)
undergoes a Biometric Screening, or (b) submits an HRA to HealthCheck360° with sufficient
identifying data to permit HealthCheck360°to match accurately the HRA to an Eligible Person.
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE.IOWA 52001 Page 113
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
EXHIBIT B - HEALTHCHECK3600 PROGRAM
a. Incentive Design
If requested, HealthCheck360° will assist Company/Plan in the development of an
incentive program to encourage participation by Eligible Persons and reduce health risks.
b. General Communication Information
Communication with Eligible Persons in the implementation of the HealthCheck360°
Program shall be provided by HealthCheck360° or by Company, as applicable, using e-
mail, and/or website communications. Written (both electronic and paper)
communication is dependent upon HealthCheck3600 having a valid residential address
and email address for the Eligible Person. HealthCheck360° may contact Participants to
inform them about other wellness programs and related resources that may be
appropriate for and relevant to the Participants.
C. Introduction to Eligible Persons
Introduction of the HealthCheck360° Program to eligible persons shall be provided by
Company in a form mutually agreeable to Company or Plan, as applicable, and
HealthCheck360°.
d. Biometric Screening
HealthCheck360°shall provide,or arrange to provide,the examiners and blood collection
kits necessary to conduct biometric screenings for eligible persons at a work site on such
dates and times as shall be mutually acceptable to HealthCheck360° and Company, as
applicable.
Once the location,date and time of each Biometric Screening Event has been determined,
and notice of the location of the work site has been timely provided to HealthCheck360°
by Company or Plan, as applicable, the scheduling of eligible persons for biometric
screenings at such event shall be the sole responsibility of Company.
For efficiency, an average of six (6) eligible persons scheduled per examiner per hour.
Company or Plan,as applicable,shall provide the Lockdown Count to HealthCheck360°at
least fifteen (15) business days before the date of the Biometric Screening Event.
Lockdown Count shall include the number of eligible persons and the dates) and the
beginning and end time for each Biometric Screening Event.
Each eligible person must sign and submit to HealthCheck360°a written consent, in form
and content acceptable to HealthCheck360°, before the Biometric Screening Event can be
performed.
e. Health Risk Assessment ("HRA")
Each eligible person will be provided with access to the HealthCheck360° HRA on an
v051516 866.511.0360 1 W W W.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 114
CC-03
HealthCheck3600 PERFORMANCE-BASED WELLNESS
annual basis either in printed form (copies of which shall be provided by HealthCheck360°
to Company for distribution to eligible persons who do not wish to complete the HRA on-
line) or in an electronic format through HealthCheck360°secure web portal.
f. HealthCheck360° Report and HealthCheck360°Score for Participants
Following the completion by a participant of all of the requirements necessary for
HealthCheck360°to prepare a HealthCheck360" individual report, HealthCheck360°will
deliver a HealthCheck3600 individual report to such participant, including his/her
HealthCheck360° score, lab test results and risk-specific educational materials based on
the participant's individual risk factors. HealthCheck3600 may deliver these to participant
by standard mail or through secure website access.
g. Participant Web Tools
Participants will have access to a secure personalized web portal at
myhealthcheck360.com to complete HRAs on-line,view their HealthCheck360°individual
report, receive educational materials, track daily food and activity, join company
challenges, and other features. Tracking tools and other resources are also available
through a mobile application for Apple and Android device users.
h. Hotline
A toll-free telephone number and e-mail communication through the HealthCheck360°
website is available to eligible persons and participants to provide technical assistance in
accessing the HealthCheck360° Program website and to provide general information
regarding the program. The toll-free telephone service and e-mail account is monitored
by HealthCheck360°during normal business hours(Monday through Friday from 8:00 AM
to 5:00 PM Central time).
L Health Coaching
Incoming health coaching calls are included in the standard participation fees outlined in
Exhibit C. Outbound health coaching options can be elected in Exhibit C. Health coaching
activity reports will be provided under any model, but incentive eligibility reporting will
only be provided with the selection of an outbound model.
j. Cooperation with Third Parties
HealthCheck360° will cooperate with Company with regard to making selected personal
HealthCheck3600 data available to other providers of healthcare related services and
employee assistance programs designated by Company as set forth in Section V of this
Agreement. Nothing in this Exhibit B shall require HealthCheck360°to change its existing
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 1 15
CC-03
HealthCheck360 PERFORMANCE-BASED WELLNESS
data fields.
k. Account Manager Assignment
HealthCheck360°will designate one or more representatives of HealthCheck360°who will
serve as an account manager to Company and who will be available during normal
business hours to respond to inquiries from Company.
I. Reporting
Provided there are at least fifty (50) Participants in a reporting period, HealthCheck360°
will provide Company with one (1)annual corporate aggregate and executive report. An
incentive eligibility report of Plan's program data will be provided annually in a manner
consistent with the requirements of Section VI (b) and Exhibit D of this Agreement
regardless of participation. Location specific reporting may be available provided there
are at least fifty (50) participants in reporting period in a manner consistent with the
requirements of Section VI (b) and Exhibit D of this Agreement. Coaching engagement
reporting will be provided only if a coaching model is selected in Exhibit B. Online and
programming engagement is available upon request.
M. Condition Management
HealthCheck3600 will provide condition management services for the Company if elected
in Exhibit C. Condition management is directed at participants with chronic conditions in
which emphasis with compliance with recommended care guidelines are reviewed and
discussed with participants. Condition management supports the provider/patient
relationship and plan of care, emphasizes prevention of complications using evidence-
based practice guidelines, monitors Participant claims and health risk assessment data for
compliance with recommended treatment and medication adherence, and works to
educate and motivate the Participant toward improved overall health.
i. HealthCheck360° shall provide the Client with reports of its condition
management activity adherence statistics subject to the confidentiality
requirements set forth below.
ii. HealthCheck3600 strongly encourages Client to make condition management
mandatory for participants and tie non-participation to reductions in benefits or
increased contributions. Failure to do so may result in low engagement rates.
iii. "Participants"may be identified for condition management based on medical and
pharmacy claims, as well as biometric health risk assessment data. Participants
may also be referred to condition management by medical management, the
claims administrator, a Client representative,or they may self-refer.
iv. The Client will be responsible for ensuring a medical claims data feed is sent from
the claims administrator. Updated files will be provided no less than monthly and
be sent in a standardized format as provided by HealthCheck360°.
v051516 866.511.0360 1 W W W.HEALTHCHECK360.COM I 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 1 16
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
V. The Client will be responsible for ensuring an Rx data feed is sent from the
Pharmacy Benefit Manager. Updated files will be provided no less than monthly
and be sent in a standardized format as provided by HealthCheck360°.
vi. The Client will be responsible for ensuring an updated eligibility file is sent from
the health plan or claims administrator. Updated files will be provided no less
than monthly and be sent in a standardized format as provided by
HealthCheck360°.
n. Program Services Modification
HealthCheck360° reserves the right to make modifications to the Program services
outlined above for the express purpose of continuously improving the effectiveness
and/or efficiency of the Program. HealthCheck3600 will notify Plan in advance of any
material modifications.
0. Terms of Use
The use of the web portal by Company or Plan or eligible persons is subject to the terms
and conditions of use agreed to by participant when they first sign-in to the web portal,
which are incorporated herein by this reference. The terms and conditions of use on the
web portal shall control over any conflicting terms herein or made by any party,whether
oral or written or referenced herein.
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE.IOWA 52001 Page 1 17
CC-03
HealthCheck36O� PERFORMANCE-BASED WELLNESS
EXHIBIT C - PROGRAM FEES
BIOMETRIC SCREENING AND PROGRAM FEES
Type DescriptionPrice Fee ,
Standard Fees
Participation p of Participants at Biometric Screening Event
Fee 500+ $109.00 Participant
100-499 $119.00 Participant
20-99 $124.00 Participant
10-19 $139.00 Participant
6-9 $150.00 Participant
1-5 $175.00 Participant
Additional Program Fees(only applicable if elected)
Initial here to Off-line participant fee $29.00 Participant who completes Health Risk
elect Assessment via paper.
Initial here to Program Only/Physician Form $72.00 Participant screened by third party vendor or
elect Participation Fee uses physician form process
Initial here to Web Portal Access for Non- $37.00 Per Eligible Non-Biometric Participant Per
elect participants Year
Additional Testing Costs(only applicable if elected)
Initial here to Thyroid-Stimulating Hormone $17.00 Eligible Participant defined as:
elect (TSH) ❑All participants
❑Females only
Initial here to Prostate-Specific Antigen(PSA) $17.00 Eligible Participant defined as all males aged:
elect ❑>_35 ❑>_45
❑>_40 ❑>_50
Initial here to C Reactive Protein $17.00 Eligible Participant defined as all participants
elect (hs-CrP) on screening date
Initial here to Hemoglobin Alc(hAlc) $17.00 Eligible Participant defined as all participants
elect with biometric values on the fasting plasma
glucose test with results:
❑ >_100 ❑ >_115 ❑ >_126
This test requires an additional vial of blood
to be taken from all participants
Initial here to Complete Blood Count(CBC) $21.00 Eligible Participant defined as all participants
elect on screening date.This test requires an
additional vial of blood to be taken from all
participants
HealthCheck360" shall be entitled to, at a minimum, the fifty percent (50%) down payment of the final
proposal estimated cost,which is due at least thirty(30)days before the date of the first Screening Event.
HealthCheck3600 shall be entitled to payment of the Participation Fee for the greater of the number of
participants listed on the Lockdown Count provided to HealthCheck360°at least fifteen (15)business days
v051516 866.511.0360 1 W W W.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 118
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
before the date of the biometric screening event or the number of actual participants at that location's
screening.
The number of examiners attending a biometric screening event will be determined based an the
Lockdown Count provided to HealthCheck360°for such biometric screening event. Company or Plan shall
pay fifty percent(50%)of the Participation Fees that would have been incurred per the Lockdown Count
for any biometric screening event that is cancelled by Company or Planless than fifteen(15)business days
priorto the confirmed Biometric Screening Event.Company or Plan shall pay one hundred percent(100%)
of the Participation Fees that would have been incurred per the Lockdown Count for any Biometric
Screening Event that is cancelled by Company or Plan less than two (2) business days prior to the
confirmed Biometric Screening Event.
Information Services Fee - In the event of the use of external phlebotomists and lab vendors, all data
must be received from the Company to HealthCheck360° in the format provided by HealthCheck3600. If
data file requires re-formatting by HealthCheck360°,the Company will be obliged to pay an Information
Services Fee at the rate of Two Hundred Dollars ($200.00) per hour incurred by HealthCheck360°. For all
requests pertaining to data analysis, programming, or reporting not covered in the scope of this
agreement the Company will be obliged to pay an Information Services Fee at the rate of Two Hundred
Dollars ($200.00) per hour incurred by HealthCheck3600
.
Custom Mailing Fee—A custom mailing fee of$3.79 per item will be assessed for printing and/or mailing
costs associated with any materials provided outside of the standard HealthCheck360° Program offering.
This fee includes the mailing and printing of 2 pages printed in color or 10 pages printed in black and
white. If items requested exceed standard mailing expenses, additional fees may apply.
Physician Forms—An additional fee of$15.00 per form will apply to the increased processing associated
with incomplete or returned physician forms.
Fee(s) Increases - In the event that HealthCheck360° suppliers significantly increase their charges to
HealthCheck360°so that it becomes economically infeasible for HealthCheck360°to provide the Program
for the amount of the fees herein, HealthCheck3600 may propose new fees for the upcoming year to
Company for its approval at least thirty(30)days prior to the anniversary of the Effective Date end of the
Initial Term of this Agreement. In the event Company does not agree to such fee increase,this Agreement
shall automatically terminate at HealthCheck360"s option as of the end of the current contract year.
v051516 866.511.03601 WWW.HEALTHCHECK360.COM I BOO MAIN STREET I DUBUQUE,IOWA 52001 Page 1 19
CC-03
HealthChe&360c PERFORMANCE-BASED WELLNESS
BIOMETRIC SCREENING AND PROGRAM SURCHARGES
Off hours and Weekend Fees are subject to a 20%surcharge on an event basis.Standard hours are considered to be
Monday thru Friday 6:00 am to 7:00 pm.
Extra Examiner Fees will be One Hundred and Twenty-Five dollars($125.00)per hour upon request. Extra Examiner Fees
may also be incurred for events that are outside of the following parameters:
20+participant events will be a minimum of 3 hours with screenings taking place every 10 minutes.
Events with 1-19 participants will have one examiner with screenings taking place every 10 minutes.
Extra Examiner fees may be incurred for events with any breaks in the schedule requested by the Company.
Screening Rush Fee:Surcharge applied to sum of Participation Fee and applicable Geographic Surcharges
Requests<20 days 10%
Requests<15 days 30%
Requests<8 days 50%
Screening Geographic Surcharges:The Participation Fee for each participant at locations in the geographic areas listed
below are subject to an additional surcharge represented in the chart below
Alaska/Guam 50%
Puerto Rico/Hawaii 35%
California 25%
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 120
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
HEALTH COACHING FEES
Election Model Price Description
Initial hereto Review of $43.00 per health risk HealthCheck360°will provide scheduling
elect Findings Model assessment participant resources and availability for all participants to
receive a call from a health coach. This call is
designed to ensure a thorough understanding of
the results and to set goals for the upcoming
year. Follow-up is driven by the participant.
Initial hereto Targeted $78.00 per health risk HealthCheck360"will target and provide
elect Intervention assessment participant outreach to all moderate to very high risk
Model participants using the contact information
provided at the time of the screening. If the
participant engages,the health coach and
participant will manage a follow-up schedule at
a minimum of quarterly attempts. If the
individual does not engage,the health coach
will reach out to the participant quarterly to
attempt to do so. If the participant declines
contact,no further outreach will occur.
This model does not provide outbound
intervention for ideal or low risk participants.
Unlimited inbound calls are participant-driven
at all risk levels.
Initial here to Comprehensive $100.00 per health risk This model combines the Review of Findings
elect Model assessment participant model and the Targeted model into an intensive
intervention for all participants.
HealthCheck360'will provide scheduling
resources and availability for all participants to
receive a Review of Findings call from a health
coach. Participants with moderate to very high
risk will then be proactively targeted on a
quarterly basis or more based on participant
engagement level.
This model does not provide any additional
outbound intervention following the Review of
Findings outreach for ideal or low risk
participants. Unlimited inbound calls are
participant driven at all risk levels.
v051516 866.511.0360 I WWW.HEALTHCHECK360.COM 800 MAIN STREET l DUBUQUE,IOWA 52001 Page 121
CC-03
0
HealthCheck360 PERFORMANCE-BASED WELLNESS
Election Model Price Description
Initial here to Reasonable $158.00 per enrolled This model provides health coaching to all
elect Alternative participant in reasonable participants that request and enroll in a
Standard alternative standard. reasonable alternative standard to the
Coaching Company's existing incentive structure.This is
Model only applicable to Company if the Targeted or
Comprehensive models is not selected.
Initial here to Lean for Life $375.00 per enrolled Lean for The Lean for Life® Online Program includes 10
elect Life®Online Program weekly coaching calls with a HealthCheck360°
Participant health coach.
• The New Lean for Life®hardcover book
• Access to the Lean for Life®website
• Daily support emails
• 1 bottle of"Fat Burning Indicator"strips
• 1 box of sample protein snacks
Initial hereto Nicotine $375.00 per enrolled NCP The HealthCheck360`Nicotine Cessation
elect Cessation participant. Program includes a health coach who will reach
Program out to enrolled participants on a weekly basis
for six weeks and biweekly for the next six
weeks. The participant will receive a workbook
and ongoing educational materials.
Initial here to Metabolic Risk $375.00 per enrolled The Metabolic Risk Coaching Program is a 12
elect Coaching Metabolic Risk Coaching week high touch program with a health coach to
participant. provide support and interventions to improve
diet,exercise,lipids,glucose,and/or blood
pressure measurements.
Initial here to Review of $43.00 per health risk All participants complete Review of Findings
elect Findings Plus assessment participant;$375 coaching and may elect in one of the three
Model per enrolled participant in programs described above.
Lean for Life, Nicotine
Cessation Program,or
Metabolic Risk Coaching
Program
v051516 866.511.0360 1 W W W.HEALTHCHECK360.COM 1 800 MAIN STREET 1 DUBUQUE,IOWA 52001 page 122
CC-03
-HealthCheck360 PERFORMANCE-BASED WELLNESS
HEALTHCHECK360°CONDITION MANAGEMENT FEES
applicableCondition Management Fees (only
Initial here to 5 Disease States $4.60 PEPM Asthma,diabetes,coronary artery disease(includes
elect hypertension and hyperlipidemia), heart failure,and COPD
Initial here to 4 Disease States $4.35 PEPM Asthma,diabetes, hypertension,and Hyperlipidemia
elect
Initial here to 4 Disease States $4.35 PEPM Asthma,diabetes,hypertension,and COPD or heart failure
elect
Initial here to 3 Disease States $4.10 PEPM Asthma,diabetes and hypertension
elect
Initial here to 2 Disease States $3.50 PEPM Diabetes and hypertension
elect
Conditions that we help participants manage include asthma, diabetes, hypertension, coronary artery
disease, COPD and heart failure. Your company may choose to focus on a smaller segment of the
population,and pricing adjustments are made accordingly.
The Client shall notify HealthCheck3600 of additional employees under its medical benefits program.
HealthCheck360° retains the right to adjust and verify the payments due based upon changes in the
number of employees on each billing date.
*$2500 set up fee may apply
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 123
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
EXHIBIT D - BUSINESS ASSOCIATE ADDENDUM
II. PREAMBLE
("Covered Entity")and HealthCheck360°("Business Associate")
(jointly "the Parties") enter into this Business Associate Agreement to comply with the requirements of:
(i)the implementing regulations at 45 C.F.R Parts 160, 162, and 164 for the Administrative Simplification
provisions of Title II,Subtitle F of the Health Insurance Portability and Accountability Act of 1996("HIPAA")
(i.e.,the HIPAA Privacy,Security, Electronic Transaction, Breach Notification,and Enforcement Rules("the
Implementing Regulations")), (ii) the requirements of the Health Information Technology for Economic
and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the
"HITECH Act") that are applicable to business associates, and (iii) the requirements of the final
modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as issued on
January 25, 2013 and effective March 26, 2013 (75 Fed. Reg. 5566 (Jan. 25, 2013)) ("the Final
Regulations"). The Implementing Regulations, the HITECH Act, and the Final Regulations are collectively
referred to in this Business Associate Agreement as "the HIPAA Requirements."
Covered Entity and Business Associate agree to incorporate into this Business Associate Agreement any
regulations issued by the U.S. Department of Health and Human Services ("DHHS") with respect to the
HIPAA Requirements that relate to the obligations of business associates and that are required to be (or
should be) reflected in a business associate agreement. Business Associate recognizes and agrees that it
is obligated by law to meet the applicable provisions of the HIPAA Requirements and that it has direct
liability for any violations of the HIPAA Requirements.
XI. DEFINITIONS
(a) "Breach" shall mean, as defined in 45 C.F.R. § 164.402, the acquisition, access, use or disclosure
of Unsecured Protected Health Information in a manner not permitted by the HIPAA
Requirements that compromises the security or privacy of that Protected Health Information.
(b) "Business Associate Subcontractor" shall mean, as defined in 45 C.F.R. § 160.103, any entity
(including an agent) that creates, receives, maintains or transmits Protected Health Information
on behalf of Business Associate.
(c) "Electronic PHI" shall mean, as defined in 45 C.F.R. § 160.103, Protected Health Information that
is transmitted or maintained in any Electronic Media.
(d) "Limited Data Set"shall mean,as defined in 45 C.F.R. § 164.514(e), Protected Health Information
that excludes the following direct identifiers of the individual or of relatives, employers, Or
household members of the individual:
(i) Names;
(ii) Postal address information, other than town or city,State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM I 800MAINSTREET I DUBUQUE,IOWA 52001 Page 124
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators(URLs);
(xiv) Internet Protocol(IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.
(e) "Protected Health Information"or"PHP'shall mean,as defined in 45 C.F.R. §160.103, information
created or received by a Health Care Provider, Health Plan, employer, or Health Care
Clearinghouse, that: (i) relates to the past, present, or future physical or mental health or
condition of an individual,provision of health care to the individual,orthe past, present,orfuture
payment for provision of health care to the individual; (ii) identifies the individual, or with respect
to which there is a reasonable basis to believe the information can be used to identify the
individual; and (iii) is transmitted or maintained in an electronic medium,or in any other form or
medium. The use of the term "Protected Health Information" or"PHI" in this Business Associate
Agreement shall mean both Electronic PHI and non-Electronic PHI, unless another meaning is
clearly specified.
(f) "Security Incident' shall mean, as defined in 45 C.F.R. § 164.304, the attempted or successful
unauthorized access, use, disclosure, modification, or destruction of information or interference
with system operations in an information system.
(g) "Unsecured Protected Health Information"shall mean,as defined in 45 C.F.R.§164.402,Protected
Health Information that is not rendered unusable,unreadable,or indecipherable to unauthorized
persons through the use of a technology or methodology specified by DHHS.
(h) "Business Associate"shall mean HealthCheck360°.
(i) "Covered Entity"shall mean the Plan referred to in the Service Agreement.
(j) "Designated Record Set shall have the same meaning as the term "designated record set" in 45
C.F.R. 164.501.
(k) "Individual"shall have the same meaning as the term "individual" in 45 C.F.R. § 164.502(g).
(1) "Privacy Rule"shall mean the Standards for Privacy of Individually Identifiable Health Information
at 45 C.F.R. Part 160 and Part 164,Subparts A and E.
(m) (k) "Required By Law"shall have the same meaning as the term "required by law" in 45 C.F.R. §
164.501.
(n) "Security Standards" refers to the standards with respect to security of electronic protected
health information referred to in 45 C.F.R. § 164.302 et seq.
(o) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 125
CC-03
'HealthChe& 3600 PERFORMANCE-BASED WELLNESS
designee.
(p) All other capitalized terms used in this Business Associate Agreement shall have the meanings set
forth in the applicable definitions under the HIPAA Requirements.
XII. GENERALTERMS
(a) In the event of an inconsistency between the provisions of this Business Associate Agreement and
a mandatory term of the HIPAA Requirements (as these terms may be expressly amended from
time to time by the DHHS or as a result of interpretations by DHHS,a court, or another regulatory
agency with authority over the Parties), the interpretation of DHHS, such court or regulatory
agency shall prevail. In the event of a conflict among the interpretations of these entities, the
conflict shall be resolved in accordance with rules of precedence.
(b) Where provisions of this Business Associate Agreement are different from those mandated bythe
HIPAA Requirements, but are nonetheless permitted by the HIPAA Requirements,the provisions
of this Business Associate Agreement shall control.
(c) Except as expressly provided in the HIPAA Requirements or this Business Associate Agreement,
this Business Associate Agreement does not create any rights in third parties.
XIII. SPECIFIC REQUIREMENTS
(a) Flow-Down of Obligations to Business Associate Subcontractors. Business Associate agrees that
as required by the HIPAA Requirements, Business Associate will enter into a written agreement
with all Business Associate Subcontractors that: (i) requires them to comply with the Privacy and
Security Rule provisions of this Business Associate Agreement in the same manner as required of
Business Associate, and (ii) notifies such Business Associate Subcontractors that they will incur
liability under the HIPAA Requirements for non-compliance with such provisions. Accordingly,
Business Associate shall ensure that all Business Associate Subcontractors agree in writing to the
same privacy and security restrictions, conditions and requirements that apply to Business
Associate with respect to PHI.
(b) Privacy of Protected Health Information
(i) Permitted Uses and Disclosures of PHI. Business Associate agrees to create, receive,
use, disclose, maintain or transmit PHI only in a manner that is consistent with this
Business Associate Agreement or the HIPAA Requirements and only in connection
with providing the services to Covered Entity identified in the Agreement.
Accordingly, in providing services to orforthe Covered Entity, Business Associate,for
example, will be permitted to use and disclose PHI for "Treatment, Payment, and
Health Care Operations," as those terms are defined in the HIPAA Requirements.
Business Associate further agrees that to the extent it is carrying out one or more of
the Covered Entity's obligations under the Privacy Rule (Subpart E of 45 C.F.R. Part
164), it shall comply with the requirements of the Privacy Rule that apply to the
Covered Entity in the performance of such obligations.
V051516 866.511.03601 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 1 26
CC-03
HealthChe& 3600 PERFORMANCE-BASED WELLNESS
(1) Business Associate shall report to Covered Entity any use or disclosure of PHI
that is not provided for in this Business Associate Agreement, including
reporting Breaches of Unsecured Protected Health Information as required
by 45 C.F.R. § 164.410 and required by Section 4(e)(ii) below.
(2) Business Associate shall establish, implement and maintain appropriate
safeguards, and comply with the Security Standards (Subpart C of 45 C.F.R.
Part 164) with respect to Electronic PHI, as necessary to prevent any use or
disclosure of PHI other than as provided for by this Business Associate
Agreement.
(ii) Business Associate Obligations. As permitted by the HIPAA Requirements, Business
Associate also may use or disclose PHI received by the Business Associate in its
capacity as a Business Associate to the Covered Entity for Business Associate's own
operations if:
(1) the use relates to: (1) the proper management and administration of the
Business Associate or to carry out legal responsibilities of the Business
Associate, or (2) data aggregation services relating to the health care
operations of the Covered Entity; or
(2) the disclosure of information received in such capacity will be made in
connection with a function,responsibility,or services to be performed by the
Business Associate, and such disclosure is required by law or the Business
Associate obtains reasonable assurances from the person to whom the
information is disclosed that it will be held confidential and the person agrees
to notify the Business Associate of any breaches of confidentiality.
(iii) Minimum Necessary Standard and Creation of Limited Data Set. Business Associate's
use, disclosure, or request of PHI shall utilize a Limited Data Set if practicable.
Otherwise, in performing the functions and activities as specified in the Agreement
and this Business Associate Agreement, Business Associate agrees to use,disclose,or
request only the minimum necessary PHI to accomplish the intended purpose of the
use, disclosure, or request.
(iv) Access. In accordance with 45 C.F.R. § 164.524 of the HIPAA Requirements, Business
Associate will make available to the Covered Entity (or as directed by the Covered
Entity,to those individuals who are the subject of the PHI (or their designees)),their
PHI in the Designated Record Set. Business Associate shall make such information
available in an electronic format where directed by the Covered Entity.
(v) Disclosure Accounting. Business Associate shall make available the information
necessary to provide an accounting of disclosures of PHI as provided for in 45 C.F.R. §
164.528 of the HIPAA Requirements by making such information available to the
Covered Entity or (at the direction of the Covered Entity) making such information
available directly to the individual.
v051516 866.511.03601 WWW.HEALTHCHECK360.COM I 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 127
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
(vi) Amendment. Business Associate shall make PHI in a Designated Record Set available
for amendment and, as directed by the Covered Entity, incorporate any amendment
to PHI in accordance with 45 C.F.R. § 164.526 of the HIPAA Requirements.
(vii) Right to Request Restrictions on the Disclosure of PHI and Confidential
Communications. If an individual submits a Request for Restriction or Request for
Confidential Communications to the Business Associate, Business Associate and
Covered Entity agree that Business Associate, on behalf of Covered Entity, will
evaluate and respond to these requests according to Business Associate's own
procedures for such requests.
(viii) Return or Destruction of PHI. Upon the termination orexpiration of the Agreement or
this Business Associate Agreement, Business Associate agrees to return the PHI to
Covered Entity, destroy the PHI (and retain no copies), or if Business Associate
determines that return or destruction of the PHI is not feasible;
(1) continue to extend the protections of this Business Associate Agreement and of
the HIPAA Requirements to the PHI, and
(2) limit any further uses and disclosures of the PHI to the purpose making return or
destruction infeasible.
(ix) Availability of Books and Records. Business Associate shall make available to DHHS or
its agents the Business Associate's internal practices, books, and records relating to
the use and disclosure of PHI in connection with this Business Associate Agreement.
(x) Termination for Breach.
(1) Business Associate agrees that Covered Entity shall have the right to terminate
this Business Associate Agreement or seek other remedies if Business Associate
violates a material term of this Business Associate Agreement.
(2) Covered Entity agrees that Business Associate shall have the right to terminate
this Business Associate Agreement or seek other remedies if Covered Entity
violates a material term of this Business Associate Agreement.
(c) Information and Security Standards
(i) Business Associate will develop, document, implement, maintain, and use
appropriate Administrative, Technical, and Physical Safeguards to preserve the
Integrity, Confidentiality, and Availability of, and to prevent non-permitted use or
disclosure of, Electronic PHI created or received for or from the Covered Entity.
(ii) Business Associate agrees that with respect to Electronic PHI,these Safeguards, at a
minimum,shall meet the requirements of the HIPAA Security Standards applicable to
Business Associate.
v051516 866.511.0360 I WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 128
CC-03
HealthCheck36Oo PERFORMANCE-BASED WELLNESS
(iii) More specifically, to comply with the HIPAA Security Standards for Electronic PHI,
Business Associate agrees that it shall:
(1) Implement Administrative, Physical, and Technical Safeguards consistent with
(and as required by) the HIPAA Security Standards that reasonably protect the
Confidentiality,Integrity,and Availability of Electronic PHI that Business Associate
creates, receives, maintains, or transmits on behalf of Covered Entity. Business
Associate shall develop and implement policies and procedures that meet the
documentation requirements as required by the HIPAA Requirements;
(2) As also provided for in Section 4(a) above, ensure that any Business Associate
Subcontractor agrees to implement reasonable and appropriate safeguards to
protect the Electronic PHI;
(3) Report to Covered Entity any unauthorized access, use, disclosure, modification,
or destruction of PHI (including Electronic PHI) not permitted by this Business
Associate Agreement, applicable law, or permitted by Covered Entity in writing
("Successful Security Incidents' or Breaches) of which Business Associate
becomes aware. Business Associate shall report such Successful Security
Incidents or Breaches to Covered Entity as specified in Section 4(e)(iii)(1);
(4) For Security Incidents that do not result in unauthorized access, use, disclosure,
modification, or destruction of PHI (including, for purposes of example and not
for purposes of limitation, pings on Business Associate's firewall, port scans,
attempts to log onto a system or enter a database with an invalid password or
username, denial-of-service attacks that do not result in the system being taken
off-line,or malware such as worms orviruses)(hereinafter"Unsuccessful Security
Incidents"), aggregate the data and, upon the Covered Entity's written request,
report to the Covered Entity in accordance with the reporting requirements
identified in Section 4(e)(iii)(2);
(S) Take all commercially reasonable steps to mitigate,to the extent practicable,any
harmful effect that is known to Business Associate resulting from any
unauthorized access, use, disclosure, modification, or destruction of PHI;
(6) Permit termination of this Business Associate Agreement if the Covered Entity
determines that Business Associate has violated a material term of this Business
Associate Agreement with respect to Business Associate's security obligations
and Business Associate is unable to cure the violation; and
(7) Upon Covered Entity's request, provide Covered Entity with access to and copies
of documentation regarding Business Associate's safeguards for PHI and
Electronic PHI.
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 page 1 29
CC-03
HealthChe& 3600 PERFORMANCE-BASED WELLNESS
(d) Compliance with HIPAA Transaction Standards
(i) Application of HIPAA Transaction Standards.Business Associate will conduct Standard
Transactions consistent with 45 C.F.R. Part 162 for or on behalf of the Covered Entity
to the extent such Standard Transactions are required in the course of Business
Associate's performing services under the Agreement and this Business Associate
Agreement for the Covered Entity. As provided for in Section 4(a) above, Business
Associate will require any Business Associate Subcontractor involved with the
conduct of such Standard Transactions to comply with each applicable requirement
of 45 C.F.R. Part 162. Further, Business Associate will not enter into, or permit its
Subcontractors to enter into, any trading partner agreement in connection with the
conduct of Standard Transactions for or on behalf of the Covered Entity that:
(1) Changes the definition, data condition, or use of a data element or segment in a
Standard Transaction;
(2) Adds any data element or segment to the maximum defined data set;
(3) Uses any code or data element that is marked "not used" in the Standard
Transaction's implementation specification or is not in the Standard Transaction's
implementation specification;or
(4) Changes the meaning or intent of the Standard Transaction's implementation
specification.
(ii) Specific Communications. Business Associate, Plan Sponsor and Covered Entity
recognize and agree that communications between the parties that are required to
meet the Standards for Electronic Transactions will meet the Standards set by that
regulation. Communications between Plan Sponsor and Business Associate, or
between Plan Sponsor and the Covered Entity,do not need to comply with the HIPAA
Standards for Electronic Transactions. Accordingly, unless agreed otherwise by the
Parties in writing, all communications (if any) for purposes of "Enrollment" as that
term is defined in 45 C.F.R. Part 162,Subpart O orfor"Health Covered Entity Premium
Payment Data," as that term is defined in 45 C.F.R. Part 162, Subpart Q, shall be
conducted between the Plan Sponsor and either Business Associate or the Covered
Entity. For all such communications (and any other communications between Plan
Sponsor and the Business Associate),Plan Sponsor shall use such forms,tape formats,
or electronic formats as Business Associate may approve. Plan Sponsor will include all
information reasonably required by Business Associate to affect such data exchanges
or notifications.
(iii) Communications Between the Business Associate and the Covered Entity. All
communications between the Business Associate and the Covered Entity that are
required to meet the HIPAA Standards for Electronic Transactions shall do so. For any
other communications between the Business Associate and the Covered Entity, the
Covered Entity shall use such forms,tape formats, or electronic formats as Business
Associate may approve. The Covered Entity will include all information reasonably
v051516 866.511.03601 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 130
CC-03
-HealthCheck36OC PERFORMANCE-BASED WELLNESS
required by Business Associate to affect such data exchanges or notifications.
(e) Notice and Reporting Obligations of Business Associate
(i) Notice of Non-Compliance with the Business Associate Agreement. Business Associate will
notify Covered Entity within 10 calendar days after discovery, any unauthorized access,
use, disclosure, modification, or destruction of PHI (including any successful Security
Incident) that is not permitted by this Business Associate Agreement, by applicable law,
or permitted in writing by Covered Entity, whether such non-compliance is by (or at)
Business Associate or by(or at) a Business Associate Subcontractor.
(ii) Notice of Breach. Business Associate will notify Covered Entity following discovery and
without unreasonable delay but in no event later than 10 calendar days following
discovery, any Breach of Unsecured Protected Health Information,whether such Breach
is by Business Associate or by Business Associate Subcontractor.
(1) As provided for in 45 C.F.R. § 164.402, Business Associate recognizes and agrees that
any acquisition,access,use or disclosure of PHI in a manner not permitted underthe
HIPAA Privacy Rule (Subpart E of 45 C.F.R. Part 164) is presumed to be a Breach. As
such, Business Associate shall (i) notify Covered Entity of any non-permitted
acquisition, access, use or disclosure of PHI, and (ii) assist Covered Entity in
performing(orat Covered Entity's direction, perform)a risk assessment to determine
if there is a low probability that the PHI has been compromised.
(2) Business Associate shall cooperate with Covered Entity in meeting the Covered
Entity's obligations under the HIPAA Requirements and any other security breach
notification laws. Business Associate shall follow its notification to the Covered Entity
with a report that meets the requirements outlined immediately below.
(iii) Reporting Obligations.
(1) For Successful Security Incidents and Breaches, Business Associate — without
unreasonable delay and in no event later than 30 calendar days after Business
Associate learns of such non-permitted use or disclosure (whether at Business
Associate or at Business Associate Subcontractor) — shall provide Covered Entity a
report that will:
(a) Identify (if known) each individual whose Unsecured Protected Health
Information has been, or is reasonably believed by Business Associate to have
been accessed,acquired, or disclosed;
(b) Identify the nature of the non-permitted access, use, or disclosure including the
date of the incident and the date of discovery;
(c) Identify the PHI accessed, used, or disclosed (e.g., name;social security number;
date of birth);
(d) Identify what corrective action Business Associate (or Business Associate
Subcontractor)took or will take to prevent further non-permitted accesses,uses,
or disclosures;
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 131
CC-03
- HealthCheck36Oo PERFORMANCE-BASED WELLNESS
(e) Identify what Business Associate(or Business Associate Subcontractor)did or will
do to mitigate any deleterious effect of the non-permitted access, use, or
disclosure; and
(f) Provide such other information, including a written report, as the Covered Entity
may reasonably request.
(2) For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity,
upon its written request, a report that:
(a) identifies the categories of Unsuccessful Security Incidents as described in Section
4(c)(iii)(4);
(b) indicates whether Business Associate believes its (or its Business Associate
Subcontractor's)current defensive security measures are adequate to address all
Unsuccessful Security Incidents,given the scope and nature of such attempts;and
(c) if the security measures are not adequate, the measures Business Associate (or
Business Associate Subcontractor) will implement to address the security
inadequacies.
(iv) Termination.
(1) Covered Entity and Business Associate each will have the right to terminate this Business
Associate Agreement if the other party has a material breach or violation of Business
Associate's or the Covered Entity's respective obligations regarding PHI under this
Business Associate Agreement and, on notice of such material breach or violation from
the Covered Entity or Business Associate, fails to take reasonable steps to cure the
material breach or end the violation.
(2) If Business Associate or the Covered Entity fail to cure the material breach or end the
violation afterthe Covered Entity or Business Associate(as applicable)may terminate this
Business Associate Agreement by providing Business Associate or the Covered Entity
written notice of termination, stating the uncured material breach or violation that
provides the basis for the termination and specifying the effective date of the
termination. Such termination shall be effective 60 days from this termination notice.
(v) Continuing Privacy and Security Obligations. Business Associate's and the Covered Entity's
obligation to protect the privacy and security of the PHI it created, received, maintained, or
transmitted in connection with services to be provided under the Agreement and this
Business Associate Agreement will be continuous and survive termination, cancellation,
expiration, or other conclusion of this Business Associate Agreement or the Agreement.
Business Associate's other obligations and rights, and the Covered Entity's obligations and
rights upon termination, cancellation, expiration, or other conclusion of this Business
Associate Agreement, are those set forth in this Business Associate Agreement and/or the
Agreement.
XIV. TERM
The Term of this Addendum shall be effective as of the effective date of the Agreement and shall terminate
when all of the Protected Health Information provided by Covered Entity to Business Associate,or created
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 132
CC-o3
+ 'HealthCheck36Oo PERFORMANCE-BASED WELLNESS
or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity,
or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such
information, in accordance with the provisions of this Addendum.
IN WITNESS WHEREOF, the parties have executed this Addendum as of the date(s)set forth below.
Employer, as Plan
�Administrator oofthe Plan- -
By: l�A� ✓ I �� Lr�V✓�
Name: LGLfY1 ° lerzw�h
Title: aUn2
I� p— ) (XAPF EDAS 1'OF
Date: I 0
HEALTHCHECK360" City Co nselor
By:
Name: Michael P Kel(
Title: Vice President of HealthCCheck360°
Date:
v051516 866.511.0360 1 WWW.HEALTHCHECK360.COM 1 800 MAIN STREET I DUBUQUE,IOWA 52001 Page 33
CC-03