055-2014 - Next Generation Enrollment - Enrollment Administration
NEXT GENERATION ENROLLMENT, INC.
ADMINISTRATION AGREEMENT — DEPENDENT ELIGIBILITY AUDIT
This Administration Agreement ("Agreement") is made by and between City of
Richmond ("Employer") and Next Generation Enrollment, Inc., a Michigan
corporation with its principal place of business in Ada, Michigan ("Next Generation").
Employer has established one or more other group health plans and Employer desires to
have Next Generation provide certain administrative services in connection with the Plans
and enters into this Agreement for that purpose.
ARTICLE 1
DEFINITIONS
The following definitions will apply to the terms in this Agreement unless otherwise
expressly stated:
(a) "Agreement" means this Administration Agreement, including all Exhibits.
(b) "COBRA" means the Consolidated Omnibus Budget Reconciliation Act of 1985,
as amended.
(c) "Code" means the Internal Revenue Code of 1986, as amended.
(d) "Employer" has the meaning stated above.
(e) "FMLA" means the Family and Medical Leave Act of 1993, as amended.
(f) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996.
(g) "Plans" means the plans for which Employer has retained Next Generation to
provide services. The names of the Plans are listed in Exhibit B.
(h)
ARTICLE 2
DUTIES OF NEXT GENERATION
Section 2.1 Dependent Eligibility Audit
Employer is retaining Next Generation to provide administrative services in connection
with the Plans during the term of this Agreement. Next Generation will do the following
with regard to the Plans (place an "X" in the box for each service to be provided):
(a) Assist Employer in determining plan dependent eligibility
(b) Draft all employee communication pieces and work with Employer for
approval
(c) Print, stuff, and mail two (2) separate letters to employees' homes
regarding audit. One at onset and follow-up mailer to employees failing
to respond
(d) Coordinate two (2) automated outbound calls to employees in order to
remind them of audit
(e) Establish a call center for the purpose of employee questions and issues
that arise during audit
(f) Receive all employee documentation, solely by secure email and by mail
to the Next Generation PO Box, during audit and verify each employee
has provided the required documentation in order to continue to cover
dependents. Required documentation will be set forth by Employer and
validation will be based upon Employer's eligibility wording
(g) With fifteen (15) days remaining for employees to provide the proper
documentation, Next Generation will produce a personalized memo that
will be delivered by Employer to each employee with a dependent that is
not fully documented
(h) After employees have been identified as having dependents that will lose
coverage due to not providing the proper documentation, Next
Generation will send each an Appeals Letter
(i) Next Generation will administer an appeals process for employees to
provide proper documentation following the Appeals Letters.
(j) Provide Employer with ongoing status reports of progress of audit and
fifteen (15) days prior to end of audit, provide Employer with listing of
employees with outstanding documentation
(k) At completion of audit, deliver all employee documentation electronically
sorted alphabetically. All employee documentation is owned by Employer
ARTICLE 3
ADDITIONAL SERVICES
Section 3.1 Additional Services Available.
At Employer's request, Next Generation will perform the following services in addition to
its duties under Article 2:
(a) Assistance with annual open enrollment not described in Article 2.
(b) Collection of Employer annual election forms not described in Article 2.
(c) Communication of benefit plan changes during annual open enrollment
not described in Article 2.
(d) Any other additional services agreed to by Employer and Next
Generation.
ARTICLE 4
DUTIES OF EMPLOYER
Section 4.1 Eligibility Information
It will be the duty of the Employer to provide the required Eligibility information for Next
Generation Enrollment to conduct audit.
Section 4.2 Approval of Communication Pieces
Employer will have final say on and will sign off on all pieces sent to employees in
conjunction with audit.
Section 4.3 Information to be Provided to Next Generation.
Employer will provide Next Generation with all information relating to the Plans and its
participants necessary for Next Generation to perform its duties under this Agreement.
Employer understands that in order for Next Generation to carry out its duties under this
Agreement, Employer must provide this information to Next Generation on a timely basis.
Further, Next Generation will be entitled to fully rely on the accuracy and completeness of
any information submitted by Employer on behalf of the Plans and Next Generation will
have no duty or responsibility to verify such information.
In order to conduct audit, Next Generation Enrollment will require an electronic file,
preferably in Microsoft Excel, containing the following information:
1. Employee First Name
2. Employee Last Name
3. Employee Social Security Number (last four (4) digits)
4. First Name of all Covered Dependents
5. Last Name of all Covered Dependents
6. Relationship Type of all Covered Dependents
7. Dates of Birth of all Covered Dependents
8. Employee Home Address, City, State, Zip
9. Employee Phone Number (if available)
Section 4.4 Compliance with Plans and Law.
Employer will be responsible for the following with respect to the Plans:
(a) To determine if a participant may make a mid-year election change due
to a change in status or other circumstances as set forth in the cafeteria
plan and prescribed by law.
(b) To comply with the applicable provisions of FMLA.
(c) To comply with the applicable provisions of COBRA, including, but not
limited to, the notification to each Qualified Beneficiary of his or her right
to continuation coverage in connection with the Plans where required,
except as otherwise provided by Next Generation under this Agreement.
Section 4.5 Instructions to Next Generation.
Employer will advise Next Generation, in writing, of the name and duties of each
individual to whom responsibilities have been delegated in connection with the
administration of the Plans. Next Generation will act, and be fully protected in acting, in
accordance with the written directions of any individual designated by Employer. Next
Generation will not be bound by any communication under the Plans or this Agreement
not made in writing.
ARTICLE 5
PLAN ADMINISTRATION, LIABILITY AND INDEMNIFICATION
Section 5.1 Benefit Administrator.
Next Generation will have neither discretionary authority nor control concerning the
management of the Plans, nor exercise any control with respect to the management of
any funds and will not render investment advice with respect to any funds. Next
Generation will have no power to add to, subtract from, or modify any terms of the Plans.
In addition, Next Generation is not the plan administrator of Employer's Plans or the
trustee of any funds. Further, Next Generation does not actually pay benefits or provide
insurance for benefits with respect to Employer's Plans.
Section 5.2 Liability.
Except as otherwise provided in this Agreement, Employer will retain the liability:
(a) For all Plan benefit claims and expenses incident to the Plans;
(b) For any state premium tax, or similar tax, including any penalties or
interest, assessed on the basis of and/or measured by the amount of
Plan benefit funds handled pursuant to this Agreement;
(c) For any acts or omissions by the Employer or its employees, agents or
affiliates arising out of this Agreement or the administration of the Plans;
and
(d) For any legal action or proceeding to recover benefits under the Plans.
Section 5.3 Indemnification.
Employer agrees to indemnify and hold harmless Next Generation and its directors,
officers, members, managers, employees and agents against any and all claims, lawsuits,
settlements, judgments, costs, taxes, penalties and expenses (including attorneys' fees)
resulting from the performance of services relating to the Plans by Next Generation.
However, this provision will not apply if the claim or liability is the direct consequence of
fraudulent or negligent acts or omissions by Next Generation or its directors, officers,
members, managers, employees or agents.
Next Generation agrees to indemnify and hold harmless Employer and its directors,
officers, members, managers, employees and agents against any and all claims, lawsuits,
settlements, judgments, costs, taxes, penalties and expenses (including attorneys' fees)
resulting from the direct consequence of fraudulent or negligent acts or omissions in the
performance of services relating to the Plans by Next Generation.
In the event that either party to this Agreement is successful in pursuing any legal action
against the other party to this Agreement on account of the default or violation of any of
the terms of this Agreement, that party will be entitled to recover, in addition to any other
relief to which they are entitled, reasonable attorneys' fees.
ARTICLE 6
TERM OF AGREEMENT
Section 6.1 Term and Renewal.
This Agreement will become effective on March 1, 2014, and will remain in full force and
effect until the final payment is made by Employer and the Employer considers the audit
to be completed which is expected to be May 31, 2014.
Section 6.2 Payment.
Employer agrees to fees as set forth in Exhibit A. Payment is due fifteen (15) days after
receipt of Next Generation Enrollment invoice(s).
Employer understands that penalties and late fees may apply if payments to Next
Generation Enrollment, Inc. are not made on a timely basis, subject to Indiana Code (IC)
5-17-5 as applicable.
Section 6.3 Fees.
Fees are fixed for the length of the agreement. For subsequent agreements, Next
Generation Enrollment, Inc. reserves the right to propose a change to the associated fees.
Any change in fees for subsequent agreements shall be subject to the mutual agreement
of the Employer and Next Generation.
ARTICLE 7
MISCELLANEOUS PROVISIONS
Section 7.1 Termination of this Agreement.
(a) At any time during the Term, this Agreement may be terminated by the mutual
consent in writing of both parties.
(b) During the Term, either party may terminate this Agreement in the event the
other party breaches any material provision of this Agreement, and such breach is not cured
within thirty (30) days of receipt of written notice thereof. In addition, Next Generation shall
have the right, at any time, to immediately terminate this Agreement in the event Employer:
(i) is late with payment of Services Fees as outlined and payable under this
Agreement or any Exhibits referenced or attached hereto;
(ii) files or has filed against it a petition in bankruptcy or if Employer makes
an assignment for the benefit of creditors; or
(iii) fails to timely provide Next Generation with required information
necessary for Next Generation to perform its obligations hereunder.
(d) Upon termination and to the extent permitted by law, it is the intent of the
parties that they be placed in their respective positions, as they existed immediately
before entry into this Agreement.
(e) Employer hereby agrees that if Employer terminates this Agreement for any
reason other than those set forth in this Section, Next Generation reserves the right to
invoice Employer up to $25.00 per employee for each employee who has, or would have,
received a Dependent Eligibility Audit letter. NGE may exercise any other provisional or
ancillary remedies by and through a court, agency or tribunal at any time even if the
dispute resolution and escalation process outlined in Section 7.2 has been invoked by
either party. Next Generation shall retain all rights, claims and remedies against
Employer, regardless of any termination under this paragraph or the Agreement.
Section 7.2 Dispute Escalation and Resolution.
The following procedure will be adhered to in all disputes or disagreements arising out of
this Agreement which the parties cannot resolve informally. The aggrieved party shall
notify the other party in writing of the nature of the dispute with as much detail as
possible. Each party shall designate a representative with full authority to address and/or
resolve the dispute or disagreement. The designated representatives shall meet (in person
or by telephone) within fifteen (15) business days after the date of the written notification
to reach an agreement about the nature of the dispute or disagreement and the corrective
action to be taken by the respective parties.
If the designated representatives do not meet or are unable to agree on corrective action,
the parties shall have thirty (30) days within which to institute a one-day mediation with a
third party mediator mutually agreeable to both parties. The cost of such mediation shall
be shared by the parties, exclusive of any reasonable attorneys' fees, if any. Except as
otherwise specifically provided, neither party shall initiate legal action to enforce its rights
unless and until this dispute resolution procedure has been substantially complied with or
waived. Failure of a party to fulfill its obligations in this Paragraph 12, including failure to
meet timely upon the other party's notice, shall be deemed such a waiver.
Nothing in this section shall affect, abrogate, or act as a waiver of either party's rights to
terminate this Agreement as outlined in Section 7.1, nor shall this section eliminate nor
inhibit Next Generation's rights and/or remedies in law or equity to collect any outstanding
balances due and owing for services rendered. This section shall survive termination of
this Agreement.
Section 7.3 HIPAA Compliance.
If any "protected health information," as defined by HIPAA, is provided by, or created or
received by, Next Generation from or on behalf of Employer under this Agreement, Next
Generation, the Plans and Employer will enter into business associate agreements as
required under HIPAA.
Section 7.4 Amendment.
No amendment to this Agreement will be effective unless it is in writing and signed by
both of the parties.
Section 7.5 Inspection of Records.
Employer or its authorized representative may periodically inspect and audit all relevant
documents, books and records of Next Generation pertaining to its administration of the
Plans at mutually agreeable times and with proper notice during the term of this
Agreement. Any such reviews will occur during normal business hours, 8:00AM to
8:00PM Monday through Friday, excluding holidays.
Section 7.6 Notices.
Any written notice required to be provided in connection with this Agreement will be
made in writing via hand delivery, first-class mail, certified mail or telefax to each party
as follows:
Next Generation Enrollment, Inc.
Attn: Bradley J. Taylor
455 Pettis Ave, Ada, MI 49301
Phone No: 616-676-4801
Employer: City of Richmond
Attn: D. Sue Roberson
Phone Number: 765-983-7244
Section 7.7 Enforcement of Rights.
No failure or delay by either party to this Agreement in the exercise of any right under
this Agreement, or enforcing or requiring the compliance or performance by the other
party to this Agreement of any of the representations, warranties, covenants, terms or
conditions of this Agreement, will operate as a waiver of any such right, or constitute a
waiver of the breach of any such representation, warranty, covenant, term or condition
nor will any single or partial exercise of any such right preclude, affect or impair such
rights generally in any way.
Section 7.8 Severability.
If any provision of this Agreement is determined to be void by any court of competent
jurisdiction and such determination will not affect any other provision of this Agreement
and if any other provision of this Agreement is capable of two constructions, one of
which would render the provision void and the other of which would render the provision
valid, the provision will have the meaning which renders it valid.
Section 7.9 Confidentiality.
Next Generation will maintain the confidentiality of personal data identifying individual
participants. Next Generation will not disclose personal information that may be
associated with an identifiable participant except as required or permitted by law or for
the administration of the Plans.
Section 7.10 Tax Consequences.
Next Generation does not warrant or guarantee the legal and tax consequences under
the Plans or this Agreement. Employer, as Plan Administrator, is responsible for
retaining independent counsel to determine the legal and tax consequences of the Plans.
Section 7.11 Entire Understanding.
This Agreement represents the understanding between Employer and Next Generation,
and cancels and replaces any and all prior agreements between them. Any amendment
of this Agreement will be in writing and signed by Employer and Next Generation.
Section 7.12 Binding Effect.
This Agreement will be binding on, and inure to the benefit of, Employer and Next
Generation and their respective successors and assigns.
Section 7.13 Construction.
This Agreement will be governed by the laws of the state of Indiana except to the extent
preempted by ERISA.
Section 7.14 Force Majeure.
Neither party will be responsible for any failure to perform hereunder due to unforeseen
circumstances or to causes beyond its reasonable control, including, but not limited to,
hardware or software error, acts of God, war, riot, embargoes, acts of civil or military
authorities, fire, floods, accidents, strikes, or shortages of transportation, facilities, fuel,
energy, labor or materials.
Section 7.15 Prohibition Against Discrimination
(a) Pursuant to Indiana Code 22-9-1-10, Next Generation, any sub-contractor, or
any person acting on behalf of Next Generation or any sub-contractor shall not
discriminate against any employee or applicant for employment to be employed in the
performance of this Agreement, with respect to hire, tenure, terms, conditions or
privileges of employment or any matter directly or indirectly related to employment,
because of race, religion, color, sex, disability, national origin, or ancestry.
(b) Pursuant to Indiana Code 5-16-6-1, the Next Generation agrees:
(i) That in the hiring of employees for the performance of work under this
Agreement of any subcontract hereunder, Next Generation, any subcontractor, or any
person acting on behalf of Next Generation or any sub-contractor, shall not discriminate
by reason of race, religion, color, sex, national origin or ancestry against any citizen of
the State of Indiana who is qualified and available to perform the work to which the
employment relates;
(ii) That Next Generation, any sub-contractor, or any person acting on
behalf of Next Generation or any sub-contractor shall in no manner discriminate against
or intimidate any employee hired for the performance of work under this Agreement on
account of race, religion, color, sex, national origin or ancestry;
(iii) That there may be deducted from the amount payable to Next
Generation by the Employer under this Agreement, a penalty of five dollars ($5.00) for
each person for each calendar day during which such person was discriminated against
or intimidated in violation of the provisions of the Agreement; and
(iv) That this Agreement may be canceled or terminated by the Employer
and all money due or to become due hereunder may be forfeited, for a second or any
subsequent violation of the terms or conditions of this section of the Agreement.
(c) Violation of the terms or conditions of this Agreement relating to discrimination
or intimidation shall be considered a material breach of this Agreement.
Section 7.16 E-Verify
Pursuant to Indiana Code 22-5-1.7, Next Generation is required to enroll in and verify
the work eligibility status of all newly hired employees of the contractor through the
Indiana E-Verify program. Next Generation is not required to verify the work eligibility
status of all newly hired employees of the contractor through the Indiana E-Verify
program if the Indiana E-Verify program no longer exists. Prior to the performance of
this Agreement, Next Generation shall provide to Employer its signed Affidavit affirming
that Next Generation does not knowingly employ an unauthorized alien in accordance
with IC 22-5-1.7-11 (a) (2). In the event Next Generation violates IC 22-5-1.7 Next
Generation shall be required to remedy the violation not later than thirty (30) days after
Employer notifies Next Generation of the violation. If Next Generation fails to remedy
the violation within the thirty (30) day period provided above, Employer shall consider
Next Generation to be in breach of this Agreement and this Agreement will be
terminated. If Employer determines that terminating this Agreement would be
detrimental to the public interest or public property, Employer may allow this Agreement
to remain in effect until Employer procures a new contractor. If this Agreement is
terminated under this section, then pursuant to IC 22-5-1.7-13 (c) Next Generation will
remain liable to Employer for actual damages.
Section 7.18 Iran Investment Activities
Pursuant to Indiana Code (IC) 5-22-16.5, Next Generation certifies that it is not engaged
in investment activities in Iran. In the event Employer determines during the course of
this Agreement that this certification is no longer valid, Employer shall notify Next
Generation in writing of said determination and shall give Next Generation ninety (90)
days within which to respond to the written notice. In the event Next Generation fails to
demonstrate to Employer that Next Generation has ceased investment activities in Iran
within ninety (90) days after the written notice is given to Next Generation, Employer
may proceed with any remedies it may have pursuant to IC 5-22-16.5. In the event
Employer determines during the course of this Agreement that this certification is no
longer valid and said determination is not refuted by Next Generation in the manner set
forth in IC 5-22-16.5, Employer reserves the right to consider Next Generation to be in
breach of this Agreement and terminate the agreement upon the expiration of the ninety
(90) day period set forth above.
IN WITNESS OF WHICH, Employer and Next Generation have executed this
Administration Agreement.
Dated: ____________, 201_
NEXT GENERATION ENROLLMENT, INC.
EMPLOYER
CITY OF RICHMOND, INDIANA, BY AND THROUGH ITS
BOARD OF PUBLIC WORKS AND SAFETY
Dated: ____________, 201_
By:
Vicki Robinson, President
By:
Richard Foore, Member
By:
Anthony Foster, II, Member
Approved:
Sarah L. Hutton, Mayor
EXHIBIT A - Fee Schedule
Basic Services — Sections 2.1
Next Generation charges a percentage of the saving generated from the Dependent
Audit. The value of one dependent will be based upon the actual annual medical claims
utilization of the average dependent covered under the audited insurance plans. Next
Generation has based its pricing on an annual cost to the medical plan of $XXXX.XX per
insured dependent and an annual cost to the dental plan of $XXX.XX per insured
dependent.
Twenty (20%) percent of one year's worth of savings for each dependent removed
capped when 6% of audited dependents have been found to be ineligible will be paid to
Next Generation.
Next Generation's invoice will be generated following the agreed upon completion of the
dependent audit.
NGE's fees are based upon all dependents found to be ineligible along with those who
either did not respond in the allotted timeframe and those who responded but with
inadequate documentation to prove eligibility as of the mutually agreed upon end of the
appeals period noted below.
City of Richmond Audit Timeline and Process
1. Pre-Audit Communication Work: Week of March 3, 2014
2. Initial Letter announcing Audit mailed on: March 11, 2014 and therefore,
the start date for the Dependent Eligibility Audit
3. First Automated Outbound Phone Call placed on: April 1, 2014
4. Follow-up Letter mailed on: April 15, 2014
5. Customized memo for each employee detailing what is outstanding (memo
hand delivered by Employer): April 29, 2014
6. Second Automated Outbound Phone Call placed on: May 6, 2014
7. Deadline for Employees to Postmark required documentation: May 10,
2014
8. Date of mailing of Appeals Letters detailing the fact that a dependent has
been removed from the medical plan: May 16, 2014
9. Timing of appeals process for employees to postmark documentation: May
16, 2014 to May 26, 2014
10. Recap meeting to discuss appeals and total value of removed dependents:
Week of May 26, 2014
Employer and Next Generation will set a Pre-Determined schedule for the conduction
of audit. Employer has ultimate authority as to which employees have dependents
that lose coverage. Employer may also change timeframe and extend the amount of
time employees have to provide the required documentation. However, Next
Generation Enrollment is hired to conduct this audit for a certain length of time.
Employer assumes all on-going management of audit at the PRE-DETERMINED end
date of audit if Employer decides to extend the time period.
NO FEE ADJUSTMENTS WILL BE MADE FOR DEPENDENTS WHO ARE FOUND TO BE
ELIGIBLE AFTER THE AGREED UPON END DATE IN THE TIMELINE ABOVE. NOR WILL
ANY FEE ADJUSTMENTS BE MADE FOR DEPENDENTS THAT THE EMPLOYER CHOOSES
TO ALLOW TO REMAIN ON THE PLAN.
EXHIBIT B
Plans and Employee Groups
The benefit plans subject to the dependent eligibility audit are as follows:
1. Medical Plan
BUSINESS ASSOCIATE AGREEMENT
[amended for HITECH under ARRA]
This Business Associate Agreement ("Agreement") is entered into by and between City of Richmond on
behalf of the group medical plan ("Covered Entity") and Next Generation Enrollment, Inc. ("Business Associate").
I. Purpose
A. Business Associate is contractually obligated to provide certain services related to one or more
"covered entities" as that term is defined and regulated under HIPAA. The parties to this
Agreement acknowledge that (1) Business Associate is a "business associate" as that term is
defined and regulated under the Health Insurance Portability and Accountability Act of 1996, as
amended ("HIPAA"); and (2) Business Associate provides services to one or more "covered
entities" as that term is defined and regulated under HIPAA.
B. This Agreement is intended to constitute a "business associate" agreement between the Plan, as
a Covered Entity, and the Business Associate, as required under the privacy and security
provisions of HIPAA, as amended. Portions of HIPAA apply directly to Business Associate as
provided in the Health Information Technology for Economic and Clinical Health Act ("HITECH"),
part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business Associate's
obligations under this Agreement may be the same as, or in some cases in addition to, Business
Associate's own obligations under HIPAA as provided in HITECH.
II. Special Definitions
The following definitions are used by this Agreement:
A. Agreement — means this Business Associate Agreement, which is an agreement required under
45 C.F.R. Section 164.314(a)(2) between a Business Associate and a Covered Entity.
B. ARRA — means the American Recovery and Reinvestment Act of 2009.
C. Breach — means the unauthorized acquisition, access, use, or disclosure of Protected Health
Information regarding a Covered Individual that (1) prior to September 23, 2013, poses a
significant risk of financial, reputational, or other harm to such Covered Individual, or (2) on or
after September 23, 2013, compromises the security or privacy of the Protected Health
Information as determined in accordance with 45 C.F.R. Section 164.402. Notwithstanding the
foregoing, a Breach does not include: (1) any unintentional acquisition, access, or use of
Protected Health Information by an employee or individual acting under the authority of
Covered Entity or Business Associate and in the scope of the employment or relationship
between the employee or individual and Covered Entity or Business Associate, provided such
information is not further acquired, accessed, used, or disclosed by any person without
authorization; (2) any inadvertent disclosure by an individual who is authorized to access
Protected Health Information at Covered Entity's or Business Associate's facility to another
similarly situated individual at the same facility, provided such information is not further
acquired, accessed, used, or disclosed by any person without authorization; and (3) a disclosure
of Protected Health Information in a situation in which Business Associate has a good faith belief
that the person(s) to which the unauthorized disclosure was made would not reasonably have
been able to retain such information.
D. Business Associate — means Next Generation Enrollment, Inc., a person described in 45 C.F.R.
Section 160.103 who performs certain functions on behalf of a Covered Entity.
E. Covered Electronic Transactions — shall have the meaning given to the term "transaction" in 45
C.F.R. Section 160.103.
F. Covered Entity — means the Plan, an entity described in 45 C.F.R. Section 160.103.
G. Covered Individual — means a person who is eligible for payment of certain services or supplies
rendered or sold to the person or the person's eligible dependents under the terms, conditions,
limitations, and exclusions of the Plan.
H. Data Aggregation — means, with respect to Protected Health Information created or received by
Business Associate in its capacity as a business associate (as that term is defined in 45 C.F.R.
Section 160.103) of the Plan, the combining of such Protected Health Information by Business
Associate with the Protected Health Information received by Business Associate in its capacity as
a business associate of another covered entity (as those terms are defined in 45 C.F.R. Section
160.103), to permit data analyses that relate to the health care operations of the respective
covered entities.
I. Designated Record Set — means a group of records maintained by or for Covered Entity that is
(1) the medical records and billing records about Individuals maintained by or for a covered
health care provider, (2) the enrollment, payment, claims adjudication, and case or medical
management record systems maintained by or for Covered Entity, or (3) used, in whole or in
part, by or for Covered Entity to make decisions about Individuals. As used herein, the term
"Record" means any item, collection, or grouping of information that includes Protected Health
Information and is maintained, collected, used or disseminated by or for Covered Entity.
J. Effective Date — means [February 12, 2014], unless specifically noted otherwise herein.
K. Electronic Health Record — means an electronic record of health-related information regarding
an Individual that is created, gathered, managed, and consulted by authorized health care
clinicians and their staff.
L. Electronic Protected Health Information — shall have the same meaning as the term "electronic
protected health information" in 45 C.F.R. Section 160.103, limited to the information created,
received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
M. GINA - shall mean the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-223).
N. HITECH — means Health Information Technology for Economic and Clinical Health Act.
O. HHS — means the United States Department of Health and Human Services.
P. Including — means "including but not limited to."
Q. Individual — shall have the same meaning as the term "individual" in 45 C.F.R. Section 160.103
and shall include a person who qualifies as a personal representative in accordance with 45
C.F.R. Section 164.502(g).
R. Limited Data Set — shall have the same meaning as the term "limited data set" in 45 C.F.R.
Section 164.514(e)(2).
S. Plan — means the group health plan(s) identified in the introductory paragraph to this
Agreement.
T. Privacy Rule — means the Standards and Privacy of Individually Identifiable Health Information
at 45 C.F.R. Part 160 and Part 164, subparts A and E and the privacy provisions of HIPAA, as
amended.
U. Protected Health Information — shall have the same meaning as the term "protected health
information" in 45 C.F.R. 160.103, limited to the information created, received, maintained, or
transmitted by Business Associate from or on behalf of Covered Entity. Protected Health
Information specifically includes Electronic Protected Health Information.
V. Required By Law — shall have the same meaning as the term "required by law" in 45 C.F.R.
Section 164.103.
W. Secretary — means the Secretary of the Department of Health and Human Services or his/her
designee.
X. Security Incident — shall have the same meaning as the term "security incident" in 45 C.F.R.
Section 164.304, unless defined differently in Covered Entity's policies and procedures for
compliance with the Security Rule, which shall be provided to the Business Associate.
Y. Security Rule — means the Security Standards and Implementation Specifications at 45 C.F.R.
Part 160 and Part 164, subpart C and the security provisions of HIPAA, as amended.
Z. Standards for Electronic Transactions Rule - means the final regulations issued by HHS
concerning standard transactions and code sets under the Administrative Simplification
provisions of HIPAA, 45 C.F.R. Part 160 and Part 162.
AA. Subcontractor — means an agent of a Business Associate described in 45 C.F.R. Section 165.103
to whom the Business Associate provides protected health information that the Business
Associate creates, receives, maintains, or transmits on behalf of a Covered Entity.
BB. Unsecured Protected Health Information — means Protected Health Information that has not
been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the
use of a technology or methodology specified by the Secretary. As of August 24, 2009, the
Secretary has specified the following technologies and methodologies that will render Protected
Health Information unusable, unreadable, and indecipherable (i.e., secured Protected Health
Information): (1) encryption as described in the Secretary's guidance and determined by the
National Institute of Standards and Technology to meet the standards described in such
guidance, or (2) destruction, in accordance with the procedures identified in the Secretary's
guidance, of the media on which the Protected Health Information was stored or recorded.
III. Privacy Provisions
A. Introduction. Business Associate, on behalf of Covered Entity, performs or assists in the
performance of functions and activities that may involve the use, disclosure, receipt and/or
creation of Protected Health Information. The "business associate" provisions of the Privacy
Rule govern the terms and conditions under which the Business Associate may use or disclose
Protected Health Information. In general, Business Associate agrees and intends to act such that
(1) Covered Entity can fulfill its responsibilities under HIPAA; and (2) Business Associate can
fulfill its contractual obligations under this Agreement. In addition, Business Associate
specifically acknowledges its direct liability for the failure to comply with certain portions of the
Privacy Rule as provided under HITECH and the regulations issued thereunder.
B. Permitted Uses and Disclosures by Business Associate.
1. Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information (i) to perform functions, activities, or services for, or on
behalf of, Covered Entity pursuant to any services agreement with the Business
Associate, (ii) as permitted or required by this Agreement, and (iii) as Required by Law.
Business Associate may disclose Protected Health Information to other business
associates of Covered Entity, or to business associates of another covered entity that is
part of an organized health care arrangement that includes Covered Entity, to the fullest
extent allowed under applicable law. If and when Business Associate discloses or makes
available Protected Health Information to the sponsor of the Plan, Business Associate
agrees to disclose or make available Protected Health Information only to the persons
identified in the attached Designated Persons Appendix (which may be updated by
Covered Entity and communicated to Business Associate from time to time) for the
purpose of performing functions, services, or activities for or on behalf of Covered
Entity. Upon Covered Entity's request, Business Associate will provide Protected Health
Information to other business associates of Covered Entity that assist in administering
the group health plans and that are authorized to receive such information.
2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information for the proper management and administration of its business or to carry
out its legal responsibilities.
3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected
Health Information for the proper management and administration of its business, if:
i) the disclosures are Required by Law, or
ii) Business Associate obtains reasonable assurances from the person to whom the
information is disclosed that the information will be held confidentially and will
be used or further disclosed only as Required by Law or for the purpose for
which it was disclosed to such person, and the person will promptly notify the
Business Associate of any instances of which the person is aware in which the
confidentiality of the information has been breached.
4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to provide Data Aggregation services to Covered Entity as permitted by 45
C.F.R. Section 164.504(e)(2)(i)(B).
5. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to report violations of law to appropriate Federal and State authorities,
consistent with 45 C.F.R. Section 164.502(j)(1).
6. Business Associate will limit the use, disclosure, or request of Protected Health Information,
to the extent practicable, (i) to the Limited Data Set, or (ii) if needed by Business
Associate, to the minimum necessary (as determined by Business Associate) to
accomplish the intended purpose of such use, disclosure, or request, except to the
extent a broader use, disclosure, or request of Protected Health Information is allowed
by the Privacy Rule. Business Associate's ability to satisfy the requirement of this
Paragraph III.B.6 by use of the Limited Data Set shall be available until the effective date
of subsequent guidance issued by the Secretary regarding what constitutes "minimum
necessary," at which time Business Associate will take reasonable efforts to limit the
use, disclosure, or request of Protected Health Information to the minimum necessary
(as defined by such Secretary's guidance) to accomplish the intended purpose of such
use, disclosure, or request, except to the extent a broader use, disclosure, or request of
Protected Health Information is allowed by the Privacy Rule.
7. Except as otherwise authorized by the Privacy Rule, Business Associate shall not directly or
indirectly receive remuneration (whether financial or nonfinancial) in exchange for any
Protected Health Information of a Covered Individual unless Covered Entity has received
a valid authorization from the Covered Individual that includes a specification of
whether the Protected Health Information can be further exchanged for remuneration
by the entity receiving Protected Health Information of that Covered Individual. This
Paragraph III.B.7 shall apply to exchanges of Protected Health Information occurring on
or after the compliance date applicable under the final regulations issued under HITECH
that address this restriction.
8. Except as otherwise allowed by the Privacy Rule, Business Associate may not use or disclose
Protected Health Information regarding a Covered Individual with respect to a
communication about a product or service that encourages recipients of the
communication to purchase or use the product or service unless Covered Entity receives
no direct or indirect payment in exchange for making such communication and the
communication is made to the Covered Individual: (i) to describe a health-related
product or service (or payment for such product or service) that is provided by, or
included in, the Plan, including communications about the entities participating in a
health care provider network or health plan network, replacement of, or enhancements
to, the Plan, and health-related products or services available only to Covered
Individuals that add value to, but are not part of, the Plan; (ii) for treatment of the
Covered Individual; or (iii) for case management or care coordination for the Covered
Individual, or to direct or recommend alternative treatments, therapies, health care
providers, or settings of care to the Covered Individual. Notwithstanding the foregoing,
Business Associate may use or disclose Protected Health Information regarding a
Covered Individual with respect to a communication about a product or service that
encourages recipients of the communication to purchase or use the product or service if
the communication relates to a prescription drug that is currently being prescribed for a
Covered Individual and any financial remuneration received by Covered Entity in
exchange for making the communication is reasonably related to Covered Entity's cost
of making the communication. This Paragraph III.B.8 shall apply to disclosures of
Protected Health Information occurring on or after the compliance date applicable
under the final regulations issued under HITECH that address this restriction.
C. Limitations on Business Associate's Uses and Disclosures. With respect to Protected Health
Information that Covered Entity discloses to Business Associate or Business Associate creates,
receives, maintains, or transmits on behalf of Covered Entity, Business Associate will not use or
further disclose the Protected Health Information other than as permitted or required by this
Agreement (including, but not limited to, any restrictions described in Section III.E.4) or as
Required by Law.
D. Additional Obligations of Business Associate. Except as otherwise specified in this Agreement,
the provisions of this Paragraph III.D. apply only to Protected Health Information that Covered
Entity discloses to Business Associate or Business Associate creates, receives, maintains, or
transmits on behalf of Covered Entity.
1. Safeguards. Business Associate will use appropriate safeguards to prevent the improper use
of, disclosure of, and tampering with Protected Health Information and to reasonably
and appropriately protect the confidentiality, integrity, and availability of the Electronic
Protected Health Information.
2. Reporting and Mitigation. Business Associate will report to Covered Entity any acquisition,
access, use, or disclosure of Protected Health Information of which Business Associate
becomes aware, or that is reported to Business Associate by an agent or Subcontractor,
that is in violation of this Agreement. Such report shall be made within ten (10)
business days of its discovery (as that term is defined in 45 C.F.R. Section 164.410(a)(2))
by Business Associate. Business Associate agrees to promptly mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of an acquisition,
access, use, or disclosure in violation of this Agreement. This obligation includes, but is
not limited to, any acquisition, access, use, or disclosure of Unsecured Protected Health
Information that may constitute a Breach. The determination of whether a Breach has
occurred, and of the resultant action, shall be the responsibility of Covered Entity.
3. Agents and Subcontractors. Business Associate will enter into a written contract with any
agent or Subcontractor who creates, receives, maintains, or transmits Protected Health
Information on behalf of Business Associate that requires such agent or Subcontractor
to comply with the same restrictions and conditions that apply by and through this
Agreement to Business Associate with respect to such information. Business Associate
will be liable to Covered Entity for any acts, failures or omissions of the agent or
subcontractor in providing the services as if they were Business Associate's own acts,
failures or omissions, to the extent permitted by law. Business Associate further
expressly warrants that its agents or subcontractors will be specifically advised of, and
will comply in all respects with, the terms of this Agreement.
4. Access to Protected Health Information. Within fifteen (15) days of a request by Covered
Entity for access to Protected Health Information about a Covered Individual, Business
Associate shall make available to Covered Entity or, as directed by Covered Entity, a
Covered Individual such Protected Health Information contained in a Designated Record
Set. Effective September 23, 2013, if the Protected Health Information requested by
Covered Entity is maintained in a Designated Record Set electronically, Business
Associate shall make available, within the time period specified above, a copy of such
information in the electronic form and format specified by Covered Entity, provided
such information is readily producible in such form and format. If the information is not
readily producible in such form and format, Business Associate shall make the
information available in a readable electronic form and format as agreed to by the
parties. In the event any Covered Individual requests access to Protected Health
Information directly from Business Associate, Business Associate shall within five (5)
days forward such request to Covered Entity. Notwithstanding anything herein to the
contrary, Covered Entity shall be ultimately responsible for providing access to the
requested Protected Health Information or making the determination to deny access to
requested Protected Health Information.
5. Amendment of Protected Health Information. Within fifteen (15) days of receipt of a
request from Covered Entity or a Covered Individual for the amendment of Protected
Health Information or a record regarding a Covered Individual contained in a Designated
Record Set, Business Associate shall (i) provide such information to Covered Entity for
amendment, and (ii) incorporate any such amendments in the Protected Health
Information as required by 45 C.F.R. Section 164.526. It shall be Covered Entity's
responsibility to promptly notify Business Associate of the request for an amendment.
Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately
responsible for determining whether the requested amendment shall be made and, if
the request is denied, in whole or in part, complying with 45 C.F.R. Section 164.526.
6. Disclosure Accounting. Business Associate agrees to track such disclosures of Protected
Health Information and information related to such disclosures as is necessary to enable
Covered Entity to respond to a request by a Covered Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 C.F.R. Section
164.528. Within fifteen (15) days of receipt of notice from Covered Entity that it has
received a request for an accounting of disclosures of Protected Health Information
regarding a Covered Individual, Business Associate shall make available to Covered
Entity such information as is in Business Associate's possession and is required for
Covered Entity to make the accounting required by 45 C.F.R. Section 164.528. At a
minimum, Business Associate shall provide Covered Entity with the following
information: (i) the date of the disclosure; (ii) the name of the entity or person who
received the Protected Health Information, and if known, the address of such entity or
person; (iii) a brief description of the Protected Health Information disclosed; and, (iv) a
brief statement of the purpose of such disclosure which includes an explanation of the
basis for such disclosure. Business Associate hereby agrees to implement an appropriate
record keeping process to enable it to comply with the requirements of this section and
applicable law. It shall be Covered Entity's responsibility to promptly notify Business
Associate of the request for an accounting, and to prepare and deliver any such
accounting requested. In addition to the foregoing, Business Associate shall track other
disclosures and/or make available to Covered Entity such information as is necessary for
Covered Entity to comply with any additional accounting requirements effective as of
the compliance date applicable under final regulations implementing such
requirements. Notwithstanding anything herein to the contrary, Covered Entity shall be
ultimately responsible for providing the disclosure accounting to the Covered Individual.
7. Access to Business Associate's Internal Records. Business Associate shall make its internal
practices, books, and records relating to the use and disclosure of Protected Health
Information received from, or created or received by Business Associate on behalf of,
Covered Entity available to Covered Entity or the Secretary, for the purposes of the
Secretary's determining compliance with HIPAA for Covered Entity and/or Business
Associate.
8. Electronic Transactions. In the event the Business Associate transmits or receives any
Covered Electronic Transaction on behalf of Covered Entity, it shall comply with all
applicable provisions of the Standards for Electronic Transactions Rule to the extent
Required by Law, and shall ensure that any agents and Subcontractors that assist
Business Associate in conducting Covered Electronic Transactions on behalf of Covered
Entity agree in writing to comply with the Standards for Electronic Transactions Rule to
the extent Required by Law.
11. GINA. Business Associate agrees not to use or disclose Protected Health Information
that contains genetic information if such use or disclosure would violate GINA.
E. Obligations and Rights of Covered Entity.
1. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice
of privacy practices that Covered Entity produces in accordance with 45 C.F.R. Section
164.520, as well as any changes to such notice.
2. Requests by Covered Entity. Covered Entity shall not request or direct Business Associate to
use or disclose Protected Health Information in any manner that would not be
permissible under the Privacy Rule if done by Covered Entity. This includes, but is not
limited to, requests or directions for disclosure of Protected Health Information to the
Plan sponsor in a capacity other than acting on behalf of the Plan as Covered Entity. To
the extent a dispute or difference of opinion exists between the Business Associate and
Covered Entity regarding whether a use or disclosure is permissible, Business Associate
may disclose the Protected Health Information under objection pursuant to the specific,
written direction of Covered Entity. Any disclosures made pursuant to such specific,
written direction shall be subject to the indemnification provisions of the Agreement.
3. Authorizations. Covered Entity shall notify Business Associate of any authorization provided
by an Individual to use or disclose Protected Health Information (and any changes in or
revocation of such an authorization), to the extent that such information may affect
Business Associate's use or disclosure of Protected Health Information. Upon receipt of
such notification, Business Associate shall use or disclose Protected Health Information
in accordance with the authorization or changes thereto.
4. Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or
disclosure of Protected Health Information to which Covered Entity has agreed in
accordance with 45 C.F.R. Section 164.522 or is required to agree under HITECH (and
any changes to or termination of such a restriction), to the extent that such restriction
may affect Business Associate's use or disclosure of Protected Health Information. Such
restrictions include, but are not limited to, a Covered Individual's request not to disclose
Protected Health Information for purposes of payment or health care operations where
the Protected Health Information relates solely to a health item or service for which the
health care provider has been paid in full out-of-pocket by, or on behalf of, the Covered
Individual. Upon receipt of such notification, Business Associate shall comply with such
a restriction.
5. Agreement Breaches by Business Associate. If Covered Entity obtains knowledge of a
pattern of activity or practice of Business Associate that constitutes a material breach or
violation of Business Associate's obligations under this Agreement, Covered Entity will
take reasonable steps to cure such breach or end such violation. If Covered Entity
cannot successfully cure the breach or end the violation, Covered Entity shall terminate
the Agreement in accordance with Section VI.B if feasible.
IV. Electronic Security Provisions
A. Introduction. This section applies where Business Associate, on behalf of Covered Entity,
performs or assists in the performance of functions and activities that may involve the creation,
maintenance, receipt, or transmission of Electronic Protected Health Information. This Section
IV along with the other sections of the Business Associate Agreement are (1) intended to meet
the requirements of the "business associate" provisions of Security Rule, and (2) govern the
terms and conditions under which the Business Associate may create, maintain, receive, and
transmit Electronic Protected Health Information on behalf of Covered Entity. In general,
Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its
responsibilities under HIPAA; (2) Business Associate can fulfill its responsibilities under HIPAA;
and (3) Business Associate can fulfill its contractual obligations under this Agreement.
B. Obligations of Business Associate. In accordance with the Security Rule, Business Associate
agrees to:
1. Conduct a security risk assessment (in accordance with 45 C.F.R. Section 164.308(a)(1)(ii)(A))
and adopt and implement policies and procedures designed to ensure compliance with the
Security Rule and this Agreement including, but not limited to, identifying a security officer
and training personnel. This Paragraph IV.B.1 shall be effective as of the compliance date
applicable under the final regulations issued under HITECH that address this requirement.
2. Implement administrative, physical and technical safeguards (including written policies and
procedures) that reasonably and appropriately protect the confidentiality, integrity, and
availability of the Electronic Protected Health Information that Business Associate creates,
maintains, receives, or transmits on behalf of Covered Entity.
3. Enter into a written contract with any agent or Subcontractor to whom Business Associate
provides Electronic Protected Health Information that requires such agent or Subcontractor
to comply with the same restrictions and conditions that apply under this Section IV to
Business Associate, including, but not limited to, implementing reasonable and appropriate
safeguards to protect such information.
4. Report to Covered Entity any Security Incident of which Business Associate becomes aware.
Business Associate shall provide such notification on a quarterly basis, unless a more prompt
notice is otherwise required by this Agreement (e.g., under Section III.D.2. or Article V).
With respect to Security Incidents that result from an unsuccessful attempt to access, use,
disclose, modify, or destroy Electronic Protected Health Information or interfere with
system operations in an information system containing Electronic Protected Health
Information, the notification required hereunder need only report the aggregate number of
such incidents.
5. Promptly mitigate, to the extent practicable, any harmful effect of a Security Incident that is
known to Business Associate.
C. Obligations of Covered Entity. Covered Entity shall not request or direct Business Associate to
create, maintain, receive, or transmit Electronic Protected Health Information in any manner
that would not be permissible under the Security Rule.
V. Breach Notification Requirements
A. Breach Notification. To the extent Business Associate accesses, maintains, retains, modifies,
records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health
Information, as set forth in Section 13402(h) of HITECH, Business Associate shall promptly report
to Covered Entity any Breach of such Unsecured Protected Health Information by it, its
subcontractors or agents of which it becomes aware. Notification to Covered Entity shall be
made without unreasonable delay and in no case later than fifteen business days after the
earlier of: (i) the first day on which such Breach is known to Business Associate; or (ii) the first
day on which such Breach, by exercising reasonable diligence, would have been known to any
person (other than the person committing the Breach) who is an employee, officer or other
agent of Business Associate. Notification of the Breach may only be delayed if such delay is
required by law enforcement purposes as set forth in 45 C.F.R. Section 164.412. Business
Associate shall exercise reasonable diligence and promptly supplement its report with any
additional information as may be obtained by Business Associate. Business Associate, its
affiliates, agents and subcontractors shall not provide any notification or information regarding
any Breach to any person other than Covered Entity, except to the extent such action is: (i)
required by law, (ii) required under this Agreement, or (iii) taken pursuant to a prior written
consent of Covered Entity. Notwithstanding the foregoing, Business Associate may provide
information regarding a Breach to its legal counsel.
B. Content of Report. Notification to Covered Entity of a Breach shall include, at a minimum, the
following:
1. A brief description of what happened, including the date of the incident and the date of
the discovery of the incident, if known;
2. A description of the types of Protected Health Information that were involved in the
incident (such as whether full name, social security number, date of birth, home address,
account number, diagnosis, disability code, or other types of information) and that were
or are reasonably believed by Business Associate to have been impermissibly accessed,
acquired, used or disclosed;
3. A fact-specific and detailed risk assessment of whether the incident poses a significant risk
of financial, reputational, or other harm to the individual whose Protected Health
Information has been (or is reasonably believed by Business Associate to have been)
acquired, accessed, used or disclosed;
4. Identification of the Individuals whose Protected Health Information has been, or is
reasonably believed by Business Associate to have been, accessed, acquired, used or
disclosed;
5. Any steps Individuals should take to protect themselves from potential harm resulting
from the incident;
6. A brief description of what Business Associate is doing to investigate the incident, to
mitigate harm to Individuals, and to protect against any further incidents; and
7. Any other information reasonably requested by Covered Entity to be included in the
report.
C. Documentation and Retention. Business Associate will document all actions described in this
Section V and maintain such documentation for at least six years from the date the
documentation is created or the date it was last in effect, whichever is later.
D. Reimbursement, Mitigation and Cooperation. Business Associate will reimburse Covered Entity
for all reasonable and necessary out-of-pocket costs incurred (including without limitation costs
associated with providing required notices) as a result of a Breach by the Business Associate, its
affiliates, subcontractors or agents. Business Associate further agrees to cooperate with
Covered Entity as reasonably requested, to mitigate, to the extent practicable, any harmful
effect of such a Breach or other use or disclosure of Protected Health Information in violation of
the terms and conditions of this Agreement, and fully cooperate with Covered Entity on all
matters relating to such incident and associated notifications by Covered Entity to Individuals,
the media, the Secretary, the Federal Trade Commission, or any other governmental entity.
VI. Term and Termination
A. Term. The Term of this Agreement will begin and become effective on the Effective Date and
shall terminate when all of the Protected Health Information provided by Covered Entity to
Business Associate, or created or received by Business Associate on behalf of Covered Entity is
destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected
Health Information, protections are extended to such information, in accordance with the
termination provisions in this Section VI.
B. Termination. In the event that a party (the "non-breaching party") discovers and determines
that the other party (the "breaching party") materially breached or violated any of its
obligations under this Agreement, the non-breaching party will notify the breaching party of
such breach in writing and may immediately terminate the Agreement upon notice to the
breaching party or may provide the breaching party with an opportunity to take reasonable
steps to cure the breach or end the violation, as applicable, within a mutually agreed upon
period of time. If the breaching party's attempts to cure the breach or end the violation are
unsuccessful within that period, without limiting the rights of the parties under the Agreement,
the non-breaching party may immediately terminate the Agreement upon notice to the
breaching party.
C. Effect of Relationship Termination.
1. Except as provided in paragraphs (b) and/or (c) of this sub-section, upon termination of
the Agreement, for any reason, Business Associate shall return or destroy all Protected
Health Information received from, or created or received by it on behalf of Covered
Entity. This provision shall apply to Protected Health Information that is in the
possession of Business Associate and/or its Subcontractors or agents. Business
Associate will not retain any copies of Protected Health Information.
2. In the event that Business Associate determines that returning or destroying Protected
Health Information is infeasible, Business Associate will notify Covered Entity of the
conditions that make return or destruction infeasible. Upon mutual agreement of the
parties that return or destruction of Protected Health Information is infeasible, Business
Associate will extend the protections of this Agreement to such Protected Health
Information and limit further uses and disclosures of such Protected Health Information
to those purposes that make the return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information.
3. Should Covered Entity notify Business Associate that the information necessary to
comply with the recordkeeping requirements under other applicable law includes the
Protected Health Information, Business Associate shall return or provide to Covered
Entity such information, including Protected Health Information.
VII. General Provisions
A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the
Security Rule means the section as in effect or as amended.
B. Amendment. The parties agree to take such action as is necessary to amend this Agreement
from time to time as is necessary for Covered Entity and/or Business Associate to comply with
the requirements of the Privacy Rule, the Security Rule, and the Health Insurance Portability and
Accountability Act of 1996, Pub. L. No. 104-191.
C. Interpretation. Any ambiguity in this Agreement shall be resolved to permit each party to
comply with the Privacy Rule and the Security Rule, if applicable.
D. Survival. The respective rights and obligations of Business Associate and Covered Entity under
this Agreement shall survive the termination of this Agreement and any related agreement,
including a services agreement.
E. Indemnity. Each party will indemnify, hold harmless, and defend the other party and its
affiliates, officers, directors, employees or agents from and against any claim, cause of action,
liability, damage, cost or expense, including reasonable attorneys' fees and court or proceeding
costs, arising out of or in connection with any non-permitted or violating use or disclosure of
Protected Health Information or other breach of this Agreement by such party or any
Subcontractor, agent, person or entity under such party's control. Notwithstanding the
foregoing, nothing in this section shall limit any rights of the parties to additional remedies
under this Agreement and the Technology and Services Agreement.
F. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to
confer, nor shall anything herein confer, upon any person other than the parties hereto, any
rights, obligations, or liabilities whatsoever.
G. Conformance with Law. The parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for the parties to comply with the requirements of
HIPAA as they apply to each party.
H. Action. For purposes of this Agreement, whenever action is required by a party to this
Agreement, such action must be taken by a person or persons with authority to act on behalf of
such party to this Agreement.
I. Governing law. This Agreement shall be governed by the law of Indiana, except to the extent
preempted by federal law.
J. Severability. The invalidity or unenforceability of any provision of this Agreement shall not
affect the validity or enforceability of any other provision of this Agreement, which shall remain
in full force and effect.
K. Notices. All notices and communications required by this Agreement shall be in writing. Such
notices and communications shall be given in one of the following forms: (i) by delivery in
person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or
certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies
in writing.
L. Entire Agreement. This Agreement constitutes the entire agreement between the parties with
respect to its subject matter and constitutes and supersedes all prior agreements,
representations and understandings of the parties, written or oral, with regard to this same
subject matter. Notwithstanding the foregoing, this Agreement is intended to supplement
(rather than supersede) the agreement between Business Associate and the sponsor of the Plan
related to the services that Business Associate provides with respect to administration of the
Plan.
M. Counterparts. This Agreement may be executed in counterparts, each of which so executed
shall be construed to be an original, but all of which together shall constitute one agreement
binding on all parties, notwithstanding that all parties are not signatories to the same
counterpart. Transmission by facsimile or electronic mail of an executed counterpart of this
Agreement shall be deemed to constitute due and sufficient delivery of such counterpart. This
Agreement and any amendment or modification may not be denied legal effect or enforceability
solely because it is in electronic form, or because an electronic signature or electronic record
was used in its formation.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date set forth below.
Covered Entity:
This ^1 day of 201Y
City of Richmond, Indiana, by and through its Board
of Public Works and Safety
By:
Vicki Robinson, President
RiKard .. - Member
Approved:
Sarah L. Hutton, Mayor
Business Associate:
This/ day of 2011
Next Generation Enrollment, Inc.
By:
Print Name:
Title: Plta
DESIGNATED PERSONS APPENDIX
Persons Authorized to Receive
Protected Health Information
In accordance with Section III.B.1. of this Agreement, disclosure of Protected Health Information may be made
to the following employees of the sponsor of the Plan:
Title/Office Name Phone Fax E-mail
Confidential information will be provided only to the individuals identified above.