The URL can be used to link to this page

Home My Public Portal About055-2014 - Next Generation Enrollment - Enrollment AdministrationNEXT GENERATION ENROLLMENT, INC. ADMINISTRATION AGREEMENT — DEPENDENT ELIGIBILITY AUDIT This Administration Agreement ("Agreement") is made by and between City of Richmond ("Employer") and Next Generation Enrollment, Inc., a Michigan corporation with its principal place of business in Ada, Michigan ("Next Generation"). Employer has established one or more other group health plans and Employer desires to have Next Generation provide certain administrative services in connection with the Plans and enters into this Agreement for that purpose. ARTICLE 1 DEFINITIONS The following definitions will apply to the terms in this Agreement unless otherwise expressly stated: (a) "Agreement" means this Administration Agreement, including all Exhibits. (b) "COBRA" means the Consolidated Omnibus Budget Reconciliation Act of 1985, as amended. (c) "Code" means the Internal Revenue Code of 1986, as amended. (d) "Employer' has the meaning stated above. (e) "FMLA" means the Family and Medical Leave Act of 1993, as amended. (f) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996. (g) "Plans" means the plans for which Employer has retained Next Generation to provide services. The names of the Plans are listed in Exhibit B. (h) ARTICLE 2 DUTIES OF NEXT GENERATION Section 2.1 Dependent Eligibility Audit Employer is retaining Next Generation to provide administrative services in connection with the Plans during the term of this Agreement. Next Generation will do the following with regard to the Plans (place an "X" in the box for each service to be provided): El (a) Assist Employer in determining plan dependent eligibility El (b) Draft all employee communication pieces and work with Employer for approval El (c) Print, stuff, and mail two (2) separate letters to employee's homes regarding audit. One at onset and follow-up mailer to employees failing Contract #55-2014 A to respond (d) Coordinate two (2) automated outbound calls to employees in order to remind them of audit (e) Establish a call center for the purpose of employee questions and issues that arise during audit El (f) Receive all employee documentation, solely by secure email and by mail to the Next Generation PO Box, during audit and verify each employee has provided the required documentation in order to continue to cover dependents. Required documentation will be set forth by Employer and validation will be based upon Employer's eligibility wording (g) With fifteen (15) days remaining for employees to provide the proper documentation, Next Generation will produce a personalized memo that will be delivered by Employer to each employee with a dependent that is not fully documented (h) After employees have been identified as having dependents that will lose coverage due to not providing the proper documentation, Next Generation will send each an Appeals Letter (i) Next Generation will administer an appeals process for employees to provide proper documentation following the Appeals Letters. (j) Provide Employer with ongoing status reports of progress of audit and fifteen (15) days prior to end of audit, provide Employer with listing of employees with outstanding documentation (k) At completion of audit, deliver all employee documentation electronically sorted alphabetically. All employee documentation is owned by Employer ARTICLE 3 ADDITIONAL SERVICES Section 3.1 Additional Services Available. At Employer's request, Next Generation will perform the following services in addition to its duties under Article 2: (a) Assistance with annual open enrollment not described in Article 2. (b) Collection of Employer annual election forms not described in Article 2. (c) Communication of benefit plan changes during annual open enrollment not described in Article 2. (d) Any other additional services agreed to by Employer and Next Generation. ARTICLE 4 DUTIES OF EMPLOYER Section 4.1 Eligibility Information It will be the duty of the Employer to provide the required Eligibility information for Next Generation Enrollment to conduct audit. Section 4.2 Approval of Communication Pieces Employer will have final say on and will sign off on all pieces sent to employees in conjunction with audit. Section 4.3 Information to be Provided to Next Generation. Employer will provide Next Generation with all information relating to the Plans and its participants necessary for Next Generation to perform its duties under this Agreement. Employer understands that in order for Next Generation to carry out its duties under this Agreement, Employer must provide this information to Next Generation on a timely basis. Further, Next Generation will be entitled to fully rely on the accuracy and completeness of any information submitted by Employer on behalf of the Plans and Next Generation will have no duty or responsibility to verify such information. In order to conduct audit, Next Generation Enrollment will require an electronic file, preferably in Microsoft Excel, containing the following information: 1. Employee First Name 2. Employee Last Name 3. Employee Social Security Number (last four (4) digits) 4. First Name of all Covered Dependents 5. Last Name of all Covered Dependents 6. Relationship Type of all Covered Dependents 7. Dates of Birth of all Covered Dependents 8. Employee Home Address, City, State, Zip 9. Employee Phone Number (if available) Section 4.4 Compliance with Plans and Law. Employer will be responsible for the following with respect to the Plans: (a) To determine if a participant may make a mid -year election change due to a change in status or other circumstances as set forth in the cafeteria plan and prescribed by law. (b) To comply with the applicable provisions of FMLA. (c) To comply with the applicable provisions of COBRA, including, but not limited to, the notification to each Qualified Beneficiary of his or her right to continuation coverage in connection with the Plans where required, except as otherwise provided by Next Generation under this Agreement. Section 4.5 Instructions to Next Generation. Employer will advise Next Generation, in writing, of the name and duties of each individual to whom responsibilities have been delegated in connection with the administration of the Plans. Next Generation will act, and be fully protected in acting, in accordance with the written directions of any individual designated by Employer. Next Generation will not be bound by any communication under the Plans or this Agreement not made in writing. ARTICLE 5 PLAN ADMINISTRATION, LIABILITY AND INDEMNIFICATION Section 5.1 Benefit Administrator. Next Generation will have neither discretionary authority nor control concerning the management of the Plans, nor exercise any control with respect to the management of any funds and will not render investment advice with respect to any funds. Next Generation will have no power to add to, subtract from, or modify any terms of the Plans. In addition, Next Generation is not the plan administrator of Employer's Plans or the trustee of any funds. Further, Next Generation does not actually pay benefits or provide insurance for benefits with respect to Employer's Plans. Section 5.2 Liability. Except as otherwise provided in this Agreement, Employer will retain the liability: (a) For all Plan benefit claims and expenses incident to the Plans; (b) For any state premium tax, or similar tax, including any penalties or interest, assessed on the basis of and/or measured by the amount of Plan benefit funds handled pursuant to this Agreement; (c) For any acts or omissions by the Employer or its employees, agents or affiliates arising out of this Agreement or the administration of the Plans; and (d) For any legal action or proceeding to recover benefits under the Plans. Section 5.3 Indemnification. Employer agrees to indemnify and hold harmless Next Generation and its directors, officers, members, managers, employees and agents against any and all claims, lawsuits, settlements, judgments, costs, taxes, penalties and expenses (including attorneys' fees) resulting from the performance of services relating to the Plans by Next Generation. However, this provision will not apply if the claim or liability is the direct consequence of fraudulent or negligent acts or omissions by Next Generation or its directors, officers, members, managers, employees or agents. Next Generation agrees to indemnify and hold harmless Employer and its directors, officers, members, managers, employees and agents against any and all claims, lawsuits, settlements, judgments, costs, taxes, penalties and expenses (including attorneys' fees) resulting from the direct consequence of fraudulent or negligent acts or omissions in the performance of services relating to the Plans by Next Generation. In the event that either party to this Agreement is successful in pursuing any legal action against the other party to this Agreement on account of the default or violation of any of the terms of this Agreement, that party will be entitled to recover, in addition to any other relief to which they are entitled, reasonable attorneys' fees. ARTICLE 6 TERM OF AGREEMENT Section 6.1 Term and Renewal. This Agreement will become effective on March 1, 2014, and will remain in full force and effect until the final payment is made by Employer and the Employer considers the audit to be completed which is expected to be May 31, 2014. Section 6.2 Payment. Employer agrees to fees as set forth in Exhibit A. Payment is due fifteen (15) days after receipt of Next Generation Enrollment invoice(s). Employer understands that penalties and late fees may apply if payments to Next Generation Enrollment, Inc. are not made on a timely basis, subject to Indiana Code (IC) 5-17-5 as applicable. Section 6.3 Fees. Fees are fixed for the length of the agreement. For subsequent agreements, Next Generation Enrollment, Inc. reserves the right to propose a change to the associated fees. Any change in fees for subsequent agreements shall be subject to the mutual agreement of the Employer and Next Generation. ARTICLE 7 MISCELLANEOUS PROVISIONS Section 7.1 Termination of this Agreement. (a) At any time during the Term, this Agreement may be terminated by the mutual consent in writing of both parties. (b) During the Term, either party may terminate this Agreement in the event the other party breaches any material provision of this Agreement, and such breach is not cured within thirty (30) days of receipt of written notice thereof. In addition, Next Generation shall have the right, at any time, to immediately terminate this Agreement in the event Employer: (i) is late with payment of Services Fees as outlined and payable under this Agreement or any Exhibits referenced or attached hereto; (ii) files or has filed against it a petition in bankruptcy or if Employer makes an assignment for the benefit of creditors; or (iii) fails to timely provide Next Generation with required information necessary for Next Generation to perform its obligations hereunder. (d) Upon termination and to the extent permitted by law, it is the intent of the parties that they be placed in their respective positions, as they existed immediately before entry into this Agreement. (e) Employer hereby agrees that if Employer terminates this Agreement for any reason other than those set forth in this Section, Next Generation reserves the right to invoice Employer up to $25.00 per employee for each employee who has, or would have, received a Dependent Eligibility Audit letter. NGE may exercise any other provisional or ancillary remedies by and through a court, agency or tribunal at any time even if the dispute resolution and escalation process outlined in Section 7.2 has been invoked by either party. Next Generation shall retain all rights, claims and remedies against Employer, regardless of any termination under this paragraph or the Agreement. Section 7.2 Dispute Escalation and Resolution. The following procedure will be adhered to in all disputes or disagreements arising out of this Agreement which the parties cannot resolve informally. The aggrieved party shall notify the other party in writing of the nature of the dispute with as much detail as possible. Each party shall designate a representative with full authority to address and/or resolve the dispute or disagreement. The designated representatives shall meet (in person or by telephone) within fifteen (15) business days after the date of the written notification to reach an agreement about the nature of the dispute or disagreement and the corrective action to be taken by the respective parties. If the designated representatives do not meet or are unable to agree on corrective action, the parties shall have thirty (30) days within which to institute a one -day mediation with a third party mediator mutually agreeable to both parties. The cost of such mediation shall be shared by the parties, exclusive of any reasonable attorneys' fees, if any. Except as otherwise specifically provided, neither party shall initiate legal action to enforce its rights unless and until this dispute resolution procedure has been substantially complied with or waived. Failure of a party to fulfill its obligations in this Paragraph 12, including failure to meet timely upon the other party's notice, shall be deemed such a waiver. Nothing in this section shall effect, abrogate, or act as a waiver of either parties rights to terminate this Agreement as outlined in Section 7.1, nor shall this section eliminate nor inhibit Next Generation's rights and/or remedies in law or equity to collect any outstanding balances due and owing for services rendered. This section shall survive termination of this Agreement. Section 7.3 HIPAA Compliance. If any "protected health information," as defined by HIPAA, is provided by, or created or received by, Next Generation from or on behalf of Employer under this Agreement, Next Generation, the Plans and Employer will enter into business associate agreements as required under HIPAA. Section 7.4 Amendment. No amendment to this Agreement will be effective unless it is in writing and signed by both of the parties. Section 7.5 Inspection of Records. Employer or its authorized representative may periodically inspect and audit all relevant documents, books and records of Next Generation pertaining to its administration of the Plans at mutually agreeable times and with proper notice during the term of this Agreement. Any such reviews will occur during normal business hours, 8:OOAM to 8:OOPM Monday through Friday, excluding holidays. Section 7.6 Notices. Any written notice required to be provided in connection with this Agreement will be made in writing via hand delivery, first-class mail, certified mail or telefax to each party as follows: Next Generation Enrollment, Inc. Attn: Bradley J. Taylor 455 Pettis Ave, Ada, MI 49301 Phone No: 616-676-4801 Employer: City of Richmond Attn: D. Sue Roberson Phone Number: 765-983-7244 Section 7.7 Enforcement of Rights. No failure or delay by either party to this Agreement in the exercise of any right under this Agreement, or enforcing or requiring the compliance or performance by the other party to this Agreement of any of the representations, warranties, covenants, terms or conditions of this Agreement, will operate as a waiver of any such right, or constitute a waiver of the breach of any such representation, warranty, covenant, term or condition nor will any single or partial exercise of any such right preclude, affect or impair such rights generally in any way. Section 7.8 Severability. If any provision of this Agreement is determined to be void by any court of competent jurisdiction and such determination will not affect any other provision of this Agreement and if any other provision of this Agreement is capable of two constructions, one of which would render the provision void and the other of which would render the provision valid, the provision will have the meaning which renders it valid. Section 7.9 Confidentiality. Next Generation will maintain the confidentiality of personal data identifying individual participants. Next Generation will not disclose personal information that may be associated with an identifiable participant except as required or permitted by law or for the administration of the Plans. Section 7.10 Tax Consequences. Next Generation does not warrant or guarantee the legal and tax consequences under the Plans or this Agreement. Employer, as Plan Administrator, is responsible for retaining independent counsel to determine the legal and tax consequences of the Plans. Section 7.11 Entire Understanding. This Agreement represents the understanding between Employer and Next Generation, and cancels and replaces any and all prior agreements between them. Any amendment of this Agreement will be in writing and signed by Employer and Next Generation. Section 7.12 Binding Effect. This Agreement will be binding on, and inure to the benefit of, Employer and Next Generation and their respective successors and assigns. Section 7.13 Construction. This Agreement will be governed by the laws of the state of Indiana except to the extent preempted by ERISA. Section 7.14 Force Majeure. Neither party will be responsible for any failure to perform hereunder due to unforeseen circumstances or to causes beyond its reasonable control, including, but not limited to, hardware or software error, acts of God, war, riot, embargoes, acts of civil or military authorities, fire, floods, accidents, strikes, or shortages of transportation, facilities, fuel, energy, labor or materials. Section 7.15 Prohibition Against Discrimination (a) Pursuant to Indiana Code 22-9-1-10, Next Generation, any sub -contractor, or any person acting on behalf of Next Generation or any sub -contractor shall not discriminate against any employee or applicant for employment to be employed in the performance of this Agreement, with respect to hire, tenure, terms, conditions or privileges of employment or any matter directly or indirectly related to employment, because of race, religion, color, sex, disability, national origin, or ancestry. (b) Pursuant to Indiana Code 5-16-6-1, the Next Generation agrees: (i) That in the hiring of employees for the performance of work under this Agreement of any subcontract hereunder, Next Generation, any subcontractor, or any person acting on behalf of Next Generation or any sub -contractor, shall not discriminate by reason of race, religion, color, sex, national origin or ancestry against any citizen of the State of Indiana who is qualified and available to perform the work to which the employment relates; (ii) That Next Generation, any sub -contractor, or any person action on behalf of Next Generation or any sub -contractor shall in no manner discriminate against or intimidate any employee hired for the performance of work under this Agreement on account of race, religion, color, sex, national origin or ancestry; (iii) That there may be deducted from the amount payable to Next Generation by the Employer under this Agreement, a penalty of five dollars ($5.00) for each person for each calendar day during which such person was discriminated against or intimidated in violation of the provisions of the Agreement; and (iv) That this Agreement may be canceled or terminated by the Employer and all money due or to become due hereunder may be forfeited, for a second or any subsequent violation of the terms or conditions of this section of the Agreement. (c) Violation of the terms or conditions of this Agreement relating to discrimination or intimidation shall be considered a material breach of this Agreement. Section 7.16 E-Verify Pursuant to Indiana Code 22-5-1.7, Next Generation is required to enroll in and verify the work eligibility status of all newly hired employees of the contractor through the Indiana E-Verify program. Next Generation is not required to verify the work eligibility status of all newly hired employees of the contractor through the Indiana E-Verify program if the Indiana E-Verify program no longer exists. Prior to the performance of this Agreement, Next Generation shall provide to Employer its signed Affidavit affirming that Next Generation does not knowingly employ an unauthorized alien in accordance with IC 22-5-1.7-11 (a) (2). In the event Next Generation violates IC 22-5-1.7 Next Generation shall be required to remedy the violation not later than thirty (30) days after Employer notifies Next Generation of the violation. If Next Generation fails to remedy the violation within the thirty (30) day period provided above, Employer shall consider Next Generation to be in breach of this Agreement and this Agreement will be terminated. If Employer determines that terminating this Agreement would be detrimental to the public interest or public property, Employer may allow this Agreement to remain in effect until Employer procures a new contractor. If this Agreement is terminated under this section, then pursuant to IC 22-5-1.7-13 (c) Next Generation will remain liable to Employer for actual damages. Section 7.18 Iran Investment Activities Pursuant to Indiana Code (IC) 5-22-16.5, Next Generation certifies that it is not engaged in investment activities in Iran. In the event Employer determines during the course of this Agreement that this certification is no longer valid, Employer shall notify Next Generation in writing of said determination and shall give Next Generation ninety (90) days within which to respond to the written notice. In the event Next Generation fails to demonstrate to Employer that Next Generation has ceased investment activities in Iran within ninety (90) days after the written notice is given to Next Generation, Employer may proceed with any remedies it may have pursuant to IC 5-22-16.5. In the event Employer determines during the course of this Agreement that this certification is no longer valid and said determination is not refuted by Next Generation in the manner set forth in IC 5-22-16.5, Employer reserves the right to consider Next Generation to be in breach of this Agreement and terminate the agreement upon the expiration of the ninety (90) day period set forth above. IN WITNESS OF WHICH, Employer and Next Generation have executed this Administration Agreement. Dated: , 201Y NEXT GENERATION ENROLLMENT, INC. �� i .• � • i EMPLOYER CITY OF RICHMOND, INDIANA, BY AND THROUGH ITS BOARD OF PUBLIC WORKS AND SAFETY Dated: 201�( By: Vicki Robinson, President By: Richard Foore, Member By: ` Anthony Foster, II, Member Approved:CC Sarah L. Hutton, Mayor EXHIBIT A- Fee Schedule Basic Services — Sections 2.1 Next Generation charges a percentage of the saving generated from the Dependent Audit. The value of one dependent will be based upon the actual annual medical claims utilization of the average dependent covered under the audited insurance plans. Next Generation has based its pricing on an annual cost to the medical plan of $XXXX.XX per insured dependent and an annual cost to the dental plan of $XXX.XX per insured dependent. Twenty (20%) percent of one year's worth of savings for each dependent removed capped when 6% of audited dependents have been found to be ineligible will be paid to Next Generation. Next Generation's invoice will be generated following the agreed upon completion of the dependent audit. NGE's fees are based upon all dependents found to be ineligible along with those who either did not respond in the allotted timeframe and those who responded but with inadequate documentation to prove eligibility as of the mutually agreed upon end of the appeals period noted below. City of Richmond Audit Timeline and Process 1. Pre -Audit Communication Work: Week of March 3, 2014 2. Initial Letter announcing Audit mailed on: March 11, 2014 and therefore, the start date for the Dependent Eligibility Audit 3. First Automated Outbound Phone Call placed on: April 1, 2014 4. Follow-up Letter mailed on: April 15, 2014 5. Customized memo for each employee detailing what is outstanding (memo hand delivered by Employer): April 29, 2014 6. Second Automated Outbound Phone Call placed on: May 6, 2014 7. Deadline for Employees to Postmark required documentation: May 10, 2014 8. Date of mailing of Appeals Letters detailing the fact that a dependent has been removed from the medical plan: May 16, 2014 9. Timing of appeals process for employees to postmark documentation: May 16, 2014 to May 26, 2014 10. Recap meeting to discuss appeals and total value of removed dependents: Week of May 26, 2014 Employer and Next Generation will set a Pre -Determined schedule for the conduction of audit. Employer has ultimate authority as to which employees have dependents that lose coverage. Employer may also change timeframe and extend the amount of time employees have to provide the required documentation. However, Next Generation Enrollment is hired to conduct this audit for a certain length of time. 11 Employer assumes all on -going management of audit at the PRE -DETERMINED end date of audit if Employer decides to extend the time period. NO FEE ADJUSTMENTS WILL BE MADE FOR DEPENDENTS WHO ARE FOUND TO BE ELIGIBLE AFTER THE AGREED UPON END DATE IN THE TIMELINE ABOVE. NOR WILL ANY FEE ADJUSTMENTS BE MADE FOR DEPENDENTS THAT THE EMPLOYER CHOOSES TO ALLOW TO REMAIN ON THE PLAN. EXHIBIT B Plans and Employee Groups The benefit plans subject to the dependent eligibility audit are as follows: 1. Medical Plan 12 Nei�t Generation BUSINESS ASSOCIATE AGREEMENT [amended for HITECH under ARRA] This Business Associate Agreement ("Agreement") is entered into by and between City of Richmond on behalf of the group medical plan ("Covered Entity") and Next Generation Enrollment, Inc. ("Business Associate"). I. Purpose A. Business Associate is contractually obligated to provide certain services related to one or more "covered entities" as that term is defined and regulated under HIPAA. The parties to this Agreement acknowledge that (1) Business Associate is a "business associate" as that term is defined and regulated under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"); and (2) Business Associate provides services to one or more "covered entities" as that term is defined and regulated under HIPAA. B. This Agreement is intended to constitute a "business associate" agreement between the Plan, as a Covered Entity, and the Business Associate, as required under the privacy and security provisions of HIPAA, as amended. Portions of HIPAA apply directly to Business Associate as provided in the Heath Information Technology for Economic and Clinical Health Act ("HITECH"), part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business Associate's obligations under this Agreement may be the same as, or in some cases in addition to, Business Associate's own obligations under HIPAA as provided in HITECH. H. Special Definitions The following definitions are used by this Agreement: A. Agreement — means this Business Associate Agreement, which is an agreement required under 45 C.F.R. Section 164.314(a)(2) between a Business Associate and a Covered Entity. B. ARRA — means the American Recovery and Reinvestment Act of 2009. C. Breach — means the unauthorized acquisition, access, use, or disclosure of Protected Health Information regarding a Covered Individual that (1) prior to September 23, 2013, poses a significant risk of financial, reputational, or other harm to such Covered Individual, or (2) on or after September 23, 2013, compromises the security or privacy of the Protected Health Information as determined in accordance with 45 C.F.R. Section 164.402. Notwithstanding the foregoing, a Breach does not include: (1) any unintentional acquisition, access, or use of Protected Health Information by an employee or individual acting under the authority of Covered Entity or Business Associate and in the scope of the employment or relationship between the employee or individual and Covered Entity or Business Associate, provided such information is not further acquired, accessed, used, or disclosed by any person without authorization; (2) any inadvertent disclosure by an individual who is authorized to access Protected Health Information at Covered Entity's or Business Associate's facility to another 455 Pettis Avenue SE • P.O. Box 527 • Ada, MI 49301 ;BS.266.1732 • R83 224.2371 1 nextctenerationenrollmenttcom similarly situated individual at the same facility, provided such information is not further acquired, accessed, used, or disclosed by any person without authorization; and (3) a disclosure of Protected Health Information in a situation in which Business Associate has a good faith belief that the person(s) to which the unauthorized disclosure was made would not reasonably have been able to retain such information. D. Business Associate — means Next Generation Enrollment, Inc., a person described in 45 C.F.R. Section 160.103 who performs certain functions on behalf of a Covered Entity. E. Covered Electronic Transactions — shall have the meaning given to the term "transaction" in 45 C.F.R. Section 160.103. F. Covered Entity — means the Plan, an entity described in 45 C.F.R. Section 160.103. G. Covered Individual — means a person who is eligible for payment of certain services or supplies rendered or sold to the person or the person's eligible dependents under the terms, conditions, limitations, and exclusions of the Plan. H. Data Aggregation — means, with respect to Protected Health Information created or received by Business Associate in its capacity as a business associate (as that term is defined in 45 C.F.R. Section 160.103) of the Plan, the combining of such Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity (as those terms are defined in 45 C.F.R. Section 160.103), to permit data analyses that relate to the health care operations of the respective covered entities. I. Designated Record Set — means a group of records maintained by or for Covered Entity that is (1) the medical records and billing records about Individuals maintained by or for a covered health care provider, (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Covered Entity, or (3) used, in whole or in part, by or for Covered Entity to make decisions about Individuals. As used herein, the term "Record" means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used or disseminated by or for Covered Entity. J. Effective Date — means [February 12, 2014], unless specifically noted otherwise herein. K. Electronic Health Record — means an electronic record of health -related information regarding an Individual that is created, gathered, managed, and consulted by authorized health care clinicians and their staff. L. Electronic Protected Health Information — shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. M. GINA - shall mean the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-223). N. HITECH — means Heath Information Technology for Economic and Clinical Health Act. 0. HHS — means the United States Department of Health and Human Services. P. Including — means "including but not limited to." Q. Individual — shall have the same meaning as the term "individual" in 45 C.F.R. Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g). R. Limited Data Set — shall have the same meaning as the term "limited data set" in 45 C.F.R. Section 164.514(e)(2). S. Plan — means the group health plan(s) identified in the introductory paragraph to this Agreement. T. Privacy Rule — means the Standards and Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E and the privacy provisions of HIPAA, as amended. U. Protected Health Information — shall have the same meaning as the term "protected health information" in 45 C.F.R. 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. Protected Health Information specifically includes Electronic Protected Health Information. V. Required By Law — shall have the same meaning as the term "required by law" in 45 C.F.R. Section 164.103. W. Secretary — means the Secretary of the Department of Health and Human Services or his/her designee. X. Security Incident — shall have the same meaning as the term "security incident" in 45 C.F.R. Section 164.304, unless defined differently in Covered Entity's policies and procedures for compliance with the Security Rule, which shall be provided to the Business Associate. Y. Security Rule — means the Security Standards and Implementation Specifications at 45 C.F.R. Part 160 and Part 164, subpart C and the security provisions of HIPAA, as amended. Z. Standards for Electronic Transactions Rule - means the final regulations issued by HHS concerning standard transactions and code sets under the Administrative Simplification provisions of HIPAA, 45 C.F.R. Part 160 and Part 162. AA. Subcontractor — means an agent of a Business Associate described in 45 C.F.R. Section 165.103 to whom the Business Associate provides protected health information that the Business Associate creates, receives, maintains, or transmits on behalf of a Covered Entity. BB. Unsecured Protected Health Information — means Protected Health Information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary. As of August 24, 2009, the Secretary has specified the following technologies and methodologies that will render Protected Health Information unusable, unreadable, and indecipherable (i.e., secured Protected Health Information): (1) encryption as described in the Secretary's guidance and determined by the National Institute of Standard and Technology to meet the standards described in such guidance, or (2) destruction, in accordance with the procedures identified in the Secretary's guidance, of the media on which the Protected Health Information was stored or recorded. III. Privacy Provisions A. Introduction. Business Associate, on behalf of Covered Entity, performs or assists in the performance of functions and activities that may involve the use, disclosure, receipt and/or creation of Protected Health Information. The "business associate" provisions of the Privacy Rule govern the terms and conditions under which the Business Associate may use or disclose Protected Health Information. In general, Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its responsibilities under HIPAA; and (2) Business Associate can fulfill its contractual obligations under this Agreement. In addition, Business Associate specifically acknowledges its direct liability for the failure to comply with certain portions of the Privacy Rule as provided under HITECH and the regulations issued thereunder. B. Permitted Uses and Disclosures by Business Associate. 1. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information (i) to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to any services agreement with the Business Associate, (ii) as permitted or required by this Agreement, and (iii) as Required by Law. Business Associate may disclose Protected Health Information to other business associates of Covered Entity, or to business associates of another covered entity that is part of an organized health care arrangement that includes Covered Entity, to the fullest extent allowed under applicable law. If and when Business Associate discloses or makes available Protected Health Information to the sponsor of the Plan, Business Associate agrees to disclose or make available Protected Health Information only to the persons identified in the attached Designated Persons Appendix (which may be updated by Covered Entity and communicated to Business Associate from time to time) for the purpose of performing functions, services, or activities for or on behalf of Covered Entity. Upon Covered Entity's request, Business Associate will provide Protected Health Information to other business associates of Covered Entity that assist in administering the group health plans and that are authorized to receive such information. 2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of its business or to carry out its legal responsibilities. 3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of its business, if: i) the disclosures are Required by Law, or ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and the person will promptly notify the Business Associate of any instances of which the person is aware in which the confidentiality of the information has been breached. 4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B). 5. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. Section 164.502(j)(1). 6. Business Associate will limit the use, disclosure, or request of Protected Health Information, to the extent practicable, (i) to the Limited Data Set, or (ii) if needed by Business Associate, to the minimum necessary (as determined by Business Associate) to accomplish the intended purpose of such use, disclosure, or request, except to the extent a broader use, disclosure, or request of Protected Health Information is allowed by the Privacy Rule. Business Associate's ability to satisfy the requirement of this Paragraph III.B.6 by use of the Limited Data Set shall be available until the effective date of subsequent guidance issued by the Secretary regarding what constitutes "minimum necessary," at which time Business Associate will take reasonable efforts to limit the use, disclosure, or request of Protected Health Information to the minimum necessary (as defined by such Secretary's guidance) to accomplish the intended purpose of such use, disclosure, or request, except to the extent a broader use, disclosure, or request of Protected Health Information is allowed by the Privacy Rule. 7. Except as otherwise authorized by the Privacy Rule, Business Associate shall not directly or indirectly receive remuneration (whether financial or nonfinancial) in exchange for any Protected Health Information of a Covered Individual unless Covered Entity has received a valid authorization from the Covered Individual that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information of that Covered Individual, This Paragraph III.B.7 shall apply to exchanges of Protected Health Information occurring on or after the compliance date applicable under the final regulations issued under HITECH that address this restriction. 8. Except as otherwise allowed by the Privacy Rule, Business Associate may not use or disclose Protected Health Information regarding a Covered Individual with respect to a communication about a product or service that encourages recipients of the communication to purchase or use the product or service unless Covered Entity receives no direct or indirect payment in exchange for making such communication and the communication is made to the Covered Individual: (i) to describe a health -related product or service (or payment for such product or service) that is provided by, or included in, the Plan, including communications about the entities participating in a health care provider network or health plan network, replacement of, or enhancements to, the Plan, and health -related products or services available only to Covered Individuals that add value to, but are not part of, the Plan; (ii) for treatment of the Covered Individual; or (iii) for case management or care coordination for the Covered Individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the Covered Individual. Notwithstanding the foregoing, Business Associate may use or disclose Protected Health Information regarding a Covered Individual with respect to a communication about a product or service that encourages recipients of the communication to purchase or use the product or service if the communication relates to a prescription drug that is currently being prescribed for a Covered Individual and any financial remuneration received by Covered Entity in exchange for making the communication is reasonably related to Covered Entity's cost of making the communication. This Paragraph II1.B.8 shall apply to disclosures of Protected Health Information occurring on or after the compliance date applicable under the final regulations issued under HITECH that address this restriction. C. Limitations on Business Associate's Uses and Disclosures. With respect to Protected Health Information that Covered Entity discloses to Business Associate or Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity, Business Associate will not use or further disclose the Protected Health Information other than as permitted or required by this Agreement (including, but not limited to, any restrictions described in Section III.E.4) or as Required by Law. D. Additional Obligations of Business Associate. Except as otherwise specified in this Agreement, the provisions of this Paragraph III.D. apply only to Protected Health Information that Covered Entity discloses to Business Associate or Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. 1. Safeguards. Business Associate will use appropriate safeguards to prevent the improper use of, disclosure of, and tampering with Protected Health Information and to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information. 2. Reporting and Mitigation. Business Associate will report to Covered Entity any acquisition, access, use, or disclosure of Protected Health Information of which Business Associate becomes aware, or that is reported to Business Associate by an agent or Subcontractor, that is in violation of this Agreement. Such report shall be made within ten (10) business days of its discovery (as that term is defined in 45 C.F.R. Section 164.410(a)(2)) by Business Associate. Business Associate agrees to promptly mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an acquisition, access, use, or disclosure in violation of this Agreement. This obligation includes, but is not limited to, any acquisition, access, use, or disclosure of Unsecured Protected Health Information that may constitute a Breach. The determination of whether a Breach has occurred, and of the resultant action, shall be the responsibility of Covered Entity. 3. Agents and Subcontractors. Business Associate will enter into a written contract with any agent or Subcontractor who creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate that requires such agent or Subcontractor to comply with the same restrictions and conditions that apply by and through this Agreement to Business Associate with respect to such information. Business Associate will be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Agreement. 4. Access to Protected Health Information. Within fifteen (15) days of a request by Covered Entity for access to Protected Health Information about a Covered Individual, Business Associate shall make available to Covered Entity or, as directed by Covered Entity, a Covered Individual such Protected Health Information contained in a Designated Record Set. Effective September 23, 2013, if the Protected Health Information requested by Covered Entity is maintained in a Designated Record Set electronically, Business Associate shall make available, within the time period specified above, a copy of such information in the electronic form and format specified by Covered Entity, provided such information is readily producible in such form and format. If the information is not readily producible in such form and format, Business Associate shall make the information available in a readable electronic form and format as agreed to by the parties. In the event any Covered Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall within five (5) days forward such request to Covered Entity. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for providing access to the requested Protected Health Information or making the determination to deny access to requested Protected Health Information. 5. Amendment of Protected Health Information. Within fifteen (15) days of receipt of a request from Covered Entity or a Covered Individual for the amendment of Protected Health Information or a record regarding a Covered Individual contained in a Designated Record Set, Business Associate shall (i) provide such information to Covered Entity for amendment, and (ii) incorporate any such amendments in the Protected Health Information as required by 45 C.F.R. Section 164.526. It shall be Covered Entity's responsibility to promptly notify Business Associate of the request for an amendment. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for determining whether the requested amendment shall be made and, if the request is denied, in whole or in part, complying with 45 C.F.R. Section 164.S26. 6. Disclosure Accounting. Business Associate agrees to track such disclosures of Protected Health Information and information related to such disclosures as is necessary to enable Covered Entity to respond to a request by a Covered Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. Section 164.528. Within fifteen (15) days of receipt of notice from Covered Entity that it has received a request for an accounting of disclosures of Protected Health Information regarding a Covered Individual, Business Associate shall make available to Covered Entity such information as is in Business Associate's possession and is required for Covered Entity to make the accounting required by 45 C.F.R. Section 164.528. At a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and, (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this section and applicable law. It shall be Covered Entity's responsibility to promptly notify Business Associate of the request for an accounting, and to prepare and deliver any such accounting requested. In addition to the forgoing, Business Associate shall track other disclosures and/or make available to Covered Entity such information as is necessary for Covered Entity to comply with any additional accounting requirements effective as of the compliance date applicable under final regulations implementing such requirements. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for providing the disclosure accounting to the Covered Individual. 7. Access to Business Associate's Internal Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to Covered Entity or the Secretary, for the purposes of the Secretary's determining compliance with HIPAA for Covered Entity and/or Business Associate. 8. Electronic Transactions. In the event the Business Associate transmits or receives any Covered Electronic Transaction on behalf of Covered Entity, it shall comply with all applicable provisions of the Standards for Electronic Transactions Rule to the extent Required by Law, and shall ensure that any agents and Subcontractors that assist Business Associate in conducting Covered Electronic Transactions on behalf of Covered Entity agree in writing to comply with the Standards for Electronic Transactions Rule to the extent Required by Law. 11. GINA. Business Associate agrees not to use or disclose Protected Health Information that contains genetic information if such use or disclosure would violate GINA. E. Obligations and Rights of Covered Entity. 1. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. Section 164.520, as well as any changes to such notice. 2. Requests by Covered Entity. Covered Entity shall not request or direct Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. This includes, but is not limited to, requests or directions for disclosure of Protected Health Information to the Plan sponsor in a capacity other than acting on behalf of the Plan as Covered Entity. To the extent a dispute or difference of opinion exists between the Business Associate and Covered Entity regarding whether a use or disclosure is permissible, Business Associate may disclose the Protected Health Information under objection pursuant to the specific, written direction of Covered Entity. Any disclosures made pursuant to such specific, written direction shall be subject to the indemnification provisions of the Agreement. 3. Authorizations. Covered Entity shall notify Business Associate of any authorization provided by an Individual to use or disclose Protected Health Information (and any changes in or revocation of such an authorization), to the extent that such information may affect Business Associate's use or disclosure of Protected Health Information. Upon receipt of such notification, Business Associate shall use or disclose Protected Health Information in accordance with the authorization or changes thereto. 4. Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. Section 164.522 or is required to agree under HITECH (and any changes to or termination of such a restriction), to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information. Such restrictions include, but are not limited to, a Covered individual's request not to disclose Protected Health Information for purposes of payment or health care operations where the Protected Health Information relates solely to a health item or service for which the health care provider has been paid in full out-of-pocket by, or on behalf of, the Covered Individual. Upon receipt of such notification, Business Associate shall comply with such a restriction. 5. Agreement Breaches by Business Associate. If Covered Entity obtains knowledge of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate's obligations under this Agreement, Covered Entity will take reasonable steps to cure such breach or end such violation. If Covered Entity cannot successfully cure the breach or end the violation, Covered Entity shall terminate the Agreement in accordance with Section VI.B if feasible. IV. Electronic Security Provisions A. Introduction. This section applies where Business Associate, on behalf of Covered Entity, performs or assists in the performance of functions and activities that may involve the creation, maintenance, receipt, or transmission of Electronic Protected Health Information. This Section IV along with the other sections of the Business Associate Agreement are (1) intended to meet the requirements of the "business associate" provisions of Security Rule, and (2) govern the terms and conditions under which the Business Associate may create, maintain, receive, and transmit Electronic Protected Health Information on behalf of Covered Entity. In general, Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its responsibilities under HIPAA; (2) Business Associate can fulfill its responsibilities under HIPAA; and (3) Business Associate can fulfill its contractual obligations under this Agreement. B. Obligations of Business Associate. In accordance with the Security Rule, Business Associate agrees to: 1. Conduct a security risk assessment (in accordance with 45 C.F.R. Section 164.308(a)(1)(ii)(A)) and adopt and implement policies and procedures designed to ensure compliance with the Security Rule and this Agreement including, but not limited to, identifying a security officer and training personnel. This Paragraph IV.B.1 shall be effective as of the compliance date applicable under the final regulations issued under HITECH that address this requirement. 2. Implement administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, maintains, receives, or transmits on behalf of Covered Entity. 3. Enter into a written contract with any agent or Subcontractor to whom Business Associate provides Electronic Protected Health Information that requires such agent or Subcontractor to comply with the same restrictions and conditions that apply under this Section IV to Business Associate, including, but not limited to, implementing reasonable and appropriate safeguards to protect such information. 4. Report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate shall provide such notification on a quarterly basis, unless a more prompt notice is otherwise required by this Agreement (e.g., under Section III.D.2. or Article V). With respect to Security Incidents that result from an unsuccessful attempt to access, use, disclose, modify, or destroy Electronic Protected Health Information or interfere with system operations in an information system containing Electronic Protected Health Information, the notification required hereunder need only report the aggregate number of such incidents. 5. Promptly mitigate, to the extent practicable, any harmful effect of a Security Incident that is known to Business Associate. C. Obligations of Covered Entity. Covered Entity shall not request or direct Business Associate to create, maintain, receive, or transmit Electronic Protected Health Information in any manner that would not be permissible under the Security Rule. V. Breach Notification Requirements A. Breach Notification. To the extent Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information, as set forth in Section 13402(h) of HITECH, Business Associate shall promptly report to Covered Entity any Breach of such Unsecured Protected Health Information by it, its subcontractors or agents of which it becomes aware. Notification to Covered Entity shall be made without unreasonable delay and in no case later than fifteen business days after the earlier of: (i) the first day on which such Breach is known to Business Associate; or (ii) the first day on which such Breach, by exercising reasonable diligence, would have been known to any person (other than the person committing the Breach) who is an employee, officer or other agent of Business Associate. Notification of the Breach may only be delayed if such delay is required by law enforcement purposes as set forth in 45 C.F.R. Section 164.412. Business Associate shall exercise reasonable diligence and promptly supplement its report with any additional information as may be obtained by Business Associate. Business Associate, its affiliates, agents and subcontractors shall not provide any notification or information regarding any Breach to any person other than Covered Entity, except to the extent such action is: (i) required by law, (ii) required under this Agreement, or (iii) taken pursuant to a prior written consent of Covered Entity. Notwithstanding the foregoing, Business Associate may provide information regarding a Breach to its legal counsel. B. Content of Report. Notification to Covered Entity of a Breach shall include, at a minimum, the following: 1. A brief description of what happened, including the date of the incident and the date of the discovery of the incident, if known; 2. A description of the types of Protected Health Information that were involved in the incident (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information) and that were or are reasonably believed by Business Associate to have been impermissibly accessed, acquired, used or disclosed; 3. A fact -specific and detailed risk assessment of whether the incident poses a significant risk of financial, reputational, or other harm to the individual whose Protected Health Information has been (or is reasonable believed by Business Associate to have been) acquired, accessed, used or disclosed; 4. Identification of the Individuals whose Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed; S. Any steps Individuals should take to protect themselves from potential harm resulting from the incident; 6. A brief description of what Business Associate is doing to investigate the incident, to mitigate harm to Individuals, and to protect against any further incidents; and 7. Any other information reasonably requested by Covered Entity to be included in the report. C. Documentation and Retention. Business Associate will document all actions described in this Section V and maintain such documentation for at least six years from the date the documentation is created or the date it was last in effect, whichever is later. D. Reimbursement, Mitigation and Cooperation. Business Associate will reimburse Covered Entity for all reasonable and necessary out-of-pocket costs incurred (including without limitation costs associated with providing required notices) as a result of a Breach by the Business Associate, its affiliates, subcontractors or agents. Business Associate further agrees to cooperate with Covered Entity as reasonably requested, to mitigate, to the extent practicable, any harmful effect of such a Breach or other use or disclosure of Protected Health Information in violation of the terms and conditions of this Agreement, and fully cooperate with Covered Entity on all matters relating to such incident and associated notifications by Covered Entity to Individuals, the media, the Secretary, the Federal Trade Commission, or any other governmental entity. VI. Term and Termination A. Term. The Term of this Agreement will begin and become effective on the Effective Date and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section VI. B. Termination. In the event that a party (the "non -breaching party") discovers and determines that the other party (the "breaching party") materially breached or violated any of its obligations under this Agreement, the non -breaching party will notify the breaching party of such breach in writing and may immediately terminate the Agreement upon notice to the breaching party or may provide the breaching party with an opportunity to take reasonable steps to cure the breach or end the violation, as applicable, within a mutually agreed upon period of time. If the breaching party's attempts to cure the breach or end the violation are unsuccessful within that period, without limiting the rights of the parties under the Agreement, the non -breaching party may immediately terminate the Agreement upon notice to the breaching party. C. Effect of Relationship Termination. 1. Except as provided in paragraphs (b) and/or (c) of this sub -section, upon termination of the Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from, or created or received by it on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of Business Associate and/or its Subcontractors or agents. Business Associate will not retain any copies of Protected Health Information. 2. In the event that Business Associate determines that returning or destroying Protected Health Information is infeasible, Business Associate will notify Covered Entity of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Business Associate will extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. 3. Should Covered Entity notify Business Associate that the information necessary to comply with the recordkeeping requirements under other applicable law includes the Protected Health Information, Business Associate shall return or provide to Covered Entity such information, including Protected Health Information. VII. General Provisions A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended. B. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and/or Business Associate to comply with the requirements of the Privacy Rule, the Security Rule, and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. C. Interpretation. Any ambiguity in this Agreement shall be resolved to permit each party to comply with the Privacy Rule and the Security Rule, if applicable. D. Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive the termination of this Agreement and any related agreement, Including a services agreement. E. Indemnity. Each party will indemnify, hold harmless, and defend the other party and its affiliates, officers, directors, employees or agents from and against any claim, cause of action, liability, damage, cost or expense, including reasonable attorneys' fees and court or proceeding costs, arising out of or in connection with any non -permitted or violating use or disclosure of Protected Health Information or other breach of this Agreement by such party or any Subcontractor, agent, person or entity under such party's control. Notwithstanding the foregoing, nothing in this section shall limit any rights of the parties to additional remedies under this Agreement and the Technology and Services Agreement. F. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties hereto, any rights obligations, or liabilities whatsoever. G. Conformance with Law. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA as they apply to each party. H. Action. For purposes of this Agreement, whenever action is required by a party to this Agreement, such action must be taken by a person or persons with authority to act on behalf of such party to this Agreement. I. Governing law. This Agreement shall be governed by the law of Indiana, except to the extent preempted by federal law. J. Severability. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect. K. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally -recognized, next -day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing. L. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter. Notwithstanding the foregoing, this Agreement is intended to supplement (rather than supersede) the agreement between Business Associate and the sponsor of the Plan related to the services that Business Associate provides with respect to administration of the Plan. M. Counterparts. This Agreement may be executed in counterparts, each of which so executed shall be construed to be an original, but all of which together shall constitute one agreement binding on all parties, notwithstanding that all parties are not signatories to the same counterpart. Transmission by facsimile or electronic mail of an executed counterpart of this Agreement shall be deemed to constitute due and sufficient delivery of such counterpart. This Agreement and any amendment or modification may not be denied legal effect or enforceability solely because it is in electronic form, or because an electronic signature or electronic record was used in its formation. IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date set forth below. Covered Entity: This ^1 day of 201Y t City of Richmond, Indiana, by and through its Board of Public Works and Safety By: 2 ;� Vicki Robinson, President -/ , RiKard .. - Member Approved1l �Gr�%c!' Sarah L. Hutton, Mayor Business Associate: This/ day of 2011 Next Generation Enrollment, Inc. By: Print Name: Title: Plta�, DESIGNATED PERSONS APPENDIX Persons Authorized to Receive Protected Health Information In accordance with Section III.B.1. of this Agreement, disclosure of Protected Health Information may be made to the following employees of the sponsor of the Plan: Title/Office Name Phone Fax E-mail Confidential information will be provided only to the individuals identified above.