The URL can be used to link to this page

Home My Public Portal About056-2014 - Next Generation Enrollment - Business AgreementNext Generation EN ROLLME NT, INC BUSINESS ASSOCIATE AGREEMENT [amended for HITECH under ARRA] This Business Associate Agreement ("Agreement") is entered into by and between City of Richmond on behalf of the group medical plan ("Covered Entity") and Next Generation Enrollment, Inc. ("Business Associate"). I. Purpose A. Business Associate is contractually obligated to provide certain services related to one or more "covered entities" as that term is defined and regulated under HIPAA. The parties to this Agreement acknowledge that (1) Business Associate is a "business associate" as that term is defined and regulated under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"); and (2) Business Associate provides services to one or more "covered entities" as that term is defined and regulated under HIPAA. B. This Agreement is intended to constitute a "business associate" agreement between the Plan, as a Covered Entity, and the Business Associate, as required under the privacy and security provisions of HIPAA, as amended. Portions of HIPAA apply directly to Business Associate as provided in the Heath Information Technology for Economic and Clinical Health Act ("HITECH"), part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business Associate's obligations under this Agreement may be the same as, or in some cases in addition to, Business Associate's own obligations under HIPAA as provided in HITECH. II. Special Definitions The following definitions are used by this Agreement: A. Agreement — means this Business Associate Agreement, which is an agreement required under 45 C.F.R. Section 164.314(a)(2) between a Business Associate and a Covered Entity. B. ARRA — means the American Recovery and Reinvestment Act of 2009. C. Breach — means the unauthorized acquisition, access, use, or disclosure of Protected Health Information regarding a Covered Individual that (1) prior to September 23, 2013, poses a significant risk of financial, reputational, or other harm to such Covered Individual, or (2) on or after September 23, 2013, compromises the security or privacy of the Protected Health Information as determined in accordance with 45 C.F.R. Section 164.402. Notwithstanding the foregoing, a Breach does not include: (1) any unintentional acquisition, access, or use of Protected Health Information by an employee or individual acting under the authority of Covered Entity or Business Associate and in the scope of the employment or relationship between the employee or individual and Covered Entity or Business Associate, provided such information is not further acquired, accessed, used, or disclosed by any person without authorization; (2) any inadvertent disclosure by an individual who is authorized to access -- rofecte Nea n ormation—FCovere-d - ntity's or Business Associate's facility to another 455 Pettis Avenue SE • P.O. Box 527 • Ada. MI 49301 888.266.1732 • 888,224.2371 • nextgenerationenrollment.com Contract No. 56-2014 similarly situated individual at the same facility, provided such information is not further acquired, accessed, used, or disclosed by any person without authorization; and (3) a disclosure of Protected Health Information in a situation in which Business Associate has a good faith belief that the person(s) to which the unauthorized disclosure was made would not reasonably have been able to retain such information. D. Business Associate — means Next Generation Enrollment, Inc., a person described in 45 C.F.R. Section 160.103 who performs certain functions on behalf of a Covered Entity. E. Covered Electronic Transactions — shall have the meaning given to the term "transaction" in 45 C.F.R. Section 160.103. F. Covered Entity — means the Plan, an entity described in 45 C.F.R. Section 160.103. G. Covered Individual — means a person who is eligible for payment of certain services or supplies rendered or sold to the person or the person's eligible dependents under the terms, conditions, limitations, and exclusions of the Plan. H. Data Aggregation — means, with respect to Protected Health Information created or received by Business Associate in its capacity as a business associate (as that term is defined in 45 C.F.R. Section 160.103) of the Plan, the combining of such Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity (as those terms are defined in 45 C.F.R. Section 160.103), to permit data analyses that relate to the health care operations of the respective covered entities. Designated Record Set — means a group of records maintained by or for Covered Entity that is (1) the medical records and billing records about Individuals maintained by or for a covered health care provider, (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Covered Entity, or (3) used, in whole or in part, by or for Covered Entity to make decisions about Individuals. As used herein, the term "Record" means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used or disseminated by or for Covered Entity. Effective Date — means [February 12, 20141, unless specifically noted otherwise herein. K. Electronic Health Record — means an electronic record of health -related information regarding an Individual that is created, gathered, managed, and consulted by authorized health care clinicians and their staff. L. Electronic Protected Health Information — shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. M. GINA - shall mean the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-223). N. HITECH — means Heath Information Technology for Economic and Clinical Health Act. 0. HHS — means the United States Department of Health and Human Services. guidance, or (2) destruction, in accordance with the procedures identified in the Secretary's guidance, of the media on which the Protected Health Information was stored or recorded. Ill. Privacy Provisions A. Introduction. Business Associate, on behalf of Covered Entity, performs or assists in the performance of functions and activities that may involve the use, disclosure, receipt and/or creation of Protected Health Information. The "business associate" provisions of the Privacy Rule govern the terms and conditions under which the Business Associate may use or disclose Protected Health Information. In general, Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its responsibilities under HIPAA; and (2) Business Associate can fulfill its contractual obligations under this Agreement. In addition, Business Associate specifically acknowledges its direct liability for the failure to comply with certain portions of the Privacy Rule as provided under HITECH and the regulations issued thereunder. B. Permitted Uses and Disclosures by Business Associate. 1. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information (i) to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to any services agreement with the Business Associate, (ii) as permitted or required by this Agreement, and (iii) as Required by Law. Business Associate may disclose Protected Health Information to other business associates of Covered Entity, or to business associates of another covered entity that is part of an organized health care arrangement that includes Covered Entity, to the fullest extent allowed under applicable law. If and when Business Associate discloses or makes available Protected Health Information to the sponsor of the Plan, Business Associate agrees to disclose or make available Protected Health Information only to the persons identified in the attached Designated Persons Appendix (which may be updated by Covered Entity and communicated to Business Associate from time to time) for the purpose of performing functions, services, or activities for or on behalf of Covered Entity. Upon Covered Entity's request, Business Associate will provide Protected Health Information to other business associates of Covered Entity that assist in administering the group health plans and that are authorized to receive such information. 2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of its business or to carry out its legal responsibilities. 3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of its business, if: i) the disclosures are Required by Law, or ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and the person will promptly notify the Business Associate of any instances of which the person is aware in which the confidentiality of the information has been breached._ 4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B). 5. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. Section 164.5020)(1). 6. Business Associate will limit the use, disclosure, or request of Protected Health Information, to the extent practicable, (i) to the Limited Data Set, or (ii) if needed by Business Associate, to the minimum necessary (as determined by Business Associate) to accomplish the intended purpose of such use, disclosure, or request, except to the extent a broader use, disclosure, or request of Protected Health Information is allowed by the Privacy Rule. Business Associate's ability to satisfy the requirement of this Paragraph III.B.6 by use of the Limited Data Set shall be available until the effective date of subsequent guidance issued by the Secretary regarding what constitutes "minimum necessary," at which time Business Associate will take reasonable efforts to limit the use, disclosure, or request of Protected Health Information to the minimum necessary (as defined by such Secretary's guidance) to accomplish the intended purpose of such use, disclosure, or request, except to the extent a broader use, disclosure, or request of Protected Health Information is allowed by the Privacy Rule. 7. Except as otherwise authorized by the Privacy Rule, Business Associate shall not directly or indirectly receive remuneration (whether financial or nonfinancial) in exchange for any Protected Health Information of a Covered Individual unless Covered Entity has received a valid authorization from the Covered Individual that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information of that Covered Individual. This Paragraph III.B.7 shall apply to exchanges of Protected Health Information occurring on or after the compliance date applicable under the final regulations issued under HITECH that address this restriction. 8. Except as otherwise allowed by the Privacy Rule, Business Associate may not use or disclose Protected Health Information regarding a Covered Individual with respect to a communication about a product or service that encourages recipients of the communication to purchase or use the product or service unless Covered Entity receives no direct or indirect payment in exchange for making such communication and the communication is made to the Covered Individual: (i) to describe a health -related product or service (or payment for such product or service) that is provided by, or included in, the Plan, including communications about the entities participating in a health care provider network or health plan network, replacement of, or enhancements to, the Plan, and health -related products or services available only to Covered Individuals that add value to, but are not part of, the Plan; (ii) for treatment of the Covered Individual; or (iii) for case management or care coordination for the Covered Individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the Covered Individual. Notwithstanding the foregoing, Business Associate may use or disclose Protected Health Information regarding a Covered Individual with respect to a communication about a product or service that encourages recipients of the communication t0 purchase br use the product or sefVice I the communication relates to a prescription drug that is currently being prescribed for a Covered Individual and any financial remuneration received by Covered Entity in exchange for making the communication is reasonably related to Covered Entity's cost of making the communication. This Paragraph III.B.8 shall apply to disclosures of Protected Health Information occurring on or after the compliance date applicable under the final regulations issued under HITECH that address this restriction. C. Limitations on Business Associate's Uses and Disclosures. With respect to Protected Health Information that Covered Entity discloses to Business Associate or Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity, Business Associate will not use or further disclose the Protected Health Information other than as permitted or required by this Agreement (including, but not limited to, any restrictions described in Section III.E.4) or as Required by Law. D. Additional Obligations of Business Associate. Except as otherwise specified in this Agreement, the provisions of this Paragraph III.D. apply only to Protected Health Information that Covered Entity discloses to Business Associate or Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. 1. Safeguards. Business Associate will use appropriate safeguards to prevent the improper use of, disclosure of, and tampering with Protected Health Information and to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information. 2. Reporting and Mitigation. Business Associate will report to Covered Entity any acquisition, access, use, or disclosure of Protected Health Information of which Business Associate becomes aware, or that is reported to Business Associate by an agent or Subcontractor, that is in violation of this Agreement. Such report shall be made within ten (10) business days of its discovery (as that term is defined in 45 C.F.R. Section 164.410(a)(2)) by Business Associate. Business Associate agrees to promptly mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an acquisition, access, use, or disclosure in violation of this Agreement. This obligation includes, but is not limited to, any acquisition, access, use, or disclosure of Unsecured Protected Health Information that may constitute a Breach. The determination of whether a Breach has occurred, and of the resultant action, shall be the responsibility of Covered Entity. 3. Agents and Subcontractors. Business Associate will enter into a written contract with any agent or Subcontractor who creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate that requires such agent or Subcontractor to comply with the same restrictions and conditions that apply by and through this Agreement to Business Associate with respect to such information. Business Associate will be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Agreement. 4. Access to Protected Health Information. Within fifteen (15) days of a request by Covered - -- - Entity- for access to Protected -Health -Information -about--a Covered -individual,- Business--- Associate shall make available to Covered Entity or, as directed by Covered Entity, a Covered Individual such Protected Health Information contained in a Designated Record Set. Effective September 23, 2013, if the Protected Health Information requested by Covered Entity is maintained in a Designated Record Set electronically, Business Associate shall make available, within the time period specified above, a copy of such information in the electronic form and format specified by Covered Entity, provided such information is readily producible in such form and format. If the information is not readily producible in such form and format, Business Associate shall make the information available in a readable electronic form and format as agreed to by the parties. In the event any Covered Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall within five (5) days forward such request to Covered Entity. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for providing access to the requested Protected Health Information or making the determination to deny access to requested Protected Health Information. 5. Amendment of Protected Health Information. Within fifteen (15) days of receipt of a request from Covered Entity or a Covered Individual for the amendment of Protected Health Information or a record regarding a Covered Individual contained in a Designated Record Set, Business Associate shall (i) provide such information to Covered Entity for amendment, and (ii) incorporate any such amendments in the Protected Health Information as required by 45 C.F.R. Section 164.526. It shall be Covered Entity's responsibility to promptly notify Business Associate of the request for an amendment. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for determining whether the requested amendment shall be made and, if the request is denied, in whole or in part, complying with 45 C.F.R. Section 164.526. 6. Disclosure Accounting. Business Associate agrees to track such disclosures of Protected Health Information and information related to such disclosures as is necessary to enable Covered Entity to respond to a request by a Covered Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. Section 164.528. Within fifteen (15) days of receipt of notice from Covered Entity that it has received a request for an accounting of disclosures of Protected Health Information regarding a Covered Individual, Business Associate shall make available to Covered Entity such information as is in Business Associate's possession and is required for Covered Entity to make the accounting required by 45 C.F.R. Section 164.528. At a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and, (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this section and applicable law. It shall be Covered Entity's responsibility to promptly notify Business Associate of the request for an accounting, and to prepare and deliver any such accounting requested. In addition to the forgoing, Business Associate shall track other disclosures and/or make available to Covered Entity such information as is necessary for Covered Entity to comply with any additional accounting requirements effective as of -the- com tiance -date applicable under first - P pp -regulations _ irrtifste-me-nting—wcti requirements. Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately responsible for providing the disclosure accounting to the Covered Individual. 7. Access to Business Associate's Internal Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to Covered Entity or the Secretary, for the purposes of the Secretary's determining compliance with HIPAA for Covered Entity and/or Business Associate. 8. Electronic Transactions. In the event the Business Associate transmits or receives any Covered Electronic Transaction on behalf of Covered Entity, it shall comply with all applicable provisions of the Standards for Electronic Transactions Rule to the extent Required by Law, and shall ensure that any agents and Subcontractors that assist Business Associate in conducting Covered Electronic Transactions on behalf of Covered Entity agree in writing to comply with the Standards for Electronic Transactions Rule to the extent Required by Law. 11. GINA. Business Associate agrees not to use or disclose Protected Health Information that contains genetic information if such use or disclosure would violate GINA. E. Obligations and Rights of Covered Entity. 1. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. Section 164.520, as well as any changes to such notice. 2. Requests by Covered Entity. Covered Entity shall not request or direct Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. This includes, but is not limited to, requests or directions for disclosure of Protected Health Information to the Plan sponsor in a capacity other than acting on behalf of the Plan as Covered Entity. To the extent a dispute or difference of opinion exists between the Business Associate and Covered Entity regarding whether a use or disclosure is permissible, Business Associate may disclose the Protected Health Information under objection pursuant to the specific, written direction of Covered Entity. Any disclosures made pursuant to such specific, written direction shall be subject to the indemnification provisions of the Agreement. 3. Authorizations. Covered Entity shall notify Business Associate of any authorization provided by an Individual to use or disclose Protected Health Information (and any changes in or revocation of such an authorization), to the extent that such information may affect Business Associate's use or disclosure of Protected Health Information. Upon receipt of such notification, Business Associate shall use or disclose Protected Health Information in accordance with the authorization or changes thereto. 4. Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. Section 164.522 or is required to agree under HITECH (and - - - - - -- -any-c-hanges-to or termination -of -such a restriction), to the extent -that-such--restric-tkm -- - may affect Business Associate's use or disclosure of Protected Health Information. Such restrictions include, but are not limited to, a Covered Individual's request not to disclose Protected Health Information for purposes of payment or health care operations where the Protected Health Information relates solely to a health item or service for which the health care provider has been paid in full out-of-pocket by, or on behalf of, the Covered Individual. Upon receipt of such notification, Business Associate shall comply with such a restriction. 5. Agreement Breaches by Business Associate. If Covered Entity obtains knowledge of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate's obligations under this Agreement, Covered Entity will take reasonable steps to cure such breach or end such violation. If Covered Entity cannot successfully cure the breach or end the violation, Covered Entity shall terminate the Agreement in accordance with Section VI.B if feasible. IV. Electronic Security Provisions A. Introduction. This section applies where Business Associate, on behalf of Covered Entity, performs or assists in the performance of functions and activities that may involve the creation, maintenance, receipt, or transmission of Electronic Protected Health Information. This Section IV along with the other sections of the Business Associate Agreement are (1) intended to meet the requirements of the "business associate" provisions of Security Rule, and (2) govern the terms and conditions under which the Business Associate may create, maintain, receive, and transmit Electronic Protected Health Information on behalf of Covered Entity. In general, Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its responsibilities under HIPAA; (2) Business Associate can fulfill its responsibilities under HIPAA; and (3) Business Associate can fulfill its contractual obligations under this Agreement. B. Obligations of Business Associate. In accordance with the Security Rule, Business Associate agrees to: 1. Conduct a security risk assessment (in accordance with 45 C.F.R. Section 164.308(a)(1)(ii)(A)) and adopt and implement policies and procedures designed to ensure compliance with the Security Rule and this Agreement including, but not limited to, identifying a security officer and training personnel. This Paragraph IV.6.1 shall be effective as of the compliance date applicable under the final regulations issued under HITECH that address this requirement. L. implement administrative, physical and technical safegua rdS (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, maintains, receives, or transmits on behalf of Covered Entity. 3. Enter into a written contract with any agent or Subcontractor to whom Business Associate provides Electronic Protected Health Information that requires such agent or Subcontractor to comply with the same restrictions and conditions that apply under this Section IV to Business Associate, including, but not limited to, implementing reasonable and appropriate safeguards to protect such information. 4. Report to Covered Entity any Security Incident of which Business Associate becomes aware. Business Associate shall provide such notification on a quarterly basis, unless a more prompt notice is otherwise required by this Agreement (e.g., under Section III.D.2. or Article V). With respect to Security Incidents that result from an unsuccessful attempt to access, use, disclose, modify, or destroy Electronic Protected Health Information or interfere with system operations in an information system containing Electronic Protected Health Information, the notification required hereunder need only report the aggregate number of such incidents. S. Promptly mitigate, to the extent practicable, any harmful effect of a Security Incident that is known to Business Associate. C. Obligations of Covered Entity. Covered Entity shall not request or direct Business Associate to create, maintain, receive, or transmit Electronic Protected Health Information in any manner that would not be permissible under the Security Rule. V. Breach Notification Requirements A. Breach Notification. To the extent Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information, as set forth in Section 13402(h) of HITECH, Business Associate shall promptly report to Covered Entity any Breach of such Unsecured Protected Health Information by it, its subcontractors or agents of which it becomes aware. Notification to Covered Entity shall be made without unreasonable delay and in no case later than fifteen business days after the earlier of: (i) the first day on which such Breach is known to Business Associate; or (ii) the first day on which such Breach, by exercising reasonable diligence, would have been known to any person (other than the person committing the Breach) who is an employee, officer or other agent of Business Associate. Notification of the Breach may only be delayed if such delay is required by law enforcement purposes as set forth in 45 C.F.R. Section 164.412. Business Associate shall exercise reasonable diligence and promptly supplement its report with any additional information as may be obtained by Business Associate. Business Associate, its affiliates, agents and subcontractors shall not provide any notification or information regarding any Breach to any person other than Covered Entity, except to the extent such action is: (i) required by law, (ii) required under this Agreement, or (iii) taken pursuant to a prior written consent of Covered Entity. Notwithstanding the foregoing, Business Associate may provide information regarding a Breach to its legal counsel. B. Content of Report. ivCitifiCatioii to Covereu Entity of a Mea 1, Shaii iiiCiUue, a't a iiiiiiin'iiim, the following: 1. A brief description of what happened, including the date of the incident and the date of the discovery of the incident, if known; 2. A description of the types of Protected Health Information that were involved in the incident (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information) and that were or are reasonably believed by Business Associate to have been impermissibly accessed, acquired, used or disclosed; 3. A fact -specific and detailed risk assessment of whether the incident poses a significant risk of financial, reputational, or other harm to the individual whose Protected Health Information has been (or is reasonable believed by Business Associate to have been) acquired, accessed, used or disclosed; 4. Identification of the Individuals whose Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed; S. Any steps Individuals should take to protect themselves from potential harm resulting from the incident; 6. A brief description of what Business Associate is doing to investigate the incident, to mitigate harm to Individuals, and to protect against any further incidents; and 7. Any other information reasonably requested by Covered Entity to be included in the report. C. Documentation and Retention. Business Associate will document all actions described in this Section V and maintain such documentation for at least six years from the date the documentation is created or the date it was last in effect, whichever is later. D. Reimbursement, Mitigation and Cooperation. Business Associate will reimburse Covered Entity for all reasonable and necessary out-of-pocket costs incurred (including without limitation costs associated with providing required notices) as a result of a Breach by the Business Associate, its affiliates, subcontractors or agents. Business Associate further agrees to cooperate with Covered Entity as reasonably requested, to mitigate, to the extent practicable, any harmful effect of such a Breach or other use or disclosure of Protected Health Information in violation of the terms and conditions of this Agreement, and fully cooperate with Covered Entity on all matters relating to such incident and associated notifications by Covered Entity to Individuals, the media, the Secretary, the Federal Trade Commission, or any other governmental entity. VI. Term and Termination A. Term. The Term of this Agreement will begin and become effective on the Effective Date and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section VI. B. Termination. In the event that a party (the "non -breaching party") discovers and determines that the other party (the "breaching party") materially breached or violated any of its obligations under this Agreement, the non -breaching party will notify the breaching party of such breach in writing and may immediately terminate the Agreement upon notice to the breaching party or may provide the breaching party with an opportunity to take reasonable steps to cure the breach or end the violation, as applicable, within a mutually agreed upon period of time. If the breaching party's attempts to cure the breach or end the violation are unsuccessful within that period, without limiting the rights of the parties under the Agreement, the non -breaching party may immediately terminate the Agreement upon notice to the breaching party. C. Effect of Relationship Termination. 1. Except as provided in paragraphs (b) and/or (c) of this sub -section, upon termination of the Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from, or created or received by it on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of Business Associate and/or its Subcontractors or agents. Business Associate will not retain any copies of Protected Health Information. Z. In the event that Business Associate determines that returning or destroying Protected Health Information is infeasible, Business Associate will notify Covered Entity of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Business Associate will extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. 3. Should Covered Entity notify Business Associate that the information necessary to comply with the recordkeeping requirements under other applicable law includes the Protected Health Information, Business Associate shall return or provide to Covered Entity such information, including Protected Health Information. VII. General Provisions A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended. B. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and/or Business Associate to comply with the requirements of the Privacy Rule, the Security Rule, and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. C. Interpretation. Any ambiguity in this Agreement shall be resolved to permit each party to comply with the Privacy Rule and the Security Rule, if applicable. D. Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive the termination of this Agreement and any related agreement, Including a services agreement. E. Indemnity. Each party will indemnify, hold harmless, and defend the other party and its affiliates, officers, directors, employees or agents from and against any claim, cause of action, liability, damage, cost or expense, including reasonable attorneys' fees and court or proceeding costs, arising out of or in connection with any non -permitted or violating use or disclosure of Protected Health Information or other breach of this Agreement by such party or any Subcontractor, agent, person or entity under such parry's control. Notwithstanding the foregoing, nothing in this section shall limit any rights of the parties to additional remedies under this Agreement and the Technology and Services Agreement. F. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties hereto, any rights obligations, or liabilities whatsoever. G. Conformance with Law. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA as they apply to each party. H. Action. For purposes of this Agreement, whenever action is required by a party to this Agreement, such action must be taken by a person or persons with authority to act on behalf of such party to this Agreement. Governing Law. This Agreement shall be governed by the law of Indiana, except to the extent preempted by federal law. J. Severability. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect. K. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally -recognized, next -day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing. L. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter. Notwithstanding the foregoing, this Agreement is intended to supplement (rather than supersede) the agreement between Business Associate and the sponsor of the Plan related to the services that Business Associate provides with respect to administration of the Plan. M. Counterparts. This Agreement may be executed in counterparts, each of which so executed shall be construed to be an original, but all of which together shall constitute one agreement binding on all parties, notwithstanding that all parties are not signatories to the same counterpart. Transmission by facsimile or electronic mail of an executed counterpart of this Agreement shall be deemed to constitute due and sufficient delivery of such counterpart. This Agreement and any amendment or modification may not be denied legal effect or enforceability solely because it is in electronic form, or because an electronic signature or electronic record was used in its formation. IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date set forth below. Covered Entity: This J� day of 201Y City of Richmond, Indiana, by and through its Board of Public Works and Safety By:z(./ Vicki Robinson, President ---Z iYhard .. .- �*LFo"- . - Approved: Sarah L. Hutton, Mayor Business Associate: This.2,/'q"day of 201.1 Next Generation Enrollment, Inc. By: Print Name: DI �� n? n(i YL- Title: DESIGNATED PERSONS APPENDIX Persons Authorized to Receive Protected Health Information In accordance with Section III.B.1. of this Agreement, disclosure of Protected Health Information may be made to the following employees of the sponsor of the Plan: Title/Office Name Phone Fax E-mail Confidential information will be provided only to the individuals identified above.