056-2014 - Next Generation Enrollment - Business Agreement
Next Generation
ENROLLMENT, INC
BUSINESS ASSOCIATE AGREEMENT
[amended for HITECH under ARRA]
This Business Associate Agreement ("Agreement") is entered into by and between City of Richmond on
behalf of the group medical plan ("Covered Entity") and Next Generation Enrollment, Inc. ("Business Associate").
I. Purpose
A. Business Associate is contractually obligated to provide certain services related to one or more
"covered entities" as that term is defined and regulated under HIPAA. The parties to this
Agreement acknowledge that (1) Business Associate is a "business associate" as that term is
defined and regulated under the Health Insurance Portability and Accountability Act of 1996, as
amended ("HIPAA"); and (2) Business Associate provides services to one or more "covered
entities" as that term is defined and regulated under HIPAA.
B. This Agreement is intended to constitute a "business associate" agreement between the Plan, as
a Covered Entity, and the Business Associate, as required under the privacy and security
provisions of HIPAA, as amended. Portions of HIPAA apply directly to Business Associate as
provided in the Health Information Technology for Economic and Clinical Health Act ("HITECH"),
part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business Associate's
obligations under this Agreement may be the same as, or in some cases in addition to, Business
Associate's own obligations under HIPAA as provided in HITECH.
II. Special Definitions
The following definitions are used by this Agreement:
A. Agreement — means this Business Associate Agreement, which is an agreement required under
45 C.F.R. Section 164.314(a)(2) between a Business Associate and a Covered Entity.
B. ARRA — means the American Recovery and Reinvestment Act of 2009.
C. Breach — means the unauthorized acquisition, access, use, or disclosure of Protected Health
Information regarding a Covered Individual that (1) prior to September 23, 2013, poses a
significant risk of financial, reputational, or other harm to such Covered Individual, or (2) on or
after September 23, 2013, compromises the security or privacy of the Protected Health
Information as determined in accordance with 45 C.F.R. Section 164.402. Notwithstanding the
foregoing, a Breach does not include: (1) any unintentional acquisition, access, or use of
Protected Health Information by an employee or individual acting under the authority of
Covered Entity or Business Associate and in the scope of the employment or relationship
between the employee or individual and Covered Entity or Business Associate, provided such
information is not further acquired, accessed, used, or disclosed by any person without
authorization; (2) any inadvertent disclosure by an individual who is authorized to access
Protected Health Information at Covered Entity's or Business Associate's facility to another
455 Pettis Avenue SE • P.O. Box 527 • Ada, MI 49301
888.266.1732 • 888.224.2371 • nextgenerationenrollment.com
Contract No. 56-2014
similarly situated individual at the same facility, provided such information is not further
acquired, accessed, used, or disclosed by any person without authorization; and (3) a disclosure
of Protected Health Information in a situation in which Business Associate has a good faith belief
that the person(s) to which the unauthorized disclosure was made would not reasonably have
been able to retain such information.
D. Business Associate — means Next Generation Enrollment, Inc., a person described in 45 C.F.R.
Section 160.103 who performs certain functions on behalf of a Covered Entity.
E. Covered Electronic Transactions — shall have the meaning given to the term "transaction" in 45
C.F.R. Section 160.103.
F. Covered Entity — means the Plan, an entity described in 45 C.F.R. Section 160.103.
G. Covered Individual — means a person who is eligible for payment of certain services or supplies
rendered or sold to the person or the person's eligible dependents under the terms, conditions,
limitations, and exclusions of the Plan.
H. Data Aggregation — means, with respect to Protected Health Information created or received by
Business Associate in its capacity as a business associate (as that term is defined in 45 C.F.R.
Section 160.103) of the Plan, the combining of such Protected Health Information by Business
Associate with the Protected Health Information received by Business Associate in its capacity as
a business associate of another covered entity (as those terms are defined in 45 C.F.R. Section
160.103), to permit data analyses that relate to the health care operations of the respective
covered entities.
I. Designated Record Set — means a group of records maintained by or for Covered Entity that is
(1) the medical records and billing records about Individuals maintained by or for a covered
health care provider, (2) the enrollment, payment, claims adjudication, and case or medical
management record systems maintained by or for Covered Entity, or (3) used, in whole or in
part, by or for Covered Entity to make decisions about Individuals. As used herein, the term
"Record" means any item, collection, or grouping of information that includes Protected Health
Information and is maintained, collected, used or disseminated by or for Covered Entity.
J. Effective Date — means [February 12, 2014], unless specifically noted otherwise herein.
K. Electronic Health Record — means an electronic record of health-related information regarding
an Individual that is created, gathered, managed, and consulted by authorized health care
clinicians and their staff.
L. Electronic Protected Health Information — shall have the same meaning as the term "electronic
protected health information" in 45 C.F.R. Section 160.103, limited to the information created,
received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
M. GINA - shall mean the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-223).
N. HITECH — means Health Information Technology for Economic and Clinical Health Act.
O. HHS — means the United States Department of Health and Human Services.
guidance, or (2) destruction, in accordance with the procedures identified in the Secretary's
guidance, of the media on which the Protected Health Information was stored or recorded.
III. Privacy Provisions
A. Introduction. Business Associate, on behalf of Covered Entity, performs or assists in the
performance of functions and activities that may involve the use, disclosure, receipt and/or
creation of Protected Health Information. The "business associate" provisions of the Privacy
Rule govern the terms and conditions under which the Business Associate may use or disclose
Protected Health Information. In general, Business Associate agrees and intends to act such that
(1) Covered Entity can fulfill its responsibilities under HIPAA; and (2) Business Associate can
fulfill its contractual obligations under this Agreement. In addition, Business Associate
specifically acknowledges its direct liability for the failure to comply with certain portions of the
Privacy Rule as provided under HITECH and the regulations issued thereunder.
B. Permitted Uses and Disclosures by Business Associate.
1. Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information (i) to perform functions, activities, or services for, or on
behalf of, Covered Entity pursuant to any services agreement with the Business
Associate, (ii) as permitted or required by this Agreement, and (iii) as Required by Law.
Business Associate may disclose Protected Health Information to other business
associates of Covered Entity, or to business associates of another covered entity that is
part of an organized health care arrangement that includes Covered Entity, to the fullest
extent allowed under applicable law. If and when Business Associate discloses or makes
available Protected Health Information to the sponsor of the Plan, Business Associate
agrees to disclose or make available Protected Health Information only to the persons
identified in the attached Designated Persons Appendix (which may be updated by
Covered Entity and communicated to Business Associate from time to time) for the
purpose of performing functions, services, or activities for or on behalf of Covered
Entity. Upon Covered Entity's request, Business Associate will provide Protected Health
Information to other business associates of Covered Entity that assist in administering
the group health plans and that are authorized to receive such information.
2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information for the proper management and administration of its business or to carry
out its legal responsibilities.
3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected
Health Information for the proper management and administration of its business, if:
i) the disclosures are Required by Law, or
ii) Business Associate obtains reasonable assurances from the person to whom the
information is disclosed that the information will be held confidentially and will
be used or further disclosed only as Required by Law or for the purpose for
which it was disclosed to such person, and the person will promptly notify the
Business Associate of any instances of which the person is aware in which the
confidentiality of the information has been breached.
4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to provide Data Aggregation services to Covered Entity as permitted by 45
C.F.R. Section 164.504(e)(2)(i)(B).
5. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to report violations of law to appropriate Federal and State authorities,
consistent with 45 C.F.R. Section 164.502(j)(1).
6. Business Associate will limit the use, disclosure, or request of Protected Health Information,
to the extent practicable, (i) to the Limited Data Set, or (ii) if needed by Business
Associate, to the minimum necessary (as determined by Business Associate) to
accomplish the intended purpose of such use, disclosure, or request, except to the
extent a broader use, disclosure, or request of Protected Health Information is allowed
by the Privacy Rule. Business Associate's ability to satisfy the requirement of this
Paragraph III.B.6 by use of the Limited Data Set shall be available until the effective date
of subsequent guidance issued by the Secretary regarding what constitutes "minimum
necessary," at which time Business Associate will take reasonable efforts to limit the
use, disclosure, or request of Protected Health Information to the minimum necessary
(as defined by such Secretary's guidance) to accomplish the intended purpose of such
use, disclosure, or request, except to the extent a broader use, disclosure, or request of
Protected Health Information is allowed by the Privacy Rule.
7. Except as otherwise authorized by the Privacy Rule, Business Associate shall not directly or
indirectly receive remuneration (whether financial or nonfinancial) in exchange for any
Protected Health Information of a Covered Individual unless Covered Entity has received
a valid authorization from the Covered Individual that includes a specification of
whether the Protected Health Information can be further exchanged for remuneration
by the entity receiving Protected Health Information of that Covered Individual. This
Paragraph III.B.7 shall apply to exchanges of Protected Health Information occurring on
or after the compliance date applicable under the final regulations issued under HITECH
that address this restriction.
8. Except as otherwise allowed by the Privacy Rule, Business Associate may not use or disclose
Protected Health Information regarding a Covered Individual with respect to a
communication about a product or service that encourages recipients of the
communication to purchase or use the product or service unless Covered Entity receives
no direct or indirect payment in exchange for making such communication and the
communication is made to the Covered Individual: (i) to describe a health-related
product or service (or payment for such product or service) that is provided by, or
included in, the Plan, including communications about the entities participating in a
health care provider network or health plan network, replacement of, or enhancements
to, the Plan, and health-related products or services available only to Covered
Individuals that add value to, but are not part of, the Plan; (ii) for treatment of the
Covered Individual; or (iii) for case management or care coordination for the Covered
Individual, or to direct or recommend alternative treatments, therapies, health care
providers, or settings of care to the Covered Individual. Notwithstanding the foregoing,
Business Associate may use or disclose Protected Health Information regarding a
Covered Individual with respect to a communication about a product or service that
encourages recipients of the communication to purchase or use the product or service if
the communication relates to a prescription drug that is currently being prescribed for a
Covered Individual and any financial remuneration received by Covered Entity in
exchange for making the communication is reasonably related to Covered Entity's cost
of making the communication. This Paragraph III.B.8 shall apply to disclosures of
Protected Health Information occurring on or after the compliance date applicable
under the final regulations issued under HITECH that address this restriction.
C. Limitations on Business Associate's Uses and Disclosures. With respect to Protected Health
Information that Covered Entity discloses to Business Associate or Business Associate creates,
receives, maintains, or transmits on behalf of Covered Entity, Business Associate will not use or
further disclose the Protected Health Information other than as permitted or required by this
Agreement (including, but not limited to, any restrictions described in Section III.E.4) or as
Required by Law.
D. Additional Obligations of Business Associate. Except as otherwise specified in this Agreement,
the provisions of this Paragraph III.D. apply only to Protected Health Information that Covered
Entity discloses to Business Associate or Business Associate creates, receives, maintains, or
transmits on behalf of Covered Entity.
1. Safeguards. Business Associate will use appropriate safeguards to prevent the improper use
of, disclosure of, and tampering with Protected Health Information and to reasonably
and appropriately protect the confidentiality, integrity, and availability of the Electronic
Protected Health Information.
2. Reporting and Mitigation. Business Associate will report to Covered Entity any acquisition,
access, use, or disclosure of Protected Health Information of which Business Associate
becomes aware, or that is reported to Business Associate by an agent or Subcontractor,
that is in violation of this Agreement. Such report shall be made within ten (10)
business days of its discovery (as that term is defined in 45 C.F.R. Section 164.410(a)(2))
by Business Associate. Business Associate agrees to promptly mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of an acquisition,
access, use, or disclosure in violation of this Agreement. This obligation includes, but is
not limited to, any acquisition, access, use, or disclosure of Unsecured Protected Health
Information that may constitute a Breach. The determination of whether a Breach has
occurred, and of the resultant action, shall be the responsibility of Covered Entity.
3. Agents and Subcontractors. Business Associate will enter into a written contract with any
agent or Subcontractor who creates, receives, maintains, or transmits Protected Health
Information on behalf of Business Associate that requires such agent or Subcontractor
to comply with the same restrictions and conditions that apply by and through this
Agreement to Business Associate with respect to such information. Business Associate
will be liable to Covered Entity for any acts, failures or omissions of the agent or
subcontractor in providing the services as if they were Business Associate's own acts,
failures or omissions, to the extent permitted by law. Business Associate further
expressly warrants that its agents or subcontractors will be specifically advised of, and
will comply in all respects with, the terms of this Agreement.
4. Access to Protected Health Information. Within fifteen (15) days of a request by Covered
Entity for access to Protected Health Information about a Covered Individual, Business
Associate shall make available to Covered Entity or, as directed by Covered Entity, a
Covered Individual such Protected Health Information contained in a Designated Record
Set. Effective September 23, 2013, if the Protected Health Information requested by
Covered Entity is maintained in a Designated Record Set electronically, Business
Associate shall make available, within the time period specified above, a copy of such
information in the electronic form and format specified by Covered Entity, provided
such information is readily producible in such form and format. If the information is not
readily producible in such form and format, Business Associate shall make the
information available in a readable electronic form and format as agreed to by the
parties. In the event any Covered Individual requests access to Protected Health
Information directly from Business Associate, Business Associate shall within five (5)
days forward such request to Covered Entity. Notwithstanding anything herein to the
contrary, Covered Entity shall be ultimately responsible for providing access to the
requested Protected Health Information or making the determination to deny access to
requested Protected Health Information.
5. Amendment of Protected Health Information. Within fifteen (15) days of receipt of a
request from Covered Entity or a Covered Individual for the amendment of Protected
Health Information or a record regarding a Covered Individual contained in a Designated
Record Set, Business Associate shall (i) provide such information to Covered Entity for
amendment, and (ii) incorporate any such amendments in the Protected Health
Information as required by 45 C.F.R. Section 164.526. It shall be Covered Entity's
responsibility to promptly notify Business Associate of the request for an amendment.
Notwithstanding anything herein to the contrary, Covered Entity shall be ultimately
responsible for determining whether the requested amendment shall be made and, if
the request is denied, in whole or in part, complying with 45 C.F.R. Section 164.526.
6. Disclosure Accounting. Business Associate agrees to track such disclosures of Protected
Health Information and information related to such disclosures as is necessary to enable
Covered Entity to respond to a request by a Covered Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 C.F.R. Section
164.528. Within fifteen (15) days of receipt of notice from Covered Entity that it has
received a request for an accounting of disclosures of Protected Health Information
regarding a Covered Individual, Business Associate shall make available to Covered
Entity such information as is in Business Associate's possession and is required for
Covered Entity to make the accounting required by 45 C.F.R. Section 164.528. At a
minimum, Business Associate shall provide Covered Entity with the following
information: (i) the date of the disclosure; (ii) the name of the entity or person who
received the Protected Health Information, and if known, the address of such entity or
person; (iii) a brief description of the Protected Health Information disclosed; and, (iv) a
brief statement of the purpose of such disclosure which includes an explanation of the
basis for such disclosure. Business Associate hereby agrees to implement an appropriate
record keeping process to enable it to comply with the requirements of this section and
applicable law. It shall be Covered Entity's responsibility to promptly notify Business
Associate of the request for an accounting, and to prepare and deliver any such
accounting requested. In addition to the foregoing, Business Associate shall track other
disclosures and/or make available to Covered Entity such information as is necessary for
Covered Entity to comply with any additional accounting requirements effective as of
the compliance date applicable under final regulations implementing such
requirements. Notwithstanding anything herein to the contrary, Covered Entity shall be
ultimately responsible for providing the disclosure accounting to the Covered Individual.
7. Access to Business Associate's Internal Records. Business Associate shall make its internal
practices, books, and records relating to the use and disclosure of Protected Health
Information received from, or created or received by Business Associate on behalf of,
Covered Entity available to Covered Entity or the Secretary, for the purposes of the
Secretary's determining compliance with HIPAA for Covered Entity and/or Business
Associate.
8. Electronic Transactions. In the event the Business Associate transmits or receives any
Covered Electronic Transaction on behalf of Covered Entity, it shall comply with all
applicable provisions of the Standards for Electronic Transactions Rule to the extent
Required by Law, and shall ensure that any agents and Subcontractors that assist
Business Associate in conducting Covered Electronic Transactions on behalf of Covered
Entity agree in writing to comply with the Standards for Electronic Transactions Rule to
the extent Required by Law.
11. GINA. Business Associate agrees not to use or disclose Protected Health Information
that contains genetic information if such use or disclosure would violate GINA.
E. Obligations and Rights of Covered Entity.
1. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice
of privacy practices that Covered Entity produces in accordance with 45 C.F.R. Section
164.520, as well as any changes to such notice.
2. Requests by Covered Entity. Covered Entity shall not request or direct Business Associate to
use or disclose Protected Health Information in any manner that would not be
permissible under the Privacy Rule if done by Covered Entity. This includes, but is not
limited to, requests or directions for disclosure of Protected Health Information to the
Plan sponsor in a capacity other than acting on behalf of the Plan as Covered Entity. To
the extent a dispute or difference of opinion exists between the Business Associate and
Covered Entity regarding whether a use or disclosure is permissible, Business Associate
may disclose the Protected Health Information under objection pursuant to the specific,
written direction of Covered Entity. Any disclosures made pursuant to such specific,
written direction shall be subject to the indemnification provisions of the Agreement.
3. Authorizations. Covered Entity shall notify Business Associate of any authorization provided
by an Individual to use or disclose Protected Health Information (and any changes in or
revocation of such an authorization), to the extent that such information may affect
Business Associate's use or disclosure of Protected Health Information. Upon receipt of
such notification, Business Associate shall use or disclose Protected Health Information
in accordance with the authorization or changes thereto.
4. Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or
disclosure of Protected Health Information to which Covered Entity has agreed in
accordance with 45 C.F.R. Section 164.522 or is required to agree under HITECH (and
any changes to or termination of such a restriction), to the extent that such restriction
may affect Business Associate's use or disclosure of Protected Health Information. Such
restrictions include, but are not limited to, a Covered Individual's request not to disclose
Protected Health Information for purposes of payment or health care operations where
the Protected Health Information relates solely to a health item or service for which the
health care provider has been paid in full out-of-pocket by, or on behalf of, the Covered
Individual. Upon receipt of such notification, Business Associate shall comply with such
a restriction.
5. Agreement Breaches by Business Associate. If Covered Entity obtains knowledge of a
pattern of activity or practice of Business Associate that constitutes a material breach or
violation of Business Associate's obligations under this Agreement, Covered Entity will
take reasonable steps to cure such breach or end such violation. If Covered Entity
cannot successfully cure the breach or end the violation, Covered Entity shall terminate
the Agreement in accordance with Section VI.B if feasible.
IV. Electronic Security Provisions
A. Introduction. This section applies where Business Associate, on behalf of Covered Entity,
performs or assists in the performance of functions and activities that may involve the creation,
maintenance, receipt, or transmission of Electronic Protected Health Information. This Section
IV along with the other sections of the Business Associate Agreement are (1) intended to meet
the requirements of the "business associate" provisions of Security Rule, and (2) govern the
terms and conditions under which the Business Associate may create, maintain, receive, and
transmit Electronic Protected Health Information on behalf of Covered Entity. In general,
Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its
responsibilities under HIPAA; (2) Business Associate can fulfill its responsibilities under HIPAA;
and (3) Business Associate can fulfill its contractual obligations under this Agreement.
B. Obligations of Business Associate. In accordance with the Security Rule, Business Associate
agrees to:
1. Conduct a security risk assessment (in accordance with 45 C.F.R. Section 164.308(a)(1)(ii)(A))
and adopt and implement policies and procedures designed to ensure compliance with the
Security Rule and this Agreement including, but not limited to, identifying a security officer
and training personnel. This Paragraph IV.B.1 shall be effective as of the compliance date
applicable under the final regulations issued under HITECH that address this requirement.
2. Implement administrative, physical and technical safeguards (including written policies and
procedures) that reasonably and appropriately protect the confidentiality, integrity, and
availability of the Electronic Protected Health Information that Business Associate creates,
maintains, receives, or transmits on behalf of Covered Entity.
3. Enter into a written contract with any agent or Subcontractor to whom Business Associate
provides Electronic Protected Health Information that requires such agent or Subcontractor
to comply with the same restrictions and conditions that apply under this Section IV to
Business Associate, including, but not limited to, implementing reasonable and appropriate
safeguards to protect such information.
4. Report to Covered Entity any Security Incident of which Business Associate becomes aware.
Business Associate shall provide such notification on a quarterly basis, unless a more prompt
notice is otherwise required by this Agreement (e.g., under Section III.D.2. or Article V).
With respect to Security Incidents that result from an unsuccessful attempt to access, use,
disclose, modify, or destroy Electronic Protected Health Information or interfere with
system operations in an information system containing Electronic Protected Health
Information, the notification required hereunder need only report the aggregate number of
such incidents.
5. Promptly mitigate, to the extent practicable, any harmful effect of a Security Incident that is
known to Business Associate.
C. Obligations of Covered Entity. Covered Entity shall not request or direct Business Associate to
create, maintain, receive, or transmit Electronic Protected Health Information in any manner
that would not be permissible under the Security Rule.
V. Breach Notification Requirements
A. Breach Notification. To the extent Business Associate accesses, maintains, retains, modifies,
records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health
Information, as set forth in Section 13402(h) of HITECH, Business Associate shall promptly report
to Covered Entity any Breach of such Unsecured Protected Health Information by it, its
subcontractors or agents of which it becomes aware. Notification to Covered Entity shall be
made without unreasonable delay and in no case later than fifteen business days after the
earlier of: (i) the first day on which such Breach is known to Business Associate; or (ii) the first
day on which such Breach, by exercising reasonable diligence, would have been known to any
person (other than the person committing the Breach) who is an employee, officer or other
agent of Business Associate. Notification of the Breach may only be delayed if such delay is
required by law enforcement purposes as set forth in 45 C.F.R. Section 164.412. Business
Associate shall exercise reasonable diligence and promptly supplement its report with any
additional information as may be obtained by Business Associate. Business Associate, its
affiliates, agents and subcontractors shall not provide any notification or information regarding
any Breach to any person other than Covered Entity, except to the extent such action is: (i)
required by law, (ii) required under this Agreement, or (iii) taken pursuant to a prior written
consent of Covered Entity. Notwithstanding the foregoing, Business Associate may provide
information regarding a Breach to its legal counsel.
B. Content of Report. Notification to Covered Entity of a Breach shall include, at a minimum, the
following:
1. A brief description of what happened, including the date of the incident and the date of
the discovery of the incident, if known;
2. A description of the types of Protected Health Information that were involved in the
incident (such as whether full name, social security number, date of birth, home address,
account number, diagnosis, disability code, or other types of information) and that were
or are reasonably believed by Business Associate to have been impermissibly accessed,
acquired, used or disclosed;
3. A fact-specific and detailed risk assessment of whether the incident poses a significant risk
of financial, reputational, or other harm to the individual whose Protected Health
Information has been (or is reasonably believed by Business Associate to have been)
acquired, accessed, used or disclosed;
4. Identification of the Individuals whose Protected Health Information has been, or is
reasonably believed by Business Associate to have been, accessed, acquired, used or
disclosed;
5. Any steps Individuals should take to protect themselves from potential harm resulting
from the incident;
6. A brief description of what Business Associate is doing to investigate the incident, to
mitigate harm to Individuals, and to protect against any further incidents; and
7. Any other information reasonably requested by Covered Entity to be included in the
report.
C. Documentation and Retention. Business Associate will document all actions described in this
Section V and maintain such documentation for at least six years from the date the
documentation is created or the date it was last in effect, whichever is later.
D. Reimbursement, Mitigation and Cooperation. Business Associate will reimburse Covered Entity
for all reasonable and necessary out-of-pocket costs incurred (including without limitation costs
associated with providing required notices) as a result of a Breach by the Business Associate, its
affiliates, subcontractors or agents. Business Associate further agrees to cooperate with
Covered Entity as reasonably requested, to mitigate, to the extent practicable, any harmful
effect of such a Breach or other use or disclosure of Protected Health Information in violation of
the terms and conditions of this Agreement, and fully cooperate with Covered Entity on all
matters relating to such incident and associated notifications by Covered Entity to Individuals,
the media, the Secretary, the Federal Trade Commission, or any other governmental entity.
VI. Term and Termination
A. Term. The Term of this Agreement will begin and become effective on the Effective Date and
shall terminate when all of the Protected Health Information provided by Covered Entity to
Business Associate, or created or received by Business Associate on behalf of Covered Entity is
destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected
Health Information, protections are extended to such information, in accordance with the
termination provisions in this Section VI.
B. Termination. In the event that a party (the "non-breaching party") discovers and determines
that the other party (the "breaching party") materially breached or violated any of its
obligations under this Agreement, the non-breaching party will notify the breaching party of
such breach in writing and may immediately terminate the Agreement upon notice to the
breaching party or may provide the breaching party with an opportunity to take reasonable
steps to cure the breach or end the violation, as applicable, within a mutually agreed upon
period of time. If the breaching party's attempts to cure the breach or end the violation are
unsuccessful within that period, without limiting the rights of the parties under the Agreement,
the non-breaching party may immediately terminate the Agreement upon notice to the
breaching party.
C. Effect of Relationship Termination.
1. Except as provided in paragraphs (b) and/or (c) of this sub-section, upon termination of
the Agreement, for any reason, Business Associate shall return or destroy all Protected
Health Information received from, or created or received by it on behalf of Covered
Entity. This provision shall apply to Protected Health Information that is in the
possession of Business Associate and/or its Subcontractors or agents. Business
Associate will not retain any copies of Protected Health Information.
2. In the event that Business Associate determines that returning or destroying Protected
Health Information is infeasible, Business Associate will notify Covered Entity of the
conditions that make return or destruction infeasible. Upon mutual agreement of the
parties that return or destruction of Protected Health Information is infeasible, Business
Associate will extend the protections of this Agreement to such Protected Health
Information and limit further uses and disclosures of such Protected Health Information
to those purposes that make the return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information.
3. Should Covered Entity notify Business Associate that the information necessary to
comply with the recordkeeping requirements under other applicable law includes the
Protected Health Information, Business Associate shall return or provide to Covered
Entity such information, including Protected Health Information.
VII. General Provisions
A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the
Security Rule means the section as in effect or as amended.
B. Amendment. The parties agree to take such action as is necessary to amend this Agreement
from time to time as is necessary for Covered Entity and/or Business Associate to comply with
the requirements of the Privacy Rule, the Security Rule, and the Health Insurance Portability and
Accountability Act of 1996, Pub. L. No. 104-191.
C. Interpretation. Any ambiguity in this Agreement shall be resolved to permit each party to
comply with the Privacy Rule and the Security Rule, if applicable.
D. Survival. The respective rights and obligations of Business Associate and Covered Entity under
this Agreement shall survive the termination of this Agreement and any related agreement,
including a services agreement.
E. Indemnity. Each party will indemnify, hold harmless, and defend the other party and its
affiliates, officers, directors, employees or agents from and against any claim, cause of action,
liability, damage, cost or expense, including reasonable attorneys' fees and court or proceeding
costs, arising out of or in connection with any non-permitted or violating use or disclosure of
Protected Health Information or other breach of this Agreement by such party or any
Subcontractor, agent, person or entity under such party's control. Notwithstanding the
foregoing, nothing in this section shall limit any rights of the parties to additional remedies
under this Agreement and the Technology and Services Agreement.
F. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to
confer, nor shall anything herein confer, upon any person other than the parties hereto, any
rights, obligations, or liabilities whatsoever.
G. Conformance with Law. The parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for the parties to comply with the requirements of
HIPAA as they apply to each party.
H. Action. For purposes of this Agreement, whenever action is required by a party to this
Agreement, such action must be taken by a person or persons with authority to act on behalf of
such party to this Agreement.
I. Governing Law. This Agreement shall be governed by the law of Indiana, except to the extent
preempted by federal law.
J. Severability. The invalidity or unenforceability of any provision of this Agreement shall not
affect the validity or enforceability of any other provision of this Agreement, which shall remain
in full force and effect.
K. Notices. All notices and communications required by this Agreement shall be in writing. Such
notices and communications shall be given in one of the following forms: (i) by delivery in
person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or
certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies
in writing.
L. Entire Agreement. This Agreement constitutes the entire agreement between the parties with
respect to its subject matter and constitutes and supersedes all prior agreements,
representations and understandings of the parties, written or oral, with regard to this same
subject matter. Notwithstanding the foregoing, this Agreement is intended to supplement
(rather than supersede) the agreement between Business Associate and the sponsor of the Plan
related to the services that Business Associate provides with respect to administration of the
Plan.
M. Counterparts. This Agreement may be executed in counterparts, each of which so executed
shall be construed to be an original, but all of which together shall constitute one agreement
binding on all parties, notwithstanding that all parties are not signatories to the same
counterpart. Transmission by facsimile or electronic mail of an executed counterpart of this
Agreement shall be deemed to constitute due and sufficient delivery of such counterpart. This
Agreement and any amendment or modification may not be denied legal effect or enforceability
solely because it is in electronic form, or because an electronic signature or electronic record
was used in its formation.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date set forth below.
Covered Entity:
This ___ day of ___________, 201_
City of Richmond, Indiana, by and through its Board
of Public Works and Safety
By:
Vicki Robinson, President
Approved:
Sarah L. Hutton, Mayor
Business Associate:
This ___ day of ___________, 201_
Next Generation Enrollment, Inc.
By:
Print Name:
Title:
DESIGNATED PERSONS APPENDIX
Persons Authorized to Receive
Protected Health Information
In accordance with Section III.B.1. of this Agreement, disclosure of Protected Health Information may be made
to the following employees of the sponsor of the Plan:
Title/Office Name Phone Fax E-mail
Confidential information will be provided only to the individuals identified above.