070-2015 - HR - Magellan - Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

Magellan Rx Management, Inc. ("MRx"), and MRx's Client or one of its affiliates ("Sponsor"), are parties to an agreement ("PBM Agreement") whereby MRx provides certain pharmacy benefit management services to the Sponsor's prescription drug plan (Sponsor and Sponsor's prescription drug plan collectively referred to hereinafter as "Plan"). The PBM Agreement addresses the parties' rights and obligations concerning the use and disclosure of patients' protected health information. The HIPAA Rules (as defined below) require MRx and the Plan to enter into a "business associate agreement" to comply with applicable sections of the HIPAA Rules as of the applicable Compliance Dates.

1. Definitions.

(a) "Breach" shall mean the unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. "Breach" shall not include: (i) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of Plan or MRx, as long as such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual with Plan or MRx and such information is not further acquired, accessed, used, or disclosed by any person; or (ii) an inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by Plan or MRx to another similarly situated individual at the same facility, provided that any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed by any person.

(b) "Compliance Date(s)" shall mean the date established by HHS or the United States Congress for the effective date of applicability and enforceability of the HIPAA Rules and HITECH Standards.

(c) "Designated Record Set" shall mean a group of records maintained by or for Plan that is (i) the medical records and billing records about individuals maintained by or for Plan; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Plan to make decisions about individuals.

(d) "Electronic Health Record" shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

(e) "Electronic PHI" shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103.

(f) "Health Plan" or "Plan" shall have the same meaning as the term "Health Plan" in 45 C.F.R. § 160.103.

(g) "HIPAA Rules" means the collective privacy, transaction and code sets, and security regulations promulgated pursuant to the Health Insurance Portability and Accountability Act, as codified at 45 C.F.R. Parts 160, 162 & 164.

(h) "HITECH Standards" means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.

MRxBAA102914

(i) "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

(j) "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by MRx from or on behalf of Plan.

(k) "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E, as they exist now or as they may be amended.

(l) "Required by Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.

(m) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

(n) "Security Incident" shall have the same meaning as "security incident" in 45 C.F.R. § 164.304.

(o) "Security Standards" shall mean the Security Standards, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart C, to be effective no later than April 20, 2005, as they exist now or as they may be amended.

(p) "Transactions Standards" shall mean the Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162, as they exist now or as they may be amended.

Terms used, but not otherwise defined, in this Business Associate Agreement shall have the same meaning as those terms in the HIPAA Rules and the HITECH Standards.

2. General Use and Disclosure Provisions.

MRx and Plan acknowledge and agree as follows:

(a) Use or Disclosure. MRx agrees not to use or further disclose PHI other than as expressly permitted or required by this Business Associate Agreement or as Required by Law. MRx shall not use or disclose Genetic Information (as defined in 45 C.F.R. § 160.103) for underwriting purposes in violation of the HIPAA Rules.

(b) Minimum Necessary. MRx will take reasonable efforts to limit requests for, use and disclosure of PHI to the minimum necessary to accomplish the intended request, use or disclosure.

(c) Specific Use or Disclosure Provisions. Except as otherwise limited in this Business Associate Agreement, MRx may use and disclose PHI to properly provide, manage and administer the services required under the PBM Agreement and consistent with applicable law to assist the Plan in its operations, as long as such use or disclosure would not violate the HIPAA Rules if done by the Plan, or such use or disclosure is expressly permitted in (i) through (iii) below:

(i) MRx may use PHI for the proper management and administration of MRx or to carry out MRx's legal responsibilities.

(ii) MRx may disclose PHI to third parties for the proper management and administration of MRx or to carry out the legal responsibilities of MRx, provided that the disclosures are Required by Law, or MRx obtains written assurances from the person to whom the information is disclosed that: (A) the information will remain confidential; (B) the information will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person; and (C) the person will notify MRx of any instances of which it is aware in which the confidentiality of the information has been breached.

(iii) MRx may use PHI to perform Data Aggregation services on behalf of the Plan as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

(d) Reporting. MRx agrees to promptly notify Plan if MRx has knowledge that PHI has been used or disclosed by MRx in a manner that violates this Business Associate Agreement. To the extent that MRx creates, receives, maintains or transmits Electronic PHI, MRx agrees to report promptly to Plan any Security Incident, as determined by MRx, involving PHI of which MRx becomes aware. MRx shall, following the discovery of a Breach of Unsecured PHI, notify Plan of such Breach without unreasonable delay and in no event later than thirty (30) calendar days after the discovery, including the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed during the Breach. A Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by MRx.

(e) Safeguards. MRx agrees to use appropriate safeguards, consistent with applicable law, to prevent use or disclosure of PHI in a manner that would violate this Business Associate Agreement. MRx shall provide Plan with such information concerning such safeguards as Plan may reasonably request from time to time. To the extent that MRx creates, receives, maintains or transmits Electronic PHI, MRx agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the Electronic PHI that MRx creates, receives, maintains or transmits on behalf of the Plan as required by the Security Standards.

(f) Mitigation. MRx agrees to mitigate, to the extent practicable, any harmful effect that is known to MRx of a use or disclosure of PHI by MRx in violation of this Business Associate Agreement or the PBM Agreement.

(g) Subcontractors and Agents. MRx agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by MRx on behalf of the Plan, agrees to the same restrictions, terms and conditions that apply through this Agreement to MRx with respect to such information, including the requirement that it implement reasonable and appropriate safeguards to protect any Electronic PHI that is disclosed to it by MRx.

(h) Access. Within fifteen (15) business days of a request by the Plan, MRx shall provide access to Plan to PHI in a Designated Record Set in order to meet the requirements under 45 C.F.R. § 164.524. If MRx receives a request directly from an Individual, or if requested by the Plan that access be provided to the Individual, MRx shall provide access to the Individual to PHI in a Designated Record Set within thirty (30) days in order to meet the requirements under 45 C.F.R. § 164.524.

(i) Amendment. Within sixty (60) days of a request by the Plan or subject Individual, MRx agrees to make any appropriate amendment(s) to PHI in a Designated Record Set that Plan directs or agrees to pursuant to 45 C.F.R. § 164.526.

(j) Accounting. Within thirty (30) days of a proper request by the Plan, MRx agrees to document and make available to Plan, for a reasonable cost-based fee (under conditions permitted by HIPAA if an Individual requests an accounting more than once during a twelve month period), such disclosures of PHI and information related to such disclosures necessary to respond to such request for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528. Within sixty (60) days of proper request by subject Individual, MRx agrees to make available to the Individual the information described above. MRx shall retain copies of any accountings for a period of six (6) years from the date the accounting was created.

(k) Restrictions on Use or Disclosure. Within fifteen (15) business days of a request of the Plan, MRx agrees to consider restrictions on the use or disclosure of PHI agreed to by the Plan on behalf of an Individual in accordance with 45 C.F.R. § 164.522.

(l) Audit and Inspection. MRx agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by MRx on behalf of the Plan, available to Plan within ten (10) business days, or at the request of the Plan or the Secretary, to the Secretary in a time and manner directed by the Secretary, for purposes of the Secretary determining the Plan's compliance with the HIPAA Rules. Any release of information regarding MRx's practices, books and records is proprietary to MRx and shall be treated as confidential and shall not be further disclosed without the written permission of MRx, except as necessary to comply with the HIPAA Rules.

(m) Compliance with the HITECH Standards. MRx shall comply with the HITECH Standards, including, but not limited to: (i) compliance with the requirements regarding minimum necessary under HITECH § 13405(b); (ii) requests for restrictions on use or disclosure to health plans for payment or health care operations purposes when the provider has been paid out of pocket in full, consistent with HITECH § 13405(a); (iii) the prohibition of sale of PHI without authorization unless an exception under HITECH § 13405(d) applies; (iv) the prohibition on receiving remuneration for certain communications that fall within the exceptions to the definition of marketing under 45 C.F.R. § 164.501 unless permitted by this Agreement and Section 13406 of HITECH; (v) the requirements relating to the provision of access to certain information in electronic access under HITECH § 13405(e); (vi) compliance with each of the Standards and Implementation Specifications of 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards) and 164.316 (Policies and Procedures and Documentation Requirements); and (vii) as of the separate compliance date set forth in regulations promulgated under HITECH on this topic, the requirements regarding accounting of certain disclosures of PHI maintained in an Electronic Health Record under HITECH § 13405(c) to the extent that MRx discloses any PHI maintained in an Electronic Health Record on behalf of the Plan pursuant to this Business Associate Agreement.

3. Plan Obligations.

(a) Plan shall notify MRx of any limitation(s) in the notice of privacy practices of Plan in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect MRx's use or disclosure of PHI.

(b) Plan shall notify MRx of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect MRx's use or disclosure of PHI.

(c) Plan shall notify MRx of any restriction to the use or disclosure of PHI that Plan has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect MRx's use or disclosure of PHI.

(d) Plan shall not request that MRx use or disclose PHI in any manner that would exceed that which is minimally necessary under the HIPAA Rules or that would not be permitted by a Covered Entity.

(e) Plan agrees that it will have entered into "Business Associate Agreements" with any third parties (e.g., case managers, brokers or third party administrators) to which Plan directs and authorizes MRx to disclose PHI.

4. Transactions Standards.

The HIPAA Rules provide for certain Transactions Standards for transfer of data between trading partners. While certain of the standards may or may not be adopted by the Plan (e.g., for eligibility), MRx will be prepared to accept the following in accordance with 45 C.F.R. Part 162.502: ASC X12N 834 — Benefit Enrollment and Maintenance. In addition, to the extent applicable, MRx shall comply with other applicable transactions standards for claims processing functions between MRx and provider pharmacies. Each party hereby agrees that it shall not change any definition, data condition or use of a data element or segment in a standard, add any data elements or segment to the maximum defined data set, use any code or data elements that are either marked "not used" in the standard's implementation specification or are not in the implementation specification, or change the meaning or intent of the implementation specification.

5. Breach; Termination.

(a) Without limiting the termination rights of the parties pursuant to the PBM Agreement, upon Plan's knowledge of a material breach by MRx of this Business Associate Agreement, Plan shall notify MRx of such breach and MRx shall have thirty (30) days to cure such breach. In the event MRx does not cure the breach, or cure is infeasible, Plan shall have the right to immediately terminate this Business Associate Agreement and the PBM Agreement. If cure of the material breach is infeasible, Plan shall report the violation to the Secretary.

(b) Without limiting the termination rights of the parties pursuant to the PBM Agreement, upon MRx's knowledge of a material breach by the Plan of this Business Associate Agreement, MRx shall notify Plan of such breach and the Plan shall have thirty (30) days to cure such breach. In the event the Plan does not cure the breach, or cure is infeasible, MRx shall have the right to immediately terminate this Business Associate Agreement and the PBM Agreement. If cure of the material breach is infeasible, MRx shall report the violation to the Secretary.

(c) To the extent feasible, upon termination of the PBM Agreement for any reason, MRx shall, and shall cause any subcontractors and agents to, return or destroy and retain no copies of all PHI received from, or created or received by MRx on behalf of, the Plan. If MRx determines, in its sole discretion, that return or destruction of such information is not feasible, MRx shall continue to limit the use or disclosure of such information as set forth in this Agreement as if the PBM Agreement had not been terminated.

(d) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

[Signature page of the Plan Sponsor Agreement, interleaved in the scanned record]

Value-Added Services. The additional services MRx may make available at additional cost to its clients and Accounts as set forth in Exhibit A of this Agreement.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the most recent below-indicated date.

Magellan Rx Management, Inc.
By:
Title: President
Date:

City of Richmond, by and through its Board of Public Works and Safety
By:
Title:
Date:

Approved: Sarah L. Hutton, Mayor
Date:

Proprietary and Confidential. The contents of this document are confidential and proprietary to Magellan Rx Management, Inc. and may not be reproduced, transmitted, published, or disclosed to others without prior written authorization from Magellan Rx Management, Inc.
Plan Sponsor Agreement — Direct Traditional 100714

6. Miscellaneous.

(a) Amendment. The parties acknowledge that the foregoing provisions are designed to comply with the mandates of the HIPAA Rules and HITECH Standards. MRx shall provide written notice to Plan to the extent that any final regulation or amendment to final regulations promulgated by the Secretary under HIPAA Rules or HITECH requires changes to this Business Associate Agreement. Such written notice shall include any additional amendment required by any such final regulation, and the Business Associate Agreement shall be automatically amended to incorporate the changes set forth in such amendment provided by MRx to Plan, unless Plan objects to such amendment in writing within fifteen (15) days of receipt of such written notice. In the event that Plan objects timely to such amendment, the parties shall work in good faith to reach agreement on an amendment to the Business Associate Agreement that complies with the final regulations. If the parties are unable to reach agreement regarding an amendment to the Business Associate Agreement within thirty (30) days of the date that MRx receives any written objection from the Plan, either MRx or Sponsor may terminate this Business Associate Agreement upon ninety (90) days written notice to the other party. Any other amendment to this Business Associate Agreement unrelated to compliance with applicable law and regulations shall be effective only upon execution of a written agreement between the parties.

(b) Effect on PBM Agreement. Except as relates to the use, security and disclosure of PHI and electronic transactions, this Business Associate Agreement is not intended to change the terms and conditions of, or the rights and obligations of the parties under, the PBM Agreement.

(c) No Third-Party Beneficiaries. Nothing express or implied in the PBM Agreement or in this Business Associate Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations or liabilities whatsoever.

(d) Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits the Plan to comply with the HIPAA Rules and the HITECH Standards.

(e) Effective Date. This Business Associate Agreement shall be effective as of the applicable Compliance Dates.

(f) Binding Signature. MRx's signature below shall constitute a valid and binding enforceable Business Associate Agreement between the parties, even if Plan chooses not to countersign and return this Business Associate Agreement.

MAGELLAN RX MANAGEMENT, INC.
By:
Printed Name: Robert W. Field
Title: President
Date: January 1, 2015

CITY OF RICHMOND
Printed Name: Vicki Rnhinann
Title: President, Board of Works and Public Safety
Date:
PLAN SIGNATURE OPTIONAL

Approved: Sarah L. Hutton, Mayor
Date: