Contract 47818
CITY SECRETARY, MAY 25 2016

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into on this 6th day of May, 2016 (the "Effective Date"), by and between the City of Fort Worth ("Client") on behalf of itself and its group health and welfare plans (collectively the "Covered Entity") and AON Consulting, Inc. ("Business Associate").

RECITALS:
WHEREAS, Business Associate performs or assists in performing a function or activity on behalf of Covered Entity that involves the use and/or disclosure of the Covered Entity's "protected health information" (such information, as defined in 45 C.F.R. 160.103, as such provision is currently drafted and if applicable subsequently updated, amended, or revised; referred to herein as "Protected Health Information" or "PHI"); and
WHEREAS, the parties desire to enter into this Business Associate Agreement to govern the use and/or disclosure of Protected Health Information as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"), and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") promulgated thereunder (collectively, the "HIPAA Privacy Rules and/or Security Standards").
NOW, THEREFORE, the parties hereto agree as follows:

1. Definitions.
When used in this Agreement and capitalized, the following terms have the following meanings:
(a) "Breach" shall have the same meaning as the term "Breach" in 45 C.F.R. § 164.402.
(b) "Electronic Protected Health Information" or "ePHI" shall mean Protected Health Information transmitted by electronic media or maintained in electronic media.
(c) "Individual" shall have the same meaning as the term "Individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
(d) "Privacy Rule" shall mean the Standards for Privacy of Individual Identifiable Health Information as set forth at 45 C.F.R. Parts 160 and 164 Subparts A and E.
(e) "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
OFFICIAL RECORD, CITY SECRETARY, FT. WORTH, TX
City of Fort Worth Business Associate Agreement, Page 1 of 9
(f) "Required by Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.
(g) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.
(h) "Security Incident" shall mean any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system.
(i) "Security Rule" shall mean the Standards for Security of PHI, including ePHI, as set forth at 45 C.F.R. Parts 160 and 164 Subparts A and C.
(j) "Unsecured Protected Health Information" shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.
Terms used but not defined in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rules and/or Security Standards.

2. Obligations and Activities of Business Associate Regarding PHI.
(a) Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
(c) Business Associate agrees to ensure that any agents, including subcontractors (excluding entities that are merely conduits), to whom it provides PHI agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
(d) Business Associate agrees to provide access, at the request of Covered Entity, and in a reasonable time and manner designated by Covered Entity, to PHI in a Designated Record Set that is not also in Covered Entity's possession, to Covered Entity in order for Covered Entity to meet the requirements under 45 C.F.R. § 164.524.
(e) Business Associate agrees to make any amendment to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 in a reasonable time and manner designated by Covered Entity.
(f) Business Associate agrees to make internal practices books and records including policies and procedures relating to the use and disclosure of PHI available to the Secretary, in a reasonable time and manner as designated by the Covered Entity or Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. Business Associate shall promptly notify Covered Entity upon receipt or notice of any request by the Secretary to conduct an investigation with respect to PHI received from the Covered Entity.
(g) Business Associate agrees to document any disclosures of PHI that are not excepted under 45 C.F.R. § 164.528(a)(1) as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(h) Business Associate agrees to provide to Covered Entity or an Individual, in a time and
manner designated by Covered Entity, information collected in accordance with paragraph (g) above, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(i) Business Associate agrees to use or disclose PHI pursuant to the request of Covered Entity; provided, however, that Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

3. Permitted Uses and Disclosures of PHI by Business Associate.
(a) Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity in accordance with the terms of this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
(b) Business Associate may use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
(c) Business Associate may disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate if: (i) such disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware that the confidentiality of the information has been breached.
(d) Business Associate shall limit the PHI to the extent practicable, to the limited data set or if needed by the Business Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request subject to exceptions set forth in the Privacy Rule.
(e) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

4. Obligations of Covered Entity Regarding PHI.
(a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.
(b) Covered Entity shall provide Business Associate with any changes in, or revocation of, authorization by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, if such restrictions affect Business Associate's permitted or required uses and disclosures.
(d) Covered Entity shall require all of its employees, agents and representatives to be appropriately informed of its legal obligations pursuant to this Agreement and the Privacy Rule and Security Standards required by HIPAA and will reasonably cooperate with Business Associate in the performance of the mutual obligations under this Agreement.

5. Security of Protected Health Information.
(a) Business Associate represents that it has implemented policies and procedures to ensure that its receipt, maintenance, or transmission of all PHI, either electronic or otherwise, on behalf of Covered Entity complies with the applicable administrative, physical, and technical safeguards required protecting the confidentiality, availability and integrity of PHI as required by the HIPAA Privacy Rules and Security Standards.
(b) Business Associate agrees that it will ensure that agents or subcontractors agree to implement the applicable administrative, physical, and technical safeguards required to protect the confidentiality, availability and integrity of PHI as required by HIPAA Privacy Rules and Security Standards.
(c) Business Associate agrees to report to Covered Entity any Security Incident (as defined 45 C.F.R. Part 164.304) of which it becomes aware. Business Associate agrees to report the Security Incident to the Covered Entity as soon as reasonably practicable, but not later than 10 business days from the date the Business Associate becomes aware of the incident.
(d) Business Associate agrees to establish procedures to mitigate, to the extent possible, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
(e) Business Associate agrees to notify Covered Entity promptly upon discovery of any Breach of Unsecured Protected Health Information (as defined in 45 C.F.R. §§ 164.402 and 164.410) and provide to Covered Entity, to the extent available to Business Associate, all information required to permit Covered Entity to comply with the requirements of 45 C.F.R. Part 164 Subpart D.
(f) Covered Entity agrees and understands that the Covered Entity is independently responsible for the security of all PHI in its possession (electronic or otherwise), including all PHI that it receives from outside sources including the Business Associate.

6. Term and Termination.
(a) Term.
This Agreement shall be effective as of the Effective Date and shall remain in effect until the Business Associate relationship with the Covered Entity is terminated in accordance with this Section 6 herein, and all PHI is returned, destroyed or is otherwise protected as set forth in Section 6(e).
(b) Termination for Cause by Covered Entity. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach. If Business Associate does not cure the breach within 30 days from the date that Covered Entity provides notice of such breach to Business Associate, Covered Entity shall have the right to immediately terminate this Agreement and any existing underlying services agreement between Covered Entity and Business Associate.
(c) Termination by Business Associate. This Agreement may be terminated by Business Associate upon 30 days prior written notice to Covered Entity in the event that Business Associate, acting in good faith, believes that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the date of this Agreement and applicable to PHI or to this Agreement, cannot be met by Business Associate in a commercially reasonable manner and without significant additional expense.
(d) Termination for Convenience. Either party may terminate this Agreement for convenience, for any reason, upon sixty (60) days written notice to the other party.
(e) Effect of Termination. Upon termination of this Agreement for any reason, at the request of Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.
Business Associate shall not retain any copies of the PHI unless return or destruction is deemed infeasible. If the return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. For purposes of illustration only and not to limit the set of circumstances that could potentially make return or destruction infeasible, it would be infeasible for Business Associate to return or destroy certain PHI that is part of work product that must be retained for document retention/archival purposes, as well as PHI that is stored as a result of backup e-mail systems that store e-mails for emergency backup purposes.

7. Amendment.
The parties may agree to amend this Agreement from time to time in any other respect that they deem appropriate. This Agreement shall not be amended except by written instrument executed by the parties.

8. Indemnification.
Business Associate shall indemnify and hold harmless Covered Entity from and against any and all damages, losses, liabilities, and expenses (including reasonable attorneys' fees and expenses) (collectively a "Loss" or "Losses") arising from Business Associate's material breach of this Agreement. The indemnification obligations provided for in this Section will commence on the effective date of this Agreement and will survive its termination.

9. Severability.
The parties intend this Agreement to be enforced as written.
However, (i) if any portion or provision of this Agreement is to any extent declared illegal or unenforceable by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the application of such portion or provision in circumstances other than those as to which it is so declared illegal or unenforceable, will not be affected thereby, and each portion and provision of this Agreement will be valid and enforceable to the fullest extent permitted by law; and (ii) if any provision, or part thereof, is held to be unenforceable because of the duration of such provision, the Covered Entity and the Business Associate agree that the court making such determination will have the power to modify such provision, and such modified provision will then be enforceable to the fullest extent permitted by law.

10. Notices.
All notices, requests, consents and other communications hereunder will be in writing, will be addressed to the receiving party's address set forth below or to such other address as a party may designate by notice hereunder, and will be either (i) delivered by hand, (ii) made facsimile transmission, (iii) sent by overnight courier, or (iv) sent by registered mail or certified mail, return receipt requested, postage prepaid.

If to the Covered Entity:
Assistant City Manager for HR
1000 Throckmorton
Fort Worth, Texas 76102
With copy to: City Attorney's Office at same address

If to the Business Associate:
Aon Corporation
200 East Randolph Street, 81st Floor
Chicago, IL 60601
Attn: HIPAA Privacy Officer

11. Regulatory References.
A reference in this Agreement to a section in the Privacy Rule means the referenced section or its successor, and for which compliance is required.

12. Headings and Captions.
The headings and captions of the various subdivisions of the Agreement are for convenience of reference only and will in no way modify or affect the meaning or construction of any of the terms or provisions hereof.

13. Entire Agreement.
This Agreement sets forth the entire understanding of the parties with respect to the subject matter set forth herein and supersedes all prior agreements, arrangements and communications, whether oral or written, pertaining to the subject matter hereof.

14. Binding Effect.
The provisions of this Agreement shall be binding upon and shall inure to the benefit of both parties and their respective successors and assigns.

15. No Waiver of Rights, Powers and Remedies.
No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of dealing between the parties hereto, will operate as a waiver of any such right, power or remedy of the party. No single or partial exercise of any right, power or remedy under this Agreement by a party hereto, nor any abandonment or discontinuance of steps to enforce any such right, power or remedy, will preclude such party from any other or further exercise thereof or the exercise of any other right, power or remedy hereunder. The election of any remedy by a party hereto will not constitute a waiver of the right of such party to pursue other available remedies. No notice to or demand on a party not expressly required under this Agreement will entitle the party receiving such notice or demand to any other or further notice or demand in similar or other circumstances or constitute a waiver of the right of the party giving such notice or demand to any other or further action in any circumstances without such notice or demand.
The terms and provisions of this Agreement may be waived, or consent for the departure therefrom granted, only by written document executed by the party entitled to the benefits of such terms or provisions. No such waiver or consent will be deemed to be or will constitute a waiver or consent with respect to any other terms or provisions of this Agreement, whether or not similar. Each such waiver or consent will be effective only in the specific instance and for the purpose for which it was given, and will not constitute a continuing waiver or consent.

16. Governing Law; Venue.
This Agreement will be governed by and construed in accordance with the laws of the State of Texas. Should an action, whether real or asserted, at law or in equity, arise out of the execution, performance, attempted performance of this Agreement, venue for said action shall lie in Tarrant County, Texas.

17. Interpretation.
It is the parties' intent to comply strictly with all applicable laws, including without limitation, HIPAA, state statutes, or regulations (collectively, the "Regulatory Laws"), in connection with this Agreement. In the event there shall be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either party may perform or be compensated under this Agreement or which shall make this Agreement unlawful, the parties shall immediately enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this Agreement that complies with the law, regulation or policy and that approximates as closely as possible the economic position of the parties prior to the change.
In addition, the parties hereto have negotiated and prepared the terms of this Agreement in good faith with the intent that each and every one of the terms, covenants and conditions herein be binding upon and inure to the benefit of the respective parties.

18. Review of Counsel.
The parties acknowledge that each party and its counsel have had the opportunity to review and revise this Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto.

19. Signature Authority.
The person signing this Agreement hereby warrants that he or she has the legal authority to execute this Agreement on behalf of his or her respective party, and that such binding authority has been granted by proper order, resolution, ordinance or other authorization of the entity. The other party is fully entitled to rely on this warranty and representation in entering into this Agreement.

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.

COVERED ENTITY:
By:
Name:
Title: Assistant City Manager

BUSINESS ASSOCIATE:
By:
Name: Matt Miller
Title: Chief Counsel

ATTEST:
Mary Kayser, City Secretary

APPROVED AS TO FORM AND LEGALITY:
ill Trevino, Asst. City Attorney II

No M&C Required