HomeMy WebLinkAboutContract 46249 CITY SECRUARY
CONTRACT NO. L Z
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is effective January Is% 2015
(the "Effective Date"), by and between Envision Pharmaceutical Services, Inc. ("Business
Associate") and the City of Fort Worth ("Plan Sponsor"), each referred to individually herein
as a"Party" or collectively as the "Parties".
RECITALS
A. Plan Sponsor sponsors a health benefit plan that provides coverage for prescription
medications and supplies to covered members. Plan Sponsor has entered into a service
agreement with Business Associate to provide certain administrative services to, or on
behalf of, Plan Sponsor.
B. In order for Business Associate to provide services to Plan Sponsor, Plan Sponsor may
disclose certain Protected Health Information ("PHI") (as defined in Article 1 of this
Agreement) of Plan Sponsor's members to Business Associate and anticipates that
Business Associate will create, receive, maintain or transmit PHI on behalf of Plan
Sponsor.
C. The Parties desire to protect the privacy and security of all PHI in compliance with the
Health Insurance Portability and Accountability Act ("HIPAA"), as amended by the
Health Information Technology for Economic and Clinical Health Act of 2009 ("the
HITECH Act"), and the regulations promulgated there under. The purpose of this
Agreement is to ensure such compliance.
D. This Agreement incorporates provisions 42 U.S.C. § 17931(a) and 42 U.S.C. § 17934(a)
of the HITECH Act.
NOW, THEREFORE, the Parties, in consideration of the mutual agreements herein contained,
and for other good and valuable consideration, the receipt and adequacy of which are hereby
acknowledged, do hereby agree as follows:
Article 1: Definitions
For the purposes of this Agreement, the following defined terms shall have the following
definitions. Except as otherwise stated herein, the defined terms used in this Agreement shall
have the meanings given them under HIPAA and the regulations thereunder, including any
amendments thereto.
1.1 "Breach" shall mean the acquisition, access, use, or disclosure of PHI in a manner not
permitted under Subpart E of 45 C.F.R. Part 164, which compromises the security or
privacy of the PHI.
"Breach"excludes:
(1) Any unintentional acquisition, access, or use of PHI by an employee or a person
acting under the authority of Business acquisition, access, or use was
OFFICIAL RECORD
\B.A-Plan sponsor[Rev.09-23-20131 CITY SECRETARY RECEIVED DEC 1
FT.WORTH,TX 5 PM.
J
made in good faith and within the scope of the authority, and does not result in further
use or disclosure in a manner not permitted under Subpart E of 45 C.F.R. Part 164.
(2) Any inadvertent disclosure of PHI by a person authorized to access PHI at Business
Associate to another person authorized to access PHI at Business Associate, and the
information received as a result of the disclosure is not further used or disclosed in a
manner not permitted under Subpart E of 45 C.F.R. Part 164.
(3) A disclosure of PHI in which Business Associate has a good faith belief that an
unauthorized person to whom PHI is disclosed would not reasonably have been able to
retain the information.
1.2 "Designated Record Set" shall have the meaning prescribed to it in 45 C.F.R. § 164.501.
1.3 "HHS" shall mean the U. S. Department of Health and Human Services.
1.4 "HIPAA Standards" shall mean the standards for privacy and security of Individually
Identifiable Health Information found at 45 C.F.R. Parts 160 and 164.
1.5 "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103
and shall include a person who qualifies as a personal representative in accordance with
45 C.F.R. § 164.502(g).
1.6 "Individually Identifiable Health Information" shall have the meaning prescribed to it in
45 C.F.R. § 160.103.
1.7 "Protected Health Information" shall have the meaning prescribed to it in 45 C.F.R. §
160.103, limited to Individually Identifiable Health Information transmitted or
maintained in any form or medium that Business Associate creates or receives from or on
behalf of Plan Sponsor.
1.8 "Required by Law" shall have the same meaning as the term "required by law" in 45
C.F.R. § 164.103.
1.9 "Secretary" shall mean the Secretary of HHS or his or her designee.
1.10 "Security Incident" shall mean the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system
operations in an information system.
1.11 "Unsecured PHI" shall mean PHI that is not rendered unusable, unreadable, or
indecipherable to unauthorized persons through the use of technology or methodology
specified by the Secretary in the guidance issued under section 13402(h)(2) of Public
Law 111-5.
Article 2: Business Associate Use and Disclosure of PHI
2.1 Purpose. As further described above under Recitals, Business Associate performs certain
administrative services for Plan Sponsor.
\BAA-Plan Sponsor[Rev.09-23-20131 2
✓ l
2.2 Receipt and Use of PHI. Performance of administrative services by Business Associate
requires that Business Associate receive and use PHI obtained from or on behalf of Plan
Sponsor, or that Business Associate create, receive, maintain, or transmit PHI on behalf
of Plan Sponsor. To perform these administrative services, Business Associate may use
or disclose PHI provided such use or disclosure would not violate the HIPAA Standards
if done by Plan Sponsor. However, Business Associate may use PHI internally to carry
out its legal responsibilities and for its proper management, internal auditing, and
administration, and at the request of Plan Sponsor, to provide data aggregation services to
Plan Sponsor as permitted by the HIPAA Standards.
2.3 Disclosure of PHI. Performance of administrative services by Business Associate may
require that Business Associate disclose PHI to agents or subcontractors of Business
Associate. Business Associate may disclose PHI to third parties with which it contracts
to assist in providing administrative services, and to its agents to carry out Business
Associate's legal responsibilities, for proper management, internal auditing, and
administration, only if (a) Business Associate obtains reasonable assurances from such
third parties or agents that the PHI will be held by them confidentially and used or further
disclosed only as Required by Law or for the purpose for which it was disclosed to them,
(b) such third parties or agents agree to implement reasonable and appropriate safeguards
to protect the confidentiality, integrity, and availability of PHI, and (c) such third parties
or agents agree to notify Business Associate of any instance of which they are aware that
the confidentiality of the information has been breached or that a Security Incident has
occurred. Notwithstanding the foregoing, Business Associate will be permitted to
exchange PHI freely with any Business Associates of the Plan Sponsor with which the
Plan Sponsor has executed a Business Associate Agreement/Addendum.
2.4 Satisfactory Assurances. Plan Sponsor may not transfer or transmit PHI to Business
Associate or permit Business Associate to create, receive, or transmit PHI on behalf of
Plan Sponsor without satisfactory assurances from Business Associate that it will
appropriately safeguard the information.
Article 3: Duties of Business Associate
3.1 Limitations on Use of PHI. Business Associate shall not use PHI except as permitted or
required by this Agreement or as Required by Law. Business Associate shall only use
PHI in a manner that is consistent with the HIPAA Standards.
3.2 Limitations on Disclosure of PHI. Business Associate shall not disclose PHI except as
permitted or required by this Agreement or as Required by Law. Business Associate
shall only disclose PHI in a manner that is consistent with the HIPAA Standards.
3.3 Minimum Necessary. Business Associate shall request, use and disclose the minimum
amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in
accordance with 42 U.S.C. § 17935(b).
3.4 Safeguarding PHI. Business Associate shall use appropriate safeguards, and comply with
Subpart C of 45 CFR Part 164, to prevent the use or disclosure of PHI other than as
provided for by this Agreement. Business Associate shall comply with the provisions of
\BAA-Plan Sponsor[Rev.09-23-20131 3
45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, and implement administrative,
physical, and technical safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or
transmits on behalf of Plan Sponsor as required by the HIPAA Standards.
3.5 Third Party Agreements. Business Associate may need to enter into agreements with
third parties, including agents or subcontractors, in order to satisfy its obligations to Plan
Sponsor. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 164.308(b)(2), should
third parties, agents, or subcontractors create, receive, maintain, or transmit PHI on
behalf of Business Associate, Business Associate shall require such third parties or agents
to agree, in writing, to (a) be bound by the same restrictions, conditions, and requirements
that apply to Business Associate with respect to such information, and (b) implement
reasonable and appropriate administrative, technical and physical safeguards to protect
PHI and the confidentiality, integrity and availability of PHI. Notwithstanding the
foregoing, Business Associate will be permitted to exchange PHI freely with any
Business Associates of the Plan Sponsor with which the Plan Sponsor has executed a
Business Associate Agreement/Addendum.
3.6 Reporting of Security Incidents. Business Associate shall identify and report to Plan
Sponsor any suspected or known Security Incidents, mitigate, to the extent practicable,
harmful effects of Security Incidents that are known to Business Associate, and document
Security Incidents and their outcomes.
3.7 Reporting of Unauthorized Uses and Disclosures. If Business Associate becomes aware
that Unsecured PHI has been, or is reasonably believed to have been accessed, acquired,
used, or disclosed as a result of a Breach by Business Associate, its employees, officers,
or other agents, except as provided in 45 C.F.R. § 164.412, Business Associate shall
notify Plan Sponsor of the Breach, in writing, without unreasonable delay, and no later
than thirty (30) calendar days after discovering the Breach. Business Associate is
deemed to have discovered the Breach on the first day Business Associate knows about
the Breach, or by exercising reasonable diligence, would have been known to any person,
other than the person committing the Breach, who is an employee, officer, or other agent
of Business Associate.
3.8 Content of Notification. To the extent possible, Business Associate's notice to Plan
Sponsor shall include the identification of each Individual whose Unsecured PHI has
been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
during the Breach.
At the time of notification or soon thereafter as information becomes available, Business
Associate shall provide the following information to Plan Sponsor:
(a) A brief description of what occurred, including the date of the Breach and the date
of discovery of the Breach, if known;
(b) A description of the types of Unsecured PHI involved in the Breach;
(c) Steps Individuals should take to protect themselves from potential harm resulting
from the Breach;
\BAA-Plan Sponsor[Rev.09-23-2013] 4
✓ T
(d) A brief description of what Business Associate is doing to investigate the Breach,
to mitigate harm to Individuals, and to protect against any further Breaches; and
(e) Contact procedures for Individuals to ask questions or learn additional
information, including a toll-free telephone number, an e-mail address, website or
postal address.
3.9 Burden of Proof. Business Associate shall have the burden of demonstrating that it made
all notifications to Plan Sponsor, including evidence showing the necessity of any delay,
or that the use or disclosure did not constitute a Breach.
3.10 Mitigation of Disclosure of PHI. Business Associate agrees to mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of a use or disclosure
of PHI by Business Associate in violation of the requirements of this Agreement.
3.11 Access to PHI. Within ten (10) business days of Plan Sponsor's written request, Business
Associate shall provide Plan Sponsor or an Individual who is the subject of the PHI with
access to PHI in Business Associate's possession, if Business Associate's information
consists of a Designated Record Set in order for Plan Sponsor to comply with 45 C.F.R. §
164.524.
3.12 Availability of PHI for Amendment. The Parties acknowledge that the HIPAA Standards
permit an Individual who is the subject of PHI to request certain amendments of his or
her records. Within ten (10) business days of Plan Sponsor's written request, Business
Associate shall make PHI contained in a Designated Record Set in Business Associate's
possession available for amendment and shall incorporate any amendments in accordance
with 45 C.F.R. § 164.526.
3.13 Accounting of Disclosures. Business Associate agrees to document disclosures of PHI,
and to make available, within ten (10) business days of Plan Sponsor's written request,
information to Plan Sponsor concerning Business Associate's disclosure of PHI for
which Plan Sponsor needs to provide an Individual with an accounting of disclosures as
required by 45 C.F.R. § 164.528. Should an accounting of the PHI of a particular
Individual be requested more than once in any twelve (12) month period, Business
Associate may charge Plan Sponsor a reasonable, cost-based fee.
3.14 Compliance with Subpart E of 45 C.F.R. Part 164. To the extent Business Associate
carries out Plan Sponsor's obligations under Subpart E of 45 C.F.R. Part 164, Business
Associate shall comply with the requirements of Subpart E that apply to Plan Sponsor in
the performance of such obligations.
3.15 Availability of Books and Records. For purposes of determining compliance of Plan
Sponsor with the HIPAA Standards, Business Associate agrees to make available to the
Secretary its internal policies and procedures, books and records relating to the use and
disclosure of PHI received from, or created or received by Business Associate on behalf
of, Plan Sponsor.
\BAA-Plan Sponsor[Rev.09-23-2013] 5
r
3.16 Treatment of PHI at Termination.
With respect to PHI received from Plan Sponsor, or created, maintained, or received by
Business Associate on behalf of Plan Sponsor, upon termination of this Agreement for
any reason, Business Associate, shall:
(a) Retain only that PHI which is necessary for Business Associate to continue its
proper management and administration or to carry out its legal responsibilities;
(b) Return to Plan Sponsor or, if agreed to by Plan Sponsor, destroy the PHI that is
not retained by the Business Associate under(a) above;
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR
Part 164 to prevent use or disclosure of the PHI, other than as provided for in this
Agreement, for as long as Business Associate retains the PHI;
(d) Not use or disclose the PHI retained by Business Associate other than for the
purposes for which such PHI was retained and subject to the same conditions set
out in Section 2.2 and Section 2.3 which applied prior to termination; and
(e) Return to Plan Sponsor or, if agreed to by Plan Sponsor, destroy the PHI retained
by Business Associate when it is no longer needed by Business Associate for its
proper management and administration or to carry out its legal responsibilities.
Article 4: Duties of Plan Sponsor
4.1 Limitations in Notice of Privacy Practices. Plan Sponsor shall notify Business Associate
of any limitations in the notice of privacy practices of Plan Sponsor under 45 C.F.R. §
164.520, to the extent that such limitation may affect Business Associate's use or
disclosure of PHI.
4.2 Changes in Permission. Plan Sponsor shall notify Business Associate of any changes in,
or revocation of, the permission by an Individual to use or disclose his or her PHI, to the
extent that such changes may affect Business Associate's use or disclosure of PHI.
4.3 Restriction on Use or Disclosure of PHI. Plan Sponsor shall notify Business Associate of
any restriction on the use or disclosure of PHI that Plan Sponsor has agreed to or is
required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may
affect Business Associate's use or disclosure of PHI.
Article 5: Term and Termination
5.1 Term. The term of this Agreement shall be effective as of the Effective Date stated
above, and shall terminate on the date Business Associate discontinues the provision of
services to or on behalf of Plan Sponsor, or on the date Plan Sponsor terminates for cause
as authorized in Section 5.2, whichever is sooner.
\BAA-Plan Sponsor[Rev.09-23-20131 6
r
5.2 Termination for Cause. Business Associate authorizes termination of this Agreement by
Plan Sponsor, if Plan Sponsor reasonably determines that Business Associate has violated
a material term of the Agreement and Business Associate has not cured the breach or
ended the violation within the time specified by Plan Sponsor or ten (10) business days,
whichever is greater. Plan Sponsor shall provide Business Associate notice of such
breach or violation, in writing, with sufficient specificity as to reasonably permit
Business Associate to cure such breach or violation. Plan Sponsor understands that, upon
termination of this Agreement, Business Associate will no longer be authorized to create,
receive, or transmit PHI on behalf of Plan Sponsor, except as otherwise provided herein.
5.3 Survival of Certain Rights and Obligations. The respective rights and obligations of
Business Associate under Section 3.16 of this Agreement shall survive the termination of
this Agreement.
Article 6: Miscellaneous
6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA
Standards means the section as in effect or as amended.
6.2 Amendment. The Parties to this Agreement agree to take such action as is necessary to
amend this Agreement from time to time as is necessary to comply with the requirements
of the HIPAA Standards and any other applicable law.
6.3 Prior Business Associate Agreements or Addenda. This Agreement shall supersede any
prior Business Associate Agreement or Business Associate Agreement Addenda.
6.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA Standards.
6.5 HIPAA. Business Associate will comply with all requirements under HIPAA that apply
to business associates.
[SIGNATURE PAGE FOLLOWS]
\BAA-Plan Sponsor[Rev.09-23-2013] 7
IN WITNESS WHEREOF, the Parties have, by their duly authorized representatives, executed
this Agreement to be effective as of the date first above written.
PLAN SPONSOR:
By:
Print Name and Title
BUSINESS ASSOCIATE:
By:
—S �1 Clint L �f
Print Name and Title
PPRO E) Aa TO
I LEGALITY:
AS -1,STA ITY ATTORNEY
�0 ®O�
by:
00 00
• Q o0 pe►
U o�
0 0
0
Mary J. Kiy0k, Clty tary
� o0
A�000000v`C 0 +7'®
OFFICIAL. RECORD
CITY SECRETARY
�BAA-Plan Sponsor[Rev.09-23-2013]
FT.WORTH,TX
8
M&C Review Page 1 of 2
Official site of the City of Fort Worth,Texas
CITY COUNCIL AGENDA FoRTWORTH
COUNCIL ACTION: Approved on 7/22/2014
DATE: 7/22/2014 REFERENCE NO.: C-26887 LOG NAME: 14PBM
CODE: C TYPE: NON-CONSENT PUBLIC HEARING: NO
SUBJECT: Authorize Execution of a Contract with Envision Pharmaceutical Services, LLC, in the
Amount Up to $305,505.00 for the First Year for Administrative Services for the City's Self-
Funded Pharmacy Benefits (ALL COUNCIL DISTRICTS)
RECOMMENDATION:
It is recommended that the City Council authorize the execution of a contract with Envision
Pharmaceutical Services, LLC, in the amount up to $305,505.00 for the first year for administrative
services for the City's self-funded pharmacy benefits.
DISCUSSION:
The Human Resources Department will use this contract for claims administration and Pharmacy
Benefit Management(PBM) services. The City of Fort Worth currently contracts with Aetna for these
services.
The City issued a Request for Proposals (RFP) on February 19, 2014. Fifty-nine vendors were
solicited from the purchasing database; eight responses were received. The proposals were
thoroughly reviewed by an evaluation team consisting of staff from the following
departments: Transportation & Public Works, Fire, Water, Parks and Community Services and
Human Resources. The evaluation team was provided with resources and assistance by the City's
benefits consultant, Arthur J. Gallagher, and by staff in the Human Resources Department and
Purchasing Division.
The evaluation team ranked the proposals based on the following factors: technical proposals,
qualifications, adherence to terms and conditions of the RFP, financial stability and value-added
services and pricing competitiveness. Two finalists were selected for presentations. Following the
presentations, the evaluation team determined that Envision Pharmaceutical Services, LLC
(Envision), provides the best overall solution to the City.
Key factors in the team's decision included Envision's pass-through pricing program, which is
expected to result in lower claims costs, a point-of-sale rebate option that provides easier processing
for participants and more frequent updates to the preferred drug list, which will ensure the City is
getting the most up-to-date pricing.
As part of its proposal, Envision used information about the City's recent pharmacy claims experience
to compare its projected claims with those of the incumbent over a one-year period. Those
projections show anticipated claims cost in the amount of$14,763,611.00 with Envision compared to
the amount of$17,589,624.00 with the current vendor, meaning a projected savings amount of$2.8M
for the City's health plan over the test year.
PRICE ANAYLSIS - The City will pay a monthly premium in the amount of$3.75 per employee/non-
Medicare retiree per month for a total premium amount of$305,505.00 for the first year.
ADMINISTRATIVE CHANGE ORDER-An administrative change order or increase may be made by
the City Manager in the amount up to $50,000.00 and does not require specific City Council approval
http://apps.cfwnet.org/council_packet/mc review.asp?ID=20035&councildate=7/22/2014 12/15/2014
M&C Review Page 2 of 2
as long as sufficient funds have been appropriated.
AGREEMENT TERMS - Upon City Council approval, the initial three-year term of this contract shall
begin on January 1, 2015 and expire on December 31, 2017.
RENEWAL OPTIONS - This contract may be renewed up to two one-year terms at the City's sole
discretion. This action does not require specific City Council approval provided that sufficient funds
are appropriated for the City to meet its obligations during the renewal period.
M/WBE OFFICE -A waiver of the goal for MBE/SBE subcontracting was requested by the
Purchasing Division and approved by the M/WBE Office, in accordance with the BIDE Ordinance,
because the purchase of goods or services is from sources where subcontracting or supplier
opportunities are negligible.
FISCAL INFORMATION/CERTIFICATION:
The Financial Management Services Director certifies that funds are available in the current operating
budget, as appropriated, of the Group Health Insurance Fund.
TO Fund/Account/Centers FROM FundiAccount/Centers
FE85 534830 0148520 $249,435.00
FE85 534830 00148540 $56,070.00
Submitted for City Manager's Office by: Susan Alanis(8180)
Originating Department Head: Brian Dickerson (7783)
Additional Information Contact: Margaret Wise (8058)
ATTACHMENTS
http://apps.cfwnet.org/council_packet/mc—review.asp?ID=2003 5&councildate=7/22/2014 12/15/2014