Contract 47461 Business Associate Agreement GPID 25345
This Business Associate Agreement (the "Agreement") is made and entered into effective as of 01/01/16 by and between
Discovery Benefits, Inc. and its subsidiaries and affiliate companies ("DBI") and City of Fort Worth Health Plan (the "Plan"), which is
sponsored by City of Fort Worth (the "Sponsor").
WITNESSETH:
WHEREAS, DBI shall provide certain administrative services, activities or functions in connection with the Plan (the "Services")
pursuant to a Services Agreement between DBI and the Sponsor (the "Services Agreement"); and
WHEREAS, the parties desire to enter into this Agreement as set forth below for the purpose of addressing the Health
Information Technology for Economic and Clinical Health Act (the "HITECH Act") enacted as part of the American Recovery and
Reinvestment Act of 2009, and the regulations promulgated thereunder relating to the privacy and security of protected health
information; the "Standards for Privacy of Individually Identifiable Health Information," 45 CFR Part 160 (specifically recognizing here 45
CFR Part 160, Subparts C, D, and E (the "Enforcement Rule")) and Part 164, Subparts A and E (the "Privacy Rule"); the "Standards for
Electronic Transactions," 45 CFR Part 160, Subpart A, and Part 162, Subpart A and Subparts I through R (the "Electronic Transaction
Rule"); the "Security Standards for the Protection of Electronic Protected Health Information," 45 CFR Part 160, Subpart A, and Part
164, Subparts A and C (the "Security Rule"); and the "Standards for Breach Notification for Unsecured Protected Health Information,"
45 CFR Part 164, Subpart D (the "Breach Notification Rule"), as amended and clarified by the HIPAA Omnibus Rule or any regulations,
rules or guidance that may be issued after the effective date of this Agreement.
NOW, THEREFORE, in consideration of the premises and other good and valuable consideration, the receipt and sufficiency
of which is hereby acknowledged, the Plan and DBI agree as follows:
Article I—Definitions
1.1 "Agent" shall have the meaning given to it in Section 2.5. As provided by HIPAA, an Agent and a Subcontractor are
two separate types of arrangements.
1.2 "Breach" shall have the meaning given to it by 45 CFR § 164.402.
1.3 "Business Associate" shall have the meaning given to it by 45 CFR § 160.103.
1.4 "Designated Record Set" shall have the meaning given to it by 45 CFR § 164.501.
1.5 "Health Care Operations" shall have the same meaning given to it in 45 CFR § 164.501.
1.6 "HIPAA" shall mean, collectively, the Privacy Rule, the Electronic Transaction Rule, the Security Rule, and/or the
Breach Notification Rule, each as amended and clarified by the HIPAA Omnibus Rule.
1.7 "HIPAA Omnibus Rule" shall mean the "Modifications to the HIPAA Privacy, Security, Enforcement and Breach
Notification Rules under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and the Genetic
Information Nondiscrimination Act (GINA)," 78 Federal Register 5566 (January 25, 2013).
1.8 "Individual" shall mean the person who is the subject of PHI and shall include a person who qualifies as a personal
representative in accordance with 45 CFR § 164.502(g).
1.9 "Individual Rights Requests" shall mean Access Requests, Amendment Requests, Accounting Requests, and
requests under Section 3.3.
1.10 "Payment" shall have the same meaning given to it in 45 CFR § 164.501.
1.11 "PHI" shall mean any information, whether oral or recorded in any form or medium, that — (i) relates to the past,
present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present
or future payment for the provision of health care to an Individual; and (ii) identifies the Individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the Individual.
1.12 "Plan" shall have the meaning provided as first written above. In all cases, the Plan shall mean the group health plan
or plans of the Sponsor as set forth in 45 CFR § 160.103.
1.13 "Plan Administration Functions" shall have the same meaning given to it in 45 CFR § 164.504.
1.14 "Plan Administrator" shall mean the entity, individual, group or committee appointed by the Sponsor, or its successor
or successors with the authority to administer the Plan.
1.15 "Privacy Official" shall mean the person designated by the Plan to serve as its privacy official within the meaning of 45
CFR § 164.530(a), and any person to whom the Privacy Official has delegated any of his or her duties or responsibilities.
1.16 "Protected Information" shall mean PHI received from the Plan or created, received, maintained or transmitted by DBI
on behalf of the Plan.
1.17 "Required by Law" shall have the same meaning given to it in 45 CFR § 164.103.
1.18 "Secretary" shall mean the Secretary of the United States Department of Health and Human Services.
1.19 "Services" shall mean the activities, functions and/or services that DBI from time to time renders to or on behalf of the
Plan to the extent that those activities, functions and/or services are covered by HIPAA.
1.20 "Subcontractor" shall have the same meaning given to it in 45 CFR § 160.103.
1.21 "Unsecured PHI" shall mean Protected Information that is not secured through the use of a technology or
methodology that renders such Protected Information unusable, unreadable or indecipherable to unauthorized individuals as specified
in 45 CFR § 164.402.
Article II—Obligations and Activities of DBI
2.1 Status of DBI. DBI acknowledges and agrees that it is a Business Associate of the Plan for purposes of the Privacy
Rule.
2.2 Permitted Uses and Disclosures of Protected Information.
(a) Permitted Uses. DBI shall not use Protected Information other than as permitted by this Agreement. DBI
may use Protected Information: (i) in connection with the performance, management and administration of the Services; (ii) for the
proper business management and administration of DBI; (iii) to carry out DBI's legal responsibilities; (iv) to report violations of law
consistent with 45 CFR § 164.502(j); (v) to the extent and for any purpose authorized by an Individual under 45 CFR § 164.508; and (vi)
for any purpose provided that no data is identifiable and has been de-identified pursuant to 45 CFR § 164.514(b) (including the separate
de-identification guidance issued by the Secretary on November 26, 2012). Notwithstanding the foregoing sentence, DBI shall not use
Protected Information in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so used by the Plan (except
for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)).
(b) Permitted Disclosures. DBI shall not disclose Protected Information other than as permitted by this
Agreement. DBI may disclose Protected Information — (i) in connection with the performance, management and administration of the
Services; (ii) to report violations of law consistent with 45 CFR § 164.502(j); (iii) to the extent and for any purpose authorized by an
Individual under 45 CFR § 164.508; and (iv) for any purpose provided that no data is identifiable and has been de-identified pursuant to
45 CFR § 164.514(b) (including the separate de-identification guidance issued by the Secretary on November 26, 2012). In addition,
DBI may also disclose Protected Information to a third party for the proper business management and administration of DBI and to
carry out DBI's legal responsibilities; provided, that the disclosure is Required by Law, or DBI obtains, prior to the disclosure — (1)
reasonable assurances from the third party that the Protected Information will be held confidentially and used or further disclosed only
as Required by Law or for the purpose for which it was disclosed to the third party, and (2) an agreement from the third party that the
third party will notify DBI immediately of any instances in which it knows the confidentiality of the information has been breached.
Further, DBI shall disclose, upon request, Protected Information to the Sponsor for Plan Administration Functions and to designated
Sponsor employees (or designated Business Associates of the Plan) who are working for or on behalf of the Plan for purposes of
Payment and Health Care Operations (including claims assistance activities) consistent with 45 CFR § 164.506(c)(1). Notwithstanding
the foregoing, DBI shall not disclose Protected Information in any manner that violates the Privacy Rule, or that would violate the
Privacy Rule if so disclosed by the Plan (except for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)).
(c) Minimum Necessary. To the extent required by the Privacy Rule, DBI shall only request, use and/or
disclose the minimum amount of Protected Information necessary to accomplish the purpose of the request, use and/or disclosure. For
this purpose, the determination of what constitutes the minimum necessary amount of Protected Information shall be determined in
accordance with Section 164.502(b) of the Privacy Rule.
(d) Direct Application of Privacy Rules. DBI shall not use and/or disclose Protected Information or provide any
Services that require the use and/or disclosure of Protected Information unless such use and/or disclosure directly complies with this
Section 2.2 and Sections 164.502(a)(3) and 164.504(e) of the Privacy Rule.
(e) GINA Provisions. Notwithstanding subsections (a) through (c) above, DBI shall not use and/or disclose
Protected Information that is genetic information for underwriting purposes, as set forth in 45 CFR § 164.502(a)(5).
2.3 Safeguards. DBI shall maintain and use appropriate and commercially reasonable safeguards to prevent use and/or
disclosure of Protected Information other than as permitted or required in this Agreement.
2.4 Reports of Prohibited Disclosures. If DBI becomes aware of a disclosure of an Individual's Protected Information by
DBI and the disclosure violated the provisions of this Agreement, DBI must inform the Privacy Official regarding the prohibited
disclosure of the Individual's Protected Information. To the extent that a disclosure described in this Section 2.4 also constitutes a
Breach of Unsecured PHI, the provisions of this Section 2.4 shall not apply, but rather the provisions of Section 2.8 shall apply.
2.5 Agents and Subcontractors. DBI shall require each of its representatives, agents, and entities (collectively, "Agents")
to whom DBI provides Protected Information on behalf of the Plan to agree to observe the restrictions on use and disclosure of the
Protected Information imposed upon DBI by this Agreement and the Privacy Rule. In addition, DBI shall enter into a Business
Associate Agreement with each of its Subcontractors which meets the requirements of the Privacy Rule, including the requirements set
forth in 45 CFR § 164.504(e).
2.6 Access by Secretary. DBI shall make available to the Secretary DBI's internal practices, books and records
(including its policies and procedures) relating to DBI's use and disclosure of Protected Information for the purpose of enabling the
Secretary to assess the Plan's and/or DBI's compliance with HIPAA. DBI shall inform the Privacy Official of any request sent by the
Secretary on behalf of the Plan that is received by DBI, unless it is prohibited by applicable law from doing so.
2.7 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI of a use or
disclosure of Protected Information by DBI in violation of the requirements of this Agreement.
2.8 Notice of Breach of Unsecured PHI.
(a) DBI Requirements. Upon DBI's discovery of a Breach of Unsecured PHI by DBI, DBI shall:
(1) Pursuant to the requirements set forth in subsection (b) below, provide written notice of the Breach,
on behalf of the Plan, without unreasonable delay but no later than sixty (60) calendar days following the date the Breach is
discovered or such later date as is authorized under 45 CFR § 164.412, to:
(i) each Individual whose Unsecured PHI has been, or is reasonably believed by DBI to have
been, accessed, acquired, used or disclosed as a result of the Breach with copy to the Sponsor;
(ii) the media to the extent required under 45 CFR § 164.406; and
(iii) the Secretary to the extent required under 45 CFR § 164.408 (unless the Plan has elected
to provide this notification and has informed DBI);
(2) Pursuant to the requirements set forth in subsection (c) below, provide written notice of the Breach
to the Privacy Official, as soon as administratively practicable, but no later than three (3) business days after the Breach is
discovered; and
(3) If the Breach involves less than 500 individuals, maintain a log or other documentation of the
Breach which contains such information as would be required to be included if the log were maintained by the Plan pursuant to
45 CFR § 164.408, and provide such log to the Plan within five (5) business days of the Plan's written request.
(b) Notice Requirements. This subsection (b) provides the following special rules that shall each be applicable
to the provisions of Section 2.8(a)(1)—
(1) The date that a Breach is discovered shall be determined by DBI, in its sole discretion, in
accordance with the Breach Notification Rule.
(2) The content, form and delivery of each of the notices required by Section 2.8(a)(1) shall comply in
all respects with the breach notification provisions applicable to the Plan, as set forth in the Breach Notification Rule.
(3) DBI shall send the notices described in Section 2.8(a)(1)(i) to each Individual using the address on
file with DBI (or as may be otherwise provided by the Plan). If the notice to any Individual is returned as undeliverable, DBI
shall make one additional attempt to deliver the notice to the Individual using such information as is reasonably available to it,
or shall take other action required by the Breach Notification Rule.
(4) With respect to notices required under Section 2.8(a)(1)(i) and (ii), DBI and the Privacy Official shall
cooperate in all respects regarding the drafting and the content of the notices. To that end, before sending any notice to any
Individual or the media under Section 2.8(a)(1)(i) or (ii), DBI shall first provide a draft of the notice to the Privacy Official. The
Privacy Official shall have five (5) business days (plus any reasonable extensions) to either approve DBI's draft of the notice or
revise the language of the notice. Alternatively, the Privacy Official may elect to draft the notice for review by DBI. Once DBI
and the Privacy Official agree on the final content of the notice, DBI shall send the notice to the Individuals and/or the media
based on the requirements of the Breach Notification Rule.
(c) Privacy Official Notice. The notice to the Privacy Official pursuant to Section 2.8(a)(2) shall include the
identity of each Individual whose Unsecured PHI was involved in the Breach and a brief description of the Breach. To the extent that
DBI does not know the identities of all affected Individuals when it is required to notify the Privacy Official, DBI shall provide such
information as soon as administratively practicable after such information becomes available. Upon the Plan's written request, DBI
shall provide such additional information regarding the Breach as may be reasonably requested from time to time by the Plan.
(d) Services Agreement. DBI reserves the right, upon notice and acceptance in writing by Sponsor, to charge
reasonable, cost-based fees for sending the notices required by this Section 2.8 should a Breach be due to actions on the part of the
Sponsor, the Plan or any other entity other than DBI, its Agents or Subcontractors.
Article III—Individual Rights Requirements
3.1 Designated Record Sets.
(a) General. DBI agrees to maintain a Designated Record Set for the Plan in a manner and form that will allow
the Plan to provide access and amendment rights to an Individual with respect to the Individual's Protected Information in conformance
with 45 CFR §§ 164.524 and 164.526.
(b) Access to Protected Information. Upon request from the Plan, DBI shall process and respond to a request
by an Individual for access to an Individual's Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45
CFR § 164.524 (an "Access Request"). DBI shall respond to such Access Request within the timeframes required by 45 CFR §
164.524 by furnishing such Protected Information to the Plan. If the Protected Information that is requested is maintained electronically
and the Individual requests an electronic copy of such information, DBI will provide access to the information in an electronic format that
complies with 45 CFR § 164.524(c)(2)(ii). Thereafter, the Plan will be responsible for sending such information to the Individual.
(c) Amendment to Protected Information. Upon request from the Plan, DBI shall process a request by an
Individual for amendments to an Individual's Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45
CFR § 164.526 (an "Amendment Request"). DBI shall process such Amendment Request within the timeframes required by 45 CFR §
164.526.
(d) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other
person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues
relating to Access Requests and Amendment Requests. Notwithstanding the foregoing, DBI shall not be obligated to coordinate with
the Privacy Official if an Individual files an Access Request or an Amendment Request with DBI and such request is directed solely to
DBI.
3.2 Accounting of Disclosures of Protected Information.
(a) Documentation of Disclosures. DBI agrees to document and maintain a log of any and all disclosures from
and after the date or dates required by 45 CFR § 164.528 made by DBI of Protected Information in a manner and form that will allow
the Plan to provide to an Individual an accounting of disclosures or other applicable report of the Individual's Protected Information in
compliance with and based on the requirements of 45 CFR § 164.528.
(b) Accounting Requests. Upon request from the Plan, DBI shall process and respond to a request by an
Individual for an accounting of disclosures or other applicable report of an Individual's Protected Information pursuant to the
requirements of 45 CFR § 164.528 (an "Accounting Request"). DBI shall respond to such Accounting Request within the timeframes
required by 45 CFR § 164.528 by furnishing such accounting to the Plan. Thereafter, the Plan will be responsible for sending such
information to the Individual.
(c) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other
person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues
relating to Accounting Requests. Notwithstanding the foregoing, DBI shall not be obligated to coordinate with the Privacy Official if an
Individual files an Accounting Request with DBI and such request is directed solely to DBI.
3.3 Privacy Protection Requests.
(a) Restriction Requests on Uses and Disclosures. The Plan and DBI on behalf of the Plan shall not agree to a
restriction on the use or disclosure of Protected Information pursuant to 45 CFR § 164.522(a) without first consulting with the other
party. DBI is not obligated to implement any restriction, if such restriction would hinder Health Care Operations or the Services DBI
provides to the Plan, unless such restriction would otherwise be required by 45 CFR § 164.522(a).
(b) Confidential Communication Requests. DBI shall implement any reasonable requests by Individuals relating
to a request to receive communications of Protected Information by alternative means or at alternative locations to the extent required
by 45 CFR § 164.522(b).
(c) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other
person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues
relating to requests under this Section 3.3.
Article IV—Electronic Transaction Rule
4.1 Business Associate Requirements. DBI acknowledges that it is a Business Associate of the Plan for purposes of the
Electronic Transaction Rule. DBI agrees that it shall comply with all Electronic Transaction Rule requirements that may be applicable to
DBI with respect to the Services it provides to and on behalf of the Plan. DBI shall also require each of its Agents and Subcontractors
to whom DBI provides Protected Information that is received from, or created or received by DBI on behalf of the Plan to comply with
the applicable requirements of the Electronic Transaction Rule.
4.2 Sponsor Transmissions. Electronic transmissions between DBI and the Sponsor are not required to comply with the
Electronic Transaction Rule. Accordingly, the Sponsor hereby represents and warrants that all electronic transmissions with respect to
the Plan between the Sponsor (either directly or through its designated agent) and DBI relating to enrollment and disenrollment
information and premium payment information as each are covered by the Electronic Transaction Rule are sent or received by the
Sponsor (either directly or through its designated agent) in the Sponsor's capacity as an employer and are not sent or received by the
Plan.
Article V—Obligations of Plan
5.1 Privacy Notice. Upon request, the Plan will provide DBI with a copy of its notice of privacy practices pursuant to 45
CFR § 164.520.
5.2 Authorizations. The Plan will notify DBI of any changes in or revocations of Individual authorizations for use or
disclosure of Protected Information to the extent that such changes or revocations may affect DBI's use or disclosure of Protected
Information.
5.3 Officials. The Plan will notify DBI of the current name and contact information of the Plan Administrator, the Privacy
Official and any other person that has the authority to act on behalf of the Plan with respect to the provisions contained in this
Agreement.
5.4 Plan Amendments. Sponsor represents that it has amended its Plan documents to include specific provisions to
restrict the use or disclosure of PHI and to ensure adequate procedural safeguards and accounting mechanisms for such uses or
disclosures, in accordance with the Privacy Rule.
5.5 Additional Certification. The Plan represents and warrants that: (a) it has amended its plan documents, in
accordance with 45 CFR § 164.504(f), so as to allow the Plan to receive Protected Information; (b) it has received a certification from
the Sponsor in accordance with 45 CFR § 164.504(f)(2)(ii), and will provide a copy of such certification to DBI upon request; and (c) the
plan document amendments permit the Plan to receive Protected Information (including detailed invoices, reports and statements from
DBI); and (d) the Plan has determined, through its own policies and procedures and in compliance with 45 CFR § 164.502(b), that the
Protected Information that it receives from DBI (including the detailed invoices, reports and statements) contains the minimum
information necessary for the Plan to carry out its Payment and Health Care Operations activities.
Article VI—Amendment and Termination
6.1 Amendment. No change, modification, or attempted waiver of any of the provisions of this Agreement shall be
binding upon any party hereto unless reduced to writing and signed by the party against whom enforcement is sought. DBI agrees to
take such action as is necessary to amend this Agreement from time to time as the Plan reasonably determines necessary to comply
with HIPAA, or any other applicable law, rule or regulation.
6.2 Term. The Term of this Agreement shall be effective on the date first written above (except as otherwise noted
herein) and shall terminate when all of the Protected Information received from the Plan, or created or received by DBI on behalf of the
Plan, is destroyed in accordance with the Plan's authorization or is returned to the Plan (or its designated agents) pursuant to Section
6.4.
6.3 Termination. If one party to this Agreement (the "Non-Breaching Party") has knowledge of a material violation of this
Agreement by the other party to this Agreement (the "Breaching Party"), as determined in good faith by the Non-Breaching Party, the
Non-Breaching Party must promptly:
(a) Provide an opportunity for the Breaching Party to end and to cure the material violation within a reasonable
time specified by the Non-Breaching Party, and if the Breaching Party does not end and cure the material violation within such time
(including reasonable extensions that the Non-Breaching Party determines are necessary) to the satisfaction of the Non-Breaching
Party, the Non-Breaching Party shall immediately terminate the Services rendered by DBI and any agreement or contract related
thereto; or
(b) If a cure is not possible as determined by the Non-Breaching Party in its sole discretion, the Non-Breaching
Party shall immediately terminate the Services rendered by DBI and any agreement or contract related thereto.
6.4 Effect of Termination. Upon termination pursuant to Section 6.3, the Plan within a reasonable time thereafter must
inform DBI to either destroy or return to the Plan (or any agents designated by the Plan) the Protected Information that DBI and its
Agents and Subcontractors maintain in any form, and DBI and its Agents and Subcontractors shall retain no copies of the Protected
Information. However, in many situations DBI maintains one or more backup copies of Protected Information for auditing, data
management and other related purposes and DBI has determined that destruction of all copies of Protected Information that it
maintains is infeasible. Therefore, after termination of the Services and pursuant to 45 CFR § 164.504(e)(2)(ii)(J), this Agreement shall
remain in effect and DBI shall continue to observe and shall ensure that its Agents and Subcontractors continue to observe its
obligations under this Agreement to the extent copies of the Protected Information are retained by DBI and shall limit further uses and
disclosures of Protected Information to the purposes that make its return or destruction infeasible and that are consistent with the
Privacy Rule.
Article VII—Electronic Security Standards
7.1 Definitions. When used in this Article, the following terms shall have the meanings set forth as follows:
(a) "Electronic Media" shall have the meaning given to it in 45 CFR § 160.103.
(b) "Electronic Protected Information" shall mean Protected Information received from the Plan or created,
received, maintained or transmitted by DBI on behalf of the Plan that is transmitted by Electronic Media or maintained in Electronic
Media.
(c) "Security Incident" shall have the meaning given to it in 45 CFR § 164.304.
7.2 Requirements. Pursuant to 45 CFR § 164.314(a)(2)(i), DBI shall:
(a) Comply with the applicable requirements of the Security Rule, including the requirement that DBI implement,
maintain and document administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality,
integrity, and availability of Electronic Protected Information to the extent required by the Security Rule;
(b) Report (pursuant to the terms and conditions of Section 7.3) to the Privacy Official (or such other person
designated for this purpose) any Security Incident of which DBI becomes aware and which occurred during the applicable reporting
period;
(c) Require each of its Agents to whom DBI provides Electronic Protected Information to agree to implement
administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability
of the Electronic Protected Information that is provided to the agent to the extent required by the Security Rule; and
(d) Enter into a contract or other arrangement with each of its Subcontractors that create, receive, maintain or
transmit Electronic Protected Information on behalf of DBI pursuant to which the Subcontractor agrees to comply with the applicable
requirements of the Security Rule.
7.3 Reporting Protocols. All reports required by Section 7.2(b) shall be provided pursuant to the terms and conditions
specified in this Section.
(a) Attempted Security Incidents. Reporting for any Security Incident involving the attempted unauthorized
access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, an "Attempted Security Incident")
shall be provided pursuant to the standard reporting protocols of DBI (as determined by DBI).
(b) Successful Security Incident. Reporting for any Security Incident involving the successful unauthorized
access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, a "Successful Security Incident")
shall be provided to the Plan pursuant to the standard reporting protocols of DBI (as determined by DBI); provided, that (i) the reports
shall at a minimum include the date of the incident, the parties involved (if known, including the names of Individuals affected), a
description of the Successful Security Incident, a description of the Electronic Protected Information involved in the incident and any
action taken to mitigate the impact of the Successful Security Incident and/or prevent its future recurrence and (ii) the reports shall
satisfy the minimum requirements for Security Incident reporting that may be required from time to time by the Secretary. In addition,
Successful Security Incidents shall be reported to the Plan as soon as administratively practicable after the occurrence of the incident,
taking into account the severity and nature of the incident. Notwithstanding the foregoing, the Plan may request details about one or
more Successful Security Incidents, and DBI shall have thirty (30) days thereafter to furnish the requested information.
(c) Breach of Unsecured PHI. To the extent that a Security Incident described in this Section 7.3 also
constitutes a Breach of Unsecured PHI, the provisions of this Section 7.3 shall not apply, but rather the provisions of Section 2.8 shall
apply.
7.4 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI relating to any
Security Incident.
7.5 Access by Secretary. DBI shall make available to the Secretary DBI's internal practices, books and records
(including its policies and procedures) relating to the safeguards established by DBI with respect to Electronic Protected Information for
the purpose of enabling the Secretary to assess DBI and/or the Plan's compliance with the Security Rule. DBI shall inform the Privacy
Official of any request sent by the Secretary on behalf of the Plan that is received by DBI, unless DBI is prevented by applicable law
from doing so.
Article VIII—General
8.1 Other Agreements. The Plan and DBI acknowledge and affirm that this Agreement is in no way intended to address
or cover all aspects of the relationship of the Plan and DBI and of the Services that are rendered by DBI to and on behalf of the Plan.
Rather, this Agreement deals only with those matters that are specifically addressed herein. Further, this Agreement supersedes any
prior business associate agreements entered into by DBI and the Plan (or any predecessor to the Plan), and shall apply to all Protected
Information existing as of the effective date of this Agreement or created or received thereafter while this Agreement is in effect.
8.2 Indemnification. Any indemnification relating to violations of this Agreement by DBI or the Plan (or the Sponsor on
behalf of the Plan) shall be addressed to the extent applicable by the Services Agreement.
27
Business Associate Agreement
8.3 Severability. The provisions of this Agreement shall be severable, and the invalidity or unenforceability of any
provision (or part thereof) of this Agreement shall in no way affect the validity or enforceability of any other provisions (or remaining part
thereof). If any part of any provision contained in this Agreement is determined by a court of competent jurisdiction, or by any
administrative tribunal, to be invalid, illegal or incapable of being enforced, then the court or tribunal shall interpret such provisions in a
manner so as to enforce them to the fullest extent of the law.
8.4 Interpretation. The provisions of this Agreement shall be interpreted in a manner intended to achieve compliance
with HIPAA. Whenever the Agreement uses the term "including" followed by a specific item or items, or there is a passage having a
similar effect, such passages of the Agreement shall be construed as if the phrase "without limitation" followed such term (or otherwise
applied to such passage in a manner that avoids limitations on its breadth of application). Where the term "and/or" is used in this
Agreement, the provision that includes the term shall have the meaning the provision would have if "and" replaced "and/or," but it shall
also have the meaning the provision would have if "or" replaced "and/or." Any reference to a section or provision of HIPAA shall include
any amendment or clarification of such section or provision contained in the HIPAA Omnibus Rule and any regulation, rule or guidance
issued by the Secretary following the effective date of this Agreement.
8.5 Counterparts. Any number of counterparts of this Agreement may be signed and delivered, each of which shall be
considered an original and all of which, together, shall constitute one and the same instrument.
8.6 Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties
hereto and their heirs, assigns and successors in interest. The Plan shall have the right to assign this Agreement to any successor or
surviving health plan, and all covenants and agreements hereunder shall inure to the benefit of and be enforceable by any such
assignee.
8.7 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, and nothing herein
shall confer, upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.
8.8 Applicable Law. The provisions of this Agreement shall be construed and administered to, and its validity and
enforceability determined under HIPAA. To the extent that HIPAA is not applicable in a particular circumstance, the provisions of this
Agreement shall be construed and administered to, and its validity and enforceability determined under the Employee Retirement
Income Security Act of 1974, as amended ("ERISA"). In the event that HIPAA and ERISA do not preempt state law in a particular
circumstance, the laws of the State of Texas shall govern.
8.9 State Privacy and Security Laws.
(a) General. Pursuant to 45 CFR § 160.203, DBI and the Plan acknowledge that HIPAA only preempts state
laws which are contrary to a HIPAA standard, requirement or implementation specification, provided that state laws which relate to the
privacy of Protected Information and are more stringent than the Privacy Rule are not preempted. Accordingly, the parties
acknowledge that certain State Privacy Laws affecting the privacy and/or security of personally identifiable information (e.g., name,
address, age, and social security number) relating to a Plan participant or beneficiary ("Privacy Restricted Data") may apply to the
Services provided by DBI to the extent such State Privacy Laws are not preempted by HIPAA. For purposes of this Section 8.9, "State
Privacy Laws" shall mean any applicable state and local privacy laws governing the creation, collection, storage, maintenance, access,
modification, transmission, use or disclosure of Privacy Restricted Data.
(b) State Privacy Laws. All Privacy Restricted Data created, collected, received or obtained by or on behalf of
DBI in the course of performing its Services shall be created, collected, received, obtained, stored, maintained, accessed, modified,
transmitted, used and disclosed in accordance with any and all applicable State Privacy Laws. DBI shall at all times perform the
Services in accordance with the State Privacy Laws and so as not to cause the Sponsor or the Plan to be in violation of the State Privacy
Laws. DBI shall be fully responsible for any creation, collection, receipt, access, storage, maintenance, modification, transmission, use
and disclosure of Privacy Restricted Data performed by or on behalf of DBI that is in violation of any State Privacy Laws. DBI shall
remedy and mitigate the damages of any breach of privacy, security, integrity or confidentiality with respect to the unauthorized
creation, collection, receipt, storage, maintenance, access, modification, transmission, use or disclosure (a "State Breach") of Privacy
Restricted Data that is or may be in violation of any State Privacy Laws.
(c) Notification. DBI shall notify the Privacy Official (using the procedures that apply to Breaches of Unsecured
PHI under Section 2.8(c)) of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is or may be in violation of any
State Privacy Laws. In addition, DBI shall also notify the affected Plan participants and beneficiaries (using the procedures that apply to
Breaches of Unsecured PHI under Section 2.8(b)) of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is in
violation of any State Privacy Laws and any state or local governmental agencies, authorities or other entities, but only to the extent
required by such State Privacy Laws.
(d) HIPAA Coordination. The parties acknowledge that in certain situations the provisions of both Section 2.8
and this Section 8.9 shall apply. If both Sections 2.8 and 8.9 apply in a given situation, DBI shall comply with both Sections 2.8 and 8.9
to the extent applicable.
8.10 Obligation of Plan and DBI. To the extent that DBI carries out the HIPAA obligations of the Plan (including the
obligations set forth in Section 2.8 and Article III), DBI shall comply with the applicable requirements of HIPAA as they apply to the Plan
in the performance of such obligations on behalf of the Plan.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement by their duly authorized officials on the date set forth
above.
Signed for Employer by:
Susan Alanis, Assistant City Manager
1000 Throckmorton Street, Fort Worth, TX 76102

Signed for Discovery Benefits by:
Suzanne Rehr, Chief Compliance Officer/EVP
4321 20th Avenue S, Fargo, ND 58103
M&C: Not Required
APPROVED AS TO FORM AND LEGALITY:
Assistant City Attorney
City Secretary