The URL can be used to link to this page

Home My WebLink AboutContract 47354 (2)• • CijTY SFCRETARY ooit`t 1 ,,_'^Jc`.'7 f{ ��iLJn BUSINESS ASSOCIATE AGREEMENT This Business A c' to Agreement("Agreeinent")is entered into on this 1 g day of � C'' Mfltfk1»1*ffective Date" and between the Ci o Fort Worth on behalf )� by � f of itself and its group health and welfare plans (collectively the "Covered Entity") and Milliman, Inc. ("Business Associate"). RECITALS: WHEREAS, Business Associate performs or assists in performing a function or activity on behalf of Covered Entity that involves the use and/or disclosure of the Covered Entity's "protected health information" (such information, as defined in 45 C.F.R. 160-103, as such provision is currently drafted and if applicable subsequently updated, amended, or revised; referred to herein as "Protected Health Information" or "PHI"); and WHEREAS, the parties desire to enter into this Business Associate Agreement to govern the use and/or disclosure of Protected Health Information as required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"), and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") promulgated thereunder (collectively, the "HIPAA Privacy Rules and/or Security Standards"). NOW, THEREFORE, the parties hereto agree as follows: 1. Definitions. When used in this Agreement and capitalized, the following terms have the following meanings: (a) "Breach" shall have the same meaning as the term "Breach" in 45 C.F.R. §164.402. (b) "Electronic Protected Health Information" or "ePHI" shall mean Protected Health Information transmitted by electronic media or maintained in electronic media. (c) "Individual" shall have the same meaning as the term "Individual" in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g). (d) "Privacy Rule" shall mean the Standards for Privacy of Individual Identifiable Health Information as set forth at 45 C.F.R. Parts 160 and 164 Subparts A and E. (e) "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. City of Fort Worth Business Associate Agreement OFFICIAL RECORD CITY SECRETARY FT. WORTH, TX Page 1 of 9 (f) "Required by Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103. (g) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee. (h) "Security Incident" shall mean any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system. (i) "Security Rule" shall mean the Standards for Security of PHI, including ePHI, as set forth at 45 C.F.R. Parts 160 and 164 Subparts A and C. (j) "Unsecured Protected Health Information' shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary. Tents used but not defined in this Agreement shall have the same meaning as those tenns in the HIPAA Privacy Rules and/or Security Standards. 2. Obligations and Activities of Business Associate Regarding PHI. (a) Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. (c) Business Associate agrees to ensure that any agents, including sub- contractors (excluding entities that are merely conduits), to whom it provides PHI agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information. (d) Business Associate agrees to provide access, at the request of Covered Entity, and in a reasonable time and manner designated by Covered Entity, to PHI in a Designated Record Set that is not also in Covered Entity's possession, to Covered Entity in order for Covered Entity to meet the requirements under 45 C.F.R. § 164.524. (e) Business Associate agrees to make any amendment to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 in a reasonable time and manner designated by Covered Entity. (f) Business Associate agrees to make internal practices books and records relating to the use and disclosure of PHI available to the Secretary, in a reasonable time and manner as designated by the Covered Entity or Secretary, for purposes of the Secretary deteitnining Covered Entity's compliance with the Privacy Rule. Business Associate shall promptly notify Covered Entity upon receipt or notice of any request by City of Fort Worth Business Associate Agreement Page 2 of 9 the Secretary to conduct an investigation with respect to PHI received from the Covered Entity. (g) Business Associate agrees to document any disclosures of PHI that it makes that are not excepted under 45 C.F.R. § 164.528(a)(1) as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. (h) Business Associate agrees to provide to Covered Entity, in a time and manner designated by Covered Entity, information collected in accordance with paragraph (g) above, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. (i) Business Associate agrees to use or disclose PHI pursuant to the request of Covered Entity; provided, however, that Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as otherwise expressly permitted herein. 3. Permitted Uses and Disclosures of PHI by Business Associate. (a) Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity in accordance with the tennis of this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. (b) Business Associate may use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate. (c) Business Associate may disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate if: (i) such disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. (d) Business Associate shall limit the PHI to the extent practicable, to the limited data set or if needed by the Business Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request subject to exceptions set forth in the Privacy Rule. City of Fort Worth Business Associate Agreement Page 3 of 9 (e) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). (f) Business Associate may deidentify PHI in accordance with the requirements of the Privacy Rule; provided that all identifiers are destroyed or returned in accordance with this Agreement. 4. Obligations of Covered Entity Regarding PHI. (a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice. (b) Covered Entity shall provide Business Associate with any changes in, or revocation of, authorization by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R § 164.522, if such restrictions affect Business Associate's permitted or required uses and disclosures. (d) Covered Entity shall require all of its employees, agents and representatives to be appropriately infoiuied of its legal obligations pursuant to this Agreement and the Privacy Rule and Security Standards required by HIPAA and will reasonably cooperate with Business Associate in the perfonufance of the mutual obligations under this Agreement 5. Security of Protected Health Information. (a) Business Associate represents that it has implemented policies and procedures to ensure that its receipt, maintenance, or transmission of all PHI, either electronic or otherwise, on behalf of Covered Entity complies with the applicable administrative, physical, and technical safeguards required protecting the confidentiality, availability and integrity of PHI as required by the HIPAA Privacy Rules and Security Standards. (b) Business Associate agrees that it will ensure that agents or subcontractors agree to implement the applicable administrative, physical, and technical safeguards required to protect the confidentiality, availability and integrity of PHI as required by HIPAA Privacy Rules and Security Standards. (c) Business Associate agrees to report to Covered Entity any successful Security Incident (as defined 45 C F.R. Part 164.304) of which it becomes aware. Business Associate agrees to report the Security Incident to the Covered Entity as soon as reasonably practicable, but not later than 10 business days from the date the Business City of Fort Worth Business Associate Agreement Page 4 of 9 Associate becomes aware of the incident The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents of which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log -on attempts, denials of service, and any combination of the above, so long as such incidents do not result in unauthorized access, use or disclosure of Covered Entity's PHI. (d) Business Associate agrees to establish procedures to mitigate, to the extent possible, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement. (e) Business Associate agrees to promptly notify Covered Entity upon discovery of any Breach of Unsecured Protected Health Information (as defined in 45 C.F.R. § § 164.402 and 164.410) and provide to Covered Entity, to the extent available to Business Associate, all information required to permit Covered Entity to comply with the requirements of 45 C.F.R. Part 164 Subpart D. (f) Covered Entity agrees and understands that the Covered Entity is independently responsible for the security of all PHI in its possession (electronic or otherwise), including all PHI that it receives from outside sources including the Business Associate. 6. Term and Termination (a) Term. This Agreement shall be effective as of the Effective Date and shall remain in effect until the Business Associate relationship with the Covered Entity is terminated in accordance with this Section 6 herein, and all PHI is returned, destroyed or is otherwise protected as set forth in Section 6(e). (b) Termination for Cause by Covered Entity. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach. If Business Associate does not cure the breach within 30 days from the date that Covered Entity provides notice of such breach to Business Associate, Covered Entity shall have the right to immediately terminate this Agreement and any existing underlying services agreement between Covered Entity and Business Associate. (c) Termination by Business Associate. This Agreement may be terminated by Business Associate upon 30 days prior written notice to Covered Entity in the event that Business Associate, acting in good faith, believes that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the date of this Agreement and applicable to PHI or to this Agreement, cannot be met by Business Associate in a commercially reasonable manner and without significant additional expense. City of Fort Worth Business Associate Agreement Page 5 of 9 (d) Termination for Convenience. Either party may terminate this Agreement for convenience, for any reason, upon sixty (60) days written notice to the other party. (e) Effect of Termination. Upon termination of this Agreement for any reason, at the request of Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies of the PHI unless return or destruction is deemed infeasible. If the return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI For purposes of illustration only and not to limit the set of circumstances that could potentially make return or destruction infeasible, it would be infeasible for Business Associate to return or destroy certain PHI that is part of work product that must be retained for document retention/archival purposes, as well as PHI that is stored as a result of backup e-mail systems that store e-mails for emergency backup purposes. 7. Amendment The parties may agree to amend this Agreement from time to time in any other respect that they deem appropriate. This Agreement shall not be amended except by written instrument executed by the parties. 8. Indemnification Business Associate shall indemnify and hold harmless Covered Entity from and against any and all costs, expenses, claims, demands, causes of action damages, reasonable attorneys fees and judgments that arise out of or that may be imposed upon, incurred by, or brought against Covered Entity to the extent directly resulting from a breach of this Agreement or any violation of the Privacy Rule or other applicable HIPAA regulations by Business Associate. The indemnification obligations provided for in this Section will commence on the effective date of this Agreement and will survive its termination. 9. Severability. The parties intend this Agreement to be enforced as written. However, (i) if any portion or provision of this Agreement is to any extent declared illegal or unenforceable by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the application of such portion or provision in circumstances other than those as to which it is so declared illegal or unenforceable, will not be affected thereby, and each portion and provision of this Agreement will be valid and enforceable to the fullest extent permitted by law; and (ii) if any provision, or part thereof, is held to be unenforceable because of the duration of such provision, the Covered Entity and the Business Associate agree that the court making such determination will have the power to modify such provision, and such modified provision will then be enforceable to the fullest extent permitted by law. City of Fort Worth Business Associate Agreement Page 6 of 9 10. Notices. All notices, requests, consents and other communications hereunder will be in writing, will be addressed to the receiving party's address set forth below or to such other address as a party may designate by notice hereunder, and will be either (i) delivered by hand, (ii) made facsimile transmission (iii) sent by overnight courier, or (iv) sent by registered mail or certified mail, return receipt requested, postage prepaid. If to the Covered Entity: If to the Business Associate: Assitant City Manager for HR 1000 Throckmorton Fort Worth, Texas 76102 with copy to: City Attorney's Office at same address 11. Regulatory References. Milliman, Inc. 71 S. Wacker Drive, 31st Floor Chicago, IL, 60606 A reference in this Agreement to a section in the Privacy Rule or Security Rule means the referenced section or its successor, and for which compliance is required. 12. Headings and Captions. The headings and captions of the various subdivisions of the Agreement are for convenience of reference only and will in no way modify or affect the meaning or construction of any of the terms or provisions hereof. 13. Entire Agreement. This Agreement sets forth the entire understanding of the parties with respect to the subject matter set forth herein and supersedes all prior agreements arrangements and communications, whether oral or written, pertaining to the subject matter hereof. 14. Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of both parties and their respective successors and assigns. 15. No Waiver of Rights, Powers and Remedies. No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of dealing between the parties hereto, will operate as a waiver of any such right, power or remedy of the party. No single or partial exercise of any right, power or remedy under this Agreement by a party hereto, nor any abandonment or discontinuance of City of Fort Worth Business Associate Agreement Page 7 of 9 steps to enforce any such right, power or remedy, will preclude such party from any other or further exercise thereof or the exercise of any other right, power or remedy hereunder. The election of any remedy by a party hereto will not constitute a waiver of the right of such party to pursue other available remedies. No notice to or demand on a party not expressly required under this Agreement will entitle the party receiving such notice or demand to any other or further notice or demand in similar or other circumstances or constitute a waiver of the right of the party giving such notice or demand to any other or further action in any circumstances without such notice or demand. The tettus and provisions of this Agreement may be waived, or consent for the departure therefrom granted, only by written document executed by the party entitled to the benefits of such terms or provisions. No such waiver or consent will be deemed to be or will constitute a waiver or consent with respect to any other tetuts or provisions of this Agreement, whether or not similar Each such waiver or consent will be effective only in the specific instance and for the purpose for which it was given, and will not constitute a continuing waiver or consent. 16. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Texas, to the extent not preempted by applicable federal law. 17. Interpretation It is the parties' intent to comply strictly with all applicable laws, including without limitation, HIPAA, state statutes or regulations (collectively, the "Regulatory Laws' ), in connection with this Agreement In the event there shall be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either party may perfoun or be compensated under this Agreement or which shall make this Agreement unlawful, the parties shall promptly enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this Agreement that complies with the law, regulation or policy and that approximates as closely as possible the economic position of the parties prior to the change. In addition, the parties hereto have negotiated and prepared the terms of this Agreement in good faith with the intent that each and every one of the teiuis, covenants and conditions herein be binding upon and inure to the benefit of the respective parties. 18 Review of Counsel. The parties acknowledge that each party and its counsel have had the opportunity to review and revise this Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto. 19 Signature Authority. The person signing this Agreement hereby warrants that he or she has the legal authority to execute this Agreement on behalf of his or her respective party, and that such binding authority has been granted by proper order, resolution, ordinance or other authorization of the entity. The other party is fully entitled to rely on this warranty and representation in entering into this Agreement City of Fort Worth Business Associate Agreement Page 8 of 9 20. Conflicts. In the event that any terms of this Agreement are inconsistent with the terms of the underlying agreement for services, then the terms of this Agreement shall control. 21. Independent Contractors. Business Associate and Covered Entity are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise or agency between Business Associate and Covered Entity. Neither Business Associate nor Covered Entity will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent, except as otherwise expressly provided in this Agreement. IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date. COVE ': NTITY: By: By. Name: Susan Alanis N - me: Title: Assistant City Manager ATTEST: MgrriCay's ect APPROVED AS TO FARM AND LEGALITY: Yz/L IA uillermo (Will) S. Trevino, Asst. City Attorney No M&C Required BUSINESS ASSOCIATE: 4)4).--1; </plAt 0 I 17 :Iene It (r) \5ntiv/bA Title: ion J rJ�-�' j 1 OFFICIAL RECORD CITY SECRETARY Ft WORTH, TX City of Fort Worth Business Associate Agreement Page 9 of 9