Contract 45388 (2)
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "Agreement") is entered into by and
between City of Fort Worth ("Plan Sponsor") and Higginbotham Insurance
Agency ("Business Associate") (together referred to as the "Parties") effective
09/01/2013.
WHEREAS, the Group Health Plan ("Plan") sponsored by Plan Sponsor is a
group health plan as defined in Title 45, Parts 160 and 164 of the Code of Federal
Regulations (the "Privacy Regulations") and Title 45, Parts 160, 162 and 164 of the Code
of Federal Regulations (the "Security Regulations") (together, the "Privacy and Security
Regulations") adopted pursuant to the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA");
WHEREAS, Business Associate and Plan Sponsor entered into an agreement
("Underlying Agreement") whereby Business Associate will perform services on behalf
of the Plan; and
WHEREAS, the Parties wish to set forth their understandings with regard to the
use and disclosure of Protected Health Information ("PHI") by Business Associate in
performance of its obligations in compliance with the Privacy and Security Regulations
(as amended to incorporate Subtitle D of the Health Information Technology for
Economic and Clinical Health Act, Title XIII of Public Law 111-005 (42 U.S.C.A.
Section 17921 et seq., subchapter III, Privacy) ("HITECH")) and the Texas Health and
Safety Code sections 181 and 182 (as amended by HB300 (82nd Legislature)).
In consideration of the mutual promises set forth below, the parties hereby agree
as follows:
1. Definitions. Capitalized terms shall have the meanings given to them in
the Privacy and Security Regulations, which are incorporated herein by reference.
2. Use and Disclosure of Protected Health Information. The Plan Sponsor
and Business Associate hereby agree to comply with the privacy and security
requirements of HIPAA, as set forth in the Privacy and Security Regulations. Business
Associate shall use and/or disclose PHI only to the extent necessary in furtherance of
Business Associate's obligations and duties under the Underlying Agreement with the
Plan Sponsor and as authorized or permitted by the Privacy and Security Regulations.
Business Associate shall disclose PHI to other business associates of the Plan to the
extent necessary for purposes of the Plan's Payment and Health Care Operations,
provided such other business associates have business associate agreements in place with
the Plan Sponsor as required by the Privacy Regulations (and a copy of the applicable
provisions of such other business associate agreements will be provided to Business
Associate upon request). Business Associate shall disclose PHI to the Plan Sponsor to
the extent necessary for the Plan Sponsor's administrative activities that constitute
Payment or Health Care Operations, provided the Plan document has been amended as
required by the Privacy Regulations (and a copy of the applicable provisions of the Plan
document will be provided to Business Associate upon request). Business Associate may
disclose Summary Health Information to the Plan Sponsor for the purpose of
(a) obtaining bids for health or stop loss insurance for the Plan, or (b) modifying,
amending or terminating the Plan.
CITY SECRETARY
FT. WORTH, TX
RECEIVED FEB 27 2014
3. Prohibition on Unauthorized Use or Disclosure of PHI. Business
Associate shall not use or disclose any PHI received from or on behalf of the Plan, except
as permitted or required by the Underlying Agreement, this Agreement, the Privacy and
Security Regulations, and as required by law or as otherwise authorized in writing by the
Plan. Business Associate shall comply with the applicable provisions of: (a) the Privacy
and Security Regulations; (b) state laws, rules and regulations applicable to
individually-identifiable health information not preempted by federal law; and (c) the Plan's health
information privacy policies and procedures.
4. Business Associate's Operations. Business Associate may use PHI it
creates for or receives from the Plan, in its capacity as a Business Associate, to the extent
necessary for Business Associate's proper management and administration or to carry out
Business Associate's legal responsibilities but only if:
(a) The disclosure is required by law; or
(b) Business Associate obtains reasonable assurance, evidenced by
written contract, from any person or organization to which Business Associate shall
disclose such PHI that such person or organization shall:
(i) Hold such PHI in confidence and use or further disclose it
only for the purpose for which Business Associate disclosed it to the person or
organization or as required by law; and
(ii) Notify Business Associate (who shall in turn promptly
notify the Plan) of any instance of which the person or organization becomes aware in
which the confidentiality of such PHI was breached as soon as possible.
5. Data Aggregation Services. Business Associate may use PHI to provide
Data Aggregation Services related to the Plan's Health Care Operations.
6. PHI Safeguards. Business Associate shall develop, implement, maintain
and use appropriate administrative, technical and physical safeguards to prevent the
improper use or disclosure of any PHI relating to the Plan.
7. Electronic Health Information Security and Integrity. Business Associate
represents and warrants that it is compliant with all applicable requirements of the
Security Regulations. Business Associate further represents and warrants that it has fully
developed and implemented, and maintains and uses appropriate administrative, technical
and physical security measures consistent with and in compliance with the Security
Regulations to preserve the integrity, confidentiality and availability of all electronic PHI
that it creates, receives, maintains or transmits on behalf of the Plan. Business Associate
shall document and keep its security measures current in accordance with the Security
Regulations.
8. Protection of Exchanged Information in Electronic Transactions. If
Business Associate conducts any Standard Transaction for or on behalf of the Plan,
Business Associate shall comply, and shall require any subcontractor or agent conducting
such Standard Transaction to comply, with each applicable requirement of the Privacy
and Security Regulations.
9. Subcontractors and Agents. Business Associate shall require each of its
subcontractors or agents to whom Business Associate may provide PHI on behalf of the
Plan to agree to written contractual provisions that impose at least the same obligations to
protect such PHI as are imposed on Business Associate by this Agreement and the
Privacy and Security Regulations. Business Associate shall maintain a list of all
subcontractors and agents to which it provides the Plan's PHI, and it will provide the list
to the Plan upon request.
10. Access to PHI. Business Associate shall provide access, at the request of
the Plan, to PHI in a Designated Record Set, to the Plan or, as directed by the Plan, to an
Individual to meet the requirements under Title 45, Section 164.524 of the CFR or
applicable state law. Business Associate shall provide access in the time and manner set
forth in the Plan's health information privacy policies and procedures.
11. Amending PHI. Business Associate shall make any amendment(s) to PHI
in a Designated Record Set that the Plan directs or agrees to pursuant to Title 45,
Section 164.526 of the CFR at the request of the Plan or an Individual in the time and
manner set forth in the Plan's health information privacy policies and procedures.
12. Accounting for Disclosures of PHI.
(a) Business Associate shall document all disclosures of PHI and
information related to such disclosures as would be required for the Plan to respond to a
request by an Individual for an accounting of disclosures of PHI in accordance with
Title 45, Section 164.528 of the CFR.
(b) Business Associate agrees to provide the Plan, in the time and
manner set forth in the Plan's health information privacy policies and procedures,
information collected in accordance with Section 12(a) above, to permit the Plan to
respond to a request by an Individual for an accounting of disclosures of PHI in
accordance with Title 45, Section 164.528 of the CFR. Business Associate shall provide
the accounting directly to an Individual upon request by the Plan.
13. Access to Books and Records. Business Associate shall make its internal
practices, books and records relating to the use and disclosure of PHI received from or on
behalf of the Plan available to the Plan and to DHHS or its designee for the purpose of
determining the Plan's compliance with the Privacy Regulations.
14. Reporting. As described below, Business Associate shall report to the
Plan in writing any "Event."
(a) Definition. For purposes of this Agreement, "Event" shall mean
any use or disclosure of PHI not permitted (1) under the Privacy Regulations including
events that rise to the level of a Breach, (2) under this Agreement or (3) by law, or that is
a Security Incident.
(b) Event Reporting. Business Associate shall provide written notice
as soon as practicable to the Plan's Privacy Official (contact information listed below) of
any Event of which it has reasonable suspicion or discovers. This notice shall identify a
contact person with whom the Plan may correspond regarding the Event. Within sixty
(60) days from the date of initial notice, Business Associate shall provide the Plan a
written report identifying or describing: (i) the affected Individual whose Unsecured PHI
has been or is reasonably believed to have been accessed, acquired or disclosed; (ii) the
incident, including the date of the Event and the date of the discovery of the Event, if
known; (iii) who made the unauthorized use and/or received the unauthorized disclosure;
(iv) the types of Unsecured PHI involved in the Event; (v) any specific steps the affected
Individual should take to protect him or herself from potential harm related to the Event;
(vi) what the Business Associate is doing to investigate the Event, to mitigate losses and
to protect against further Events; (vii) contact procedures for how the affected Individual
can obtain further information from the Business Associate; (viii) a recommended plan of
notifications to affected Individuals, HHS and/or the media, as may be appropriate or
required by law; and (ix) such other information including the risk assessment analysis
prepared by the Business Associate, as reasonably requested by the Plan's Privacy
Official. Business Associate shall conduct the risk assessment to determine whether a
Breach occurred and inform the Plan of its assessment. If in the opinion of the Plan the
incident qualifies as a Breach the Business Associate shall carry out the appropriate
notification responsibilities, after receiving the Plan's approval of the Business
Associate's plan of proposed notifications and the specific content of such notifications.
Business Associate shall require all of its subcontractors and agents who experience an
Event related to the Plan to report the Event to the Business Associate in such a time so
that the Business Associate shall comply with the notification requirements described in
this section.
Plan Privacy Official:
Margaret Wise, Assistant HR Director
1000 Throckmorton Street
Fort Worth, Texas 76102
817.392.8869
Fax:
Higginbotham Privacy Official:
Ross Carmichael or VP of Compliance
500 W. 13th Street
Fort Worth, TX 76102
(817) 882-9341
Fax:
15. Sale of PHI. Business Associate shall not receive direct or indirect
payment in exchange for any PHI relating to the Plan or its Individuals in such a way as
to violate Texas Health and Safety Code sections 181 and 182 as amended by HB300
(82nd Legislature), unless Business Associate receives authorization by all affected
Individuals, except as permitted under the Privacy Regulations, including 45 CFR Part
164.
16. Marketing. Business Associate shall not receive direct or indirect
payment for marketing communications which include PHI relating to the Plan or its
Individuals without authorization from the affected Individuals in such a way as to
violate Texas Health and Safety Code sections 181 and 182 as amended by HB300 (82nd
Legislature), unless such communication is permitted under the Privacy Regulations,
including 45 CFR Part 164.
17. Restrictions on Uses, Disclosures and Requests.
(a) Business Associate will limit all uses, disclosures and requests of
PHI, including electronic PHI, to the Limited Data Set to the extent possible or, if that is
not sufficient, to the minimum necessary to accomplish the intended purpose of such use,
disclosure or request, to the extent required by the Privacy Regulations. Business
Associate shall maintain a written policy delineating the standards it will use in
determining the minimum necessary information for its uses and disclosures of PHI in
accordance with standards set forth in the Privacy Regulations.
(b) Upon the request of an Individual, Business Associate will not
disclose such Individual's PHI for purposes of Payment or Health Care Operations if the
Individual paid in full out of pocket for the health care item or service to which the PHI
relates, in accordance with 45 CFR section 164.522.
18. Mitigation. Business Associate agrees to mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of a use or disclosure
of PHI by Business Associate in violation of the requirements of this Agreement.
19. Termination for Cause. As required by the Privacy Regulations, if the
Plan or Business Associate ("Non-Breaching Party") becomes aware that the other entity
to this Agreement has engaged in a material breach ("Breaching Party"), then the Non-Breaching
Party shall:
(a) Provide an opportunity for the Breaching Party to cure the breach.
If the Breaching Party does not cure the breach or end the violation within the time
specified by the Non-Breaching Party, then the Non-Breaching Party shall have the right
to terminate this Agreement and the Underlying Agreement, if termination is feasible.
(b) Immediately terminate this Agreement and the Underlying
Agreement if cure is not possible and if termination is feasible.
(c) If neither termination nor cure is feasible, Business Associate shall
report the violation to the Secretary.
20. Return or Destruction of Health Information.
(a) Except as provided in Section 20(b) below, and subject to any record retention
provisions of the Underlying Agreement, upon termination, cancellation, expiration or other
conclusion of this Agreement and the Underlying Agreement, Business Associate shall return to the
Plan or destroy all PHI created or received by Business Associate on behalf of the Plan. This
provision shall also apply to PHI that is in the possession of subcontractors or agents of Business
Associate.
(b) In the event that the Business Associate determines, in its discretion, that
returning or destroying the PHI is infeasible, Business Associate shall retain the PHI, extend the
protections of this Agreement to such PHI and maintain the confidentiality of all such PHI, for so long
as Business Associate maintains such PHI. The obligations of Business Associate under this Section
20(b) shall survive termination of this Agreement and the Underlying Agreement.
21. Obligations of Plan Sponsor.
(a) The Plan Sponsor shall provide Business Associate a copy of the Plan's Notice
of Privacy Practices.
(b) The Plan Sponsor shall notify Business Associate of any restriction to the use or
disclosure of PHI that the Plan has agreed to (and any revocation of such a restriction), to the extent
that such restriction may affect Business Associate's use or disclosure of PHI.
(c) The Plan Sponsor shall notify Business Associate of any change in, or
revocation of, permission by an Individual to use or disclose PHI, to the extent that such change or
revocation may affect Business Associate's use or disclosure of PHI.
(d) The Plan Sponsor shall not request Business Associate to use or disclose PHI in
any manner that would not be permissible under the Privacy Regulations if done by the Plan, except as
permitted in Sections 4 and 5 above.
22. Automatic Amendment. Upon the effective date of any amendment to the Privacy and
Security Regulations and any applicable regulations thereunder with respect to PHI, the Agreement
shall automatically be deemed to be amended to incorporate such amendment to the Privacy and
Security Regulations and applicable regulations so that Business Associate and the Plan remain in
compliance with the Privacy and Security Regulations and applicable regulations.
23. Hold Harmless. Business Associate shall indemnify and hold Plan Sponsor and its
affiliates, employees, directors, trustees and agents harmless from and against all obligations,
liabilities, penalties, taxes, costs, damages, losses or expenses (including reasonable attorneys' fees) of
any sort which may be imposed on or incurred by the Plan in connection with, or arising out of, a
Breach by Business Associate or any of its subcontractors or the performance or breach of Business
Associate's or any of its subcontractors' responsibilities and obligations under the Privacy and Security
Regulations or this Agreement.
To the extent allowed by Texas law, Plan Sponsor shall indemnify and hold Business Associate
and its affiliates, employees, directors, trustees and agents harmless from and against all obligations,
liabilities, penalties, taxes, costs, damages, losses or expenses (including reasonable
attorneys' fees) of any sort which may be imposed on or incurred by the Plan in
connection with, or arising out of, a Breach by the Plan or any of its subcontractors or the
performance or breach of the Plan's or any of its subcontractors' responsibilities and
obligations under the Privacy and Security Regulations or this Agreement.
24. Counterparts. This Agreement may be executed in any number of
counterparts, each of which shall be deemed an original and such counterparts shall
constitute one and the same instrument.
25. Independent Contractor. The Parties are and shall remain independent
contractors throughout the term of this Agreement. Nothing in this Agreement or
otherwise shall be construed to constitute Business Associate and the Plan Sponsor as
partners, joint ventures, agents or anything other than independent contractors.
26. Facsimile Signature. Signature pages may be transmitted by facsimile,
e-mail or other electronic means. Upon delivery via facsimile, e-mail or other electronic
means, a signature shall be deemed an original and shall be admissible in evidence.
27. Governing Law. This Agreement shall be governed by the laws of the
State of Texas (without regard to conflict of laws principles), except to the extent such
laws are preempted by applicable federal law. Any claim, dispute, controversy or other
matter arising under or related to this Agreement shall be subject to the sole and
exclusive jurisdiction of the federal and state courts located in Tarrant County, Texas,
and all Parties hereto waive any claims of inconvenience or lack of personal jurisdiction
with respect to such courts.
28. Entire Agreement. This Agreement embodies the entire agreement and
understanding between the Parties hereto with respect to the subject matter hereof, and
supersedes all prior oral or written agreements and understandings relating to the subject
matter hereof. No statement, representation, warranty, covenant or agreement of any kind
not expressly set forth in this Agreement shall affect, or be used to interpret, change or restrict, the express terms and provisions of this Agreement.
29. Final Agreement. This Agreement supersedes all prior Business Associate
Agreements between the parties with respect to the Underlying Agreement.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to
be duly executed in its name and on its behalf, effective as of 09/01/2013
By:
Its:
Higginbotham Insurance Agency, Inc.
By: Ross Carmichael
Its: Vice President of Compliance and Operation