HomeMy WebLinkAboutContract 28546 CITY SECRETARY
CONTRACT NO.
Business Associate Agreement
Compliance with Privacy Standards
This Business Associate Agreement ("Agreement"), effective o ,
2003("Effective Date"), is entered into by and between Taxsaver Plan (the "Business
Associate") and City of Fort Worth Flexible Spending Account Benefit Plan (the
"Covered Entity") (each a "Party" and collectively the "Parties").
CITATION TO THE CODE OF FEDERAL REGULATIONS REFER TO THE
PRIVACY REGULATIONS PUBLISHED ON DECEMBER 28,2000 AND SHALL
BE READ TO INCLUDE AND REQUIRE ALL SUBSEQUENT,UPDATED,
AMENDED OR REVISED PROVISIONS RELATING TO HIPAA'S PRIVACY
REGULATION.
1.1 Intent.
The purpose of this Agreement is to set out the rights and responsibilities of the
parties under the Standards for Privacy of Individually Identifiable Health
Information under the Health Insurance Portability and Accountability Act (the
"Privacy Standards"). The intent is to provide the protections required by the
Privacy Standards, but to retain for the parties the greatest latitude and flexibility
permitted under those standards in order to facilitate the prompt and efficient
provision of services under this Agreement. The terms of this Agreement shall be
interpreted and applied consistent with this intent and with the Privacy Standards,
As used in this Agreement, "Protected Health Information" has the meaning set out in the
Privacy Standards; generally, Protected Health Information means information about an
individual's health, including information about payment for health care, and which either
identifies the individual or with respect to which there is a reasonable basis to believe the
information can be used to identify the individual. For purposes of this Agreement,
Protected Health Information shall refer only to Protected Health Information received
from the Covered Entity or created or received by the Business Associate on behalf of the
Covered Entity.
1.2 Permitted Uses and Disclosures.
(a) The Covered Entity may disclose Protected Health Information to the Business
Associate for purposes of administration of the health care spending account and
data aggregation (all as defined by the Privacy Standards) and, subject to the terms
of this Agreement, the Business Associate shall be permitted to us and
such Protected Health Information for these purposes. '
1 of 7
(b) The Business Associate shall use or disclose the Protected Health Information
only as authorized by this Agreement or as required by law, and shall not use or
disclose the Protected Health Information in a manner that would violate the
Privacy Standards if the use or disclosure were made by the Covered Entity itself.
(c) However, the Business Associate may use and disclose Protected Health
Information to the extent necessary for the proper management and administration
of its own business or to carry out its legal responsibilities; provided that any
disclosure made for these purposes shall be made only if: (1) it is required by law,
or(2)the Business Associate obtains reasonable assurances from the person to
whom the information is disclosed that(a) the Protected Health Information will
be held confidentially and used or disclosed only as required by law or for the
purpose for which Business Associate disclosed it to such person, and (b) the
person will notify the Business Associate if it becomes aware of any instance in
which the confidentiality of the information is breached.
1.3 Responsibilities of the Parties with respect to Protected Health Information.
(a) Responsibilities of the Covered Entity. With regard to the use and/or disclosure
of Protected Health Information by the Business Associate, the Covered Entity
hereby agrees:
(1) To establish written practices and procedures for the use and disclosure
of Protected Health Information in accordance with the Privacy
Standards and shall provide the Business Associate with copies of all
such practices and procedures. The Covered Entity shall promptly
provide the Business Associate with copies of any amendments or
updates of such practices and procedures. Without limitation, the
Covered Entity shall provide the following:
(1) A copy of the Covered Entity's Notice of Privacy Practices and
all amendments that the Covered Entity provides to individuals pursuant to
45 C.F.R. 164.520.
(ii) Any changes in, or withdrawals of, the consent or authorization
provided to the Covered Entity by individuals pursuant to 45 C.F.R. 164.506 or
164.508.
(iii) Any notification in writing and in a timely manner of any
arrangements permitted or required of the Covered Entity under 45 C.F.R. part
160 and 164 that may impact in any manner the use and/or disclosure of Protected
Health Information by the Business Associate under the Agreement.
pp 55 c'`✓di
BAA_ftw.doc 2 of 7 3/28/03
(2) To establish procedures and protocols that establish standards limiting the
amount of Protected Health Information that may be disclosed to or requested
from the Business Associate to the amount reasonably necessary to achieve
the purpose of the use or disclosure.
(3) To the extent it may affect the Business Associate's duties under this
Agreement, provide documentation of any restrictions to the use or disclosure
of Protected Health Information to which the Covered Entity has agreed in
accordance with the Privacy Standards.
(4)To the extent it may affect the Business Associate's duties under this
Agreement, provide documentation of any changes in, or revocations of,
permission to use or disclose Protected Health Information by the individual
who is the subject of the Protected Health Information.
(5)To not request or authorize the Business Associate to use or disclose Protected
Health Information in any manner that would not be permissible under the
Privacy Standards if done by the Covered Entity; provided,the Covered Entity
may request that the Business Associate provide data aggregation services.
Without limitation, the Covered Entity shall not request or authorize the
Covered Entity to disclose Protected Health Information:
(i) To employees of the sponsor of the Covered Entity unless the
Covered Entity has received proper certification that the Covered Entity
documents have been amended as required by the Privacy Standards and the
Covered Entity sponsor has agreed to the restrictions imposed by the Privacy
Standards. The Covered Entity shall provide the Business Associate with a
written list of the employees of the Covered Entity sponsor and other
individuals under the Covered Entity sponsor's control who are engaged in
administrative functions for the Covered Entity and who are authorized to
have access to Protected Health Information. Business Associate shall provide
Protected Health Information only to those listed individuals. The Covered
Entity shall promptly provide any updates to the list.
(ii) To agents or subcontractors of the Covered Entity sponsor
unless such agent or subcontractor has entered into an agreement subjecting
the agent or subcontractor to the same restrictions and conditions respecting
the Protected Health Information that apply to the Covered Entity sponsor.
The Covered Entity shall provide the Business Associate with a written list of
such agents and subcontractors who have entered into such agreements, and
Business Associate shall provide Protected Health Information only to those
entities. The Covered Entity shall promptly provide any updates to this list.
(iii) To any business associate unless a business associate contract
is in effect in accordance with the Privacy Standards. The Covered Entity shall
provide the Business Associate with a written list of these busine s associates
BAA ftw.doc 3 of 7 -
and other agents and subcontractors of the Covered Entity sponsor who are
authorized to have access to Protected Health Information. Business Associate
shall provide Protected Health Information only to those listed entities. The
Covered Entity shall promptly provide any updates to the list.
(iiii)In excess of the minimum necessary standards established
pursuant to Section 1.3(a) hereof.
(b) Responsibilities of the Business Associate With regard to its use and/or
disclosure of Protected Health Information, The Business Associate hereby agrees
to the following:
(1) The Business Associate is entitled to rely on any request or authorization by the
Covered Entity to use or disclose PHI as being made in accordance with the terms
of this Section 1.3, but reserves the right to refuse to disclose Protected Health
Information in its sole discretion if it reasonably believes that such disclosure may
result in a violation of the Privacy Standards.
(2) Report to the Covered Entity, in writing, any use and/or disclosure of the
Protected Health Information that is not permitted by this Agreement of which the
Business Associate becomes aware within 30 days of the discovery.
(3) Establish procedures for mitigating any deleterious effects from any improper use
and/or disclosures of the Protected Health Information that the Business Associate
reports to the Covered Entity.
(4) Use commercially reasonable efforts to maintain the security of the Protected
Health Information and to prevent unauthorized use and/or disclosure of such
Protected Health Information.
(5) Require all of its subcontractor and agents that receive or use, or have access to
Protected Health Information under this Agreement to agree to enter into a
contract which requires the same restrictions and conditions that apply to the
Business Associates pursuant to Section 1.3 of this Agreement.
(6) The Business Associate shall make Protected Health Information and its records
available to the extent necessary to comply with the Privacy Standards
requirements to provide access to individuals upon request; to permit an
individual to amend his records; to permit accounting of disclosures; or to comply
with the terms of an audit by the Health and Human Services, all as set out below.
Any such access shall be provided within 30 business days of receipt of written
request by an authorized person, and shall be provided during normal business
hours.
(a) Upon receipt of written instruction by the Covered Entity, Business
Associate will provide access to Protected Health Information in a
designated record set to the Covered Entity or to the individual to
whom the Protected Health Information pertains, provided the
Covered Entity certifies that such disclosure is in accordance with
the individual's right under the Privacy Standards to ha e_acu
BAA_ftw.doc 4 of 7 3/28/63
his own Protected Health Information. If the Covered Entity
determines, and notifies the Business Associate in writing, that the
Protected Health Information is subject to amendment in
accordance with the Privacy Standards, the Business Associate
shall make any amendments to such Protected Health Information
requested by the Covered Entity or by such individual within 60
days following receipt of the Covered Entity's written instruction.
(b) Upon receipt of written instruction by the Covered Entity, Business
Associate will provide an accounting within 30 days of any
disclosures made with respect to an individual's Protected Health
Information during the preceding six years to the extent required by
the Privacy Standards. Business Associate shall only be responsible
to account for any disclosures made by it, its agents and
subcontractors. Business Associate shall not be responsible to
account for any disclosures made by other entities that may be
reflected in its records.
(c) Business Associate will make its privacy practices, books and
records, as they apply to the Protected Health Information,
available to the extent necessary to comply with an audit by the
Secretary of Health and Human Services in accordance with the
Privacy Standards.
1.4 Terms and Termination of Contract.
(a) Term. This Agreement shall become effective on the Effective Date and shall
continue in effect until all obligations of the Parties have been met, unless terminated as
provided in the Section 1.4.
(b) Termination. Notwithstanding any other conditions on termination of this
Agreement, the Covered Entity may terminate this Agreement if the Business Associate
engages in a pattern of activity or practice that constitutes a material breach of its
obligations under this Agreement. Upon termination of this Agreement, the Business
Associate shall return or destroy all Protected Health Information then in its possession
which was received from, or created or received by, the Business Associate on behalf of
the Covered Entity, and shall not retain any copies of such Protected Health Information;
provided, if return or destruction is not feasible, the Business Associate agrees to extend
the protections of this Agreement to the Protected Health Information and limit further
use and disclosure to those purposes that make the return or destruction infeasible. The
Business Associate may charge a fee if it is required to maintain any such records
following termination of this Agreement.
1.5 Representation and Warranties
(a) Mutual Representation and Warranties of the Parties. Each Party represents and
warrants to the other Party:
2 c•,(I'I7 U 4 C:
✓�:Y,Y' Y il�0
BAA ftw.doc 5 of 7
(1) that it is duly organized, validly existing, and in good standing under the laws of
the jurisdiction in which it is organized or licensed, it has the full power to enter
into this Agreement and to perform its obligation hereunder, and that the
performance by it or its obligation under this Agreement have been duly
authorized by all necessary corporate or other actions.
(2) That neither the execution of this Agreement, nor its performance hereunder, will
directly or indirectly violate or interfere with the terms of another agreement to
which it is a party.
(3) That it will reasonably cooperate with the other Party in the performance of the
mutual obligation under this Agreement.
1.6 Indemnification
The Parties agree to indemnify, defend and hold harmless each other and each other's
employees, directors, officers, subcontractors, agents or other members of its workforce,
each of the foregoing hereinafter referred to as "indemnified party," against all actual and
direct losses suffered by the indemnified Party and all liability to third parties arising
from or in connection with any breach of this Agreement or any warranty hereunder or
from any negligence or wrongful acts or omissions, including failure to perform its
obligation under the Privacy Regulation, by the indemnifying party or its employees,
directors, officers, subcontractors, agents or other members of its workforce. Accordingly,
on demand, to the extent permitted by applicable law without waiver of sovereign
immunity, the indemnifying Party shall reimburse any indemnified party for any and all
actual and direct losses, liabilities, fines, penalties, cost or expenses which may be
imposed upon any indemnified party by reason of aany suit, claim, action, proceeding or
demand by any third party which results from the indemnifying party's breach hereunder.
1.7 Miscellaneous
(a) Amendments; Waiver. This Agreement may not be modified, nor shall any
provision hereof be waived or amended, except in a writing duly signed by authorized
representatives of the Parties. A waiver with respect to one event shall not construe as
continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
(b) No Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than the
Parties and their respective successors or assigns of the Parties, any rights, remedies,
obligations, or liabilities whatsoever.
(c) Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail
or express courier to such Party's address given below.
If to Business Associate, to:
Taxsaver Plan
4131 N. Cenral Expressway Suite 105
Dallas, Tx 75204
SRIo
BAA_ftw.doc 6 of 7 3/28/03
t
If to Covered Entity, to:
City of Fort Worth
1000 Throckmorton Risk Management
Fort Worth, TX 76102
Attn: HIPAA Privacy Officer
(d) Protected Health Information. Protected Health Information shall have the meaning
as set out in its definition at 45 C.F.R. 164.501, as such provision is currently drafted and
as it is subsequently updated, amended or revised.
IN WITNESS WHEREOF<each of the undersigned has caused this Agreement to be
duly executed in its name and on behalf effective as of If,1'i 2003.
COVERED ENTITY: BUSINESS ASSOCIATE:
_City of Fort Worth_ axsave la
B& By:
Print Name: - Print Name: Charles Lny
Print Title: Print Title: President
Date: 411J4 l ? Date: February 17, 2003
A PRO
rn
ATTESTED BY
r
BAA.doc 7 of 7 2/19/03