HomeMy WebLinkAboutContract 28546 (2)CfiY ��c�E�A�� �'� �
�ON��AC�' � .
Business Associate A�reement
Compliance with Prrvacy Standards
This Business Associa�e Agreement ("A�reement"), effective �� " � � _ �� .
2003("Effective Date"), is entered into by and between Taxsaver Plan (the "Business
Associate") and City of Fort Worth Flexible Spending Account Bene�it Plan (the
��Covered Entity") (each a"Paii37" and collectively tUe "P�1B5"�.
CITATION TO THE CODE OF FEDERAL REGULATIONS REFER TO THE
PRIVACY REGULATI�NS PUBLISHED ON DECEMBER 2�, 2000 AND SHALL
BE READ T4 INCLUDE AND REQUIRE ALL SUBSEQUENT, UPDATED,
AMENDED OR REVISED PROVISIONS RELATING TO HIl'AA'S PRNACY
REGULATION.
1.1 Intent.
The purpase of this Agree�nent is to set out the rights and responsibilities af the
parties under the Standards for Privacy of Tndividually Identifiable Health
Ir�formation under the Healih Insurance Portability and Aecountability Act (the
"Pz•ivacy Standards"}. The intent is to p�•o�ide the protectians req�zired by the
Privacy Standarc�s, but to retain for the parties the greatest latitude and flexibility
permitted under t�►ose standards in order to facilitate the proin�t and efficienY
provision of services under this Agreement. The terms of this Agreement shall be
interpreted and applied consistent with this intent and with the Privacy Standards.
As used in this Agreement, "Protected Health Infarmation" has the meaning set out in the
Privacy Standards; generally, Protected Health Information means information about an
inc�i�idllal's health, including inform��ion aUaL�t plyment for hea�th c�t�e, �nd which Eith�r
ide�tifies the individ�al or with respect to which there is a reasanable basis to believe the
information ean be used to identify the individual. For purposes of this Agr�ernent,
Protected Health Inforznation shall refer only to Protected Health Ynformation received
from the Cavered Entity or created ar received by the Busine�s Associate on behalf of the
Co�ered Entit�.
1.2 Permitted Uses and Disclosares.
{a} The Covered Entity may discIose Protected Health Information to the Business
Associate for purposes of adminzstt'a�ian of the healCh care spending accaunt and
data aggregation (all as defined by tY�� Privacy Standards) and, subject to the te:rms
of this Agreement, the Business Associate shall be pexmitted ta us €��c� as�_
such Protected Health Information for these puipases. �~
�
� � �
� � o�� � - -- ��zs�
(b) The Business Associate shall ase ar disclo�e tI�e Pratected Health Ir�format�an
only as autharized by this Agreement or as required by law, and shall not use or
disclose the Protected Health Information in a manner that would violate the
Privacy Standards if the use or disclosure were made by the Covered Entity itself.
(c) However, the Susiness Associate may use and disclose Protected Health
Information to �he extent necessary far the proper managemen� and aclministratian
of its own business or to carry out i�s legal respansibili�ies; pro�ided tha� any
disclosure made for these purposes shaIl be made only if: (1 } it is required by law,
or (2} the Business Assaciate obtains reasonable assurance� frarn the person to
vwhom the information is disclosed that (a) the Protected Health Information wi11
be held confidentially and used or disclosed only as required by law or for the
purpose far which Business Associate disclosed it to such persan, and {b) the
person will notify the Business Associate if it becomes aware af any instance in
which the confidentiality af the information is breached.
1.3 Responsibilit'res of the Partxes with respect to Protected Health Information.
(a) Responsibilities of the Covered Entity. With regard to the use and/or disclosure
af Protected Health Information by the Business Associate, the Covered Entity
hereby agrees:
(1) To establish written practices and procedures for the use and disclosure
of Protected He�lth Trtformatian in aceordance with the Privacy
Staiidarcls and shall provide the Business Associate with copies af all
such p�-actices and procedures, The Cavered Entity shall promptly
provide the Business Associaie wii4� copies of any arnendm�nis or
updates of such practices and procedures. Without limita�ion, the
Covered Entity sha1l pro�ide the following:
(i) A co�y of the Covered Entity's Notice of Privacy Practices znc!
all amendments that the Co�ered Entity provides to individuals pursuant to
45 C.F.R. 1b4.S2Q.
(ii) Any changes in, or withdrawals of, the consent or authorization
provided to the Covered Entity by individuals pursuant to 45 C.F.R. 164.506 or
16�.508.
(iii) Any noti�ication in writxng and in a tirnely manner of any
a�t'angements pernutted or r�quired of the Covered Entity under 45 C.F.R. part
16D and 164 that may impact in any manner the use and/or disclosure of Protected
Health Information by the Business Associa�e under the Agreament.
BAA_ftw.dvc
j �.;� � 171: Jiti I� +
I �� I' .�1 `a(�,
u xlh b
��V'. ' ���.
2 of 7 3128103
(2) To establish procedures and protoeols that establish standards limiting the
amnunt of Protected Hea�th Info�:rnat�on that may be disclosed ta o:r requested
from the Business Associate ta the amo�nt reasanably necessary ta achieve
the purpose of the use or disclosure.
(3) To the extent it may affect the Business Associate's duties under this
Agreement, provide documentation of any restrictions to the use or disclosure
of Protected Health Informatian to which the Covered Entity has agreed in
accordance with th� Privacy �tandards.
(4) To the extent it may aifect th.e Business Associate's duties under this
Agreement, provid� documentation of any changes in, ar revocations of,
permission to use or disclose Protected Health Information by the individ�al
who is the sub�ect oi the Protected Health In%rmation.
(5) To not request ar authorize the Business Associate to use or disclase Protected
Health Information in any manner that would not be permissible under the
Privacy Standards if dane by the Cavered E�.taty; provided, the Cvvered Entity
may request thai �he Business Associate provide data aggregation service�.
Without lirnitation, the Covered En�sty shall not �•equesi or authorize the
Covered En�ity to disclose Protected HeaIth Information:
(i} To ezxzplayees of the sponsor of the Covered Entity unless ihe
Covered Entity has reeeived proper ceriification that the Covered Entity
docuineilts have l�een anle►�c�ed as req�.�ii•ed lly tl�e Pt�vacy Stand�rds ai7d tl�e
Covered Entity sponsor h�s agreed to the restrictions im�osed by the Privacy
Standards. The Covered Entity shall provide the Business Associate with �
written list of the employees af the Cove�•ed Entity sponsor ar�d other
inclividuals under the Cover�d Entity sponsor's cont�oI who are engaged in
administrative functions for the Co�ered En#ity and who are authorized to
ha�e access to Pi-otected Health Infoz-mation. Business Associate shaII provide
Pratected Health Information only to those ]isted individuals. The Covered
Entxty st�all promp�ly provide any upda�es to the list.
(ii) To agents or subcontractors of the Covered Entity sponsor
unless such agent or subcant�'actor has entered zn.to an agreement subjecting
the agent or subcontractor to ihe same restrictions and conditions respecting
the Protected Health Information that apply to the Covered Entity sponsor.
The Cove�ed Entiiy shall provide the Business Associate with a written list of
s�tch agents and subcont�-actors who have ente�ed into such agreements, and
Business Associate sha11 pravide Pratected Health Information on�y to those
entities. Th� Covered Entity shall promptly provide any updates to this list.
(iii) To any business associate unless a business associate contract
�s in effect in aceordance with the Privacy Standaz�ds. The Covered Entity shall
provide th� Business Associate with a written list of these busine�s ,��+��iRt.ss
�
�
BAA ftw.doc 3 af 7 �fv�
�'w�
b.�
�
F
and other agents and subcontractors of the Covered Entity sponsor who are
auihorized ta ha�e access ta Protected Health Information. Business Associate
shall pravide P:rotected Health In%rmation anly to those lisied entities. The
Covered Entity shali promptly pravide any updat�s to the list.
(iiii} In �xcess of the minimum necessary standards established
pursuant to Section 1.3(a) hezeof.
{b} Res�onsibilities of the Business Associate With regard to its use and/or
disclosure of Pratected Health Information, The Business Associate �ereby agrees
to the iollowing:
(1) The Business Associate is entitled to rely on any request or authai-ization by the
Carrered En�ity to use ar disclose PHI �s being �nade in accoxdance with the terxns
af this Sectian 1.3, but reserves the right to refuse to disclose Protected Health
Information in its sol�; discretion if it reasonably believes that such disclosnre may
resuli in a violation of the Privacy Standards.
(2) Report to the Cavered En�ity, in writing, any use and/or ciisclosure of the
Protected Health Infarma�ion that is not permitted by this Agreemez�t of whieh the
Business Associate becomes aware within 30 days of the discovery.
(3) Establish procedures for mitigating any deleterious effacts from any i�nproper use
andlor disclosures of the Protected Health Infoima�ion that the Business Associate
reports to th� Covered Entity.
{4) Use commereially rcasonable efforts to maintain the secLu�ity of the Protected
Heajlh Infoi�rnation and to preveilt unairthorizcd itse and/or disclosur� af s�ich
Protected Health Tnformation.
{5} Require all of iis subcontractor and. agents that receive or use, or have access to
Protected Healtt� Infarmation under this Agz-eez�nent to agree to enter it�to a
contract which requu•es the same restrictions and conditions that apply to the
Business Associates pursuant to Section 1.3 of this Agrecment.
(6) The Business Associaie shall m11ce Protected He�lth Information �nd its records
available ta the extent necessazy to cQmply with the Privacy Standards
requirements to provide access to individ��als upon request; ta permit an
individual to amend his records; to permit accounting af disclosures; or to cornply
with tl�e terrns of an audit by the Health and Human Ser�ices, all as set oui below.
Any such access shall be p:rovided within 30 business days of receipfi af written
request by an authorized persan, and shall be p:rnvided during normal business
hours.
(a} Upon receipt of written instruction by the Cavered Entity, Business
Associate will provide access to Protected Health Infarma�ion in a
designated record set ta the Covered Entity or to the indir�idual to
whom the Protected Health Information pertains, provided the
Covered Entity certifies that such disclosure is in accordanee with
the individual's right under the Privacy Standards to ha�e �:,�,�,d�
� ��
T�?!
i.
BAA ftw.doc 4 of 7 3128/03
his own Protected Health Information. If the Covered Entity
determines, and notiiies the Business Associate in writing, that �he
Protected Health Information is subject ia amendment in
accordance with the Privacy Standards, the B�siness Associate
shall make any amendments to such Protected Health Information
requested by the Co�ered Entity or by such individual within 6a
days following receipt of the Covered Entity's written instruction.
(b} Upon receipt o� written i�struction by the Co�ered Entity, Business
Associate will provide an accounting within 30 days of any
disclosures made with respect to an individual's Protected Health
Information during the preceding six years to the extent required by
the Privacy Standards. Business Associate shall a:n�y be responsible
to aceou�t for any disclosures made by it, its agents and
subcontractors. Business Associate shall not be responsible to
account for any disclasures made by ather entities that may be
refl�cted in its records.
(c) Business Associate will make its privacy practices, i�ooks and
records, as they apply to the Protected Healt� Information,
av�i�able to the extenY necessary ta campZy with an audit by the
Secretary of Health and Human Services in accardance with t�e
Privacy �tandards.
1.� T�rms an�l Termiciation of Contract.
(a) Terin. This Agreement shall become e�fec�ive on the Effective Date and shall
continue in effect until all obligations of the Parties have been met, t�nless terminated as
provided in th� Section 1.4.
(6} Termination. Notwithstanding any other conditions on termination of this
Agrcement, the Covered Entity may terminate this Agreement if tl�e Busiizess Assoeiate
engages zn a pattern of activity ar practice that canstitutes a material breach af its
obligations under this Agreement. Upon termination of this Agreement, the Business
Associaie shall return or dest�ay all Protected Health Tnformation then in its possession
which was received irom, or cxeated ar received by, t1�e B�zsiness Associate an behal� oi
the Cavexed Entity, and sI�ail not retain any copies of such Protected Health Information;
provic�ed, if return or destruction is nat feasible, the Business Associate agrees to extend
the proteetions of this Agreement to fihe Protected Hea�th Information and Zimi� further
use and disclosure to those purposes that make the return or destruction infeasible. The
Business Assaciate may charge a fee if it is required to maintain any such records
following termination of this Agreement.
1.5 Representation and Warranties
(a) Mutual Representation and Wa�tranties af the Parties. Each Party represents and
watrants ta the other Party: __
� _,y .
� ,�;��,u
I ^ ����
BAA ftw.doc 5 of 7 3r�ani��
(l.) khat it is duly organized, validly ex:isting, and in good standing under the laws of
the jurisdictian in wi�ieh it is arganized or licensed, it has the full power �o enter
into this Agreement and to perform its obligation hereunder, and that the
performance by it or its obIigation under this Agre�ment have been duly
authorized by all necessary corporate or other actions.
(2) That neither the execution Qf this Agreement, nor its performance hereunder, will
directly or zndirectty violate or interfere with the terms of another agreement to
which it is a party.
(3) That it will reasonably cooperate with the other Party in the performance of the
mutual obligation under this Agteament.
1.6 Indemnif�catxon
The Parties agree to indemnify, defand and hold harmless each other and each other's
emp]oyees, direetors, afficers, subcontractors, agents az- other meml�ers of its workforce,
each of the foregoing hereinafter referred to as "indemnified party," against all actuaI and
direct losses suffered by the indemnified Party and all Iiability to third p�ties aiYsing
frozx� or in connection wiih any breack� of this Agreement or any warranty hereunder or
from any neg�igence or wrongFul acts or omissions, including fa�lure ta perform its
obligation under the Privacy Regulation, by the indemnifying �aarty or its employees,
directors, officers, subcontractors, agents or other members of its worlc�orce. Accordingly,
on demand, to the extent pe��nifited by applicable law without vvaiver of sovereign
immunity, the indemnifying Party sha11 reimburse �ny ix�demnified party for any �nd all
actL�al and direet 3osse�, liabilities, fines, penalYies, cast or expenses which may be
imposed upon any indemnified party by reason of aany suit, claim, action, proceeding or
demand �ay any third party which resuIts from the ind�mnifyii�g party's breacl� heretmcler.
7..7 Misce�la�aeous
(a) Amendinents; Waiver. This Agreemeni may ixot Ue mndifieci, na�- shall any
provision hereof be waived or amended, except in a writing duly signed by authorized
representatives of the Parties. A waiver with respect to one event shaIl not construe as
continuing, or as a l�ar to or waiver of any right or remedy as ta subsequent e�ez�ts.
(l�) No Third Party Bcneficiaries. Nothing express or implied in this Agr�ement is
intended to canfer, nor shall a�aything hexein confer, upon any persan other than the
Parties and their resp�ctive succ�ssors or assigns n� the Paz-t�es, any rights, remedies,
ohligations, or liabilities whatsoe�er.
(e) Notices. Any notices to be gi�en hereunder to a Party shall Ue made via U.S. Mail
or expgess courier to such Party's address given below.
If to Business Associate, to:
Taxsaver Plan
4131 N. Cenral Expressway Suite 1Q5
Dallas, Tx 752U�
ii���il'}� � -:v � ra�:�
ti�� ��
�� �����
,
BAA ftw.doc 6 af7 3128103
If to Covered Entity, to:
City of Fort Worth
1Q00 Throckmorton Risk Mana�ement
Fort Worth, TX 76102
Attn: HIPAA Privacy Offcer
(d) Pratected Health Informatian. Protected Health Information shall have the meaning
as set out in its definition at 45 C.F.R. 164.501, as such provisian is cunently drafted and
as it is subsequently updated, amended or revised.
IN WITNESS WHEREOF< each of the undersigned has caused this Agreement to be
duly executed in its name and on behalf effective as of �`" l� 2Q03.
COVERED ENTITY:
____CiLy o� Fart Worth_
� � �, ��
: T .. ,1..1 ` \
r i
� .�:� �.1. li� ���._�, - r
Print Title:
Date: �� � l `1 �
p,�'P��V�s� � � �(� �i�iof ���'i �,.�L�t�E a ��
�`, � . � �at¢
! ; -�lt�t�1�!' �
����� ��
_ ,- !
�.�
BUSINESS ASSOCIATE:
:
Print Name: Charles
Print Title: President
Date: February 17, 2003
` \
'� .. , � i
� VM �� � J ��4`.., i.;,
v��� ���. �
, ��. -z:� }���t ���� �
� ;�;:!� �i�
BAA.dac '1 of 7 2119103