The URL can be used to link to this page

Home My WebLink AboutContract 45272 C1111 SSE CRETARY CONTRACT Am BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is entered into on this 23'd day of Decema ber, 20,13(the "Effective Date"), by and between CITY' OF FT, WORTH on behalf of the Group Hie,alth and Welfare Plans of CITY OF FT. WORTH, ("Covered Entity") and Galllalgher Benefit Services, Inc. ("Business Associate"). RECITALS- WHEREAS, over Entity and Business Associate mutually desire to out,linie their individual responsibilities wit respect, to the use a,nd/or disclosure of Protected Health Information ("PHI") as mandated by the Privacy Rule from u,lgated under the Administrative Simplifications subtitle of the Health Insurance Portability aind, Accountability Act of 1996 ("HI PAW") including gall pertinent regulations issued by the U.S. Department of Health and Human Services as outlined in 4,5 C.F.R. Parts, 160, 162 and 164; (''HIP Privacy Rules andlor Security Standards,") an d WHEREAS,, Covered Entity end Business Associate u,ndersta,nd and agree that th,e HIPAA Privacy, Ru�ll,ies and, Security Standards requires the Covered Entity and Business Associate enter into a Business Associate Agreement whi,ch, shall govern the use and/or disclosure of PHI and the security of PHI and e,PHI. NOW,,THEREFORE,, the parties hereto, agree as follows: 1. Definitions. When used in this Agreement and capitalized, the following terms, have the following meanings: (a,) "Breach" shall have the same meaning as the term "'Breach"" in 45 C.F.R. §164.402. (b) "Electronic Protected Health, Information" or "ePHI'" shall have the, same meaning as the term "Electronic Protected Health, Information" in 4,5 C.F.R. § 160-103- (c) Individuall" shall have the same meaning as the term "Individual" in 45 C.F.R. 1610,.103 an shall include a person who qualifies as a, personal representative in accordance with 45 C.F.R. §11,614.502(g)., (d) "Privacy Rule"" shall mean the Standards for Privacy of Individual Identifiable Health, Information, as set forth at 45 C.F.R. Part 160 an,d 45 C.F.R. Part 164 Subparts,A and E., 11111 a eaning (e) Protected Health Information"" or "PHI"' shall have the same rn as the term protected health information" in 1451 C. . . § 160.103, limited to th,e OFFICIAL RECORD ITY SECRETARY RTHv a luding curity BOSS>Ma,jidatory Standards>Docar etits>Busi ness Associate Agreement in,c IVED JAN 0 8 B14 information created or received' by Business Associate from or on behalf of Covered Entity. (f) "Required by Law"" shall have the same mea,ning as the term "required by law" in 45 C.F.R. § 164.103. (g) "'Secretary"' shall have the same meaning as the term "Secretary," in 45 C.F.R. § 160.103.1 (h) °'Security Incident"shall have the same meaning as the term "Se u ity Incident" in 45 C.F.R. § 164.304. (1) "Security Rule*"shall mean the Standards for Security of PHI, including ePHI, as set forth at 45 C.F.R. Part 160 and 45 C.F.R. Part 164 Subparts A and C. (J) "'Unsecured Protected Health Information" shall have the same meaning as the term "'Unsecured Protected Health Information"' in 45 C.F.R. § 164.402- Terms, used but not defined in this Agreement shall have the same meaning as those terms in the HIPAA re�guilatio�ns. 241 Ii anions and Activities of BuMiness,Associate Rggarding PHA. (a) Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. (c) Business Associate agrees to ensure that any agents, including sub- contractors (excluding entities that are merely conduits that transport information but do not access it other than on a raindorn or infrequent basis as necessary for the performance of the transportation service or as required by law), to whom it provides PHI agree, to the same restrictions and conditions that apply to Business Associate with respect to such information., (d) Business Associate agrees to provide access., at the request of Covered Entity, and in a reasonable time and manner designated by Covered Entity, to PHI in a Designated Record Set that is not also in Covered Entity's possession, to Covered Entity in, order for Covered Entity to meet the requirements, Linder 45 C.F.,R. § 164-524. BOS,S>Mandatory Standards>Documents>Rusin ess Associate Agreement including Security 06-2013 Page 2 of 9 (e) Business Associate agrees to make any amendment to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 in al reasonable time and manner designated by Covered Entity., (f) Business Associate agrees to make internal practices books and records relating to the use and disclosure of PHI avail ablle to the Secretary, in a reasonable time and manner as designated by the Covered Entity or Secretary, for p,urposes, of the Secretary determini ng Covered Entity's comp:liance with the Privacy Rule. Business Associate shall immediately notify Covered Entity upon receipt or notice of any request by the Secretary to conduct an investigation with respect to PHI received from the Covered Entity. (g) Business Associate agrees to document any disclosures of PHI that are not excepted under 45 C.F.R. § 164.528(a)(1) as would be required for Covered Entity to respond to a requles,t by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528- (h) Business, Associate agrees, to provide to Covered Entity or an, Individual, in a time and manner designiated by Covered Entity, information collected in accordance with, paragraph (g) above, to permit Covered Entity to, respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164-528. (1) Business Associate agrees to use or disclose PHI pursuant to the, request of Covered Entity; provided, however, that Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. 3. Permitted Uses and Disclosures of PHI by Business Assoc1ate. (a) Bu mess Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity in accordance with Business ►ssociate's then current service agreement with the Covered Entity, provid,eld that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. (b) Business Associate may use PHI for the proper, mainialgemeint and administration of Business Associate, and to carry out the legal responsibilities of Business Associate. (c) Business Associate ma ay disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate if: (i) such disclosure is Required by Law, or BOSS>Man datory Standards,>Doctinients>Business Associate Agreement inclUding Security 06-2013 Pliage 3 of 9 00 Business Associate obtains from the person to whom the information is disclosed reasonable assurances that meet the requirements of HI,P,AA (including, but not limited to a Separate agreement with the person) and that provide that such information will remain confidential and ulsed or further disclosed only as Required by Law or for the purposes, for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which, it is aware that the confidentiality of the information has been breached. (d) Business Associate shall limit the PHI to the extent practicable, to the limited data set or if needed by the Business, Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request subject to exceptions set forth in the Privacy Rule. (e) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C. .I § 164.504(e)(2)('i)(B). 4. ObRizations of Covered Re Emit -garding PHI. (a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces, in accordance with 45 C-F.R. § 164.520, as well as any changes to such notice:. (bi) Covered, Entity shall provide Business Associate with any chainges in, or revocation, of, authorization by an Individual to use or disclose PHI, if such changes affect Business Associate's perm,itted, or required uses and disclosures. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.,R. § 164-52211 if such restrictions affect Business Associate's permitted or required uses and disclosures. (d), Covered Entity shall, require all of its employees, agents, and representatives to be appropriately informed of its legal, obligations pursuant to this Agreement and the Privacy Rule and Security Standards required by HIPAA and gill reasonably cooperate with Business Associate in the performance of the mutual obligations under this Agreement. Sol Securit y of Protected Health Information. (a) Business Associate has implemented policies, and procedures, to ensure that its receipt, maintenance, or transmission of all PHI (including, ePHO, e ither electronic or otherwise, on behalf of Covered Entity complies, with the BOSS>Mandatory Standards>Do cement s>Burin ess.Associate Agreement including Security 06-2013 Page 4, of 9 applica,ble administrative, physicall, and technical safeguards required protecting the confidentiality, availability and integrity of PHI as requ,iried by the HI' AA Privacy Rules and Security Standards. (b) Business Associate agrees that it will ensure that agents or subcontractors agree to implemient the applicable, administrative, physical, and technical safeguards required to protect the confidentiality, availability and integrity of PHI (including ePHI) as required by HIPAA Privacy Rules and Security Standards. (c) Business, Associate agrees to report to Covered Entity any Security Incident of which it becomes aware. Business Associate agrees to report the Security Incident to the Covered Entity as soon as reasonably practicable, but not later than 10 business days from the date the Business Associate becomes aware of the incident. (d) Business, Associate agrees to establish procedures to mitigate, to the, extent possible, any harmful effect that is known, to or reasonably anticipated by Business Associate of a use or disclosure of PHI, by Business Associate in violation of this Agreement. (e) In accordance with the requirements of 45 C.F.R. § 164.410, Business Associate agrees to immediately notify Covered Entity upon discovery of any Breach of Unsecured Protected Health Information and provide to Covered Entity, to the extent available to Business Associate, all information required to permit Covered Entity to comply with the requirements of 45 C.F.R. Part 164 Subpart D. (f) Covered Entity agrees and understands that the Covered Entity is independently responsible for the security of all PHI in its possession (electronic or otherwise), including all PHI that it receives from outside sources inc,luding the Business Associate. (g) Business Associate agrees, and understands that the Business Associate is, independently responsible for the security of all PHI in its possession, (electronic or otherwise,), including all PHI that it receives from outside sources including other Business,Associates or the Covered Entity. 6. Term, and Termination. (a), Term. This Agreement shall be effective as of the, Effective Date and shall remain in effect until the Business Associate relationship with the Covered Entity is terminated and all PHI is returned, destroyed or is otherwise protected as set forth iin Section 6(d). BOSS>Mandatory Stan .air ds,>Deem nts>Bus i ness,Associate Agreement including Security 06-2013 Page 5 of 9 (b) Termination for Cause by Covered Entity. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach. If Business Associate does not cure the breach, wilthin, 30 days from the date that Covered Entity provides notice of such breach to Business, Associate,, Covered Entity shall have the right to immediately terminate, this Agreement and the underlying services agreement between Covered Entity and Business Associate. (c) Termination by Business Associate.. This Agreement may be terminated by Business Associate upon 30 days prior written notice to Covered Entity in the event that Business Associate,, acting in good faith,, bellieves that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the date of this Agreement and applicable to PHI or to, this Agreement, cannot be met by Business Associate in a commercially reasonable manner and without significant addii,tioinal, expense. (d) Effect of Termination. Upon termination of -this Agreement for ally reason, at the request of Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies, of the PHI unless return or destruction is deemeld infeasible. If the return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement, to, such PHI and limit further uses and disclosures of such PHI' to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. For purposes of illustration only and not to lim it the set of circumstances that could potentially make return or destruction infeasible, it would be infeasible for Blusiness, Associate to return or destroy certain PHI that is part of work prodiuct that midst be retained for document retention, arch,ival purposes, as well as PHI that is stored as a result of backup, e-mail systems that store e-mails for emergency backup purposes. 7'. Amendment. The parties may agree, to amend this Agreement from time to time in any other respect that they deem appropriate. This Agreement shall not be amiended except by written instrument executed by the parties. 8. Indemnification. Business Associate shall indemnify and hold harmless Covered Entity from and against any and all costs, expenses, claims, demands, causes of action, damages, attorneys' feels and judgments that arise out of or that may be 'imposed upon, incurred by, or brought against Covered Entity to the extent resulting from a breach of this Agreement or any BOSS,>Mandatory Stand ards>Documents>Business Associate Agreement including Security 06-2013 Page 6 of'9 violation of the Privacy Rule or other applicable H1 regulations by Business, Associate. The indemnification obligations provided for In this Section will commence on the Effective Date of this Agreement and will suirvive its termina ioln. To the extent allowed under Texas law,, Covered Entity shaill Indemnify and hold harmless, Business Associate from and against any are all" costs,, expenses, claims, demands,, causes ofaction, damages, attorneys," fees and judgments that arise out of or are ire ipos,ed upon, incurred, by, or brought against Business Associate to the ext'ent directly resulting from a breach of tl"""eis Agreement or, a,ny viola tion of the Privacy Rule, or other applicable HIPAA regulations, by Covered Entity. The indemnification obligations provided for in this Section will commence on the Effective Date of this Agreement and will survive its termination. 9. S ru The parties intend this Agreement to, be enforced as, written. Holwever, (i), if any port,ion or pr ovi i r of thiiis Agreement is to any extent declared illegail or unenforceiable by a duly authorized court having Jurisdiction, then the remainder of this Agreement, oir the application of such portion or provision in circumstances other than those as to which it is so declared illegal or un nforceable, will not, be affected thereby, and each portion and provision of this Agreement will be valid and enforceable to the fullest extent permitted by law; and (ii) if any provision, or part thereof, is held to be unenforceable because of the duration of such provision, the Covered Entity and the Business Associate agree that the court making such determination will have the power to modify such provision'. and such modified provision will then be enforceable tio the, full is extent permitted', by law. lo. Notices. All notices., requests, consents and other communications hereunder will be in writing, will be addressed to the receiving party-si address set forth below or to such other address as a party may designate by notice hereunder, and will be either (i) delivered by band, (iii) made facsimile transmissi on, (ill') sent by overnight courier, or (iv) sent by registered mail or certified mall, return receipt requested, postage prepaid. If to the Covered Entity.11 00 1111111A.A!Jt� 0, '07 40 If to the Business,Associate: Gal!,�Zhe_r Benefit Services, Inc. BOSS. Mandatory Standards>Documents>Busi ness Associate Agreement including Security 06-2013 Page of 91 .1 References. reference in this Agreement to a section in the Privacy Rule means the referenced section or its successor, and for which compliance is required, 12. Headings and Captions. The headings and captions of the various subdivisions of the Agreement are for convenience of' reference only and Will in no way modify or affect the meaning or construction of any of the terms or provisions hereof. 3. Entire A reernuent. This Agreement sets forth the entire understanding of the, parties with respect to the subject matter set forth herein anid supersedes all, prior greements, arrangements and communications, whether oral or written, pertaining to the subject matter hereof. 14. Bindiing Effect. The provisions of this Agreement shall he binding upon and shall inure to the benefit of both parties and their respective successors and assigns. 15. N a i'ver of Rights, P owers, and Remedies. No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of' dealing, between the parties hereto, will operate, as a waiver of any such right, power or remedy of the party.. No single or partial exercise of any right, power or remedy under this Agreement by a party hereto, nor any abandonment or discontinuance of steps to enforce any such right, power or remedy, will preclude such party from any other or further exercise thereof or the elxercise of any other right, power or remedy hereunder. The election of any remedy by a party hereto will not constitute a wrw a,iver of the right of such party to plursue other available rem:edie . No notice to or demand on a party not expressly required under thiis Agreement will entitle the party receiving such notice or demand to any other or further notice or demand in similar or other circumstances or constitute a waiver of the right of the party ,giving such notice or demand to any other or further action in any circumstances without such notice or clemand. The terms and provisions of this Agreement may he waived,ed, or consent for the deplarture therefrom granted, only by written document elxecuted by the party entitled to the benefits of such terms or provisions. No such waiver or consent will he deemed to be or will constitute a waiver or consent with respect to any ether terms or provisions of this BOSS>Mandatolry Standa ds>Diocum e nt >BLIS i ness Associate A reer .ent including Security 06-2013, Page 8 of Agreement, whether or not similar. Each such waiver or consent will be effective only in the specific instance and for the purpose for which it was given, and will not constitute a, continuing waiver or consent. 16. Governin Law. This Agreement will be governed by and construed in accordance with the laws of the State of Texas. 170 Interpretation. It is the parties" intent to comply strictly with all applicable laws, including without limitation., HIPAA,, state statutes, or regulations (collectively, the "Regulatory Laws"), in connection with this Agreement. In the event there shiall, be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either party may perform or be compensated under this Agreement or which shall make this Agreement unlawful, the parties shall' immediately enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this Agreement that compliies with the law,, regulation or policy and that approximiates as, closely as possible the economic position of the parties prior to, the change. In addition, the parties hereto have negotiated and prepared the terms of this Agreement in good faith with the intent that each and every one of the terms, covenants and conditions herein be binding upon and inure to the benefit of the respective parties. To the extent this Agreement is in violation of applicable law, then the parties agree to negotiate in good, faith to amend this Agreement, to the extent possible consistent with its purposes, to conform to law. IN WITNESS WHEREOF, the, partiels have executed this Business Associate Agreement as of the Effective, Date. BUSINESS ASSOCIATE-. COVERED ENTITY: J G,ALLA E IT SE 000, B By y a 14/-S Narne: N a m e at r,,,/ Title: Gf by:le E AS 0 FORM, AND LEGALITY. V ""010110 WO S ex ftll tie rds>Doc ume nts>Business Associate Agreement including Security 06-2013 y CiTy SF.CRETAR Page 9 of 9 FT VIORTH9 TX