20080805 Creative Benefits Inc Letter re Privacy Notice

August 5, 2008

Christy Brummet
City of Rancho Palos Verdes-3468
30940 Hawthorne Blvd
Rancho Palos Verdes, CA 90275

Dear Christy:

Creative Benefits, Inc. provides the attached privacy notice to you in order to comply with The Gramm-Leach-Bliley Act of 1999 and the National Association of Insurance Commissioners' Model Regulation. We have always treated our prospects' and clients' data with the utmost of care and integrity. Our business depends on your trust and correct handling of the data we receive.

The Gramm-Leach-Bliley Act of 1999 (GLB) requires "financial institutions" to safeguard customer information and to provide notice of privacy practices to their customers. GLB's sweeping definition of "financial institution" includes insurers and entities required to be licensed by a state department of insurance ("licensed entities"). As California requires entities that process and administer claims for health plans (including Health Care Flexible Spending Accounts) to be licensed, GLB likely applies to TPAs. GLB does not directly impact insurers and licensed entities; rather, it requires states to pass laws implementing the GLB requirements. Most financial institutions were required to be in full compliance with GLB by July 1, 2001. Employers themselves are not required to comply unless they otherwise fall within the definition of "financial institution."

Although GLB and HIPAA both address privacy of personal information, GLB differs from HIPAA in several ways. Whereas HIPAA applies to individually identifiable health information and imposes administrative obligations on the internal handling of such information, GLB is generally a less prescriptive law that primarily requires notice of an organization's privacy practices without mandating specific privacy or security measures.

Specifically, GLB requires state laws to provide the following:

• financial institutions must provide notices of privacy practices to the customers of a financial institution upon establishment of the customer relationship and annually thereafter; and

• financial institutions are prohibited (with some limited exceptions) from disclosing non-public information about customers to non-affiliated entities unless the customer has had notice of the proposed disclosure and an opportunity to opt out of the disclosure.

• Under the National Association of Insurance Commissioners' Model Regulation that has been adopted by many states, if the insurer of a group health plan (or a licensed entity) will not be sharing non-public information about a consumer, then it may satisfy its notice obligation by providing a notice to the policyholder (e.g., the employer), rather than to each individual insured.

Our compliance with GLB is in addition to the extensive measures we take to comply with HIPAA. We hope that you continue to feel confident in your partnership with Creative Benefits. Please don't hesitate to contact me with any questions you may have. If you feel that you are not the appropriate person for this information, please pass it on accordingly.

Sincerely,

Jody L. Dietel, CFCI
Chief Executive Officer & Chief Operating Officer

Enclosure

Creative Benefits, Inc.
CBI Benefit Administrators License #0B36514
www.creativebenefits.com
Office: 956 Vale Terrace Dr., Vista, CA 92084
Mail: P.O. Box 1928, Vista, CA 92085-1928
p (760) 758-4600 f (760) 758-4610

HIPAA HEALTH PRIVACY AGREEMENT

HIPAA Agreement 05 CLIENT#3468

This HIPAA HEALTH PRIVACY AGREEMENT (the "Agreement") is entered into on ________, 20__ by and between City of Rancho Palos Verdes (hereinafter the "Employer"), and Creative Benefits, Inc. as agent of the Employer (hereinafter the "Service Provider") and is effective as of the date set forth below. This Agreement is incorporated into and made a part of the Creative Benefits, Inc. Agreement to Provide Administrative Services between Service Provider and Employer. This Agreement is intended to comply with the privacy requirements set forth in 45 CFR 164.502(f)(2)(B), and any other applicable provisions of 45 CFR Parts 160 and 164, subparts A and E (the "Privacy Rules"), issued pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA").

Service Provider recognizes that in the course of performing services for the Employer, it will have access to, create, and/or receive from the Employer Protected Health Information ("PHI"). For purposes herein, PHI shall be limited to the information created or received from the Employer or on its behalf by Service Provider. Whenever used in this Agreement, other capitalized terms shall have the respective meaning set forth below, unless a different meaning shall be clearly required by the context. In addition, other capitalized terms used in this Agreement, but not defined herein, shall have the same meaning as those terms are defined in the Privacy Rules.

Definitions. For purposes of this Agreement:

• "Designated Record Set" will have the same meaning given to the term "designated record set" in 45 C.F.R. 164.501.

• "Individual" will have the same meaning as the term "individual" in 45 C.F.R. §164.501 and will include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

• "Privacy Rule" will mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

• "Protected Health Information" will have the same meaning as the term "protected health information" in 45 C.F.R. §164.501, limited to the information created or received by the Service Provider from or on behalf of the Employer.

• Representative will include the Service Provider's managing members (as applicable), trustees, general partners (as applicable) and financial and legal advisors.

• "Required by Law" will have the same meaning as the term "required by law" in 45 C.F.R. § 164.501.

• "Secretary" will mean the Secretary of the Department of Health and Human Services or his designee.

1. Confidentiality. At all times, both during and after the termination of its relationship with the Employer for any reason, Service Provider and its Representatives will not use, disclose, or give others any of the Protected Health Information in any manner whatsoever, except as provided in paragraphs 2 and 3 of this Agreement, and will hold and maintain the Protected Health Information in confidence. The Service Provider will ensure that appropriate safeguards are in place to prevent the use or disclosure of the Protected Health Information otherwise than as permitted by this Agreement.

2. Permitted Uses and Disclosures.

(a) Except as otherwise limited in this Agreement, Service Provider may use or disclose PHI, provided that such use or disclosure of PHI would not violate the Privacy Rules, as follows: (a) as permitted or required in this Appendix and in the Service Agreement; (b) as Required by Law in accordance with 45 CFR § 164.512; (c) for the proper management and administration of the Service Provider; (d) to fulfill any present or future legal responsibilities; (e) for Data Aggregation services to the Plan (as defined in 45 CFR § 164.501); or (f) any use and disclosure of PHI that has been de-identified within the meaning of 45 CFR § 164.514.

(b) Service Provider agrees to document any disclosures of Protected Health Information and information related to such disclosures to respond to an accounting of disclosures of Protected Health Information if requested by Employer in accordance with 45 C.F.R. §164.528 and to provide such documentation to Employer as it may request from time to time.

(c) In the event that Service Provider maintains PHI in a Designated Record Set, Service Provider agrees to provide access to such PHI that it maintains in a Designated Record Set to the Individual to whom the PHI relates in accordance with 45 CFR § 164.524. Furthermore, at the request of the Employer, Service Provider agrees to make amendments to PHI that it maintains in a Designated Record Set as directed by the Employer and to incorporate any amendments to PHI in accordance with 45 CFR § 164.526.

(d) Service Provider may disclose Protected Health Information to its agents or subcontractors with a bona fide need to know such Protected Health Information, but only if, prior to such disclosure, such agents or subcontractors provide reasonable assurances that they will agree to the same restrictions and conditions that apply to Service Provider with respect to such Protected Health Information.

3. Required Disclosures and Use. Service Provider may disclose the Protected Health Information revealed to it by Employer if and to the extent that such disclosure is Required by Law or court order or as otherwise permitted by law. Further, the Service Provider agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by the Service Provider on behalf of the Employer available to the Secretary, as requested by the Employer or designated by the Secretary, for purposes of the Secretary determining Employer's compliance with the Privacy Rule.

4. Required Notice to the Service Provider. In accordance with 45 C.F.R. §164.520, and to the extent that such a limitation may affect the Service Provider's use or disclosure of Protected Health Information, the Employer will notify the Service Provider of any limitation(s) in its notice of privacy practices, including, without limitation, any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information. Employer will also notify the Service Provider of any restriction to the use or disclosure of Protected Health Information that Employer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Service Provider's use or disclosure of Protected Health Information.

5. Required Notice to the Employer. The Service Provider will report to the Employer any use or disclosure of Protected Health Information otherwise than as provided by this Agreement within ten days of becoming aware of such use or disclosure.

6. Disclosure to Employees of the Employer.

(a) Except with respect to disclosures under Section 3 of this Agreement, the Employer acknowledges and agrees that the Service Provider shall only disclose PHI in its possession to the employees who are identified by the Employer (Designated Persons) on the attached Designated Persons appendix in accordance with 45 C.F.R. § 164.504(f), and that such disclosures are solely for purposes of carrying out plan administration functions that the Employer performs for its Group Health Plan.

(b) Employer agrees to timely notify Service Provider in writing of any changes to the names or positions of employees listed in subsection 6(a) as Designated Persons. Service Provider has no duty to inquire whether the list of Designated Persons is accurate.

(c) Employer shall indemnify and hold harmless Service Provider (and its employees) for any and all liability Service Provider may incur as a result of any improper use or disclosure of PHI by the Employer or a Designated Person(s).

7. Electronic Data Interchange. The parties acknowledge that, as an agent of the Employer, Service Provider is not bound to comply with the provisions of the Standards for Electronic Transactions Rule (as set forth in 45 CFR Parts 160 and 162). Employer has instructed Service Provider to continue to use the electronic (and/or paper) data interchange format(s) it is currently using on Employer's behalf. If Employer desires that a specific transaction be conducted in a specified format, a written request specifying the specific transaction(s) must be provided. Service Provider may choose to agree or disagree, and can assess an additional charge for converting data from/to a Standard Transaction format.

8. Term/Termination.

(a) Term. This Agreement shall be effective as of the later of (i) April 14, 2003, (ii) such later effective date of the Privacy Rule, or (iii) the date set forth above, and shall terminate as provided in Section 8(b) or upon thirty (30) days written notice by the Employer or the Service Provider.

(b) Termination for Cause. Upon Employer's knowledge of a material breach of this Agreement by Service Provider, the Employer shall either:

(1) Provide an opportunity for Service Provider to cure the breach or end the violation and terminate this Agreement and any agreement between the parties with respect to the services set forth in the Administrative Services Appendix if Service Provider does not cure the breach or end the violation within the time specified by the Employer; or

(2) Immediately terminate this Agreement between the parties with respect to the services set forth in the Administrative Services Appendix if Service Provider has breached a material term of this Agreement and cure is not possible; or

(3) If neither termination nor cure is feasible, Employer shall report the violation to the Secretary.

(c) Effect of Termination.

(1) Upon termination of this Agreement, for any reason, Service Provider shall return or destroy all Protected Health Information received from the Employer, or created or received by Service Provider on behalf of Employer. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Service Provider. Service Provider shall retain no copies of the Protected Health Information.

(2) In the event that Service Provider determines, in its sole discretion, that returning or destroying the Protected Health information is infeasible, Service Provider shall provide to Employer notification of the conditions that make return or destruction infeasible. In the event that Service Provider determines that return or destruction of the Protected Health Information is infeasible, Service Provider will continue to extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as the Service Provider maintains such Protected Health Information.

9. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Employer, Service Provider and their respective successors or assigns, any rights, remedies or obligations whatsoever.

10. Successors and Assigns. This Agreement and each party's obligations hereunder will be binding on the representatives, assigns, and successors of such party and will inure to the benefit of the assigns and successors of such party; provided, however, that the rights and obligations of the Service Provider hereunder are not assignable to subcontractors.

11. Notices. All notices, requests, consents and other communications hereunder will be in writing, will be addressed to the receiving party's address set forth below or to such other address as a party may designate by notice hereunder, and will be either (i) delivered by hand, (ii) made by facsimile transmission, (iii) sent by overnight courier, or (iv) sent by registered or certified mail, return receipt requested, postage prepaid.

If to the Employer:
City of Rancho Palos Verdes
30940 Hawthorne Blvd
Rancho Palos Verdes, CA 90275
Facsimile: 310.544.5291

If to the Service Provider:
Creative Benefits, Inc.
P.O. Box 1928
Vista CA 92085-1928
Facsimile: 760.643.0996

12. Entire Agreement. This Agreement embodies the entire agreement and understanding between the parties hereto with respect to the subject matter hereof and supersedes all prior oral or written agreements and understandings relating to the subject matter hereof. No statement, representation, warranty, covenant or agreement of any kind not expressly set forth in this Agreement will affect, or be used to interpret, change or restrict, the express terms and provisions of this Agreement.

13. Modifications and Amendments. The terms and provisions of this Agreement may be modified or amended only by written agreement executed by the parties hereto and any such amendment will comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.

14. Severability. The parties intend this Agreement to be enforced as written. However, (i) if any portion or provision of this Agreement will to any extent be declared illegal or unenforceable by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the application of such portion or provision in circumstances other than those as to which it is so declared illegal or unenforceable, will not be affected thereby, and each portion and provision of this Agreement will be valid and enforceable to the fullest extent permitted by law; and (ii) if any provision, or part thereof, is held to be unenforceable because of the duration of such provision, the Employer and the Service Provider agree that the court making such determination will have the power to reduce the duration of such provision, and/or to delete specific words and phrases, and in its reduced form such provision will then be enforceable and will be enforced.

15. Interpretation. The parties hereto acknowledge and agree that both (i) the rule of construction to the effect that any ambiguities are resolved against the drafting party and (ii) the terms and provisions of this Agreement, will be construed fairly as to all parties hereto and not in favor of or against a party, regardless of which party was generally responsible for the preparation of this Agreement.

16. Headings and Captions. The headings and captions of the various subdivisions of this Agreement are for convenience of reference only and will in no way modify, or affect the meaning or construction of any of the terms or provisions hereof.

17. No Waiver of Rights, Powers and Remedies. No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of dealing between the parties hereto, will operate as a waiver of any such right, power or remedy of the party. No single or partial exercise of any right, power or remedy under this Agreement by a party hereto, nor any abandonment or discontinuance of steps to enforce any such right, power or remedy, will preclude such party from any other or further exercise thereof or the exercise of any other right, power or remedy hereunder. The election of any remedy by a party hereto will not constitute a waiver of the right of such party to pursue other available remedies. No notice to or demand on a party not expressly required under this Agreement will entitle the party receiving such notice or demand to any other or further notice or demand in similar or other circumstances or constitute a waiver of the rights of the party giving such notice or demand to any other or further action in any circumstances without such notice or demand. The terms and provisions of this Agreement may be waived, or consent for the departure there from granted, only by written document executed by the party entitled to the benefits of such terms or provisions. No such waiver or consent will be deemed to be or will constitute a waiver or consent with respect to any other terms or provisions of this Agreement, whether or not similar. Each such waiver or consent will be effective only in the specific instance and for the purpose for which it was given, and will not constitute a continuing waiver or consent.

18. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Controlling Law.

19. Counterparts. This Agreement may be signed in counterparts, which together will constitute one agreement.

20. Electronic PHI. To the extent that CB creates, receives, maintains or transmits electronic PHI on behalf of the Plan, CB agrees to comply with any applicable provisions of the Rule on Security Standards with respect to electronic PHI as of the applicable regulatory compliance date, including but not limited to implementing administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of the Plan as required by the Rule on Security Standards and ensure that any agents or subcontractors that assist CB agree in writing to comply with the Rule on Security Standards. In addition, CB agrees to immediately report to Plan Sponsor in writing any Security Incident of which CB becomes aware.

IN WITNESS WHEREOF, the parties have caused this Agreement to be signed by their duly authorized representatives or officers, effective as of ________, 20__.

EMPLOYER:
Signature of Authorized Representative
Print Name
Title

SERVICE PROVIDER:
Jody L. Dietel, CFCI
Chief Executive Officer & Chief Operating Officer
Creative Benefits, Inc.

Designated Persons Appendix

Please list all employees of the Employer to whom Creative Benefits, Inc. may provide PHI in the performance of its duties as set forth in the HIPAA Health Privacy Agreement to which this Appendix is attached and the Services Agreement to which the Agreement is incorporated.

Employer Name: City of Rancho Palos Verdes

Please Print Full Name and Email Address

1.
2.
3.
4.

Privacy Notice

Protecting the privacy and security of the personal information of your plan participants and other covered persons (collectively, "Covered Persons") is very important to Creative Benefits, Inc. ("Creative Benefits"). This Privacy Notice is designed to let you know the types of information we collect from and about Covered Persons, and how we use and safeguard that information. We will provide you with a Privacy Notice annually, as long as we continue to provide administrative services to your employee benefit plan (the "Plan"). If our privacy practices change, we will provide you with a revised Privacy Notice.

Our Privacy Notice governs Participant Information, which includes both personally identifiable financial and medical information about Covered Persons and their relationship with us. The Notice only applies to individuals who obtain services from Creative Benefits for personal, family or household purposes.

Confidentiality and Security. We restrict access to Participant Information to our employees, agents, service providers and vendors on a need-to-know basis. We also maintain physical, administrative and technical safeguards to protect the confidentiality and security of Participant Information.

Collection Practices. We collect Participant Information that we believe will be necessary or helpful in administering the Plan. This includes the following:

• Information from the employer or the Covered Person (including names, addresses, Social Security numbers, financial and marital status, health and dependent child-care information, benefit elections and employment information);

• Information about the employer's or the Covered Persons' transactions with Creative Benefits (including payment and banking information and claims, which can include drug receipts and medical information);

Disclosure Practices. Creative Benefits may disclose the nonpublic personal financial information we collect, as described above, as well as information about Covered Persons' transactions with us (such as election amounts, premiums and payment history) to our agents or other third parties who perform services for us or functions on our behalf, including our bank and mailing vendors. Creative Benefits may also disclose the nonpublic personal financial information we collect to other third parties as authorized by the Covered Person, or as required or permitted by law.

Creative Benefits will not use or share with other parties any nonpublic personal health information about Covered Persons except as authorized by the Covered Person or as permitted by law, including for the servicing of the Plan by Creative Benefits or on our behalf. Creative Benefits will not further disclose any Participant Information about a former Covered Person other than as may be required or permitted by law.