Maniaci Insurance Services Inc

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "Agreement") is made and entered into this [illegible]8th day of September, 2013, by and between Maniaci Insurance Services, Inc. ("Business Associate") and City of [illegible] ("Covered Entity").

WHEREAS, Title II of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") requires that Covered Entity and Business Associate enter into an Agreement complying with certain requirements of HIPAA, as described at 45 CFR § 164.504; and

WHEREAS, Company, acting on behalf of Covered Entity and as Plan Sponsor of Covered Entity, desires to ensure complete compliance with HIPAA as described in this Business Associate Agreement.

NOW THEREFORE, Covered Entity and Business Associate enter into the following Business Associate Agreement.

I. DEFINITIONS

a. Specific definitions.

(i) Data Aggregation. With respect to PHI created or received by Business Associate in its capacity as a Business Associate of Covered Entity, the term "Data Aggregation" means the combining of such PHI by Business Associate with PHI received by Business Associate in its capacity as business associate of another entity to permit data analyses that relate to the health care operations of the respective entities.

(ii) Designated Record Set. The term "Designated Record Set" means a group of records maintained by or for the Covered Entity that is: (A) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (B) Used by or for the Covered Entity to make decisions about Individuals. For purposes of this paragraph, the term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disclosed by or for the Covered Entity.

(iii) Individual.
The term "Individual" shall have the same meaning as the term "individual" in 45 CFR §160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

©2013 Fisher & Phillips LLP

(iv) Privacy Rule. The term "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as from time to time amended.

(v) Protected Health Information. The term "Protected Health Information" ("PHI") shall mean individually identifiable health information maintained and transmitted in any form or medium, including, without limitation, all information (including demographic, medical, and financial information), data, documentation, and materials which are created or received by a health care provider, school, health plan, employer, or health care clearinghouse, and relate to: (A) the past, present, or future physical or mental health or condition of an Individual; (B) the provision of health care to an Individual; or (C) the past, present, or future payment for the provision of health care to an Individual, and that identifies or could reasonably be used to identify an Individual. PHI does not include: (1) health information that has been de-identified in accordance with the standards for de-identification contained in the Privacy Rule, (2) employment records held by the Company in its role as employer, (3) education records covered by the Family Educational Rights and Privacy Act (20 USC 1232g), or (4) information regarding an Individual who has been deceased for at least 50 years.

(vi) Required By Law. The term "Required By Law" shall have the same meaning as "required by law" in 45 CFR §164.103.

(vii) Secretary. The term "Secretary" shall mean the Secretary of the Department of Health and Human Services ("HHS") or his or her designee.

II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

a.
Business Associate acknowledges that in providing services to Covered Entity, it will create, receive, use or disclose PHI.

b. Business Associate agrees that it will not use or disclose PHI except as permitted or required by this Agreement, or as Required By Law.

c. Business Associate agrees that it will use appropriate safeguards to prevent use or disclosure of PHI other than as provided in this Agreement.

d. Business Associate agrees to mitigate, to the extent practicable, any harmful effects known to it which are caused by a use or disclosure of PHI by it or by one of its agents or subcontractors in violation of the requirements of this Agreement.

e. Business Associate agrees that it will report to Covered Entity any use or disclosure of PHI not allowed by this Agreement by it or by one of its agents or subcontractors if it becomes aware of the use or disclosure.

f. Business Associate agrees that it will ensure that any agent or subcontractor to whom it provides PHI pertaining to Covered Entity agrees in writing to the same restrictions and conditions that this Agreement imposes on Business Associate. Such written agreement shall require the Business Associate's agent or subcontractor to notify Covered Entity of any HIPAA breach.

g. Business Associate agrees to provide an appropriate Individual with access to PHI in a Designated Record Set in the manner required of Covered Entity pursuant to the requirements of 45 CFR §164.524.

h. Business Associate agrees to allow an appropriate Individual to make amendment(s) to PHI in a Designated Record Set in the manner required of Covered Entity pursuant to the requirements of 45 CFR §164.526.

i. Business Associate agrees to make its internal practices, books, and records (including PHI pertaining to Covered Entity) available to the Secretary or the Covered Entity for purposes of determining Covered Entity's or Business Associate's compliance with the Privacy Rule.

j.
Business Associate agrees to document disclosures of PHI and information related to these disclosures so it or Covered Entity may respond to requests by Individuals for an accounting of disclosures of PHI pursuant to the requirements of 45 CFR §164.528.

k. Business Associate agrees to provide PHI in the possession or control of Business Associate to appropriate Individuals in order to respond to requests for an accounting of disclosures of PHI pursuant to the requirements of 45 CFR §164.528.

l. Business Associate's responses to requests for action with respect to PHI described in this Section II shall be completed in a manner which complies with the timeliness requirements contained in the Privacy Rules. Also, Business Associate's disclosure of PHI to the Covered Entity or an Individual shall be in an electronic format if Business Associate maintains such PHI in an electronic health record, if the Individual so chooses.

m. Business Associate agrees (check the applicable box):

X To notify Covered Entity if there is a breach of unsecure PHI pursuant to the requirements of 45 CFR § 164.410.

X To notify Covered Entity and affected Individuals if there is a breach of unsecure PHI pursuant to the requirements of 45 CFR §§ 164.404 and 164.410.

III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

a. General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI pertaining to Covered Entity for the purposes set forth in the parties' service agreement, if the use or disclosure would not violate the Privacy Rule if done by Covered Entity or violate the minimum necessary policies and procedures of Covered Entity.

b.
Specific Use and Disclosure Provisions:

(i) Except as otherwise limited in this Agreement, Business Associate may use PHI for its own proper management and administration or to carry out its legal responsibilities, provided the disclosures are Required By Law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(ii) Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B).

(iii) Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

IV. OBLIGATIONS OF THE COVERED ENTITY

a. To Inform Business Associate. Covered Entity will inform Business Associate of its privacy practices and any agreed restrictions on PHI as follows:

(i) Covered Entity shall advise Business Associate of any limitations in the notice of privacy practices that Covered Entity produces in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(ii) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes affect Business Associate's use or disclosure of PHI.

(iii) Covered Entity shall notify Business Associate of any restrictions on use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions may affect Business Associate's use or disclosure of PHI.

b. Permissible Requests by Covered Entity.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate the Privacy Rule if done by Covered Entity, except that Business Associate may in its discretion use or disclose PHI for Data Aggregation and/or management and administrative activities of Business Associate.

V. COMPLIANCE WITH HIPAA SECURITY REGULATIONS

a. Business Associate shall:

(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI it creates, receives, maintains or transmits on behalf of Covered Entity as required to comply with HIPAA Security Regulations at 45 CFR Parts 160, 162 and 164.

(ii) Ensure that any agents, including but not limited to contractors and subcontractors, to which Business Associate provides PHI pertaining to Covered Entity, agree to implement reasonable and appropriate safeguards to protect it.

(iii) Have a system in place to report to Covered Entity any security incident of which Business Associate becomes aware. "Security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

VI. STANDARDS FOR ELECTRONIC TRANSACTIONS

a. In connection with Standard Transactions, as defined in HIPAA, Business Associate will:

(i) Comply with all applicable provisions of the HIPAA Standard for Electronic Transactions Rule on or before the compliance date (the "Transactions Compliance Deadline") when exchanging information in covered electronic transactions. Business Associate will comply with any future required transactions or code set standards adopted by HHS on or before the required compliance date. "Standards for Electronic Transactions Rule" means the final regulations issued by HHS concerning Standard Transactions and Code Sets under HIPAA Rules, 45 CFR Parts 160 and 162, as may thereafter be amended. "Transactions" means the types of information exchange between two parties to carry out financial or administrative activities related to health care as defined in the Standards for Electronic Transactions Rule.

(ii) Ensure that any agents, including but not limited to contractors and subcontractors, that assist Business Associate in conducting Standard Transactions on behalf of Covered Entity, agree in writing to comply with the Standards for Electronic Transactions Rule.

(iii) Not change the definition, data condition, or use of any data element or segment.

(iv) Not add any data elements or segments to the maximum defined data set in a Standard Transaction.

(v) Not use any code or data elements that are either marked "not used" in the standard's implementation specification or are not in the standard's implementation specification(s).

(vi) Not change the meaning or intent of the standard's implementation specification(s).

VII. TERM AND TERMINATION

a. Term. This Agreement shall be effective as of the date stated above and shall terminate when all PHI pertaining to Covered Entity which Business Associate maintains is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information in accordance with the Termination provisions in this Section.

b. Termination for Cause.
If a party learns of a material breach by the other party, the party shall: (1) provide a reasonable opportunity for the other party to cure the breach or end the violation, or (2) if the other party does not cure the breach or end the violation within the time specified by the non-breaching party, terminate this Agreement and any underlying service agreement upon written notice to the other party that it has breached a material term of this Agreement and there is no cure.

c. Effect of Termination:

(i) Except as provided in paragraph (c)(ii) of this Section VII, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI relating to Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of this PHI.

(ii) In the event that Business Associate reasonably determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Business Associate's reasonable determination that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction not feasible, for as long as Business Associate maintains the PHI.

VIII. MISCELLANEOUS

a. Regulatory References. Reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

b. Amendment. The Parties agree to take such action as may be necessary to amend this Agreement from time to time for Covered Entity or Business Associate to comply with the requirements of the Privacy Rule and other requirements of HIPAA.

c. Survival.
The respective rights and obligations of Business Associate under Sections VII(c)(i) and (ii) of this Agreement shall survive termination of this Agreement.

d. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity or Business Associate to comply with the Privacy Rule and other requirements of HIPAA. This Agreement shall be interpreted without regard to the rule that a document is to be construed against the party which drafts it.

e. Complete Integration. This Agreement forms the entire agreement between the parties relating to the subject matter hereof, and supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written, unless expressly incorporated herein. Further, this Agreement may not be modified except in a writing signed by the duly authorized representatives of both parties. If any provision or part of this Agreement is found to be invalid, the remaining provisions shall remain in full force and effect.

f. Successors and Assigns. This Agreement will inure to the benefit of and be binding upon the successors and assigns of Covered Entity and Business Associate. However, this Agreement is not assignable by either party without the prior written consent of the other party, except that Business Associate may assign or transfer this Agreement to any entity owned or under common control with Business Associate. Written consent will not be unreasonably withheld.

g. Not a Fiduciary, Plan Administrator or Agent. Business Associate shall not be considered a fiduciary plan administrator or agent of any of Covered Entity's employee benefit plans or the Company.

h. No Third Party Beneficiaries. This Agreement is entered into for the benefit of Covered Entity, Business Associate, and the Company. There are no third party beneficiaries to this Agreement. Business Associate's obligations are to Covered Entity and Company only.

i. Confidentiality.
Except as otherwise provided in the Privacy Rule or this Agreement, neither party will disclose the terms of this Agreement to any third party without the other party's written consent.

j. Counterparts. This Agreement may be executed in two or more counterparts, each of which may be deemed an original.

k. Indemnification and Hold Harmless. If the Business Associate is found to be a federal common law agent of the Covered Entity, the Business Associate agrees to indemnify and hold the Covered Entity harmless from any and all liabilities or damages, including penalties, costs or attorneys' fees, resulting directly or indirectly from its breach of the terms of this Agreement, or resulting directly or indirectly from any breach of the HIPAA Rules by one of its employees, agents or contractors.

IX. ACKNOWLEDGEMENT AND SIGNATURES

THE PARTIES ACKNOWLEDGE THAT THEY HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO BE BOUND BY ITS TERMS.

Business Associate
By: [signature illegible]
Title: President
Date: September 2, 2013

Covered Entity (Employer)
By: [signature illegible]
Title: HR MANAGER
Date: [illegible]