The URL can be used to link to this page

Home My WebLink AboutFlex Plan Services Inc74, I G . lo BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "AgreemenY") is entered into between Fiex-Plan Services, Inc. and CityofAuburn (Company Name) acting on behalf of the CityofAuburn Fiexible Benefits Plan effective as of February4,2010 (Effective Date or Date Signed). The parties intend to use this Agreement to satisfy the Business Associate Contract requirements in the regulations at 45 CFR 164.502(e) and 164.504(e), issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and any requirements relating to Business Associates contained in the regulations issued pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"). Any prospective amendment to the laws referenced shall automatically amend this agreement to incorporate said changes without further action. Definitions 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 Terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in HIPAA, HITECH, and any current and future regulations or official guidance promulgated under HIPAA or HITECH. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR 164.402. Business Associate. "Business Associate" shall mean Flex-Plan Services, Inc. ("Flex-Plan"). Covered Entity. "Covered Entity" shall mean CityofAubum Flexible Benefits Plan Electronic Protected Health Information. "Electronic Protected Health Information" ("EPHI") shall have the same meaning as the term "electronic Protected Health Information" in 45 CFR 160.103. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). Privacy Ru/e. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. Protected Health /nformation. "Protected Health Information" ("PHI") shall have the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. Required by Law. "Required by Law° shall have the same meaning as the term "Required by Law" in 45 CFR 164.103. Secretary. "Secretary" shall mean the U.S. Secretary of the Department of Health and Human Services or his or her designee. Security Incident. "Security IncidenY" shall have the same meaning as the term "security incidenY" in 45 CFR 164.304. Security Rule. "Security Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part 164, subpart C. 1.13 Standards for E/ectronic Transactions Rule. "Standards for Electronic Transactions Rule" means the final regulations issued by HHS concerning standard transactions and code sets under the Administration Simplification provisions of HIPAA, 45 CFR Part 160 and Part 162. 1.14 Unsecured Protected Health Information. "Unsecured Protected Health Information" shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h) of HITECH. 020210.1 II. Obligations and Activities of Flex-Plan 2.1 Flex-Plan agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. 2.2 Flex-Plan agrees to take reasonable steps to limit the use, disclosure, and requests for, PHI to the Minimum Necessary to accomplish the intended purpose. The Minimum Necessary standard does not apply to: 1) disclosures or requests by a health care provider for treatment purposes; (2) disclosures to the Individual who is the subject of the information; (3) uses or disclosures made pursuant to an Individual's authorization; (4) uses or disclosures required for compliance with HIPAA; (5) disclosures to the Department of Health and Human Services ("HHS") when disclosure of information is required under the Privacy Rule for enforcement purposes; (6) uses or disclosures that are required by other law. 2.3 Flex-Plan agrees to develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Flex-Plan will implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that Flex-Plan, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. 2.4 Flex-Plan shall notify Covered Entity of any Breach of Unsecured PHI of which it becomes aware. Such notice shall include, to the extent possible, the information listed in 2.4.2. A Breach shall be treated as discovered as of the first day on which such Breach is known to Flex-Plan, other than the individual committing the Breach, or should reasonably have been known to Flex-Plan to have occurred. 2.4.1 Notice shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a Breach by Flex-Plan. 2.4.2 Notice of a Breach shall include, to the extent possible the following: (i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known. (ii) A description of the types of Unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, or account number). (iii) The steps Individuals should take to protect themselves from potential harm resulting from the Breach. (iv) A brief description of any action taken to investigate the Breach, mitigate losses, and to protect against any further Breaches. (v) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 2.4.3 If a law enforcement official determines that a notification or notice would impede a criminal investigation or cause damage to national security, such notification, notice or posting shall be delayed in the same manner as provided under 45 CFR 164.528(a)(2). 2.4.4 Flex-Plan will provide notice of Breach to the Individual(s) affected and such notice shall include, to the extent possible, the information listed in 2.4.2, unless, upon occurrence of a Breach, Covered Entity requests to disseminate or Flex-Plan and Covered Entity agree that Covered Entity will disseminate the notice(s). Any notice provided by Covered Entity to the Individual(s) shall comply with the content requirements listed in section 2.4.2. as well as any requirements provided under HIPAA, HITECH, and other applicable government guidance. 2.5 Flex-Plan agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement and/or any Security Incident of which it becomes aware. 2 ozo2lo.l 2.6 Flex-Plan agrees to obtain reasonable assurances that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Flex-Plan on behalf of, Covered Entity agrees to be bound by the same restrictions and conditions that apply to Flex-Plan, with respect to such information. Moreover, Flex-Plan shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity's PHI. 2.7 Flex-Plan agrees to make internal practices, books, and records, including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Flex-Plan on behaif of, the Covered Entity available to the Secretary, within ten (10) business days after receipt of written request or otherwise as designated by the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. 2.8 Flex-Plan agrees to document disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Flex-Plan will not be obligated to record disclosures of PHI or otherwise account for disclosures of Covered Entity's PHI 2.9 Flex-Plan agrees to provide to Covered Entity or to an Individual, within ten (10) business days after receipt of written request, information collected in accordance with Section 2.8 of this Agreement, in order to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. 2.10 Flex-Plan agrees to provide access, at the request of Covered Entity and within ten (10) business days after receipt of written request, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. 2.11 Flex-Plan agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual within ten (10) business days after receipt of written request. 2.12 In the event that Flex-Plan transmits or receives any Covered Electronic Transaction on behalf of the Covered Entity, it shall comply with all applicable provisions of the Standards for Electronic Transactions Rule to the extent Required by Law, and shall ensure that any agents that assist Flex- Plan in conducting Covered Electronic Transactions on behalf of the Covered Entity agree in writing to comply with the Standards for Electronic Transactions Rule to the extent Required by Law. 2.13 Flex-Plan shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless the Covered Entity obtained from the Individual, in accordance with 45 CFR 164.508, a valid authorization that includes a specification whether the PHI can be further exchanged for remuneration by the entity receiving PHI. III. Permitted Uses and Disclosures by Business Associate 3.1 Except as otherwise limited in this Agreement, Flex-Plan may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity related to The Administrative Services Agreement between Flex-Plan and Covered Entity. 3.2 Except as otherwise limited in this agreement, Flex-Plan may disclose PHI for the proper management and administration of Flex-Plan, provided that such disclosures are Required by Law, or Flex-Plan obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Flex-Plan of any instance of which it is aware in which the confidentially of the information has been Breached. 3.3 Except as otherwise limited in this agreement, Flex-Plan may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B). 3.4 Except as otherwise limited in this Agreement, Flex-Plan may use PHI for the proper management and administration of Flex-Plan or to carry out the legal responsibilities of Flex-Plan. 3.5 Flex-Plan may use PHI to report violations of law to appropriate Federal and State authorities, consistentwith 164.5020)(1). 020210.1 IV. Obligations of Covered Entity 4.1 Covered Entity shall notify Flex-Plan of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Flex-Plan's use or disclosure of PHI. 4.2 Covered Entity shall notify Flex-Plan of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Flex-Plan's use or disclosure of PHI. 4.3 Covered Entity shall notify Flex-Plan of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Flex-Plan's use or disclosure of PHI. V. Permissible Requests by Covered Entity 5.1 Covered Entity shall not request Flex-Plan to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except for uses or disclosures for the purposes of data aggregation, management, and administrative activities of Flex-Plan. VI. Term and Termination 6.1 Term. This Agreement shall be effective as of the date that it is entered into, and shall terminate when all of the PHI provided by Covered Entity to Flex-Plan, or created or received by Flex-Plan on behalf of Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to retum or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. 6.2 Termination for Cause. Upon Covered Entity's knowledge of a material Breach of the terms hereof by Flex-Plan, Covered Entity shall provide written notice to Flex-Plan of the Breach, and Flex-Plan shall have the opportunity to cure that Breach within the time period reasonably required to cure that Breach. In the event that Flex-Plan does not cure the Breach or end the violation within that time period, then Covered Entity shall be entitled to provide notice of termination of the terms hereof. 6.3 Effect of Termination. 6.3.1 It is agreed that due to the manner in which PHI is retained and the retention requirements of the Internal Revenue Service, returning or destroying all of the PHI received from Covered Entity or created or received by Flex-Plan on behalf of Covered Entity, is infeasible. Therefore, Flex-Plan shall extend the protections of this Agreement to such PHI, and shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Flex-Plan maintains such PHI. VII. Miscellaneous 7.1 Definitions. Terms used, but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations and other official government guidance. 7.2 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. 7.3 Amendmenf. This Agreement shall automatically amend to incorporate changes by Congressional act or by regulations of the Secretary of HHS that affect Business Associate or Covered Entity's obligations under this Agreement. 7.4 Survival. The respective rights and obligations of Flex-Plan under Section 6.3.1 of this Agreement shall survive the termination of the term of this Agreement. 7.5 No Third-Party Rights. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever. 7.6 Goveming Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Washington to the extent not preempted by the Privacy and Security Rules or other applicable federal law. 4 020210.1 IN WITNESS WHEREOF, the Parties hereto have executed this Agreement effective as of the date first stated above. Flex-Plan Services, Inc. By: _0~~ Tina Shozen Title: Privacy Officer Date: 2/2/2010 Covered Entity: City of Auburn City of Auburn on behalf of the Flexible Benefits Plan gy~, F-f- Title: Director of Human Resources Date: 2/4/2010 020210.1