Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") made and
entered into on this 15th day of February, 2005, by and between City of Salina ("Covered
Entity"), and Delta Dental Plan of Kansas, Inc. ("Business Associate").
WITNESSETH: That
WHEREAS, Business Associate performs certain functions on behalf of and/or
provides certain services that qualifies it as Covered Entity's "business associate"
pursuant to 42 C.F.R. § 160.103; and
WHEREAS, in the performance of such functions and/or the provision of such
services, Business Associate may require access to PHI (as that term is defined below) in
Covered Entity's possession, custody, or control, or may create or receive PHI on behalf
of Covered Entity for the limited purposes identified in Exhibit 1 hereto; and
WHEREAS, pursuant to the Federal Standards for Privacy of Individually
Identifiable Health Information, 42 C.F.R. Parts 160 and 164, Covered Entity cannot
disclose PHI to, or authorize the creation or receipt of PHI on its behalf by, Business
Associate unless Covered Entity obtains from Business Associate satisfactory assurances
that Business Associate will properly safeguard such information; and
WHEREAS, Business Associate is willing to provide such assurances to Covered
Entity.
NOW, THEREFORE, for good and valuable consideration, the receipt and
adequacy of which are hereby acknowledged, the parties agree as follows:
1. Definitions
As used herein, the following terms shall have the following meanings:
1.1
Disclose and Disclosure shall mean the release, transfer, provision of access
to, or divulging in any other manner of information outside the entity holding
the information.
1.2
Electronic Protected Health Information or EPHI shall have the same meaning
as the terms "Electronic Protected Health Information" or "E-PHI" in 45 CFR
§ 160.103.
1.3
Individual shall mean the person who is the subject of the PHI.
1.4
Privacy Regulation shall mean the federal Standards for Individually
Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
1.5
Protected Health Information or PHI shall mean information, including
demographic information collected from an individual, transmitted or
maintained in any form or medium, including but not limited to oral
communication and electronic media (as defined at 45 C.F.R. § 162.103), that
(i) is received by Covered Entity or an agent acting on behalf of Covered
Entity; (ii) relates to past, present, or future physical or mental health or
condition of an individual, the provision of healthcare to an individual, or the
past, present, or future payment for the provision of healthcare to an
individual; and (iii) identifies the individual or there is a reasonable basis to
believe the information can be used to identify the individual. PHI does not
include education records covered by the Family Educational Right and
Privacy Act at 20 U.S.C. § 1232g and records described at 20 U.S.C. §
1232g(a)(4)(B)(iv).
1.5
Receive, Receiving, and Receipt shall mean, with respect to PHI, to come into
possession, custody, or control; to perceive; to create; to gain the ability to
come into possession, custody, or control, or to gain the ability to perceive
PHI in whatever form (oral, visual, written, electronic, or otherwise).
1.6
Secretary shall mean the Secretary of the Department of Health and Human
Services.
1.7
Security Incident shall mean the attempted or successful unauthorized access,
use, disclosure, modification, or destruction of information or interference
with system operations in an information system.
1.8
Security Rule shall mean the Security Standards for the Protection of
Electronic Protected Health as set forth at 45 C.F.R. Parts 160 and 164
Subparts A and C.
1.9
Use shall mean the sharing, employment, application, utilization, examination,
or analysis of information within an entity that maintains such information.
2. Restrictions on Uses and Disclosures of PHI.
The following restrictions shall apply at all times following Business Associate's
receipt of PHI until such time as PHI no longer is in Business Associate's possession,
custody, or control:
2.1
Business Associate shall not use PHI for any purpose other than
[illegible]
excepting only as necessary for the proper management and administration of
Business Associate or to carry out any of the legal responsibilities of the
Business Associate.
2.2
Business Associate shall not disclose PHI to a third party unless the following
conditions are met:
2.2.1
The disclosure is required for one of the following:
2.2.1.1
to accomplish one or more of those purposes identified
above;
2.2.1.2
for the proper management and administration of
Business Associate; or
2.2.1.2
to carry out any of the legal responsibilities of the
Business Associate.
2.2.2
The disclosure is made to one of the following:
2.2.2.1
to the individual who is the subject of the PHI;
2.2.2.2
to a subcontractor with which Business Associate has
entered into a written agreement that (a) requires the
subcontractor to safeguard PHI under conditions
consistent with and providing at least as much protection
for the PHI as this Agreement, including, but not limited
to, provisions requiring the subcontractor to promptly
notify Business Associate of any unauthorized use or
disclosure of PHI; (b) includes a provision stating that the
subcontractor shall not be deemed to have an ownership
interest in PHI; and (c) requires the subcontractor to
return or destroy all PHI under terms consistent with
Section 5.3 of this Agreement upon termination of
Business Associate's agreement with the subcontractor;
2.2.2.3
to a person or entity to which Business Associate has a
legal obligation to disclose PHI, provided that Business
Associate give Covered Entity prior written notice and an
opportunity to intervene, unless Business Associate is
prohibited from giving such notice by order of a court of
competent jurisdiction; or
2.2.2.4
to a person or entity to which Business Associate is
permitted to disclose PHI under the Privacy Regulation.
2.2.3
In disclosing PHI to a third party, Business Associate shall make
reasonable efforts to limit PHI to the minimum necessary to
accomplish the intended purpose of the disclosure; and
2.2.4
Business Associate shall document its disclosures of PHI to third
parties as follows:
2.2.4.1
Business Associate shall document each and every
disclosure of PHI to a third party with the exception of
the following: (1) disclosures necessary to carry out
treatment, payment and health care operations; (2)
disclosures to Individuals of PHI about them; (3)
disclosures to persons involved in the Individual's care or
other notification purposes; (4) disclosures for national
security or intelligence purposes; (5) disclosures to
correctional institutions or law enforcement officials; or
(6) disclosures that occurred prior to April 15, 2003.
2.2.4.2
For each disclosure required to be documented, the
Business Associate shall document the following
information: (1) the date of the disclosure; (2) the name
of the entity or person who received the PHI, and if
known, the address of such entity or person; (3) a brief
description of the PHI disclosed; and (4) a brief statement
of the purpose of and basis for such disclosure.
2.2.4.3
Within 10 days of receiving a written request from
Covered Entity, Business Associate shall provide to
Covered Entity such information as is requested to permit
Covered Entity to respond to a request by an Individual
for an accounting of the disclosures of the Individual's
PHI that occurred during the six years prior to the date of
the Individual's request (or shorter, if so requested) in
accordance with 45 C.F.R. § 164.528(b)(1).
3. Responsibilities of Business Associate With Respect To PHI.
3.1
Appropriate Safeguards. Business Associate shall implement appropriate
safeguards to prevent any use or disclosure of PHI other than those permitted
by this Agreement.
3.2
Notice of Improper Use or Disclosure. Business Associate shall notify
Covered Entity in writing of any use or disclosure of PHI contrary to the terms
of this Agreement of which Business Associate becomes aware within five
business days of having become aware of such use or disclosure.
3.3
Availability of PHI. Business Associate shall make available PHI to an
Individual as required by 45 C.F.R. § 164.524.
3.4
Amendments or Corrections. Business Associate shall make PHI available for
amendment and to incorporate any amendments or corrections to PHI in
accordance with 45 C.F.R. § 164.526.
3.5
Access to Books and Records. Business Associate shall make its internal
practices, books, and records relating to its uses and disclosures of PHI
received from, or created or received by Business Associate on behalf of,
Covered Entity available to the Secretary, upon the Secretary's request, for
purposes of determining Covered Entity's compliance with the Privacy
Regulation.
3.6
Compliance with the Security Rule. Business Associate shall implement
administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the
Electronic Protected Health Information that it creates, receives, maintains, or
transmits on behalf of the Covered Entity, and shall ensure that any agent,
including a subcontractor, to whom it provides such information agrees to
implement reasonable and appropriate safeguards to protect it. Business
Associate shall report to the Covered Entity any Security Incident of which it
becomes aware, in the following time and manner:
3.6.1
Any actual, successful Security Incident will be reported to
Covered Entity in writing, within five (5) business days of the date
on which Business Associate becomes aware of such actual
successful Security Incident; and
3.6.2
Any attempted, unsuccessful Security Incident, of which Business
Associate becomes aware, will be reported to Covered Entity in
writing, on a reasonable basis, at the written request of Covered
Entity. If the Security Rule is amended to remove the requirement
to report unsuccessful attempts at unauthorized access, this Section
(2)(1)(ii) shall no longer apply as of the effective date of the
amendment of the Security Rule.
3.7
Ensuring Compliance. Business Associate shall, upon prior written request,
make available during normal business hours at Business Associate's offices
all records, books, agreements, policies, and procedures relating to the use and
disclosure of PHI received from, or created or received by Business Associate
on behalf of, Covered Entity to Covered Entity within 30 days for purposes of
enabling Covered Entity to determine Business Associate's compliance with
the terms of this Agreement.
4. Term
4.1
Term. This Agreement shall become effective upon commencement of the
parties' relationship and shall continue in effect so long as Business Associate
continues to perform certain functions on behalf of and/or provides certain
services that qualifies it as Covered Entity's "business associate" pursuant to
42 C.F.R. § 160.103, unless terminated as provided in Section 5. Certain
provisions and requirements of this Agreement shall survive its expiration or
other termination in accordance with Section 7.1.
5. Termination
5.1
Material Breach. A breach by Business Associate of any provision of this
Agreement, as determined by Covered Entity, shall constitute a material
breach of this Agreement and any other agreement or business relationship
between Covered Entity and Business Associate arising out of or related to the
use of PHI and shall provide grounds for immediate termination of such
agreement(s) by Covered Entity.
5.2
Reasonable Steps To Cure Breach. If Covered Entity knows of a pattern of
activity or practice of Business Associate that constitutes a material breach of
this Agreement and does not terminate this Agreement pursuant to section 5.1,
then Covered Entity shall take reasonable steps to cure such breach. If
Covered Entity's efforts to cure such breach are unsuccessful, as determined
by Covered Entity, Covered Entity shall either: (a) terminate this Agreement,
if feasible; or (b) if termination of this Agreement is not feasible, Covered
Entity shall report Business Associate's breach to the Secretary.
5.3
Effect of Termination. Upon termination of this Agreement for any reason,
Business Associate shall return or destroy all PHI received from, or created or
received by Business Associate on behalf of, Covered Entity that Business
Associate has maintained in any form, and shall retain no copies of such PHI.
If return or destruction is not feasible, Business Associate shall continue to
extend the protections of this Agreement to such PHI, and limit its use or
disclosure of such PHI to those purposes that make the return or destruction of
such PHI infeasible.
6. Indemnification
6.1
Indemnification. The parties agree to indemnify, defend, and hold harmless
each other and each other's respective employees, directors, officers,
subcontractors, agents or other members of its workforce (each an
"Indemnified Party") against all actual and direct losses suffered by the
Indemnified Party and all liability to third parties arising out of or in
connection with any breach of this Agreement or from any negligence or
wrongful acts or omissions, including failure to perform its obligations under
the Privacy Regulations, by the Party providing indemnification (the
"Indemnifying Party") or its employees, directors, officers, subcontractors,
agents or other members of its workforce. Accordingly, on demand, the
Indemnifying Party shall reimburse any Indemnified Party for any and all
actual and direct losses, liabilities, lost profits, fines, penalties, costs or
expenses (including reasonable attorney's fees) which may be imposed upon
any Indemnified Party by reason of any suit, claim, action, proceeding or
demand by any third party resulting from the Indemnifying Party's breach
under this Agreement.
7. Miscellaneous
7.1
Survival. The respective rights and obligations of Business Associate and
Covered Entity under the provisions of Sections 5.3, 6.1, and 7.3, and Section
2 solely with respect to PHI that Business Associate retains following
termination pursuant to Section 5.3, shall survive termination of this
Agreement indefinitely.
7.2
Amendments and Waiver. This Agreement may not be modified, nor shall
any provision be waived or amended, except in a writing duly signed by
authorized representatives of the parties. A waiver with respect to one event
shall not be construed as continuing, or as a bar to or waiver of any right or
remedy as to subsequent events.
7.3
No Third Party Beneficiaries. Nothing express or implied in this Agreement
is intended to confer, nor shall anything herein confer, upon any person other
than the Parties and the respective successors or assigns of the Parties, any
rights, remedies, obligations, or liabilities whatsoever.
7.4
Notices. Any notices to be given hereunder to a Party shall be made via U.S.
Mail, express courier, and/or facsimile to the address or facsimile number
given below.
7.5
Counterparts and Facsimiles. This Agreement may be executed in any
number of counterparts, each of which shall be deemed an original. Facsimile
copies hereof shall be deemed to be originals.
7.6
Injunctive Relief. Notwithstanding any rights or remedies provided for in this
Agreement, Covered Entity retains all rights to seek injunctive relief to
prevent or stop the unauthorized use and/or disclosure of PHI by Business
Associate or any third party that received PHI from Business Associate.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly
executed in its name and on its behalf effective as of the 15th day of February, 2005.
COVERED ENTITY
By [signature]
Print Name Dennis M. Kissinger
Print Title City Manager
Date March 25, 2005
Address 300 W. Ash
Salina, KS 67401
Facsimile No. 785-820-8532
BUSINESS ASSOCIATE
By [signature]
Print Name Michael D. Ellis
Print Title Director, Audits and Compliance
Date February 15, 2005
Address 1010 N. Main St.
Wichita, KS 67203
Facsimile No. 316-462-3393