C-1987n

HIPAA BUSINESS ASSOCIATE ADDENDUM: GROUP HEALTH PLAN

This HIPAA Business Associate Addendum ("Business Associate Addendum") supplements and is made a part of the group dental contract ("Agreement") by and between the employer identified on the signatory page ("Employer") on behalf of the group health plan identified in the Agreement ("Group Health Plan") and Delta Dental Plan of California ("Delta"). This Business Associate Addendum is effective on April 14, 2003.

RECITALS

Whereas, the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and related regulations require that contracts between covered entities and entities known as business associates comply with enumerated standards and requirements;

Whereas, the Employer is the sponsor of the Group Health Plan; and in such capacity, the Employer executes this Business Associate Addendum on behalf of and in accordance with the Group Health Plan;

Whereas, Delta's interaction with the Group Health Plan, its business associates, the Employer and their agents makes Delta a business associate of the Group Health Plan as described or defined under HIPAA;

Whereas, the purpose of this Business Associate Addendum is to satisfy the HIPAA standards and requirements;

Now therefore, in consideration of the mutual promises below, the Employer, the Group Health Plan and Delta agree as follows:

SECTION 1 - DEFINITIONS

1.1 "HIPAA" shall mean the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and related regulations, Title 45 Parts 160 and 164 of the Code of Federal Regulations, as amended from time to time.

1.2 "Protected Health Information" (PHI) shall have the same meaning as defined in HIPAA and shall apply to those individuals who are eligible and/or enrolled in the Group Health Plan's dental benefit program administered by Delta.
1.3 Terms used, but not otherwise defined, in this Business Associate Addendum shall have the same meaning as those terms have in HIPAA.

11/18/02

SECTION 2 - BUSINESS ASSOCIATE AGREEMENT

2.1 The provisions of this Section 2 control over any provision in the Agreement that conflicts with this Section 2.

2.2 Permitted Uses and Disclosures.

a. Delta shall use and/or disclose PHI received by Delta in accordance with the uses and disclosures described in Exhibit A.

b. Delta shall not use or further disclose PHI other than as permitted or required by this Business Associate Addendum, any law or regulation.

c. Except as otherwise limited by this Business Associate Addendum, Delta may use and disclose PHI for the proper management and administration of Delta or to carry out Delta's legal responsibilities if: (a) the disclosure is required by law or (b) Delta obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient. In addition, the recipient must agree to notify Delta of any instances of which the recipient is aware in which the confidentiality of the PHI has been breached.

2.3 Appropriate Safeguards. Delta agrees to use appropriate safeguards to prevent its use or disclosure of PHI other than as provided for by this Business Associate Addendum.

2.4 Mitigation. Delta agrees to mitigate, to the extent practicable, any harmful effect that is known to Delta of a use or disclosure of PHI by Delta in violation of the requirements of this Business Associate Addendum.

2.5 Reporting of Disclosures of PHI. Delta shall report to the Group Health Plan, or its designated business associate, any use or disclosure of PHI by Delta not provided for in this Business Associate Addendum of which Delta becomes aware.

2.6 Agents and Contractors.
Delta shall ensure that any Delta agent or subcontractor to whom Delta discloses PHI agrees, in writing, to be bound by the same restrictions and conditions that apply to Delta through this Business Associate Addendum.

2.7 Access to and Availability of PHI. Delta shall, in accordance with HIPAA and as appropriate:

a. Provide access to the requested PHI within Delta's possession. The Group Health Plan shall within a reasonable amount of time forward to Delta any requests the Group Health Plan receives from the individual. Delta shall be responsible for responding to all individual requests for access to the PHI within Delta's possession.

b. Amend, notify appropriate recipients of any amendment, and incorporate any amendment to the requested PHI within Delta's possession. The Group Health Plan shall within a reasonable amount of time forward to Delta any requests the Group Health Plan receives from the individual. Delta shall be responsible for responding to all individual requests for amendment to the PHI within Delta's, or its business associate's, possession.

c. Provide an accounting of disclosures of PHI as required by HIPAA. The Group Health Plan shall within a reasonable amount of time forward to Delta any requests the Group Health Plan receives from the individual. Delta shall be responsible for responding to all individual requests for accounting of disclosures made by Delta or its business associates. Delta agrees to track all such disclosures of PHI that would be required to respond to a request for accounting of disclosures of PHI as required by HIPAA.

2.8 Availability of Delta's Internal Practices, Books and Records.
Delta agrees to make its internal practices, books and records, including policies and procedures and PHI, relating to its use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Group Health Plan's and Delta's compliance with this Business Associate Addendum and the HIPAA privacy standards.

2.9 Employer Responsibilities. Employer and/or Group Health Plan, as appropriate, shall be responsible for their compliance with HIPAA's administrative requirements resulting from the Employer's and/or Group Health Plan's activities, if applicable, including but not limited to, privacy officer designation, training, etc. Employer agrees to timely:

a. Forward any request it receives to the appropriate party as set forth in section 2.7 above,

b. Provide Delta with the notice of any limitation(s) in its notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation(s) may affect Delta's use or disclosure of PHI.

c. Notify Delta of any restriction to the use or disclosure of PHI that the Group Health Plan has agreed to in accordance with 45 CFR 164.522, to the extent that such limitation(s) may affect Delta's use or disclosure of PHI; and

d. Notify Delta, in writing, of any arrangement permitted or required of the Group Health Plan under HIPAA that may impact in any manner Delta's use or disclosure of PHI under the Agreement or this Business Associate Addendum, including, but not limited to, any agreement by the Group Health Plan to restrict the use or disclosure of any PHI as permitted by HIPAA. Unless otherwise specifically provided in this Business Associate Addendum, Delta shall only be responsible to comply with limitations conveyed by the Employer in accordance with this Section 2.9. The Employer will notify Delta of changes in the notice or other relevant material.

e.
Distribute Delta's notice of privacy practices to all enrollees within the time frames required by HIPAA if the group dental program is an insured or risk program.

2.10 Term and Termination of the Agreement and this Business Associate Addendum.

a. Term. The term of this Business Associate Addendum shall be effective on the date set forth in the first paragraph and shall continue until the Agreement is terminated.

b. Termination for Cause. The Employer may terminate this Business Associate Addendum and the Agreement upon the Employer's knowledge that Delta has materially breached this Business Associate Addendum if, within sixty (60) days after receipt of written notice of such material breach, Delta fails to take action to cure the breach or end the violation.

c. In the event of any termination of this Business Associate Addendum, Delta shall return or destroy all PHI that Delta still maintains in any form and shall retain no copies. If return or destruction is not feasible because such PHI is necessary to fulfill Delta's legal responsibilities or other management and administrative purposes, Delta shall retain the PHI and shall continue to protect the confidentiality of PHI as required by this Business Associate Addendum. Delta shall limit any use or disclosure of PHI to those purposes that make the return or destruction of PHI infeasible. Delta agrees to require that any PHI in the possession of its agents or subcontractors retained, returned or destroyed, as applicable.

d. The following sections shall survive termination of this Agreement: 2.7, 2.8, 5.2, and 5.3.

2.11 Notice of Privacy Practices. The Employer represents and warrants that the Group Health Plan's notice of privacy practices, if applicable, shall not, subject to HIPAA's requirement, limit or restrict Delta's use or disclosure of PHI as necessary for Delta to perform the services described in the Agreement.

SECTION 3 - DISCLOSURE TO PLAN SPONSOR

3.1 Amendment of the Agreement.
Delta and Employer agree to amend the Agreement as set forth in this section to allow the Group Health Plan and/or Delta to disclose PHI to the Employer. Employer agrees to identify to Delta the Employer's employees, classes of employees or other persons to whom Delta shall disclose PHI.

3.2 Notice of Privacy Practices. If Delta will disclose PHI to the Employer pursuant to this section, the Employer represents and warrants that the Group Health Plan's notice of privacy practices, if applicable, shall advise the individual of such disclosure.

3.3 Disclosure of PHI to Plan Sponsor. The Employer represents and warrants that if the prior conditions in Sections 3.1 and 3.2 have been met, Delta may disclose PHI to the employees, classes of employees and other persons identified by Employer to carry out the plan administration functions. Delta shall not disclose PHI to such persons for the purpose of employment-related actions or decisions or in connection with any other benefit plan of the Employer.

3.4 Identification of Employees and Other Persons. The Employer agrees that Delta may rely upon the most recent list of employees or classes of employees (or update thereof) provided by the Employer.

3.5 Disclosure of Summary Health Information. Sections 3.1 and 3.2 do not apply to disclosures of summary information as defined in HIPAA. Delta may disclose to the Employer summary health information:

a. To obtain premium bids for providing dental benefits coverage under the Group Health Plan;

b. To modify, amend or terminate the Group Health Plan; or

c. As otherwise permitted by HIPAA.

3.6 Amendment of Group Contract as Group Health Plan Documents. Employer and Delta acknowledge that the Agreement constitutes the group health plan document for the dental program administered by Delta. This section 3.6 shall serve as the amendment to the group health plan document as required by HIPAA to permit Delta to disclose PHI to the Employer.
The provisions of this Section 3.6 control over any provision in the Agreement that conflicts with this section.

a. Employer Certification. The following terms of this section incorporate the requirements of HIPAA to permit the Group Health Plan or Delta to lawfully disclose PHI to the Employer or its agents. This section shall serve as the Employer's certification as required by HIPAA.

b. Permitted Uses and Disclosures.

i. Employer, its directors, officers, employees, contractors and agents shall use and/or disclose PHI received by Employer solely in accordance with the uses and disclosures described in Exhibit B which is attached to and made a part of this Business Associate Addendum.

ii. Employer shall not, and shall ensure that its directors, officers, employees, contractors and agents do not, use or further disclose PHI in any manner except as permitted or required by this Business Associate Addendum or as required by law or regulation.

c. Agents and Subcontractors. Employer shall ensure that any agent or subcontractor that will have access to PHI from Employer agrees to be bound by the same restrictions, terms and conditions that apply to Employer pursuant to this Business Associate Addendum.

d. Employment-Related Actions and Decisions. The Employer shall not use or disclose PHI for employment-related actions or decisions or in connection with any other benefit plan of the Employer.

e. Reporting of Disclosures of PHI. Employer shall, as soon as possible after becoming aware of an actual or suspected disclosure of PHI in violation of this Business Associate Addendum by Employer, its officers, directors, employees, subcontractors or agents or by a third party to which Employer disclosed PHI pursuant to this Business Associate Addendum, report any such disclosure to the Group Health Plan.

f. Access to and Availability of PHI. Employer shall in compliance with HIPAA requirements:

i.
Make available to the Group Health Plan, its business associate, or Delta, as appropriate, the requested PHI to respond to an individual's request for access to PHI.

ii. Provide to the Group Health Plan, its designated business associate, or Delta, as appropriate, the requested PHI to respond to a request for amendment and shall incorporate any amendment received from the Group Health Plan, its designated business associate or Delta.

iii. Make available to the Group Health Plan, its designated business associate, or Delta, as appropriate, the requested PHI to respond to an individual's request for an accounting of disclosures of PHI. The Employer agrees to track all disclosures of PHI that would be required to respond to a request for accounting of disclosures of PHI as required by HIPAA.

g. Availability of Business Associate's Internal Practices Books and Records. Employer agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from the Group Health Plan or Delta available to the Secretary of Health and Human Services for purposes of determining the Group Health Plan's and Employer's compliance with the HIPAA privacy standards.

h. Return or Destruction of PHI. Employer shall return or destroy all PHI received from the Group Health Plan or its agent that the Employer maintains in any form and shall retain no copies when such PHI is no longer needed for the purpose for which the disclosure was made. If return or destruction is not feasible, Employer shall continue to protect the confidentiality of PHI as required by this Business Associate Addendum and limit any use or disclosure of PHI to those purposes that make the return or destruction of PHI infeasible.

i. Adequate Separation. Employer shall ensure adequate separation as required by HIPAA by doing the following:

i.
Employer shall identify the Employer's employees, classes of employees or other persons to whom the Group Health Plan, its agent, or Delta shall disclose PHI.

ii. Employer shall restrict access to PHI and use of PHI by such employees or other persons to the plan administration functions that Employer performs for the Group Health Plan.

iii. Employer shall implement an effective mechanism for resolving any issues of noncompliance by such employees or other persons, and such mechanism shall be consistent with the terms of this Business Associate Addendum.

SECTION 4 — DISCLOSURE TO BUSINESS ASSOCIATE

4.1 The Employer represents and warrants that prior to requesting Delta to disclose PHI to the Group Health Plan's business associate(s), the Group Health Plan, or the Employer on the Group Health Plan's behalf, shall have entered into a business associate contract or have other satisfactory arrangement with such business associate(s) that complies with the requirements of HIPAA.

4.2 Disclosure to a business associate pursuant to this Section 4 shall not include a disclosure to the Employer nor to its identified employees.

SECTION 5 — GENERAL

5.1 Amendment to Business Associate Addendum. Employer and Delta agree to amend this Business Associate Addendum as necessary to comply with federal or state laws or regulations relating to the administrative simplification provisions of HIPAA.

5.2 Indemnification by Delta. Delta agrees to indemnify, defend and hold harmless the Group Health Plan, or the Employer on the Group Health Plan's behalf, and their employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as "Indemnified Party," against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with Delta's breach of sections 2 or 3 of this Business Associate Addendum.
Accordingly, on demand, Delta shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from Delta's breach hereunder. Delta's obligation to indemnify any Indemnified Party shall survive the expiration or termination of this Business Associate Addendum for any reason.

5.3 Indemnification by Group Health Plan or Employer. The Group Health Plan, or the Employer on the Group Health Plan's behalf, agrees to indemnify, defend and hold harmless Delta and its employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as "Indemnified Party," against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with the Group Health Plan's or Employer's breach of Sections 2, 3 or 4 of this Business Associate Addendum. Accordingly, on demand, the Group Health Plan or Employer shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from the Group Health Plan's or Employer's breach hereunder. The obligation to indemnify any Indemnified Party shall survive the expiration or termination of this Business Associate Addendum for any reason.

5.4 Interpretation. This Business Associate Addendum shall be interpreted to allow the parties to comply with HIPAA, provided, however, that nothing herein shall be construed to grant rights beyond those provided under HIPAA or applicable law.
IN WITNESS WHEREOF, Employer and Delta have duly executed this Business Associate Addendum as of the date listed below. Employer represents and warrants that it is signing this Agreement in its capacity as the sponsor of the Group Health Plan and not in a capacity of a business associate to the Group Health Plan.

Employer: City of Arcadia
Delta Dental Group Number: 0062
Signature: [illegible]
Print Name: William R. Kelly
Print Title: City Manager
Date: [illegible]

Delta Dental Plan of California
Signature:
Print Name: Kenneth E. Bernardi
Print Title: Vice President, Underwriting & Actuarial Services
Date: February 14, 2003

RECOMMENDED BY:
Tracey L. Hause
Administrative Services Director

APPROVED AS TO FORM:
Stephen P. Deitsch
City Attorney

EXHIBIT A TO HIPAA BUSINESS ASSOCIATE ADDENDUM: GROUP HEALTH PLAN

Delta's Permitted Uses and Disclosures:

Except as otherwise limited in this Business Associate Addendum, Delta shall use and disclose PHI:

A. To perform the functions, activities, or services for, or on behalf of, the Group Health Plan as specified in the Agreement, provided that such use or disclosure would not violate HIPAA if done by the Group Health Plan.

B. For the Group Health Plan's treatment, payment and health care operations as defined and permitted under HIPAA with respect to Delta's administration of the dental benefits program for the Group Health Plan as described in the group dental contract.

C. For Delta's treatment, payment and health care operations as defined and permitted under HIPAA with respect to Delta's administration of the dental benefits program for the Group Health Plan as described in the group dental contract.

D. To Delta's agents or subcontractors as necessary for Delta to perform the services described in the Agreement.

E. To the Group Health Plan's or Employer's business associate, agent or subcontractor as requested by the Employer.

F.
To provide Data Aggregation services to the Group Health Plan if mutually agreed upon between Group Health Plan and Delta.

G. To provide to or obtain de-identification services for the Group Health Plan if mutually agreed upon between Group Health Plan and Delta.

H. As otherwise required or permitted by HIPAA or federal or state law.

I. To report violations of law to appropriate federal or state authorities, consistent with 45 CFR §164.502(j)(1).

J. As otherwise requested by the Employer or the Group Health Plan that is not in violation of HIPAA.

EXHIBIT B TO HIPAA BUSINESS ASSOCIATE ADDENDUM: GROUP HEALTH PLAN

Employer's Uses and Disclosures

Employer shall use and disclose PHI only in compliance with HIPAA and for the purpose of providing plan administration functions to the Group Health Plan. Plan administrative functions are defined as administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.