HIPAA BUSINESS ASSOCIATE ADDENDUM:
GROUP HEALTH PLAN
This HIPAA Business Associate Addendum ("Business Associate Addendum") supplements and
is made a part of the group dental contract ("Agreement") by and between the employer identified
on the signatory page ("Employer") on behalf of the group health plan identified in the
Agreement ("Group Health Plan") and Delta Dental Plan of California ("Delta"). This Business
Associate Addendum is effective on April 14, 2003.
RECITALS
Whereas, the administrative simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 and related regulations require that contracts between covered entities
and entities known as business associates comply with enumerated standards and requirements;
Whereas, the Employer is the sponsor of the Group Health Plan; and in such capacity, the
Employer executes this Business Associate Addendum on behalf of and in accordance with the
Group Health Plan;
Whereas, Delta's interaction with the Group Health Plan, its business associates, the Employer
and their agents makes Delta a business associate of the Group Health Plan as described or
defined under HIPAA;
Whereas, the purpose of this Business Associate Addendum is to satisfy the HIPAA standards
and requirements;
Now therefore, in consideration of the mutual promises below, the Employer, the Group Health
Plan and Delta agree as follows:
SECTION 1 - DEFINITIONS
1.1 "HIPAA" shall mean the administrative simplification provisions of the Health Insurance
Portability and Accountability Act of 1996 and related regulations, Title 45 Parts 160 and
164 of the Code of Federal Regulations, as amended from time to time.
1.2 "Protected Health Information" (PHI) shall have the same meaning as defined in HIPAA
and shall apply to those individuals who are eligible and/or enrolled in the Group Health
Plan's dental benefit program administered by Delta.
1.3 Terms used, but not otherwise defined, in this Business Associate Addendum shall have
the same meaning as those terms have in HIPAA.
11/18/02
SECTION 2 - BUSINESS ASSOCIATE AGREEMENT
2.1 The provisions of this Section 2 control over any provision in the Agreement that
conflicts with this Section 2.
2.2 Permitted Uses and Disclosures.
a. Delta shall use and/or disclose PHI received by Delta in accordance with the uses
and disclosures described in Exhibit A.
b. Delta shall not use or further disclose PHI other than as permitted or required by
this Business Associate Addendum, any law or regulation.
c. Except as otherwise limited by this Business Associate Addendum, Delta may
use and disclose PHI for the proper management and administration of Delta or
to carry out Delta's legal responsibilities if: (a) the disclosure is required by law
or (b) Delta obtains reasonable assurances from the recipient that the PHI will be
held confidentially and used or further disclosed only as required by law or for
the purpose for which it was disclosed to the recipient. In addition, the recipient
must agree to notify Delta of any instances of which the recipient is aware in
which the confidentiality of the PHI has been breached.
2.3 Appropriate Safeguards. Delta agrees to use appropriate safeguards to prevent its use or
disclosure of PHI other than as provided for by this Business Associate Addendum.
2.4 Mitigation. Delta agrees to mitigate, to the extent practicable, any harmful effect that is
known to Delta of a use or disclosure of PHI by Delta in violation of the requirements of
this Business Associate Addendum.
2.5 Reporting of Disclosures of PHI. Delta shall report to the Group Health Plan, or its
designated business associate, any use or disclosure of PHI by Delta not provided for in
this Business Associate Addendum of which Delta becomes aware.
2.6 Agents and Contractors. Delta shall ensure that any Delta agent or subcontractor to
whom Delta discloses PHI agrees, in writing, to be bound by the same restrictions and
conditions that apply to Delta through this Business Associate Addendum.
2.7 Access to and Availability of PHI. Delta shall, in accordance with HIPAA and as
appropriate:
a. Provide access to the requested PHI within Delta's possession. The Group Health
Plan shall within a reasonable amount of time forward to Delta any requests the
Group Health Plan receives from the individual. Delta shall be responsible for
responding to all individual requests for access to the PHI within Delta's
possession.
b. Amend, notify appropriate recipients of any amendment, and incorporate any
amendment to the requested PHI within Delta's possession. The Group Health
Plan shall within a reasonable amount of time forward to Delta any requests
the Group Health Plan receives from the individual. Delta shall be responsible
for responding to all individual requests for amendment to the PHI within Delta's,
or its business associate's, possession.
c. Provide an accounting of disclosures of PHI as required by HIPAA. The Group
Health Plan shall within a reasonable amount of time forward to Delta any
requests the Group Health Plan receives from the individual. Delta shall be
responsible for responding to all individual requests for accounting of disclosures
made by Delta or its business associates. Delta agrees to track all such
disclosures of PHI that would be required to respond to a request for accounting
of disclosures of PHI as required by HIPAA.
2.8 Availability of Delta's Internal Practices, Books and Records. Delta agrees to make its
internal practices, books and records, including policies and procedures and PHI, relating
to its use and disclosure of PHI available to the Secretary of Health and Human Services
for purposes of determining Group Health Plan's and Delta's compliance with this
Business Associate Addendum and the HIPAA privacy standards.
2.9 Employer Responsibilities. Employer and/or Group Health Plan, as appropriate, shall be
responsible for their compliance with HIPAA's administrative requirements resulting
from the Employer's and/or Group Health Plan's activities, if applicable, including but not
limited to, privacy officer designation, training, etc. Employer agrees to timely:
a. Forward any request it receives to the appropriate party as set forth in section 2.7
above,
b. Provide Delta with the notice of any limitation(s) in its notice of privacy
practices in accordance with 45 CFR 164.520, to the extent that such limitation(s)
may affect Delta's use or disclosure of PHI.
c. Notify Delta of any restriction to the use or disclosure of PHI that the Group
Health Plan has agreed to in accordance with 45 CFR 164.522, to the extent that
such limitation(s) may affect Delta's use or disclosure of PHI; and
d. Notify Delta, in writing, of any arrangement permitted or required of the Group
Health Plan under HIPAA that may impact in any manner Delta's use or
disclosure of PHI under the Agreement or this Business Associate Addendum,
including, but not limited to, any agreement by the Group Health Plan to restrict
the use or disclosure of any PHI as permitted by HIPAA. Unless otherwise
specifically provided in this Business Associate Addendum, Delta shall only be
responsible to comply with limitations conveyed by the Employer in accordance
with this Section 2.9. The Employer will notify Delta of changes in the notice or
other relevant material.
e. Distribute Delta's notice of privacy practices to all enrollees within the time
frames required by HIPAA if the group dental program is an insured or risk
program.
2.10 Term and Termination of the Agreement and this Business Associate Addendum.
a. Term. The term of this Business Associate Addendum shall be effective on the
date set forth in the first paragraph and shall continue until the Agreement is
terminated.
b. Termination for Cause. The Employer may terminate this Business Associate
Addendum and the Agreement upon the Employer's knowledge that Delta has
materially breached this Business Associate Addendum if, within sixty (60) days
after receipt of written notice of such material breach, Delta fails to take action to
cure the breach or end the violation.
c. In the event of any termination of this Business Associate Addendum, Delta shall
return or destroy all PHI that Delta still maintains in any form and shall retain no
copies. If return or destruction is not feasible because such PHI is necessary to
fulfill Delta's legal responsibilities or other management and administrative
purposes, Delta shall retain the PHI and shall continue to protect the
confidentiality of PHI as required by this Business Associate Addendum. Delta
shall limit any use or disclosure of PHI to those purposes that make the return or
destruction of PHI infeasible. Delta agrees to require that any PHI in the
possession of its agents or subcontractors retained, returned or destroyed, as
applicable.
d. The following sections shall survive termination of this Agreement: 2.7, 2.8, 5.2,
and 5.3.
2.11 Notice of Privacy Practices. The Employer represents and warrants that the Group
Health Plan's notice of privacy practices, if applicable, shall not, subject to HIPAA's
requirement, limit or restrict Delta's use or disclosure of PHI as necessary for Delta to
perform the services described in the Agreement.
SECTION 3 - DISCLOSURE TO PLAN SPONSOR
3.1 Amendment of the Agreement. Delta and Employer agree to amend the Agreement as set
forth in this section to allow the Group Health Plan and/or Delta to disclose PHI to the
Employer. Employer agrees to identify to Delta the Employer's employees, classes of
employees or other persons to whom Delta shall disclose PHI.
3.2 Notice of Privacy Practices. If Delta will disclose PHI to the Employer pursuant to this
section, the Employer represents and warrants that the Group Health Plan's notice of
privacy practices, if applicable, shall advise the individual of such disclosure.
3.3 Disclosure of PHI to Plan Sponsor. The Employer represents and warrants that if the
prior conditions in Sections 3.1 and 3.2 have been met, Delta may disclose PHI to the
employees, classes of employees and other persons identified by Employer to carry out
the plan administration functions. Delta shall not disclose PHI to such persons for the
purpose of employment-related actions or decisions or in connection with any other
benefit plan of the Employer.
3.4 Identification of Employees and Other Persons. The Employer agrees that Delta may rely
upon the most recent list of employees or classes of employees (or update thereof)
provided by the Employer.
3.5 Disclosure of Summary Health Information. Sections 3.1 and 3.2 do not apply to
disclosures of summary information as defined in HIPAA. Delta may disclose to the
Employer summary health information:
a. To obtain premium bids for providing dental benefits coverage under the Group
Health Plan;
b. To modify, amend or terminate the Group Health Plan; or
c. As otherwise permitted by HIPAA.
3.6 Amendment of Group Contract as Group Health Plan Documents. Employer and Delta
acknowledge that the Agreement constitutes the group health plan document for the
dental program administered by Delta. This section 3.6 shall serve as the amendment to
the group health plan document as required by HIPAA to permit Delta to disclose PHI to
the Employer. The provisions of this Section 3.6 control over any provision in the
Agreement that conflicts with this section.
a. Employer Certification. The following terms of this section incorporate the
requirements of HIPAA to permit the Group Health Plan or Delta to lawfully
disclose PHI to the Employer or its agents. This section shall serve as the
Employer's certification as required by HIPAA.
b. Permitted Uses and Disclosures.
i. Employer, its directors, officers, employees, contractors and agents shall
use and/or disclose PHI received by Employer solely in accordance with
the uses and disclosures described in Exhibit B which is attached to and
made a part of this Business Associate Addendum.
ii. Employer shall not, and shall ensure that its directors, officers,
employees, contractors and agents do not, use or further disclose PHI in
any manner except as permitted or required by this Business Associate
Addendum or as required by law or regulation.
c. Agents and Subcontractors. Employer shall ensure that any agent or
subcontractor that will have access to PHI from Employer agrees to be bound by
the same restrictions, terms and conditions that apply to Employer pursuant to
this Business Associate Addendum.
d. Employment-Related Actions and Decisions. The Employer shall not use or
disclose PHI for employment-related actions or decisions or in connection with
any other benefit plan of the Employer.
e. Reporting of Disclosures of PHI. Employer shall, as soon as possible after
becoming aware of an actual or suspected disclosure of PHI in violation of this
Business Associate Addendum by Employer, its officers, directors, employees,
subcontractors or agents or by a third party to which Employer disclosed PHI
pursuant to this Business Associate Addendum, report any such disclosure to the
Group Health Plan.
f. Access to and Availability of PHI. Employer shall in compliance with HIPAA
requirements:
i. Make available to the Group Health Plan, its business associate, or Delta,
as appropriate, the requested PHI to respond to an individual's request for
access to PHI.
ii. Provide to the Group Health Plan, its designated business associate, or
Delta, as appropriate, the requested PHI to respond to a request for
amendment and shall incorporate any amendment received from the
Group Health Plan, its designated business associate or Delta.
iii. Make available to the Group Health Plan, its designated business
associate, or Delta, as appropriate, the requested PHI to respond to an
individual's request for an accounting of disclosures of PHI. The
Employer agrees to track all disclosures of PHI that would be required to
respond to a request for accounting of disclosures of PHI as required by
HIPAA.
g. Availability of Business Associate's Internal Practices Books and Records.
Employer agrees to make its internal practices, books and records relating to the
use and disclosure of PHI received from the Group Health Plan or Delta available
to the Secretary of Health and Human Services for purposes of determining the
Group Health Plan's and Employer's compliance with the HIPAA privacy
standards.
h. Return or Destruction of PHI. Employer shall return or destroy all PHI received
from the Group Health Plan or its agent that the Employer maintains in any form
and shall retain no copies when such PHI is no longer needed for the purpose for
which the disclosure was made. If return or destruction is not feasible, Employer
shall continue to protect the confidentiality of PHI as required by this Business
Associate Addendum and limit any use or disclosure of PHI to those purposes
that make the return or destruction of PHI infeasible.
i. Adequate Separation. Employer shall ensure adequate separation as
required by HIPAA by doing the following:
i. Employer shall identify the Employer's employees, classes of employees
or other persons to whom the Group Health Plan, its agent, or Delta shall
disclose PHI.
ii. Employer shall restrict access to PHI and use of PHI by such employees
or other persons to the plan administration functions that Employer
performs for the Group Health Plan.
iii. Employer shall implement an effective mechanism for resolving any
issues of noncompliance by such employees or other persons, and such
mechanism shall be consistent with the terms of this Business Associate
Addendum.
SECTION 4 — DISCLOSURE TO BUSINESS ASSOCIATE
4.1 The Employer represents and warrants that prior to requesting Delta to disclose PHI to
the Group Health Plan's business associate(s), the Group Health Plan, or the Employer on
the Group Health Plan's behalf, shall have entered into a business associate contract or
have other satisfactory arrangement with such business associate(s) that complies with
the requirements of HIPAA.
4.2 Disclosure to a business associate pursuant to this Section 4 shall not include a disclosure
to the Employer nor to its identified employees.
SECTION 5 — GENERAL
5.1 Amendment to Business Associate Addendum. Employer and Delta agree to amend this
Business Associate Addendum as necessary to comply with federal or state laws or
regulations relating to the administrative simplification provisions of HIPAA.
5.2 Indemnification by Delta. Delta agrees to indemnify, defend and hold harmless the
Group Health Plan, or the Employer on the Group Health Plan's behalf, and their
employees, directors, officers, subcontractors, agents or other members of its workforce,
each of the foregoing hereinafter referred to as "Indemnified Party," against all actual and
direct losses suffered by the Indemnified Party and all liability to third parties arising
from or in connection with Delta's breach of sections 2 or 3 of this Business Associate
Addendum. Accordingly, on demand, Delta shall reimburse any Indemnified Party for
any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or
expenses (including reasonable attorneys' fees) which may for any reason be imposed
upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand
by any third party which results from Delta's breach hereunder. Delta's obligation to
indemnify any Indemnified Party shall survive the expiration or termination of this
Business Associate Addendum for any reason.
5.3 Indemnification by Group Health Plan or Employer. The Group Health Plan, or the
Employer on the Group Health Plan's behalf, agrees to indemnify, defend and hold
harmless Delta and its employees, directors, officers, subcontractors, agents or other
members of its workforce, each of the foregoing hereinafter referred to as "Indemnified
Party," against all actual and direct losses suffered by the Indemnified Party and all
liability to third parties arising from or in connection with the Group Health Plan's or
Employer's breach of Sections 2, 3 or 4 of this Business Associate Addendum.
Accordingly, on demand, the Group Health Plan or Employer shall reimburse any
Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines,
penalties, costs or expenses (including reasonable attorneys' fees) which may for any
reason be imposed upon any Indemnified Party by reason of any suit, claim, action,
proceeding or demand by any third party which results from the Group Health Plan's or
Employer's breach hereunder. The obligation to indemnify any Indemnified Party shall
survive the expiration or termination of this Business Associate Addendum for any
reason.
5.4 Interpretation. This Business Associate Addendum shall be interpreted to allow the
parties to comply with HIPAA, provided, however, that nothing herein shall be construed
to grant rights beyond those provided under HIPAA or applicable law.
IN WITNESS WHEREOF, Employer and Delta have duly executed this Business Associate
Addendum as of the date listed below.
Employer represents and warrants that it is signing this Agreement in its capacity as the sponsor
of the Group Health Plan and not in a capacity of a business associate to the Group Health Plan.
Employer: City of Arcadia
Delta Dental Group Number: 0062
Signature: [illegible]
Print Name: William R. Kelly
Print Title: City Manager
Date: [illegible]
Delta Dental Plan of California
Signature:
Print Name: Kenneth E. Bernardi
Print Title: Vice President, Underwriting & Actuarial Services
Date: February 14, 2003
RECOMMENDED BY:
Tracey L. Hause
Administrative Services Director
APPROVED AS TO FORM:
Stephen P. Deitsch
City Attorney
EXHIBIT A TO HIPAA BUSINESS ASSOCIATE ADDENDUM: GROUP
HEALTH PLAN
Delta's Permitted Uses and Disclosures:
Except as otherwise limited in this Business Associate Addendum, Delta shall use and disclose
PHI:
A. To perform the functions, activities, or services for, or on behalf of, the Group Health
Plan as specified in the Agreement, provided that such use or disclosure would not
violate HIPAA if done by the Group Health Plan.
B. For the Group Health Plan's treatment, payment and health care operations as defined and
permitted under HIPAA with respect to Delta's administration of the dental benefits
program for the Group Health Plan as described in the group dental contract.
C. For Delta's treatment, payment and health care operations as defined and permitted under
HIPAA with respect to Delta's administration of the dental benefits program for the
Group Health Plan as described in the group dental contract.
D. To Delta's agents or subcontractors as necessary for Delta to perform the services
described in the Agreement.
E. To the Group Health Plan's or Employer's business associate, agent or subcontractor as
requested by the Employer.
F. To provide Data Aggregation services to the Group Health Plan if mutually agreed upon
between Group Health Plan and Delta.
G. To provide to or obtain de-identification services for the Group Health Plan if mutually
agreed upon between Group Health Plan and Delta.
H. As otherwise required or permitted by HIPAA or federal or state law.
I. To report violations of law to appropriate federal or state authorities, consistent with 45
CFR §164.502(j)(1).
J. As otherwise requested by the Employer or the Group Health Plan that is not in violation
of HIPAA.
EXHIBIT B TO HIPAA BUSINESS ASSOCIATE ADDENDUM:
GROUP HEALTH PLAN
Employer's Uses and Disclosures
Employer shall use and disclose PHI only in compliance with HIPAA and for the purpose of
providing plan administration functions to the Group Health Plan. Plan administrative functions
are defined as administration functions performed by the plan sponsor of a group health plan on
behalf of the group health plan and excludes functions performed by the plan sponsor in
connection with any other benefit or benefit plan of the plan sponsor.