Addenda - RFP - P751 BENEFITS CONSULTANT
MERCER
Human Resource Consulting
April 30, 2003
Mr. Vincent Pascale, Jr.
Benefits Administrator
City of Fort Collins
P.O. Box 580
Fort Collins, CO 80522-0580
370 17th Street, Suite 4000
Denver, CO 80202-5619
303 376 0800 Fax 303 376 0087
www.mercerHR.com
Subject: HIPAA Business Associate Agreement
Dear Vincent:
Enclosed, for the City of Fort Collins' files, is a fully executed original of the HIPAA Business
Associate Agreement between the City of Fort Collins, acting on behalf of the City of Fort
Collins Group Health Plan and the City of Fort Collins Flexible Benefits Plan and Mercer
Human Resource Consulting, Inc.
Thank you for your assistance and for sending me replacements when the documents originally
sent were "lost".
Sincerely,
Linda L. Miller
LLM:RCS:maf
Enclosure
Marsh & McLennan Companies
Business Associate Agreement
Health Insurance Portability and Accountability Act (HIPAA)
This Business Associate Agreement (the "Agreement") is made and entered into by and between The City
of Fort Collins, acting on behalf of the City of Fort Collins Group Health Plan and the City of Fort Collins
Flexible Benefits Plan (hereinafter "Covered Entity") and Mercer Human Resource Consulting, Inc.
(hereinafter "Business Associate").
Recitals
WHEREAS, the Department of Health and Human Services ("HHS") has promulgated regulations at 45
C.F.R. Parts 160-164, implementing the privacy requirements set forth in the Administrative
Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law
104-191 (the "Privacy Rules");
WHEREAS, the Privacy Rules provide, among other things, that a covered entity is permitted to disclose
Protected Health Information (as defined below) to a business associate and allow the business associate
to obtain and receive Protected Health Information, if the covered entity obtains satisfactory assurances in
the form of a written contract that the business associate will appropriately safeguard the Protected Health
Information;
WHEREAS, Business Associate will have access to, create and/or receive certain Protected Health
Information in conjunction with the services being provided by Business Associate to Covered Entity,
thus necessitating a written agreement that meets the applicable requirements of the Privacy Rules. Both
parties have mutually agreed to satisfy the foregoing regulatory requirements through this Agreement.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
1. Definitions. The following terms shall have the meaning set forth below:
(a) C.F.R. "C.F.R." means the Code of Federal Regulations.
(b) Designated Record Set. "Designated Record Set" has the meaning assigned to such term in 45
C.F.R. 164.501.
(c) Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R.
164.501 and shall include a person who qualifies as the Individual's personal representative
in accordance with 45 C.F.R. 164.502 (g).
(d) Protected Health Information. "Protected Health Information" shall have the same meaning
as the term "Protected Health Information", as defined by 45 C.F.R. 164.501, limited to the
information created or received by Business Associate from or on behalf of Covered Entity.
(e) Required By Law. "Required By Law" shall have the same meaning as the term "required by
law" in 45 C.F.R. 164.501.
(f) Secretary. "Secretary" shall mean the Secretary of HHS or his designee.
2. Obligations and Activities of Business Associate
(a) Business Associate agrees to not use or further disclose Protected Health Information other
than as permitted or required by this Agreement or as Required By Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health Information by Business
Associate in violation of the requirements of this Agreement.
(d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected
Health Information not provided for by this Agreement of which it becomes aware.
(e) Business Associate agrees to ensure that any agent, including a subcontractor, to
whom it provides Protected Health Information received from, or created or received by Business
Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through
this Agreement to Business Associate with respect to such information.
(f) Business Associate agrees to provide access to Protected Health Information in a Designated
Record Set, in the time and manner Required by Law, to Covered Entity or, as directed by Covered
Entity, to an Individual, in order to meet the requirements under 45 C.F.R. 164.524.
(g) Business Associate agrees to make any amendment(s) to Protected Health Information in a
Designated Record Set pursuant to 45 C.F.R. 164.526 at the request of Covered Entity or an Individual,
and in the time and manner Required by Law.
(h) Business Associate agrees to make internal practices, books, and records relating to the use
and disclosure of Protected Health Information received from, or created or received by Business
Associate, on behalf of Covered Entity, available to the Secretary, for purposes of the Secretary
determining Covered Entity's compliance with the Privacy Rule.
(i) Business Associate agrees to document such disclosures of Protected Health Information and
information related to such disclosures as would be required for Covered Entity to respond to a request by
an Individual for an accounting of disclosures of Protected Health Information in accordance with 45
C.F.R. 164.528.
(j) Business Associate agrees to provide to Covered Entity, upon request and in the time and
manner Required by Law, an accounting of disclosures of an individual's Protected Health Information,
collected in accordance with Section 2(i) of this Agreement, to permit Covered Entity to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in accordance
with 45 C.F.R. 164.528. If Covered Entity requests an accounting of an Individual's Protected Health
Information more than once in any twelve (12) month period, Business Associate will impose a
reasonable fee for such accounting in accordance with 45 C.F.R. 164.528(c).
(k) Business Associate acknowledges that it shall request from the Covered Entity and so disclose
to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum Protected
Health Information necessary to perform or fulfill a specific function required or permitted hereunder.
(l) Business Associate shall use commercially reasonable efforts to maintain the security of the
Protected Health Information and to prevent unauthorized uses or disclosures of such Protected Health
Information.
(m) If Business Associate conducts any Standard Transactions on behalf of Covered Entity,
Business Associate shall comply with the applicable requirements of 45 C.F.R. Part 162.
3. Permitted Uses and Disclosures by Business Associate
3.1 General Use and Disclosure
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected
Health Information to perform its obligations and services to Covered Entity, provided that such use or
disclosure would not violate the Privacy Rule if done by Covered Entity.
3.2 Specific Use and Disclosure Provisions
(a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information for the proper management and administration of the Business Associate or to carry out the
legal responsibilities of the Business Associate.
(b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected
Health Information for the proper management and administration of the Business Associate, provided
that disclosures are required by law, or Business Associate obtains reasonable assurances from the person
to whom the information is disclosed that it will be held confidential and used or further disclosed only as
Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the
Business Associate of any instances of which it is aware in which the confidentiality of the information
has been breached.
(c) Business Associate may use Protected Health Information to provide data aggregation services
to Covered Entity.
4. Obligations of Covered Entity.
4.1 Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered Entity shall provide Business Associate with the notice of privacy practices that
Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice.
(b) Covered Entity shall provide Business Associate with any changes in, or revocation of,
permission by Individual to use or disclose Protected Health Information, if such changes affect Business
Associate's permitted or required uses and disclosures.
(c) Covered Entity shall notify Business Associate, in writing, of any restriction to the use or
disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45
C.F.R. § 164.522.
(d) Covered Entity acknowledges that it shall provide to, or request from, the Business Associate
only the minimum Protected Health Information necessary for Business Associate to perform or fulfill a
specific function required or permitted hereunder.
4.2 Permissible Requests by Covered Entity
Covered Entity represents and warrants that it has the right and authority to disclose Protected
Health Information to Business Associate for Business Associate to perform its obligations and provide
services to Covered Entity, and Business Associate's use of the Protected Health Information to perform
its obligations and provide services to Covered Entity requested by Covered Entity does not violate the
Privacy Rules, Covered Entity's privacy notice or any applicable law. Covered Entity shall not request
Business Associate to use or disclose Protected Health Information in any manner that would not be
permissible under the Privacy Rule if done by Covered Entity.
5. Term and Termination
(a) Term. The provisions of this Agreement shall take effect April 14, 2003, and shall terminate
when all of the Protected Health Information provided by Covered Entity to Business Associate, or
created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to
Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are
extended to such information, in accordance with the provisions in this Section.
(b) Termination for Cause. Upon the parties' mutual agreement that there has been a material
breach by Business Associate which does not arise from any breach by Covered Entity, Covered Entity
shall provide an opportunity for Business Associate to cure the breach or end the violation and terminate
this Agreement if Business Associate does not cure the breach or end the violation within a mutually
agreeable time, or immediately terminate this Agreement if cure of such breach is not possible.
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for
any reason, Business Associate shall return or destroy all Protected Health Information received from
Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business
Associate shall request, in writing, Protected Health Information that is in the possession of
subcontractors or agents of Business Associate.
(2) In the event the Business Associate determines that returning or destroying the Protected
Health Information is infeasible, Business Associate shall extend the protection of this Agreement to such
Protected Health Information, limited to those purposes that make the return or destruction infeasible, for
so long as Business Associate maintains such Protected Health Information.
6. Miscellaneous
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means
the section as in effect or as amended, and for which compliance is required.
(b) Amendment. Upon the enactment of any law or regulation affecting the use or disclosure of
Protected Health Information, or the publication of any decision of a court of the United States or any
state relating to any such law or the publication of any interpretive policy or opinion of any governmental
agency charged with the enforcement of any such law or regulation, either party may, by written notice to
the other party, and by mutual agreement, amend the Agreement in such manner as such party determines
necessary to comply with such law or regulation. If the other party disagrees with such amendment, it
shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to
agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the
Agreement on thirty (30) days written notice to the other party.
(c) Survival. The obligations of Business Associate under section 5(c)(2) of this Agreement shall
survive the termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that
permits both parties to comply with the Privacy Rule. In the event of any inconsistency or conflict
between this Agreement and any other agreement between the parties, the terms, provisions and
conditions of this Agreement shall govern and control.
(e) No third party beneficiary. Nothing express or implied in this Agreement is intended to
confer, nor shall anything herein confer, upon any person other than the parties and the respective
successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
(f) Governing Law. This Agreement shall be governed by and construed in accordance with the
laws of the State of Colorado.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement.
The City of Fort Collins, acting on behalf of the
City of Fort Collins Group Health Plan and the City of Fort Collins Flexible Benefits Plan
By:
Name:
Title:
Date:
MERCER HUMAN RESOURCE CONSULTING, INC.
Date: