Addenda - RFP - P902 BENEFITS
Administrative Services
Human Resources Department
City of Fort Collins
April 10, 2003
Ms. Betty Weaver
Vision Service Plan
1050 17th Street, Suite 1885
Denver, CO 80265
RE: HIPAA Compliance Documents
Dear Betty:
Enclosed are the following HIPAA compliance documents:
• Verification of Plan Amendment — one copy
• Business Associate Agreement — two copies
Please sign both copies of the Business Associate Agreement, and return one to me for our files.
Thank you for your assistance.
Very truly yours,
Vincent H. Pascale, Jr.
Benefits Administrator
215 North Mason • P.O. Box 580 • Fort Collins, CO
Verification of
Adoption of Plan Document Regarding HIPAA Privacy Compliance
for the City of Fort Collins Group Vision Plan
The Plan Sponsor of the above referenced Plan hereby verifies to Vision Service Plan, that the
Plan Sponsor has adopted a plan document or amended its plan document to incorporate the
provisions of 45 CFR §164.504(f)(2) and that the Plan Sponsor has agreed to be bound by such
adopted or amended plan document and the provisions of 45 CFR §164.504(f)(2) and other
applicable parts of the privacy regulation.
The Plan Sponsor acknowledges that by signing this verification, the Plan Sponsor is
representing and warranting that the Plan Sponsor has taken action that is reasonably necessary
to establish and maintain the Plan Sponsor's compliance with the adopted or amended plan
document and with the applicable provisions of the HIPAA privacy regulation.
Name: James B. O'Neill II, CPPO
Director of Purchasing and Risk Management
April 10, 2003
City of Fort Collins Group Health Plan
Business Associate Agreement with
Vision Service Plan
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing
regulations prohibit The City of Fort Collins Group Health Plan ("Covered Entity") from disclosing
Protected Health Information ("PHI") to a business associate ("Business Associate") without adequate
satisfactory assurance that the information will be appropriately safeguarded. Since, under 45 CFR
§164.504(e)(1), the Vision Service Plan ("VSP") is a Business Associate that may receive PHI, as that
phrase is defined in the regulations, it is mandatory that VSP fully comply with the terms and conditions
set forth below. The parties agree that this Agreement shall be incorporated into any existing or future
contracts and shall be construed as a material requirement of any business association or action whether
by written contract or otherwise. In the event of any conflict between this Agreement and any written
terms and conditions of any other agreement, this Business Associate Agreement shall govern with
regard to HIPAA issues only.
The parties agree, subject to subparagraph VIII (c) to modify this Agreement upon the issuance of or
change in applicable local, state, or federal statutes, rules and regulations or orders of the courts ("law")
affecting the confidentiality and/or privacy of patient Records.
I. Definitions. Capitalized terms in this Agreement are defined in the text or as follows:
a) "Agreement" means this Agreement, as well as the underlying agreement that this agreement
is a part of, and to which this agreement may be incorporated by reference.
b) "Covered Entity" means (1) a health plan (as defined in 45 CFR §160.103), (2) a health care
clearing house (as defined in 45 CFR §160.103), or a health care provider who transmits any
health information in electronic form in connection with a transaction covered by the
regulations issued under the administrative simplification provisions of HIPAA (45 CFR
Subtitle A, Subchapter C).
c) "Designated Record Set" means PHI maintained by or for Covered Entity including but not
necessarily limited to the enrollment, payment, claims, adjudication, case or medical
management records, and any other record used, in whole or in part, to make decisions
about Individuals.
d) "Individual" means a person who is the subject of PHI and shall include a person who
qualifies as a personal representative in accordance with 45 CFR §164.502(g).
e) "Protected Health Information" or "PHI" means individually identifiable health information that
is or has been electronically maintained or electronically transmitted by a covered entity, as
well as such information when it takes on other form that is (1) Created or received by a
health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to
the past, present or future physical or mental health or condition of an individual, the
provision of health care to an individual, or the past, present, or future payment of health care
to an individual. (3) PHI excludes individually identifiable health information in (i) Education
records covered by the Family Educational Right and Privacy Act, as amended, 20 USC
1232g; (ii) Records described at 20 USC 1232g(a)(40)(iv); and (iii) Employment records
held by a covered entity in its role as employer.
II. Obligations and Activities of VSP
The parties agree and acknowledge that VSP, in performing its services hereunder, may receive
from Covered Entity PHI. VSP agrees that it will:
a) Not use or further disclose the information other than as permitted or required by the
Agreement or required by law;
b) Use appropriate safeguards to prevent use or disclosure of the information other than as
provided for by this Agreement;
c) Agree to mitigate, to the extent practicable, any harmful effect that is known to VSP of a use
or disclosure of PHI by VSP in violation of the requirements of this Agreement;
d) Agree to immediately report to Covered Entity any use or disclosure of the PHI not provided
for by this Agreement of which it becomes aware;
e) Agree to ensure that any subcontractors or agents to whom VSP provides PHI received from
Covered Entity, or created or received by VSP on behalf of Covered Entity, agree to the
same restrictions and conditions that apply to VSP with respect to such information;
f) Agree to provide access, at the request of Covered Entity, within 30 calendar days, to PHI in
a Designated Record Set, to Covered Entity or, as directed by Covered Entity to an Individual
in order to meet the requirements under 45 CFR §164.524;
g) Agree to make any amendment(s) to PHI in a Designated Record Set that Covered Entity
directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an
Individual, and to do so within 30 calendar days;
h) Make its internal practices, books, and records relating to the use and disclosure of PHI
including policies and procedures and PHI received from, or created by VSP on behalf of the
Covered Entity, available to the Secretary of Health and Human Services (or any officer or
employee to whom authority has been delegated) and to the Covered Entity for purposes of
determining compliance with applicable federal law;
i) Agree to document such disclosures of PHI and information related to such disclosures as
would be required for the Covered Entity to respond to a request by an Individual for an
accounting of disclosures of PHI in accordance with 45 CFR §164.528;
j) VSP agrees to provide to the Covered Entity or an Individual, within 30 calendar days,
information regarding the receipt of PHI by VSP from the Covered Entity on the Individual in
order to permit the Covered Entity to respond to a request by an Individual for an accounting
of disclosures of PHI in accordance with 45 CFR §164.528.
III. Permitted Uses and Disclosures by VSP
a) Except as otherwise limited in this Agreement, VSP may use or disclose PHI to perform
functions, activities or services for, or on behalf of, the Covered Entity, pursuant to the
Agreement between the Covered Entity and VSP, provided that such use or disclosure would
not violate the Privacy rule if done by the Covered Entity or the minimum necessary policies
and procedures of the Covered Entity;
b) Except as otherwise limited in this Agreement, VSP may use PHI to provide Data
Aggregation services to the Covered Entity as permitted by 42 CFR §164.504(e)(2)(i)(B);
c) VSP may use PHI to report violations of law to appropriate Federal and State authorities,
consistent with §164.502(j)(1).
IV. Obligations of Covered Entity
a) Covered Entity shall notify VSP of any limitation(s) in its Notice of Privacy Practices of Covered
Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect VSP's
use or disclosure of PHI;
b) Covered Entity shall notify VSP of any changes in, or revocation of, permission by Individual to
use or disclose PHI, to the extent that such changes may affect VSP's use or disclosure of PHI;
c) Covered Entity shall notify VSP of any restriction to the use or disclosure of PHI that Covered
Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may
affect VSP's use or disclosure of PHI.
V. Permissible Requests by Covered Entity
a) Covered Entity shall not request VSP to use or disclose PHI in any manner that would not be
permissible under the Privacy Rule if done by Covered Entity.
VI. Term and Termination
a) At termination of the contract or business arrangement, VSP will, if feasible, return or destroy
all PHI received from, or created or received by VSP on behalf of Covered Entity that VSP
still maintains in any form. VSP agrees it will retain no copies of such PHI or, if such return or
destruction is not feasible, extend the protections of its contract to the information and limit
further uses and disclosures to those purposes that make the return or destruction of the
information infeasible.
b) Term. The Term of this Agreement shall be effective as of April 14, 2003, and shall
terminate when all of the PHI provided by Covered Entity to VSP, or created or received by
VSP on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is
infeasible to return or destroy PHI, protections are extended to such information, in
accordance with the termination provisions in this section.
c) Termination for Cause. Covered Entity may terminate its contract(s) or business association
with VSP if Covered Entity determines that VSP has violated a material term of the contract,
to include this Agreement.
VIII. Miscellaneous
a) Indemnification. VSP agrees to and shall indemnify and hold harmless Covered Entity, its Board
of Trustees, officers, agents, employees and personnel against any and all claims, demands,
suits, losses, causes of action, or liability which Covered Entity may sustain as a result of VSP's
material breach of its duties within the terms of this Agreement, or liability of Covered Entity for
any act or conduct of VSP adjudged to constitute fraud, misrepresentation, or violation of any law,
including violation of any statute or regulation.
b) Policies and Procedures. The parties acknowledge that the contract or business association is
subject to all applicable bylaws, rules and regulations, and written or published policies and
procedures of Covered Entity regarding privacy and information handling. VSP agrees to be
bound by such policies as may be in effect and changed from time to time as though they were a
part of any contract and after the date hereof.
c) Legal Requirements. The parties recognize that this Agreement is subject to and agree to
comply with applicable local, state and federal statutes and rules and regulations, and orders of
the courts. Any provision of applicable statutes, rules and regulations, or court orders, whether
now existing or enacted or promulgated after the effective date of this Agreement, that invalidate
any term of this Agreement, that are inconsistent with any term of it, or that would cause
performance hereof by one or both of the parties hereto to be in violation of law shall be deemed
to have superseded the terms of this Agreement and this Agreement shall be automatically
amended to achieve compliance with applicable law; provided, however, that if such amendment
does not preserve in all material respects the underlying economic and financial arrangements
between the parties, the contract may be terminated by written notice by either party.
d) Audit of Records. Covered Entity's audit of VSP's records, or any waiver of its right to do so,
does not relieve VSP of its responsibilities under this Agreement and any liability for violations of
law or regulations.
e) Amendment. The parties agree to take such action as is necessary to amend this Agreement
from time to time as is necessary for Covered Entity to comply with the requirements of the
Privacy Rule and HIPAA.
f) Survival. The respective rights and obligations of VSP under Section (II) of this Agreement shall
survive the termination of this Agreement.
g) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to
comply with the Privacy Rule.
In witness whereof, the undersigned acknowledge that they have read this Agreement and commit to be
bound by its terms and conditions.
COVERED ENTITY
City of Fort Collins Group Health Plan
Signature of Covered Entity Representative
James B. O'Neill II, CPPO
Director of Purchasing and Risk Management
Printed Name of Covered Entity Representative
Signature Date
BUSINESS ASSOCIATE
Vision Service Plan
Signature of Business Associate Representative
Gary Brooks,
Senior Vice President VSP Operations
Printed Name of Business Associate Representative
Signature Date