2017-121E
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is made and effective
this 1st day of October, 2017 (the "Effective Date"), by and between the Southeast Series of
Lockton Companies, LLC ("Lockton"), Indian River County ("Client") and the group health
plan(s) maintained by Client ("Plan").
WHEREAS, Plan has engaged Lockton to provide certain health and welfare insurance
brokerage and/or consulting services that may include, as applicable, Pharmacy Analytic
Services, InfoLock® Services and other consulting services as mutually agreed to by the parties
(collectively, "Services"), which may or will necessitate Disclosure of Protected Health
Information as defined per 45 C.F.R. 160.103 ("PHI") to Lockton; and
WHEREAS, the parties to this Agreement are committed to compliance with the Privacy,
Security, Breach Notification, Standard Transactions and Enforcement Rules of the Health
Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing
regulations at 45 C.F.R. Parts 160 to 164 ("HIPAA Regulations") and any current and future
regulations promulgated under HIPAA or the Health Information Technology for Economic and
Clinical Health Act as incorporated in the American Recovery and Reinvestment Act of 2009
(the "HITECH Act");
WHEREAS, Client is authorized to enter into this agreement on behalf of Plan;
NOW, THEREFORE, in consideration of the foregoing recitals and other good and
valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties
hereby agree to maintain the privacy and security of PHI as set forth herein:
ARTICLE 1. DEFINITIONS
Definitions of words used in this Agreement will be governed by HIPAA.
"InfoLock® Services" means the performance of data analytic consulting
services for the Client, including but not limited to: medical and pharmacy claims, Health
Risk Assessment and biometric screening information to identify possible trends in
chronic disease, high-cost claims, and utilization patterns.
"Pharmacy Analytics Services" means the performance of consulting services
for the Client, including but not limited to: data modeling, benchmarking, auditing,
marketing of the program or Requests for Proposals (RFP), diagnostic analysis, reporting
and related pharmacy financial and clinical information consulting services.
"Privacy Rule" means the Standards for Privacy of Individually Identifiable
Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
"Secretary" means the Secretary of Health and Human Services (HHS) or any
other officer or employee of HHS to whom the authority involved has been delegated.
Lockton Business Associate Agreement_rev42015
"Security Rule" means the Security Standards and Implementation
Specifications at 45 C.F.R. Parts 160 and 164, Subparts A and C.
"Standards for Electronic Transactions Rule" means the final regulations
issued by Health and Human Services concerning standard transactions and code sets
under the Administrative Simplification provisions of HIPAA, 45 C.F.R. Parts 160 and
162.
All terms used, but not otherwise defined, in this Agreement shall have the same
meaning as those terms in the HIPAA Rules.
ARTICLE 2. OBLIGATIONS AND ACTIVITIES OF LOCKTON
2.1 Lockton agrees to not Use or further Disclose PHI other than as permitted or
required by this Agreement or as Required By Law.
2.2 Lockton agrees to use appropriate safeguards to prevent the Use or Disclosure of
the PHI other than as provided for by this Agreement.
2.3 Lockton agrees to implement administrative, physical, and technical safeguards
and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI.
2.4 Lockton agrees to notify the Plan of any Security Incident or Use or Disclosure of
PHI not permitted by this Agreement of which Lockton is aware, including any Breach of
Unsecured PHI as required by 45 C.F.R. 164.410. Such notice shall be provided within three (3)
business days and shall include, to the extent possible, information that is required to be included
in notification to the individual under 45 C.F.R. 164.404.
2.4.1 Lockton and Plan agree that unsuccessful attempts at unauthorized access or
system interference occur frequently and that there is no significant benefit for data
security from requiring the documentation and reporting of such unsuccessful intrusion
attempts. In addition, both parties agree that the cost of documenting and reporting such
unsuccessful attempts as they occur would outweigh any potential benefit gained from
reporting them. Consequently, both Lockton and Plan agree that this Agreement shall
constitute the documentation, notice and written report of such unsuccessful attempts at
unauthorized access or system interference as required above and by 45 C.F.R. Part 164,
Subpart C and that no further notice or report of such attempts will be required. By way
of example (and not limitation in any way), the Parties consider the following to be
illustrative (but not exhaustive) of unsuccessful Security Incidents when they do not
result in unauthorized access, use, disclosure, modification, or destruction of e-PHI or
interference with an information system:
1. Pings on a Party's firewall,
2. Port scans,
3. Attempts to log on to a system or enter a database with an invalid
password or username,
4. Denial-of-service attacks that do not result in a server being taken off-line,
and
5. Malware (e.g., worms, viruses).
Otherwise, Lockton will document as required by 45 C.F.R. Part 164, Subpart C and
report to Client (i) any successful unauthorized access, use, disclosure, modification, or
destruction of Plan's Electronic Protected Health Information of which Lockton becomes
aware, or (ii) any successful unauthorized interference with system operations in
Lockton's Information System containing Plan's Electronic Protected Health Information
of which Lockton becomes aware. Such reports will be provided within ten (10) business
days of when Lockton becomes aware of the incident.
2.5 Lockton may disclose PHI to subcontractors, vendors and/or other third parties,
including affiliates of Lockton, to the extent necessary to perform the Services. To the extent any
subcontractor, vendor and/or other third party creates, receives, maintains or transmits PHI of the
Plan on behalf of Lockton, Lockton agrees to ensure that any such subcontractor, vendor and/or
other third party agrees in writing to the same restrictions and conditions that apply to Lockton
with respect to such PHI.
2.6 To the extent any affiliate of Lockton creates, receives, maintains or transmits
PHI of Plan to provide Services to Client pursuant to this Agreement, Lockton agrees to ensure
that such affiliate agrees in writing to the same restrictions and conditions that apply to Lockton
with respect to such PHI.
2.7 At the request of the Plan, Lockton agrees to provide access to PHI in a
Designated Record Set, as directed to an Individual in order to meet the Plan's obligations under
45 C.F.R. 164.524.
2.8 Lockton agrees to make any amendment(s) to PHI in a Designated Record Set as
directed by or agreed to by Plan and to take any other measures necessary to satisfy the Plan's
obligations pursuant to 45 C.F.R. 164.526.
2.9 Lockton agrees to make internal practices, books, and records, relating to the Use
and Disclosure of PHI received from, or created or received by Lockton on behalf of, the Plan
available to the Secretary, in a time and manner mutually agreed upon by Lockton and the Plan
or as designated by the Secretary, for purposes of the Secretary determining the Plan's
compliance with HIPAA.
2.10 Lockton agrees to document such Disclosures of PHI and, provide such
information to Plan as would be required for the Plan to respond to a request by an individual for
an Accounting of Disclosures of PHI in accordance with 45 C.F.R. 164.528.
2.11 To the extent Lockton is to carry out one or more of Plan's obligations with
respect to HIPAA, Lockton will comply with the requirements of HIPAA in the performance of
such obligations.
ARTICLE 3. PERMITTED USES AND DISCLOSURES BY LOCKTON
Lockton will Use or Disclose PHI including, without limitation, claim, eligibility,
financial and other data received from, or created or received on behalf of Plan consistent with
the minimum necessary requirements applicable to Plan set forth in 45 C.F.R. 164.514(d) and
only:
3.1 As permitted or required by this Agreement or applicable law, or to perform
Services on behalf of Client and Plan as described in this Agreement, but not in such a manner
that would violate HIPAA.
3.2 For the proper management and administration of Lockton or to carry out the
responsibilities of Lockton, provided that Lockton will only Disclose PHI pursuant to this
Paragraph 3.2 where such Disclosure is Required By Law or Lockton obtains reasonable
assurances from the person to whom the PHI is Disclosed that it will remain confidential and
Used or further Disclosed only as Required By Law or for the purpose for which it was
Disclosed to the person, and the person notifies Lockton of any instances of which it is aware in
which the confidentiality of the information is breached;
3.3 To create de-identified information in compliance with 45 C.F.R. 164.514(a)-(c).
Once PHI has been de-identified, it shall no longer be considered PHI and shall not be subject to
the confidentiality obligations or restrictions on Disclosure set forth in this Agreement unless
otherwise required by law;
3.4 To provide Data Aggregation Services on behalf of the Plan, including, without
limitation, Disclosure of PHI to subcontractors, vendors and/or other third parties, as may be
necessary to allow Lockton to perform the Services; to Use and store PHI in a benchmark
database; and to Disclose de-identified and disassociated data for population benchmarking and
normative reporting purposes.
3.5 To Use PHI to report violations of law to appropriate Federal and State authorities
consistent with the Privacy Rule;
3.6 As Required by Law.
ARTICLE 4. OBLIGATIONS OF CLIENT
4.1 Client shall make all necessary amendments to Plan documents to permit Use and
Disclosure of PHI by Lockton as described in this Agreement.
4.2 Client shall provide Lockton with a list of person(s) ("Designee") who perform
functions for the Plan or for the Client as Plan Sponsor to whom it is permissible for Lockton to
Disclose PHI. To the extent Client has limited the amount of PHI that may be Disclosed to a
Designee, Client shall notify Lockton of such limitation. Client shall immediately notify
Lockton of any changes in a Designee or the extent of PHI that may be disclosed to a Designee.
4.3 Client shall provide Lockton with the Plan's notice of privacy practices, as well as
any changes to such notice. Client shall ensure that such notice of privacy practices permits the
Use and Disclosure of PHI by Lockton as described in this Agreement.
4.4 Client will provide necessary authorization or instruction to the administrator of
the Plan to facilitate the release of PHI to Lockton.
4.5 Client shall provide Lockton with any changes in, or revocation of, permission by
an individual to Use or Disclose PHI, if such changes affect Lockton's Use or Disclosure of PHI
under this Agreement.
4.6 Client shall notify Lockton of any restriction to the Use or Disclosure of PHI that
the Client has agreed to on behalf of the Plan in accordance with 45 C.F.R. 164.522.
4.7 Client shall not request Lockton Use or Disclose PHI in any manner that would
not be permissible under HIPAA if done by the Plan.
4.8 Client will not Use or Disclose any information received from Lockton for
employment-related actions and decisions or in connection with any other benefit or employee
benefit plan of Client.
ARTICLE 5. TERM AND TERMINATION OF THE AGREEMENT
5.1 Term. This Agreement shall be effective as of the Effective Date. This
Agreement shall continue until all of the PHI provided by the Plan to Lockton, or created or
received by Lockton on behalf of the Plan, is destroyed or returned to the Plan, unless otherwise
terminated as described in Paragraph 5.2.
5.2 Termination for Cause. If Lockton violates any material term of this
Agreement, the Client shall provide an opportunity for Lockton to cure the breach or end the
violation. If Lockton does not cure the breach or end the violation within 90 days, Client may
immediately terminate this Agreement.
5.3 Effect of Termination.
(A) Upon termination of this Agreement and consistent with Florida Law,
Lockton shall, if feasible, return or destroy all PHI received from the Plan, or created or received
by Lockton on behalf of the Plan. This provision shall also apply to PHI that is in the possession
of subcontractors, vendors and/or other third parties engaged by Lockton to assist in the
provision of Services. Lockton shall retain PHI only as described in Subparagraph (B) below.
(B) Lockton shall retain only that PHI for which return or destruction is
infeasible or retention is necessary for Lockton to continue its proper management and
administration or to carry out its legal responsibilities. Lockton shall continue to use appropriate
safeguards, comply with HIPAA, and adhere to the terms of this Agreement with respect to PHI
for as long as Lockton retains the PHI.
ARTICLE 6. MISCELLANEOUS PROVISIONS
6.1 Regulatory Reference. A reference in this Agreement to a section in HIPAA or
to a section of the Code of Federal Regulations means the section as in effect or as amended, and
for which compliance is required.
6.2 Amendment. The Client and Lockton agree to take such action as is necessary to
amend this Agreement from time to time as is necessary for the Plan to comply with the
requirements of HIPAA, including the provisions of HITECH. This Agreement may be
amended by the Client and Lockton by the express mutual written agreement of both parties.
This Agreement contains the entire Business Associate Agreement between the parties and
supersedes all other understandings and agreements, oral or written, between the parties
regarding privacy of PHI.
6.3 Survival. The respective rights and obligations of Lockton under Paragraph 5.3
of this Agreement shall survive the termination of this Agreement.
6.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a
meaning that permits the Plan and Lockton to comply with HIPAA. When a section of the
Agreement calls for Lockton to respond to a request from the Plan in conjunction with a
regulation specifically cited in the section, Lockton may rely on the Plan's request as verification
by the Plan that the request is made in compliance with the regulation. Lockton is not
responsible for confirming that the Plan's request is made in compliance with the specific
regulation.
6.5 Indemnification. Lockton shall indemnify Client and hold harmless against any
loss, cost, damage, claim or expense (including reasonable attorney's fees) arising from the
party's improper Use and/or Disclosure of PHI through negligence or intentional wrongdoing or
from breach of this Agreement.
6.6 Governing Law and Venue. This Agreement shall be governed by HIPAA and,
where not covered by HIPAA or other federal law, the laws of the State of Florida. Venue of
any dispute shall be in Indian River County and if in Federal Court, the Southern District of
Florida.
6.7 Terms. Where the context of the Agreement requires, the singular shall include
the plural and the masculine gender shall include the feminine. Headings or titles of sections are
for general information only and this Agreement shall not be construed by reference to such
titles.
6.8 Assignment. This Agreement shall be binding upon and inure to the benefit of
the parties hereto and their respective successors and permitted assigns. If any provision of this
Agreement is held invalid or unenforceable, such invalidity or unenforceability shall not affect
any other provision, and this Agreement shall be construed and enforced as if such provision had
not been included.
6.9 Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than Lockton, or the
Client and their respective successors or assigns, any rights, remedies, obligations or liabilities
whatsoever.
This Agreement is executed and effective on the Effective Date first written above.
Southeast Series of Lockton Companies, LLC
By:
Title: EVP
Date: / 7
Indian River County, on behalf
and Client
By:
o ep E. escher-ede .:
Chairman, Board of County Commissioners
Date:
ATTEST: Jeffrey R. Smith, Clerk of Court and Comptroller
APPROVED AS TO FORM AND LEGAL SUFFICIENCY
BY:
BY
AN REINGOLD
COUNTY ATTORNEY
ason E. Brown
County Administrator