2019-097C
Business Associate Agreement
This Business Associate Agreement ("BAA") is made and entered into as of the last date signed
below ("Effective Date") by and between Indian River County Board of County Commissioners,
as plan sponsor of its group health plan ("Covered Entity") and Save On SP, LLC ("Business
Associate"), (individually "Party"; collectively, the "Parties"), in connection with the specialty
pharmacy co-pay assistance program offered and administered by Business Associate through Covered
Entity's pharmacy benefit management arrangement with Express Scripts Holding Company (the
"Program").
RECITALS
WHEREAS, as a result of the administration of the Program, Business Associate will create,
receive, maintain or transmit PHI (as defined herein) on behalf of Covered Entity, or otherwise have access
to PHI to perform its obligations under the Program; and
WHEREAS, the Health Insurance Portability and Accountability Act of 1996 and its implementing
regulations, as may be amended from time to time, and the Health Information Technology for Economic
and Clinical Health Act and its implementing regulations, as may be amended from time to time
(collectively referred to as "HIPAA") requires the Parties to enter into an agreement pertaining to Business
Associate's access, use and disclosure of PHI; and
WHEREAS, the Parties enter into this BAA to satisfy the requirements of HIPAA, including the
requirements for business associate agreements, and to supplement and supersede any conflicting or
inconsistent terms and provisions of the Program subject to HIPAA, including any exhibits or other
attachments thereto and all documents incorporated therein by reference.
NOW THEREFORE, for and in consideration of the recitals above, the Parties' respective
obligations under the Program and this BAA, compliance with HIPAA, and other good and valuable
consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties enter into this
BAA and agree as follows:
SECTION 1 — DEFINITIONS
Capitalized terms used but not otherwise defined in this BAA have the same meaning as those
terms in HIPAA.
1.1 Breach Notification Requirements. "Breach Notification Requirements" means the requirements
of 42 USC § 17932 and the rules issued thereunder, including 45 CFR Part 164, Subpart D.
1.2 Business Associate. "Business Associate" has the same meaning as the term "business associate"
at 45 CFR § 160.103 and, in reference to the Party to this BAA, means SaveonSP.
1.3 Covered Entity. "Covered Entity" has the same meaning as the term "covered entity" at 45 CFR
§ 160.103, and in reference to the Party to this BAA, means client's group health plan.
1.4 Individual. "Individual" has the same meaning as the term "individual" in 45 CFR § 160.103 and
includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.5 Protected Health Information ("PHI"). "Protected Health Information" has the same meaning
as the term "protected health information" in 45 CFR § 160.103, limited, for purposes of this BAA to
information created, received, maintained, transmitted or accessed by Business Associate for or on behalf
of Covered Entity.
1.6 Unsecured Protected Health Information ("Unsecured PHI"). "Unsecured Protected Health
Information" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized
individuals through the use of a technology or methodology specified by the Secretary in guidance issued
under section 13402(h)(2) of Pub. L. 111-5.
SECTION 2 — OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
2.1 Prohibition on Unauthorized Use or Disclosure. Business Associate will not use or disclose PHI
other than as required to perform its obligations pursuant to the Program, as permitted or required by this
BAA, or as required by law.
2.2 Safeguards. Business Associate will implement appropriate administrative, technical, and
physical safeguards (including written policies and procedures) and comply, where applicable, with subpart
C of Part 164 of HIPAA to prevent the use or disclosure of PHI other than as provided for by this BAA.
2.3 Duty to Identify, Mitigate, Document, and Report. With respect to (i) a use or disclosure of PHI
by Business Associate in violation of the requirements of this BAA, (ii) a discovered Breach of Unsecured
PHI, or (iii) a suspected or known security incident, excluding inconsequential incidents that occur on a
daily basis such as scans or "pings" that are not allowed past Business Associate's firewalls (collectively
referred to hereinafter as "Occurrences"), Business Associate agrees:
(a) Identify. To identify and appropriately respond to any suspected or known Occurrences;
(b) Mitigate. Mitigate, to the extent practicable, any harmful effect known to Business
Associate related to any Occurrences;
(c) Document. Document any Occurrences and the outcome;
(d) Report. Report any Occurrences to Covered Entity in writing within ten (10) business
days of the Occurrence; and
(e) Additional Requirements. Comply with the additional requirements of Section 4.1 of
this BAA.
2.4 Subcontractors and Agents. Business Associate agrees to ensure that any subcontractors or
agents that create, receive, maintain, or transmit PHI for the Business Associate on behalf of the Covered
Entity agree in writing to restrictions and conditions that are no less stringent than those that apply to the
Business Associate pursuant to this BAA with respect to such information and will implement reasonable
and appropriate safeguards to protect it. If Business Associate learns of a pattern of activity or practice of
a subcontractor that constitutes a breach or violation of the subcontractor's obligation under the contract or
other arrangement with Business Associate, Business Associate must take reasonable steps to cure the
breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or
arrangement if feasible.
2.5 Access and Amendment of PHI. To the extent that Business Associate maintains PHI in a
designated record set for, or on behalf of, Covered Entity:
Responsibility. Business Associate is responsible to make available and timely respond
to requests to access or amend such PHI, by an Individual or the Individual's designee, and
to otherwise take any measures necessary to satisfy Covered Entity's obligations under
HIPAA.
Limited Delegation of Authority. Covered Entity delegates to Business Associate sole
authority to determine on behalf of Covered Entity whether to deny a request for access or
amendment of such PHI, provided that this delegation is revocable at will by Covered
Entity upon notice to Business Associate.
2.6 Accounting of Disclosures.
(a) Disclosure Tracking and Accounting. Business Associate agrees to document such non-
routine disclosures of PHI, any required information related to such disclosures, and
otherwise maintain and timely provide to Covered Entity or directly to an Individual, upon
request, the information required for an accounting of disclosures in the time and manner
required by, and as otherwise necessary to satisfy Covered Entity's obligations under
HIPAA.
(b) Accounting of Disclosures of Electronic Health Records. If and to the extent Business
Associate uses or maintains an Electronic Health Record that includes PHI, Business
Associate will respond to requests from Individuals for an accounting of disclosures as
described, and in the time and manner required by HIPAA. Business Associate
acknowledges that Covered Entity will, in response to a request for an accounting by an
Individual, provide to Individual a list of business associates and contact information as
permitted by HIPAA.
(c) Survival of Accounting Obligation. Business Associate agrees to maintain an accounting
of disclosures described in subsection (a) above for a period of six (6) years after
termination of this BAA.
2.7 Inspection of Books and Records. Business Associate agrees to make internal practices, books,
and records relating to its use and disclosure of PHI pursuant to the Program or this BAA available to the
Secretary, in a time and manner designated by the Secretary, for purposes of determining compliance with
HIPAA.
2.8 Compliance with HIPAA. Except as otherwise set forth herein, to the extent that Business
Associate is obligated by the Program or this BAA to carry out one or more of Covered Entity's obligations
under HIPAA, Business Associate agrees to comply with those requirements under HIPAA that apply to
Covered Entity in the performance of such obligations.
2.9 Compliance with Standard Transactions and Code Sets. If Business Associate conducts in
whole or part a Transaction for or on behalf of Covered Entity, Business Associate will comply, and will
require any subcontractor or agent involved with the conduct of such Transaction to comply, with each
applicable standard, implementation specification, or other requirement as set forth in HIPAA.
2.10 Demands for Production of PHI.
(a) Receipt by Business Associate. If Business Associate receives a subpoena, civil or
administrative demand, or any other demand for production of PHI, other than an
Individual right request, Business Associate shall provide a copy of such demand to
Covered Entity within five (5) business days of receipt. To the extent the PHI that is the
subject of the demand is in the possession of Business Associate and a response is
warranted according to the standards set forth under HIPAA, Business Associate shall
timely respond to the document demand.
(b) Receipt by Covered Entity. If Covered Entity receives a subpoena, civil or administrative
demand, or any other demand for production of PHI, other than an Individual right request,
Business Associate shall provide to Covered Entity any PHI responsive to such demand
and shall assist and cooperate with Covered Entity in responding to such document demand
in a timely manner and in accordance with the standards set forth under HIPAA.
SECTION 3 — PERMITTED USES AND DISCLOSURES
3.1 Business Associate Services. Business Associate may use or disclose PHI as only required by
law, or as necessary to perform its obligations and services set forth in the Program or this BAA, provided
that such use or disclosure would not violate HIPAA if carried out by Covered Entity.
3.2 Minimum Necessary. Business Associate will comply with the minimum necessary standard as
defined under HIPAA in its uses and disclosures of, and requests for, PHI and, to the extent practicable,
will restrict its uses and disclosures to a Limited Data Set.
3.3 Other Permitted Uses. Business Associate may also, but only if necessary and as specifically
permitted or required by the Program and in accordance with HIPAA, use and disclose PHI as follows:
(i) for the proper management and administration, or to carry out the legal responsibilities, of Business
Associate, provided any disclosures are required by law or Business Associate obtains reasonable
assurances from the person to whom the information is disclosed that the information will remain
confidential and only used or further disclosed as required by law or for the purposes for which it was
disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in
which the confidentiality of the information has been breached; and (ii) if applicable, for the provision of
data aggregation services to the Covered Entity relating to the health care operations of Covered Entity.
SECTION 4 — BREACH IDENTIFICATION AND NOTIFICATION
4.1 Monitoring and Reporting Incidents. Throughout the term of this BAA, Business Associate will
take reasonable steps to monitor the unauthorized acquisition, access, use, and disclosure (subsequently
referred to collectively as use or disclosure) of PHI, and will have a policy that requires any unauthorized
use or disclosure of PHI to be reported promptly to Business Associate's Privacy Officer or designated
individual as well as to Covered Entity.
4.2 Determination Whether Unauthorized Use or Disclosure Constitutes Breach. Upon receiving
a report of unauthorized use or disclosure, Business Associate will undertake a risk assessment to determine
whether the unauthorized use or disclosure constitutes a Breach of Unsecured PHI. Business Associate will
make and retain records of such determinations, including the basis for determinations that unauthorized
uses or disclosures are not Breaches of Unsecured PHI. All risk assessments and determinations will be
shared with Covered Entity as soon as possible, and in no event later than ten (10) business days following
the initial report. Covered Entity will make the final determination as to whether or not the unauthorized
use or disclosure constitutes a Breach and shall be responsible for providing any required notifications.
4.3 Proposed Notice to Covered Entity. If requested by Covered Entity, Business Associate will
provide Covered Entity with a draft of the proposed notice to the Individual(s), HHS, and to the media (if
applicable) as required by the Breach Notification Requirements within a sufficient time prior to the
required distribution of the notice for review and approval by Covered Entity.
SECTION 5 — TERM & TERMINATION
5.1 Term. This BAA is effective as of the date first written above and shall terminate when all PHI is
returned to Covered Entity or, with prior permission of Covered Entity, destroyed or, if it is infeasible to
return or destroy PHI, protections are extended to such PHI in accordance with the termination provisions
of this Section 5.
5.2 Termination for Cause. Covered Entity may terminate this BAA if Covered Entity determines
that Business Associate has breached any provision of this BAA or otherwise violated HIPAA. Covered
Entity will provide written notice to Business Associate and an opportunity for Business Associate to cure
the breach or end the violation within thirty (30) business days of such written notice, unless cure is not
possible. If Business Associate fails to cure the breach or end the violation within the specified time period
or cure is not possible, this BAA shall automatically and immediately terminate, unless termination is
infeasible. Business Associate acknowledges that, if cure is not possible and termination of the BAA is
infeasible, Covered Entity has the right to report the violation to the Secretary.
5.3 Termination after Repeated Violations. Covered Entity may terminate this BAA if Covered
Entity determines that Business Associate has repeatedly breached any provision of this BAA or otherwise
violated HIPAA.
5.4 Obligations Upon Termination. Business Associate's obligations to protect the privacy and
security of PHI shall be continuous and shall survive termination, cancellation, expiration or other
conclusion of this BAA. Upon termination of this BAA:
(a) Except as provided in paragraph (b) of this Section 5.4, Business Associate shall return or,
if Covered Entity gives written permission, destroy PHI in whatever form or medium and
retain no copies of such PHI.
(b) In the event that Business Associate determines that returning or destroying the PHI is
infeasible, Business Associate shall extend the protections of this BAA (and of any
additional requirements imposed by subsequent changes to HIPAA) to such PHI and limit
further uses and disclosures of such PHI to those purposes that make the return or
destruction infeasible for so long as Business Associate maintains such PHI.
SECTION 6 — INDEMNIFICATION AND LIMITATION OF LIABILITY
6.1 Indemnification.
(a) Business Associate shall indemnify and hold Covered Entity harmless from and against
any claims, expenses (including reasonable attorneys' fees) and liabilities arising from
Business Associate's gross negligence or willful misconduct, provided that Business
Associate shall have no indemnity obligation to the extent any such claim is attributable to
Covered Entity's negligence or willful misconduct or breach of its obligations under this
BAA.
(b) Covered Entity shall indemnify and hold Business Associate harmless from and against
any claims, expenses (including reasonable attorneys' fees) and liabilities arising from
Covered Entity's negligence, willful misconduct or breach of this BAA provided that
Covered Entity shall have no indemnity obligation to the extent any such claim is
attributable to Business Associate's gross negligence, willful misconduct or material breach
of its obligations under this BAA.
6.2 Limitation of Liability. BUSINESS ASSOCIATE SHALL NOT HAVE ANY LIABILITY TO
COVERED ENTITY OF ANY TYPE (INCLUDING, BUT NOT LIMITED TO, CONTRACT,
NEGLIGENCE, AND TORT LIABILITY), FOR ANY SPECIAL, INCIDENTAL, INDIRECT,
CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING, BUT NOT LIMITED TO THE LOSS
OF OPPORTUNITY, LOSS OF USE, OR LOSS OF REVENUE OR PROFIT, IN CONNECTION WITH
OR ARISING OUT OF THIS BAA OR THE PROGRAM, EVEN IF SUCH DAMAGES MAY HAVE
BEEN FORESEEABLE, EXCEPT AS MAY OTHERWISE ARISE UNDER APPLICABLE LAW. IN
NO EVENT WILL BUSINESS ASSOCIATE BE LIABLE TO COVERED ENTITY FOR ANY
AMOUNT THAT IN THE AGGREGATE EXCEEDS THE LESSER OF (I) BUSINESS ASSOCIATE'S
SHARE OF THE PROGRAM FEES COVERED ENTITY PAID TO BUSINESS ASSOCIATE UNDER
THE PROGRAM DURING THE PRECEDING TWELVE (12) MONTHS, AND (II) TWO MILLION
DOLLARS. LIABILITY OF COVERED ENTITY SHALL BE ONLY TO THE EXTENT ALLOWABLE
UNDER SECTION 768.28, OF FLORIDA STATUTES. THIS PROVISION IS NOT DEEMED TO BE
A WAIVER OF COVERED ENTITY'S SOVEREIGN IMMUNITY, AS APPLICABLE.
SECTION 7 — MISCELLANEOUS
7.1 Regulatory References. A reference in this BAA to a section of HIPAA means the section as in
effect or as amended and for which compliance is required.
7.2 Ownership of PHI. Business Associate acknowledges and agrees that all PHI subject to the terms
of the Program or this BAA is owned exclusively by Covered Entity, unless such PHI contains confidential
or proprietary information of the Business Associate.
7.3 Amendment. The Parties agree to take such action as is necessary to amend this BAA from time
to time as is necessary for compliance with the requirements of HIPAA or any other applicable law.
7.4 Assignment. Neither Party may assign its respective rights and obligations under this BAA without
the prior written consent of the other Party, except to a parent or subsidiary company.
7.5 Survival. A change, waiver, or discharge of any liability or obligation under this BAA on any one
or more occasions shall not constitute or be deemed a waiver of performance of any continuing or other
obligation or prohibit enforcement of any obligation on any other occasion. In the event that any provision
of this BAA is determined by a court of competent jurisdiction to be invalid or unenforceable, the remainder
of the provisions of this BAA will remain in full force and effect.
7.6 Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with
HIPAA. In the event of an inconsistency between the provisions of this BAA and one or more mandatory
provisions of HIPAA, the HIPAA provisions control. Where provisions of this BAA are different than
those mandated by HIPAA, but are nonetheless permitted, the provisions of this BAA control.
7.7 Third-Party Beneficiaries. This BAA is intended for the benefit of the Parties only. Nothing
express or implied is intended to confer or create, nor be interpreted to confer or create, any rights, remedies,
obligations, or liabilities to or for any third party.
7.8 Business Associate as Independent Contractor. The Parties acknowledge that Business
Associate is an independent contractor and not an agent of Covered Entity.
7.9 Governing Law. This BAA shall be governed by the laws of the State of Florida.
7.10 Notification. To the extent notice is required to be provided under any provision in this BAA,
notice shall be provided to each respective Party as follows:
Covered Entity:
Indian River County Board of County Commissioners
1801 27th Street
Vero Beach, FL 32960
Business Associate:
SaveonSP
Attn: Jody Miller, President
611 Jamison Road, Suite 201
Elma, NY 14059
IN WITNESS WHEREOF, the Parties have each caused this BAA to be executed by an
authorized representative, as of the date [illegible] above.
BUSINESS ASSOCIATE
By:
Name: Jody Miller
Title: President
COVERED ENTITY
By:
Name: Bob Solari
Title: Chairman
Date: July 16, 2019
APPROVED AS TO FORM
AND LEGAL SUFFICIENCY
DYLAN REINGOLD
COUNTY ATTORNEY
Attest: Jeffrey R. Smith, Clerk of
Circuit Court and Comptroller
Deputy Clerk
Date: [illegible]
JOINDER AGREEMENT
THIS JOINDER AGREEMENT is made and entered as of this 1st day of October, 2019 ("Effective Date"), by and
among SAVE ON SP, LLC, a New York Limited Liability Company, having its principal place of business at 611 Jamison
Rd, Suite 201, Elma, New York 14059 ("SaveonSP"), RX BENEFITS, INC., an Alabama corporation, having its principal
place of business at 3700 Colonnade Parkway, Suite 600, Birmingham, Alabama 35243 ("RxBenefits"), and INDIAN
RIVER COUNTY BOARD OF COUNTY COMMISSIONERS ("RxBenefits Client").
WHEREAS, SaveonSP and RxBenefits are parties to a Specialty Drug Co-Pay Assistance Program Agreement,
effective January 1, 2018, and amended from time to time ("Agreement"); and
WHEREAS, SaveonSP and RxBenefits are willing to allow RxBenefits Client to become a party to the Agreement
in order that RxBenefits Client may avail itself of SaveonSP's services under the Agreement.
NOW, THEREFORE, in consideration of the premises and of the covenants and agreements set forth herein and
other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as
follows:
1. Agreement to be Bound. RxBenefits Client shall become a party to the Agreement as of the Effective Date and
shall be fully bound by, and subject to, all of the applicable covenants, terms and conditions of the Agreement
as a party.
2. Implementation of SaveOn Program. SaveonSP shall obtain the historical co-pay credit information from
RxBenefits for RxBenefits Client and communicate to RxBenefits and RxBenefits Client prior to
implementation for invoicing purposes ("historical copay credit"). If such historical co-pay information is not
available, RxBenefits and/or RxBenefits Client shall provide to SaveonSP plan design documentation and
communication prior to implementation.
SaveonSP shall work with RxBenefits and RxBenefits Client to develop the SaveOn Program drug list for
RxBenefits Client and communicate to RxBenefits and RxBenefits Client prior to implementation.
SaveonSP shall provide the additional SaveOn Program Services to RxBenefits Client as set forth in Exhibit A
of the Agreement.
3. Successors and Assigns. This Joinder Agreement shall bind and inure to the benefit of and be enforceable by
the parties, and their respective successors and assigns.
4. Counterparts. This Joinder Agreement may be executed in separate counterparts, each of which shall be an
original and all of which taken together shall constitute one and the same document.
5. Governing Law. This Joinder Agreement shall be governed by and construed in accordance with the laws of
the State of New York.
6. Headings. The headings of this Joinder Agreement are inserted for convenience only and shall not affect the
interpretation of this Joinder Agreement.
IN WITNESS WHEREOF, the parties have executed this Joinder Agreement as of the day and year first above written.
Rx Benefits, Inc.:
By:
Print: Lauren Simmons
Title: Director of Compliance and Legal Affairs
Date: [illegible]
Save On SP, LLC:
By:
Print: [illegible]
Title: [illegible]
Date:
RxBenefits Client
By:
Print: Bob Solari
Title: Chairman
Date: July 16, 2019
APPROVED AS TO FORM
AND LEGAL SUFFICIENCY
BY
DYLAN REINGOLD
COUNTY ATTORNEY
Attest: Jeffrey R. Smith, Clerk of
Circuit Court and Comptroller
Deputy Clerk