5.i) Southwest West Central HSA Master Service Agreement 2014Southwest/West Central Service Cooperative
HSA Master Service
Agreement
With MII Life Incorporated d/b/a
SelectAccount
SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE
HSA MASTER SERVICE AGREEMENT
WITH
Mil LIFE INCORPORATED
This HSA Master Service Agreement (the "Agreement") is between MII Life, Incorporated dba
SelectAccount ("SelectAccount"), and Southwest/West Central Service Cooperative (the
"Service Cooperative"), for the benefit of itself and other public Employers that are participant
members of the Service Cooperative (the "Employer" or "Employers"). SelectAccount and the
Service Cooperative (or an Employer, in the case of an adopting Employer) may be referred to
jointly as the "Parties," or individually as a "Party." The purpose of this Agreement is to
provide uniform pricing, services, terms, and conditions for the administration of health savings
accounts ("HSAs") that are established by employees of the Employers. The Agreement is
established pursuant to the authority of the Service Cooperative to engage in cooperative
purchasing services under Minnesota Statutes Section 123A.21.
This Agreement is effective as of January 1, 2014. Fee increases for Employers adopting this
agreement shall be effective on the renewal date for each Employer's HSA -eligible high
deductible health ("Plan"). SelectAccount will provide the services described herein for HSAs
and Employers at any time during the term of this Agreement. SelectAccount is not an
attorney, tax advisor or investment advisor and does not render legal, tax or investment advice
in connection with the creation, adoption or operation of HSAs. Employers will seek the advice
of counsel, as needed, as to matters that might arise in connection with design, adoption or
operation of their employee benefit and compensation arrangements, including agreements to
contribute or permit contributions to HSAs on behalf of employees. .
SelectAccount is a corporation organized and domiciled in Minnesota and is authorized by law
to provide HSA custodian and administrative services.
1
SERVICES TO BE PROVIDED BY SELECTACCOUNT
SelectAccount agrees to provide the services described below in exchange for the payment of
the administrative fees set forth in Attachment A.
1. Administrative Services.
a. The Employer has chosen SelectAccount as the HSA custodian for contributions
by employees and the Employer. Once the contributions are deposited into the
HSA, an HSA accountholder is free to request a distribution of the funds or to
transfer them to another HSA custodian or trustee. The Employer does not
sponsor or maintain the HSAs. The HSA accountholder is responsible for the
establishment of the HSA, entering into an agreement with the HSA custodian or
trustee and following the terms of that agreement.
b. SelectAccount will accept HSA contributions and deposit the funds into the HSA
established by the HSA accountholder as soon as administratively feasible.
C. SelectAccount will arrange for initial employee enrollment communication
meetings at client's request. Any meeting held at a location outside Minnesota
will be subject to an additional charge, as set forth in Attachment A.
d. SelectAccount will provide general administrative, accounting, record keeping,
fiscal and other related services in connection with funding the HSA's.
e. SelectAccount will record contribution additions, changes, and terminations
permitted under the HSA Benefit. Employer will furnish this information to
SelectAccount in a format acceptable to SelectAccount.
f. SelectAccount will provide Employers secure web portal to administer
enrollment, payrolls, reports, Employer profile, secured Email messaging and
other functions needed for administration of HSA contributions.
g. SelectAccount will provide HSA accountholders with SelectAccount and
Minnesota Service Cooperatives cobranded secure web portal and interactive
voice response "IVR" access to account balance information, transaction history,
investment performance, investment realignment options, and secured Email
messaging.
h. Preferred Electronic Pricing Incentives. Prices will vary based on attainment by
Employers with certain electronic communications and payment standards.
Targets for preferred pricing are as follows:
2
Preferred Requirements
2014
2015
2016
2017
Group Portal Utilization
Account holders on ACH
Account holders on Crossover or Debit Card
100%
45%
90%
100%
60%
100%
100%
70%
100%
100%
90%
100%
Utilize electronic communication with account holders whenever possible
2
For Plan years beginning in 2014, all Employers will receive preferred pricing
under Table 1 of Attachment A (or Table 3, for those Employers that do not have
group health plan coverage through the Service Cooperatives), whether or not
they meet the targets for the Plan year. In the fourth quarter of Plan years
beginning in 2014, the Service Cooperative and Employers will receive a report
showing which groups have met the goals and which ones have not. Those
groups that have not met 2014 goals will be assessed the higher rates in Table 2
(or Table 4, for those Employers that do not have group health plan coverage
through the Service Cooperatives), for the entire Plan year beginning in 2015.
Rates will be determined going forward in the same manner using the chart
above and Tables 1 through 4 of Attachment A.
2. Documents
SelectAccount shall provide the reports, documents, and testing described in this
section via electronic format whenever possible. If electronic distribution by
SelectAccount is available, the Plan Administrator may still request and receive paper
mailing and distribution subject to additional fees paid by the Plan Administrator.
a. SelectAccount will provide communication materials necessary to communicate
the HSA Benefit to employees. SelectAccount will provide an employee brochure
(pre -enrollment) and verification packet (post -enrollment) for distribution to
employees by the Employer.
b. SelectAccount shall furnish enrollment and contribution election forms and HSA
participation agreements.
3
LIMITATION OF LIABILITY AND INDEMNIFICATION
1. Employer agrees that all information supplied to SelectAccount by Employer will be
accurate and that SelectAccount may reasonably rely upon it without any obligation for
further inquiry. Employer will be responsible for any losses or damages, including
adverse tax consequences, resulting from any action taken or not taken by
SelectAccount in reliance on such information except as a result of an act or omission by
SelectAccount that was criminal, fraudulent, dishonest or grossly negligent. Employer
agrees to hold SelectAccount harmless and to indemnify SelectAccount from any such
losses or damages, including payment of reasonable attorney's fees, except as
otherwise limited above.
2. SelectAccount will perform its duties and obligations under this Agreement in a timely
fashion and with the requisite level of care. SelectAccount agrees to hold Employer
harmless and to indemnify Employer from any losses or damages, including payment of
reasonable attorney's fees, incurred as a result of any an act or omission by
SelectAccount that was criminal, fraudulent, dishonest or grossly negligent.
3. SelectAccount is not, in any way, to be deemed an insurer, underwriter or guarantor
with respect to any HSA Benefit. Nothing in this Agreement shall be deemed to impose
upon SelectAccount any obligation to any employee of Employer or any participant in
the HSA Benefit.
4
TERM AND TERMINATION
1. Service Year. It is intended that the Service Years under this Agreement correspond to
the Plan years for each Employer. The initial Service Year of this Agreement will begin on the
first day of the Plan year that begins on or after January 1, 2014, and will end on the last day of
the 12th month thereafter. Pricing is guaranteed for each Employer for a period of four (4)
years from the first day of the Plan year beginning on or after January 1, 2014. By way of
example, pricing will be guaranteed for Employers with Plan years that begin on January 1,
2014 until December 31, 2017.This Agreement replaces and supersedes all prior Agreements, if
any, between SelectAccount and Employer with respect to the subject matter of this
Agreement, effective as of the next Service Year for the applicable Plan(s). Each Service Year for
adopting Employers shall be as reflected in the applicable Adoption Agreement.
2. Automatic Renewal. This Agreement will automatically renew for an additional Service
Year on the day following the last day of the prior Service Year unless the Parties have replaced
this Agreement with a new Agreement or this Agreement is terminated as outlined below. If
the Agreement is renewed for an additional Service Year, the Parties will be obligated to
provide services and make payments for services as set forth in this Agreement and the
Attachments.
3. Termination for Material Breach. Either Party may terminate this Agreement effective
upon written notice to the other Party in the event of material breach, which includes, but is
not limited to, (a) failure to pay any amounts when due under this Agreement so long as such
default is not cured within a mutually agreed upon time period, or SelectAccount has a
reasonable expectation that such default will not be cured, and (b) failure to provide services
under this Agreement. In all situations where a Party elects to terminate this Agreement as a
result of the material breach of the other Party, the non -breaching Party may, in its sole
discretion, provide the breaching Party with a grace period to cure its breach, but such grace
period shall not waive any of the rights or remedies the non -breaching Party has against the
breaching Party. For clarification and not in limitation of the foregoing, adopted agreements
shall be deemed separate and binding agreements between adopting Employers and
SelectAccount, and shall be deemed to survive termination of this Agreement or any other
adopted Agreement unless terminated separately according to their own terms.
4. Termination without Cause. This Agreement (or, as applicable, any adopted Agreement)
may be terminated by SelectAccount, the Service Cooperative, or an adopting Employer (with
respect to their interest) at any time, by giving written notice to the other Party at least sixty
(60) days prior to the termination date.
5. Obligations after Termination. SelectAccount will have no responsibility to provide
services to Employer after the termination of this Agreement.
5
GENERAL TERMS
1. Assignment of the Agreement. This Agreement may not be assigned by SelectAccount or
Employer without the prior written consent of the other Party, which will not be unreasonably
withheld. Any attempt to assign, in total, the rights, duties or obligations under this Agreement
without such consent will be void and may, at the option of the other Party, constitute a material
breach. Notwithstanding this prohibition on assignment of the entire Agreement, either Party
may subcontract with another entity to perform specific services described herein (whether or
not the right to subcontract has been specifically reserved) without consent of the other Party but
will remain wholly responsible for the performance of such subcontracted services.
2. Notices. All notices required or permitted to be given by this Agreement will be in
writing, and shall be deemed given when either personally delivered, sent by first class mail or
overnight delivery to a Party at the respective addresses stated below:
Employer: SelectAccount will retain on file all contact and address
information for adopting Employers. Notices to the Service
Cooperative shall be sent to the following address:
Southwest/West Central Service Cooperative
Attention: Cliff Carmody
1420 East College Drive
Marshall, MN 56258
SelectAccount: Via hand delivery or courier:
Reed Erickson
Vice President Compliance and Risk Management
1200 Yankee Doodle Road, Route S1-40
Eagan, MN 55121-2202
Via U.S. Mail:
Box 64193
Route S1-40
St Paul, MN 55164
A Party may change its address for receiving notices upon ten (10) days advance written
notice to the other Party.
3. Severability. If any provision of this Agreement is held to be invalid, illegal or
unenforceable, the validity, legality or enforceability of the remaining provisions will not in any
way be affected or impaired thereby.
4. Status of an Independent Contractor. The Parties make this Agreement and will function
as independent contractors and not as an agent of one another. Neither Party will state or imply
M
the contrary to anyone. The employees and agents of each Party will not be treated for any
purpose as the agents or employees of the other Party.
5. Mandatory Arbitration. Employer and SelectAccount agree that any dispute related to or
arising between the Parties under this Agreement will be subject to mandatory, binding
arbitration to be held in the county of Dakota, state of Minnesota. The arbitration panel will
consist of three arbitrators, one selected by Employer, one selected by SelectAccount and the
third mutually agreed upon by Employer and SelectAccount. Should the Parties be unable to
agree on a third arbitrator, the Parties agree that the "alternate striking" procedures of the
American Arbitration Association will be used to select the third arbitrator for the Parties. The
Parties may also agree to have only the third arbitrator or another person selected by the Parties
conduct the arbitration.
With respect to damages awarded in arbitration, the arbitration panel may award only
reasonable compensatory damages and may not award punitive damages, liquidated damages,
any multiple of compensatory damages or any other award in excess of compensatory damages.
6. Governing law/Exclusive Jurisdiction. Except as they may be subject to federal law
(including the Code), any questions, disputes or litigation concerning or arising from this
Agreement will be governed by the laws of the State of Minnesota. Although the Parties agree to
mandatory, binding arbitration, should any litigation ensue, the Parties agree that a federal court
within the State of Minnesota will be the exclusive forum for litigation regarding the
interpretation or enforcement of this Agreement, unless the federal court determines that it does
not have jurisdiction over the subject matter of the dispute, in which case the Parties agree that
any action will be brought in a state court in Minnesota.
7. Errors and Omissions. It is understood and agreed that neither Party will be prejudiced in
any way due to clerical error, omission, accident or oversight in connection with formulation or
execution of this Agreement provided that corrections are reported to the other Party as soon as
discovered.
8. Entire Agreement and Integration. This Agreement (including any Attachments)
constitutes the entire, final agreement between SelectAccount and Employer and supersedes any
previous agreement between the Parties with respect to the administrative services for the HSA
Benefit. Each Party acknowledges that it has not relied on any representations from the other
Party that are not set forth in this Agreement. No modification or amendment of this Agreement
(or any Attachment) is valid unless made in writing and signed by both Parties.
9. Construction. It is fully understood and agreed to by both Parties that this Agreement will
not be construed against SelectAccount as the drafter of the Agreement.
10. Audit. Upon sixty (60) days advance written notice by Employer, SelectAccount agrees
to provide Employer's designated auditor with access to information needed to conduct an
audit of records maintained by SelectAccount related to Member eligibility or customer service.
The initial notice to SelectAccount will state the scope of the audit, identify the information that
is needed, and propose sampling methodologies. The audit will be limited to the Servicing Year
in which the audit is conducted and the immediately preceding Servicing Year. The Parties
7
agree to collaborate in good faith to develop an agreement that meets the needs of both
Parties and outlines the agreed upon terms for conducting the audit. All auditors will be
required to adhere to SelectAccount's procedures for maintaining the security of all
information furnished by SelectAccount, and required to sign confidentiality agreements prior
to the release of any information by SelectAccount. Any third party auditor must be acceptable
to SelectAccount. SelectAccount will be entitled to receive copies of the draft and final audit
reports, and will have the right to review and comment on audit findings prior to or
simultaneous with the release of such report to Employer. SelectAccount's comments will be
noted in the final report. Audits requested by Employer will be limited to one every two years.
Employer will bear any expenses incurred by Employer or its auditor. Employer will also
reimburse SelectAccount for its costs for any on-site audit that exceeds two business days.
Employer will be charged for additional audits based on the actual cost to SelectAccount.
9
SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE
HSA MASTER SERVICE AGREEMENT
WITH
MII LIFE INCORPORATED dba SELECTACCOUNT
SIGNATURES
Date:A-1-7 /
Date: 1
�-/
Southwest/West Central Service Cooperative
Signed:
Name: a�1
Title: t61(t a L." �( b OrE,J�-
SelectAccount
Accepted:
Reed Erickson
Title: Vice President Compliance and Risk
Manap,ement
M
SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE
HSA MASTER SERVICE AGREEMENT
WITH
MII LIFE INCORPORATED dba SELECTACCOUNT
ATTACHMENT A
FEES
This Attachment A to the Agreement between the Employer shown in the Adoption Agreement
("Employer") and Mil Life Incorporated dba SelectAccount (the "Parties") describes the fees
payable to SelectAccount under such Agreement.
If Employer pays the administrative fee on behalf of employees, such payment will billed to
Employer. The Monthly Per Participant Fee is based on the number of employees who have an
HSA as of the last day of the prior month. SelectAccount will submit a bill to Employer by the
15th day of each month for the Monthly Per Participant Fee owed for such month. If Employers
utilize ACH for the payment of Account Fees, their group billing contact will be notified via
email that an ACH pull has been scheduled and fees will be withdrawn from their bank accounts
within two business days. The billing contact will receive one email notification per invoice
generated. Employers should review bill immediately upon receipt and notify SelectAccount
within sixty (60) calendar days of any adjustments to HSA accountholder's fees. Requests for
adjustment after sixty (60) calendar days will not be accepted.
If employees are required to pay the administrative fee, SelectAccount will debit the fee from
the employee's HSA annually. SelectAccount will bill the Pay -the -provider fee to the Employer
on a monthly basis.
Pricing set forth in this Attachment A is guaranteed for each Employer for a period of four (4)
years from the first day of the Plan Year beginning on or after January 1, 2014. By way of
example, pricing will be guaranteed for Employers with Plan Years that begin on January 1,
2014 until December 31, 2017. Pricing will be guaranteed for Employers with Plan Years that
begin on October 1, 2014 until September 30, 2018.
B-1
One Time
Performance Guarantee Cumulative Maximum 1$50,000
Setup Fee I Waived
Annual
2014
Cafeteria Non-Discrimination Testing Waived
2016
Trust Fee Waived
Monthly
$0.60
Per Participant Per Month Fees:
$0.60
Coop Members With Coop Blue Cross Insurance With Preferred Electronic Incentive Table 1
HSA Basic
Coop Members With Coop Blue Cross Insurance Without Preferred Electronic Incentive Table 2
$1.20
Coop Members Without Coop Health Insurance With Preferred Electronic Incentive Table 3
$1.20
Coop Members Without Coop Health Insurance Without Preferred Electronic Incentive Table 4
$2.11
VEBA For NonCoop Members Table 5
$2.11
Debit Card $0.00
VEBA Thrift
Optional Quarterly Statement fee (applies to all participants in groups that elect this option) $0.25
$0.60
Optional Pay -The -Provider fee (applies to all participants in groups that elect this option including
those who opt out of Pay -The -Provider). $0.50
$0.60
Optional Basic Investment Account $1.50
$1.20
Prices are on a per account holder, per month basis
$1.20
The Basic Investment Account is optional and NO fee is charged if account is NOT activated
VEBA Premium
Must have a Base Balance of $1,000 to open a Basic Investment Account
Table 1- Coop Member & Coop Blue Cross Health Coverage Meeting
Preferred Electronic Requirements Per Participant Per Month
2014
2015
2016
2017
HSA Thrift
$0.60
$0.60
$0.60
$0.60
HSA Basic
$1.20
$1.20
$1.20
$1.20
HSA Premium
$2.11
$2.11
$2.11
$2.11
VEBA Thrift
$0.60
$0.60
$0.60
$0.60
VEBA Basic
$1.20
$1.20
$1.20
$1.20
VEBA Premium
$2.11
$2.11
$2.11
$2.11
HRA
$2.11
$2.11
$2.11
$2.11
FSA
$2.11
$2.11
$2.11
$2.11
Wellness only
$0.60
$0.60
$0.60
$0.60
Stacked:
Funded Thrift / FSA
$2.11
$2.11
$2.11
$2.11
Funded Basic / FSA
$2.11
$2.11
$2.11
$2.11
Funded Premium/ FSA
$2.11
$2.11
$2.11
$2.11
HRA / FSA
$2.11
$2.11
$2.11
$2.11
HSA / VEBA
Rate of Highest
HSA /VEBA
product
Preferred Requirements
2014 2015 2016 2017
Group Portal Utilization
100% 100% 100% 100%
Account holders on ACH
45% 60% 70% 90%
Account holders on Crossover or Debit Card
90% 100% 100% 100%
Utilize electronic communication with account holders whenever possible
$0.10 per participant per month will be rebated to the Service Cooperative that made coverage available to the Employer.
L•1%
Table 2 - Coop Member & Coop Blue Cross Health Coverage NOT
Meeting Preferred Electronic Requirements Per Participant Per Month
2014
2015
2016
2017
HSA Thrift
$0.60
$0.60
$0.60
$0.60
HSA Basic
$1.20
$1.20
$1.20
$1.20
HSA Premium
$2.11
$2.11
$2.11
$2.11
VEBAThrift
$0.60
$0.60
$0.60
$0.60
VEBA Basic
$1.20
$1.20
$1.20
$1.20
VEBA Premium
$2.11
$2.11
$2.11
$2.11
HRA
$2.11
$2.21
$2.31
$2.41
FSA
$2.11
$2.21
$2.31
$2.41
Wellness only
$0.60
$0.60
$0.60
$0.60
Stacked:
Funded Thrift/ FSA
$2.11
$2.21
$2.31
$2.41
Funded Basic / FSA
$2.11
$2.21
$2.31
$2.41
Funded Premium/ FSA
$2.11
$2.21
$2.31
$2.41
HRA / FSA
$2.11
$2.21
$2.31
$2.41
HSA / VEBA
Rate of Highest
HSA /
VEBA product
$0.10 per participant per month will be rebated to the Service Cooperative that made coverage available to the Employer.
M
Table 3 - Coop Member & No Coop Health Coverage Meeting Preferred
2014
2015
2016
2017
Electronic Requirements Per Participant Per Month
2014
2015
2016
2017
HSA Thrift
$0.95
$0.95
$0.95
$0.95
HSA Basic
$2.40
$2.40
$2.40
$2.40
HSA Premium
$3.85
$3.85
$3.85
$3.85
VEBA Thrift
$0.95
$0.95
$0.95
$0.95
VEBA Basic
$2.40
$2.40
$2.40
$2.40
VEBA Premium
$3.85
$3.85
$3.85
$3.85
HRA
$4.30
$4.30
$4.30
$4.30
FSA
$4.30
$4.30
$4.30
$4.30
Wellness only
$0.95
$0.95
$0.95
$0.95
Stacked:
$4.30
$4.40
$4.50
$4.60
Funded Thrift / FSA
$4.30
$4.30
$4.30
$4.30
Funded Basic / FSA
$4.30
$4.30
$4.30
$4.30
Funded Premium/ FSA
$4.30
$4.30
$4.30
$4.30
HRA/ FSA
$4.30
$4.30
$4.30
$4.30
HSA / VEBA
Rate of Highest
HSA /VEBA
product
Preferred Requirements
2014 2015 2016 2017
Group Portal Utilization
100% 100% 100% 100%
Account holders on ACH
45% 60% 70% 90%
Account holders on Crossover or Debit Card
90% 100% 100% 100%
Utilize electronic communication with account holders whenever possible
50% of the difference to Table 1 will be rebated to the Service Cooperative that made coverage available to the Employer.
Table 4 - Coop Member & No Coop Health Coverage NOT Meeting
Preferred Electronic Requirements Per Participant Per Month
2014
2015
2016
2017
HSA Thrift
$0.95
$0.95
$0.95
$0.95
HSA Basic
$2.40
$2.40
$2.40
$2.40
HSA Premium
$3.85
$3.85
$3.85
$3.85
VEBAThnft
$0.95
$0.95
$0.95
$0.95
VEBA Basic
$2.40
$2.40
$2.40
$2.40
VEBA Premium
$3.85
$3.85
$3.85
$3.85
HRA
$4.30
$4.40
$4.50
$4.60
FSA
$4.30
$4.40
$4.50
$4.60
Wellness only
$0.95
$0.95
$0.95
$0.95
Stacked:
Funded Thrift / FSA
$4.30
$4.40
$4.50
$4.60
Funded Basic / FSA
$4.30
$4.40
$4.50
$4.60
Funded Premium/ FSA
$4.30
$4.40
$4.50
$4.60
HRA / FSA
$4.30
$4.40
$4.50
$4.60
HSA / VEB IRate
of Highest
HSA /
VEBA product
150% of the difference to Table 2 will be rebated to the Service Cooperative that made coverage available to the Employer.
M
Table 5 - NonCoop Member VEBA
2014
2015
2016
2017
VEBAThrift
$2.60
$2.60
$2.60
$2.60
VEBA Basic
$3.20
$3.20
$3.20
$3.20
VEBA Premium
$4.11
$4.11
$4.11
$4.11
50% of the difference to Table 2 will be rebated to the Service Cooperative that made coverage available
to the Employer.
Base Account Crediting Rates
Thrift
Basic
Premium
Saver
Saver
Saver
$0 to $499
0.05%
0.25%
1.05%
$500 to $999
0.05%
0.25%
1.05%
$1,000 to $1,499
0.10%
0.40%
1.05%
$1,500 to $2,499
0.10%
0.40%
1.05%
$2,500 to $4,999
0.10%
0.40%
1.05%
$5,000 to $9,999
0.20%
0.50%
1.10%
$10,000 to $24,999
0.30%
0.75%
1.25%
$25,000 to $49,999
0.50%
1.00%
1.75%
$50,000 or greater
0.70%
1.25%
2.00%
New and existing VEBA groups may select from the Thrift Saver, Basic
Saver or Premium Saver
options as shown above at setup or renewal. Crediting rates may be adjusted without notice at
any time. Rates shown as of April 2014.
IR
ATTACHMENT B
BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum ("BAA") between MII Life Incorporated d/b/a
SelectAccount ("Business Associate") and the Minnesota Service Cooperative VEBA Committee
and adopting Employers on behalf of the Minnesota Service Cooperative VEBA Plan and Trust
("Covered Entity") is attached to and made part of the Minnesota Service Cooperatives VEBA
Service Agreement with MII Life Incorporated d/b/a SelectAccount (the "Agreement") as such
Agreement may be renewed from time to time. Business Associate and Covered Entity agree
that this BAA replaces any prior Business Associate Agreements or prior Attachment B's.
Covered Entity and Business Associate mutually agree to comply with the requirements of the
implementing regulations of the Health Insurance Portability and Accountability Act of 1996
("HIPAA"), as modified by the Health Information Technology for Economic and Clinical Health
Act (the "HITECH Act"). Specifically, the "HIPAA Rules" means the Privacy, Security, Breach
Notification, and Enforcement Rules at 45 CFR Part 106 and Part 164. The HIPAA Privacy Rule is
the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and
164, subparts A and E. The HIPAA Security Rule is the HIPAA Security Standards at 54 CFR Parts
160 and 164, Subpart C. The HIPAA Breach Notification Rule is the Notification in the Case of
Breach of Unsecured Protected Health Information, as set forth at 45 CFR Part 164, subpart D.
Business Associate recognizes and agrees that it is obligated by law to meet the applicable
provisions of the HIPAA Rules.
I. Privacy of Protected Health Information.
A. Permitted Uses and Disclosures. Business Associate is permitted to use and
disclose Protected Health Information ("PHI") that it creates or receives on
Covered Entity's behalf or receives from Covered Entity (or another business
associate of Covered Entity) and to request PHI on Covered Entity's behalf
(collectively, "Covered Entity's PHI") only as follows:
1. Functions and Activities on Covered Entity's Behalf. To perform
functions, activities, services, and operations on behalf of Covered Entity,
consistent with the Privacy Rule. More specifically, except as otherwise
limited in this BAA, Business Associate is permitted to use and disclose
PHI to perform the functions, activities, or services for, or on behalf of,
Covered Entity as specified in the above named Agreement, provided
that such use or disclosure would not violate the Privacy Rule if done by
Covered Entity or the minimum necessary policies and procedures of
Covered Entity.
2. Business Associate's Operations. For Business Associate's proper
management and administration or to carry out Business Associate's
legal responsibilities, provided that, with respect to disclosure of Covered
Entity's PHI, either:
a. The disclosure is Required by Law; or
b. Business Associate obtains reasonable assurance (and, upon
request of Covered Entity, provides written evidence of such
assurance) from any person or entity to which Business Associate
will disclose Covered Entity's PHI that the person or entity shall:
1. Hold Covered Entity's PHI in confidence and use or further
disclose Covered Entity's PHI only for the purpose for
which Business Associate disclosed Covered Entity's PHI to
the person or entity or as Required by Law; and
2. Immediately (and no later than three (3) days after the
suspected or known breach) notify Business Associate
(who shall in turn notify Covered Entity in accordance with
Section IIID of this BAA) of any instance of which the
person or entity becomes aware in which the
confidentiality of Covered Entity's PHI was breached.
B. Minimum Necessary and Limited Data Set. Business Associate's use, disclosure
or request of PHI shall utilize a Limited Data Set if practicable. Otherwise,
Business Associate shall, in its performance of the functions, activities, services,
and operations specified in Section I.A.1above, make reasonable efforts to use,
to disclose, and to request of a Covered Entity only the minimum amount of
Covered Entity's PHI reasonably necessary to accomplish the intended purpose
of the use, disclosure or request. In addition, Business Associate agrees to
implement and follow appropriate minimum necessary policies in the
performance of its obligations under this BAA.
C. Prohibition on Unauthorized Use or Disclosure. Business Associate shall neither
use nor disclose Covered Entity's PHI, except as permitted or required by this
BAA or in writing by Covered Entity or as Required by Law. This BAA does not
authorize Business Associate to use or disclose Covered Entity's PHI in a manner
that will violate 45 C.F.R. Part 164, Subpart E "Privacy of Individually Identifiable
Health Information" ("Privacy Rule") if done by Covered Entity, except as set
forth in Section I.A.2 of this BAA.
1. Sale of PHI Prohibited. Business Associate shall not directly or indirectly
receive any remuneration in exchange for Covered Entity's PHI.
2. Marketing of PHI. Business Associate shall not directly or indirectly
receive any remuneration for any use or disclosure of PHI for marketing
purposes.
D. Information Safeguards.
1. Privacy of Covered Entity's PHI. Business Associate shall develop,
implement, maintain, and use appropriate administrative, technical, and
physical safeguards to protect the privacy of Covered Entity's PHI. The
safeguards must reasonably protect Covered Entity's PHI from any
intentional or unintentional use or disclosure in violation of the Privacy
Rule, 45 CFR Part 164, Subpart E and this BAA, and limit incidental uses or
N -M
disclosures made pursuant to a use or disclosure otherwise permitted by
this BAA. Business Associate shall document such safeguards, and, upon
request, provide such safeguards to Covered Entity.
2. Security of Covered Entity's Electronic PHI. Business Associate shall
develop, implement, maintain, and use administrative, technical, and
physical safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of Electronic PHI that Business
Associate creates, receives, maintains, or transmits on Covered Entity's
behalf as required by the Security Rule, 45 C.F.R. Part 164, Subpart C.
Business Associate also shall develop and implement policies and
procedures and meet the Security Rule documentation requirements.
Upon request, Business Associate shall provide such policies and
procedures to Covered Entity. Business Associate shall encrypt all
portable media on which Electronic PHI is stored, using a non-proprietary
algorithm of at least 256 -bit cipher strength.
E. Subcontractors and Agents. Business Associate shall require any of its
subcontractors and agents, to which Business Associate is permitted by this BAA
or in writing by Covered Entity to disclose Covered Entity's PHI, to provide
reasonable assurance (and, upon request of Covered Entity, provide written
evidence of such assurance) that such subcontractor or agent will comply with
the same privacy and security safeguard obligations with respect to Covered
Entity's PHI that are applicable to Business Associate under this BAA.
F. State Law Compliance. Business Associate shall comply with all applicable state
laws not preempted pursuant to 45 Code of Federal Regulations Part 160,
Subpart B.
II. Compliance with Transaction Standards. If Business Associate conducts in whole or
part electronic Transactions on behalf of Covered Entity for which DHHS has established
Standards, Business Associate shall comply, and shall require any subcontractor or agent
it involves with the conduct of such Transactions to comply, with each applicable
requirement of the Transaction Rule, 45 C.F.R. Part 162. Business Associate shall not
enter into, or permit its subcontractors or agents to enter into, any Trading Partner
Agreement in connection with the conduct of Standard Transactions on behalf of
Covered Entity that:
A. Changes the definition, data condition, or use of a data element or segment in a
Standard Transaction;
B. Adds any data element or segment to the maximum defined data set;
C. Uses any code or data element that is marked "not used" in the Standard
Transaction's implementation specification or is not in the Standard
Transaction's implementation specification; or
D. Changes the meaning or intent of the Standard Transaction's implementation
specification.
III. Individual Rights.
A. Access. Business Associate will respond, within thirty (30) days to each request
by an individual (or the individual's personal representative) to inspect or obtain
copies of Covered Entity's PHI about the individual that is in Business Associate's
custody or control, consistent with the requirements of 45 CFR Section 164.524,
so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524.
Covered Entity delegates to Business Associate the sole authority to determine
whether to deny access to such requested PHI solely with respect to duties
assumed by Business Associate under the Agreement. Business Associate shall
make such information available in an electronic format where directed by the
individual.
B. Amendment. Business Associate will respond within sixty (60) days and in
accordance with Privacy Rules to each request by an individual (or the
individual's personal representative) to amend Covered Entity's PHI about the
individual that is in Business Associate's custody or control, consistent with the
requirements of 45 CFR Section 164.526, so that Covered Entity may meet its
amendment obligations under 45 C.F.R. § 164.526. Covered Entity delegates to
Business Associate the sole authority to determine whether to grant a request to
amend PHI, and amend the PHI as requested if such request for amendment is
granted.
C. Disclosure Accounting. So that Business Associate can meet disclosure
accounting obligations under 45 C.F.R. § 164.528 that are delegated to it by
Covered Entity, Business Associate shall record the following information
("Disclosure Information") for each disclosure of Covered Entity's PHI, that
Business Associate makes to Covered Entity or to a third party.
1. Disclosure Information Generally. Except for repetitive disclosures of
Covered Entity's PHI as specified in Section III.C.2 below and for
disclosures for large research studies as specified in Section III.C.3 below,
the Disclosure Information that Business Associate must record for each
accountable disclosure are the requirements set forth in the HIPAA
Privacy Rule, including but not limited to: (i) the disclosure date, (ii) the
name and (if known) address of the entity to which Business Associate
made the disclosure, (iii) a brief description of Covered Entity's PHI
disclosed, and (iv) a brief statement of the purpose of the disclosure.
2. Disclosure Information for Repetitive Disclosures. For repetitive
disclosures of Covered Entity's PHI that Business Associate makes for a
single purpose to the same person or entity (including Covered Entity),
the Disclosure Information that Business Associate must record is either
the Disclosure Information specified in Section III.C.1 above for each
accountable disclosure, or (i) the Disclosure Information specified in
Section III.C.1 above for the first of the repetitive accountable
disclosures, (ii) the frequency, periodicity, or number of the repetitive
IN:J
accountable disclosures, and (iii) the date of the last of the repetitive
accountable disclosures.
3. Disclosure Information for Large Research Activities. For disclosures of
Covered Entity's PHI that Business Associate makes for particular
Research involving 50 or more individuals and for which an Institutional
Review Board or Privacy Board has waived authorization during the
period covered by an individual's disclosure accounting request, the
Disclosure Information that Business Associate must record is (i) the
name of the Research protocol or activity, (ii) a plain language description
of the Research protocol or activity, including its purpose and criteria for
selecting particular records, (iii) a brief description of the type of Covered
Entity's PHI disclosed for the Research, (iv) the dates or periods during
which Business Associate made or may have made these disclosures,
including the date of the last disclosure that Business Associate made
during the period covered by an individual's disclosure accounting
request, (v) the name, address, and telephone number of the Research
sponsor and of the researcher to whom Business Associate made these
disclosures, and (vi) a statement that Covered Entity's PHI relating to an
individual requesting the disclosure accounting may or may not have
been disclosed for a particular Research protocol or activity. Business
Associate shall, upon request of Covered Entity or an individual
requesting the disclosure accounting, assist Covered Entity or the
individual to contact the Research sponsor and the researcher if it is
reasonably likely that Covered Entity's PHI relating to the individual was
disclosed for the particular Research protocol or activity.
D. Reporting of Disclosure Information. Business Associate shall report the
Disclosure Information to Covered Entity within five (5) days following the
accountable disclosure.
E. Maintenance of Disclosure Information. Unless otherwise provided by
applicable law, Business Associate shall maintain the Disclosure Information for
at least 11 years following the date of the accountable disclosure to which the
Disclosure Information relates.
F. Individual Disclosure Requests. Business Associate will respond within sixty (60)
days and in accordance with Privacy Rules to each request by an individual (or
the individual's personal representative) for an accounting of Disclosures solely
with respect to duties assumed by Business Associate under the Agreement,
consistent with the requirements of 45 CFR Section 164.528, so that Covered
Entity may meet its disclosure obligations under 45 C.F.R. § 164.528. Covered
Entity delegates to Business Associate the sole authority to determine whether
to grant a request to amend PHI, and amend the PHI as requested if such request
for amendment is granted.
G. Restriction Agreements and Confidential Communications. Business Associate
will respond within sixty (60) days to each request by an individual (or the
individual's personal representative) to (i) restrict use or disclosure of Covered
B-10
Entity's PHI pursuant to 45 C.F.R. § 164.522(a), or (ii) require confidential
communication about Covered Entity's PHI pursuant to 45 C.F.R. § 164.522(b), so
that.Covered Entity may meet its obligations under 45 C.F.R. § 164.522. Covered
Entity delegates to Business Associate the sole authority to determine whether
to grant a request to restrict use or disclosure of PHI or provide confidential
communication about PHI solely with respect to duties assumed by Business
Associate under the Agreement.
H. Contact Person. Business Associate agrees to provide a contact person or office
responsible for receiving enrollee privacy or security complaints or questions
solely with respect to duties assumed by Business Associate under the
Agreement.
IV. Privacy Obligation Breach and Security Incidents.
A. Reporting.
1. Privacy Breach. Business Associate shall report to Covered Entity any use
or disclosure of Covered Entity's PHI not permitted by this BAA or in
writing by Covered Entity. In addition, Business Associate shall report,
following discovery and without unreasonable delay, but in no event later
than five (5) days following discovery, any "Breach" of "Unsecured
Protected Health Information" as these terms are defined by the Breach
Notification Regulation. However, in providing such notice, Business
Associate will ensure that it does not disclose PHI to Covered Entity.
2. Security Incident. The Security Rules define a "Security Incident" as an
attempted or successful unauthorized access, use, disclosure,
modification or destruction of information or interference with system
operations in an information system, involving electronic PHI ("e -PHI")
that is created, received, maintained or transmitted by or on behalf of a
Party. Since the Security Rules include attempted unauthorized access,
use, disclosure, modification or destruction of information, Covered
Entity needs to have notice of attempts to bypass electronic security
mechanisms. The Parties recognize and agree that the significant
number of meaningless attempts to, without authorization, access use,
disclose, modify or destroy a -PHI will make a real-time reporting
requirement formidable for Business Associate. Therefore, the Parties
agree to the following reporting procedures for Security Incidents that
result in unauthorized access, use, disclosure, modification or destruction
of information or interference with system operations ("Successful
Security Incidents") and for Security Incidents that do not so result
("Unsuccessful Security Incidents").
For Unsuccessful Security Incidents, the Parties agree that this paragraph
constitutes notice of such Unsuccessful Security Incidents. By way of
example, the Parties consider the following to be illustrative of
Unsuccessful Security Incidents when they do not result in actual
B-11
unauthorized access, use, disclosure, modification or destruction of a -PHI
or interference with an information system:
• Pings on Business Associate's firewall,
• Port scans,
• Attempts to log on to a system or enter a database with an invalid
password or username,
• Denial -of -service attacks that do not result in a server being taken
off-line, and
• Malware (worms, viruses, etc.)
However, in providing such notice, Business Associate will ensure that it
does not disclose PHI to Covered Entity.
B. Breach Notification.
1. Monitoring and Reporting Incidents of Unauthorized Use or Disclosure
of Unsecured PHI. Business Associate will take reasonable steps to
monitor the unauthorized acquisition, access, use, and disclosure
(subsequently referred to as use or disclosure) of Unsecured PHI relating
to Covered Entity. In particular, individuals who use or disclose PHI
relating to Covered Entity on behalf of Business Associate will be required
to report all such unauthorized use or disclosure to Business Associate's
Privacy Official or designated individual.
2. Determination Whether Unauthorized Use or Disclosure Constitutes
Breach. Upon receiving a report of unauthorized use or disclosure,
Business Associate will undertake a risk assessment to determine
whether there is a low probability that the PHI has been compromised
pursuant to the Breach Notification Regulation. The Business Associate
will make and retain records of such determinations, including the basis
for determinations that unauthorized uses or disclosures are not
Breaches of Unsecured PHI.
3. Notice to Affected Individuals of Breach. If the unauthorized use or
disclosure constitutes a Breach, the Business Associate will notify the
Individual(s) whose Unsecured PHI was used or disclosed improperly in
accordance with the Breach Notification Requirements via written notice,
substitute notice or notice in urgent situations, as appropriate. Business
Associate shall be responsible for any and all costs relating to such notice.
Written notices will be written in plain language and will include, to the
extent possible:
A. a brief description of what happened, including the date of the
Breach and the date of discovery of the Breach;
B-12
B. a description of the types of Unsecured PHI involved (without,
however, including specific PHI);
C. any steps Individuals should take to prevent potential harm
resulting from the Breach;
D. a brief description of what the Business Associate is doing (i) to
investigate the Breach, (ii) to mitigate harm to Individuals and
(iii) to protect against further Breaches; and
E. contact procedures for Individuals to ask Business Associate
questions or learn additional information, including a toll-free
telephone number, e-mail address, website, or postal address.
Such notification will be provided without unreasonable delay and in no
case later than 60 calendar days after discovery of the Breach. Business
Associate will provide Covered Entity with a copy of the notice it
determines is required by this paragraph 3 prior to its distribution for
review and approval by Covered Entity, which approval will not be
unreasonably withheld. However, in providing such notice, Business
Associate will ensure that it does not disclose PHI to Covered Entity.
4. Notice to Media of Breaches Involving More Than 500 Residents of
Same State or Jurisdiction. If a Breach involves more than 500 residents
of the same State or jurisdiction, the Business Associate will notify the
media in accordance with the Breach Notification Requirements.
Business Associate shall be responsible for any and all costs relating to
such notice. Such notification will be provided without unreasonable
delay and in no case later than 60 calendar days after discovery of the
Breach. Business Associate will provide Covered Entity with a copy of the
notice it determines is required by this paragraph 4 prior to its
distribution for review and approval by Covered Entity, which approval
will not be unreasonably withheld.
S. Notice to Covered Entity of Breaches Involving 500 or More Individuals.
If a Breach involves 500 or more individuals the Business Associate will
notify Covered Entity with all the appropriate information so Covered
Entity can notify HHS in the manner specified in the Breach Notification
Requirements and on the HHS website. Business Associate will provide
such notification without unreasonable delay and in no case later than 30
calendar days after discovery of the Breach.
6. Maintenance of Log and Annual Notice to Covered Entity of Breaches
Involving Less than 500 Individuals. The Business Associate will maintain
a log of Breaches involving less than 500 Individuals and, not later than
30 days after the end of each calendar year, notify Covered Entity with all
the appropriate information so Covered Entity can notify HHS in the
B-13
manner specified in the Breach Notification Requirements and on the
HHS website.
7. Delayed Notification. Notwithstanding paragraph 3 or 4 above, if a law
enforcement official provides Business Associate with a statement that
the notification required under paragraph 3 or 4 above would impede a
criminal investigation or cause damage to national security, then Business
Associate may delay the notification for the period of time set forth in the
statement. If the law enforcement official provides an oral statement,
then Business Associate shall document the statement in writing,
including the name of the law enforcement official making the statement,
and may delay the notification required under paragraph 3 or 4 for no
longer than thirty (30) days from the date of the oral statement, unless
the law enforcement official provides a written statement during that
time that specifies a different time period. Business Associate shall be
obligated to maintain evidence to demonstrate that the required
notification under this paragraph was made.
C. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any
harmful effect that is known to Business Associate of a Use or Disclosure of PHI
by Business Associate in violation of the requirements of this BAA, including, but
not limited to, reimbursing Covered Entity for any and all costs related to credit -
monitoring of Covered Entity's members.
D. Termination of BAA.
1. Right to Terminate for Breach. Covered Entity may terminate this BAA
(as well as any other agreement to which this BAA is attached) if it
determines, in its sole discretion, that Business Associate has breached
any provision of this BAA and upon written notice to Business Associate
of the breach, Business Associate fails to cure the breach within ten (10)
days after receipt of the notice. Covered Entity may exercise this right to
terminate this BAA by providing Business Associate written notice of
termination, stating the failure to cure the breach of the BAA that
provides the basis for the termination. Any such termination will be
effective immediately or at such other date specified in Covered Entity's
notice of termination. If for any reason Covered Entity determines that
Business Associate has breached the terms of this BAA and such breach
has not been cured, but Covered Entity determines that termination of
the BAA is not feasible, Covered Entity may report such breach to the U.S.
Department of Health and Human Services.
2. Termination Upon Expiration or Termination of Related Agreement(s).
In the event any underlying agreement(s) to which this BAA is attached
expires or is terminated, this BAA shall also be terminated, effective as
the date of the expiration or termination of the underlying agreement(s).
3. Obligations on Termination.
*MV
a. Return or Destruction of Covered Entity's PHI as Feasible. Upon
termination or other conclusion of this BAA, Business Associate
shall, if feasible, return to Covered Entity or destroy Covered
Entity's entire PHI in whatever form or medium, including all
copies thereof and all data, compilations, and other works derived
therefrom that allow identification of any individual who is a
subject of Covered Entity's PHI. Business Associate shall require
any subcontractor or agent, to which Business Associate has
disclosed Covered Entity's PHI as permitted by Section LE of this
BAA, to if feasible return to Business Associate (so that Business
Associate may return it to Covered Entity) or destroy all of
Covered Entity's PHI in whatever form or medium received from
Business Associate, including all copies thereof and all data,
compilations, and other works derived therefrom that allow
identification of any individual who is a subject of Covered Entity's
PHI, and certify on oath to Business Associate that all such
information has been returned or destroyed. Business Associate
shall complete these obligations as promptly as possible, but not
later than thirty (30) days following the effective date of the
termination or other conclusion of this BAA.
b. Procedure When Return or Destruction Is Not Feasible. Business
Associate shall identify any of Covered Entity's PHI, including any
that Business Associate has disclosed to subcontractors or agents
as permitted by Section LE of this BAA, that cannot feasibly be
returned to Covered Entity or destroyed and explain why return
or destruction is infeasible. Where Covered Entity agrees that
such return or destruction is infeasible, Business Associate shall
limit its further use or disclosure of such information to those
purposes that make return or destruction of such information
infeasible. If Covered Entity does not agree, subparagraph 3.a.
above shall apply. Business Associate shall require such
subcontractor or agent to limit its further use or disclosure of
Covered Entity's PHI that such subcontractor or agent cannot
feasibly return or destroy to those purposes that make the return
or destruction of such information infeasible. Business Associate
shall complete these obligations as promptly as possible, but not
later than thirty (30) days following the effective date of the
termination or other conclusion of this BAA.
C. Continuing Privacy and Security Obligation. Business Associate's
obligation to protect the privacy and safeguard the security of
Covered Entity's PHI as specified in this BAA will be continuous
and survive termination or other conclusion of this BAA.
B-15
E. Indemnity. Business Associate shall indemnify and hold harmless Covered Entity
and any Covered Entity affiliate, officer, director, employee or agent from and
against any claim, cause of action, liability, damage, fines, penalties, cost or
expense, including attorneys' fees and court or proceeding costs, arising out of
or in connection with any non -permitted use or disclosure of Covered Entity's
PHI or other breach of this BAA by Business Associate or any subcontractor or
agent under Business Associate's control.
Covered Entity will indemnify and hold harmless Business Associate and any
Business Associate affiliate, officer, director, employee or agent from and against
any claim, cause of action, liability, damage, fines, penalties, cost or expense,
including attorneys' fees and court or proceeding costs, arising out of or in
connection with any non -permitted use or disclosure of Covered Entity's PHI or
other breach of this BAA by Covered Entity or any subcontractor or agent under
Covered Entity's control.
1. Right to Tender or Undertake Defense. If Covered Entity is named a
party in any judicial, administrative or other proceeding arising out of or
in connection with any non -permitted use or disclosure of Covered
Entity's PHI or other breach of this BAA by Business Associate or any
subcontractor or agent under Business Associate's control, Covered
Entity will have the option at any time either (A) to tender its defense to
Business Associate, in which case Business Associate shall provide
qualified attorneys, consultants, and other appropriate professionals to
represent Covered Entity's interests at Business Associate's expense, or
(B) undertake its own defense, choosing the attorneys, consultants, and
other appropriate professionals to represent its interests, in which case
Business Associate will be responsible for and pay the reasonable fees
and expenses of such attorneys, consultants, and other professionals.
If Business Associate is named a party in any judicial, administrative or
other proceeding arising out of or in connection with any non -permitted
use or disclosure of Covered Entity's PHI or other breach of this BAA by
Covered Entity or any subcontractor or agent under Covered Entity's
control, Business Associate will have the option at any time either (A) to
tender its defense to Covered Entity, in which case Covered Entity will
provide qualified attorneys, consultants, and other appropriate
professionals to represent Business Associate's interests at Covered
Entity's expense, or (B) undertake its own defense, choosing the
attorneys, consultants, and other appropriate professionals to represent
its interests, in which case Covered Entity will be responsible for and pay
the reasonable fees and expenses of such attorneys, consultants, and
other professionals.
2. Right to Control Resolution. Covered Entity will have the sole right and
discretion to settle, compromise or otherwise resolve any and all claims,
causes of actions, liabilities or damages against it, notwithstanding that
Covered Entity may have tendered its defense to Business Associate. Any
B-16
such resolution will not relieve Business Associate of its obligation to
indemnify Covered Entity under this Section IV.E.
Business Associate will have the sole right and discretion to settle,
compromise or otherwise resolve any and all claims, causes of actions,
liabilities or damages against it, notwithstanding that Business Associate
may have tendered its defense to Covered Entity. Any such resolution
will not relieve Covered Entity of its obligation to indemnify Business
Associate under this Section IV.E.
V. General Provisions.
A. Inspection of Internal Practices, Books, and Records. Business Associate shall
make its internal practices, books, and records relating to its use and disclosure
of Covered Entity's PHI available to Covered Entity and to DHHS to determine
Covered Entity's compliance with the Privacy Rule, 45 C.F.R. Part 164, Subpart E,
and the Security Rule.
B. Definitions. The terms "Covered Entity," "Electronic Protected Health
Information," "Protected Health Information," "Standard," "Trading Partner
Agreement," and "Transaction" have the meanings set out in 45 C.F.R. § 160.103.
The term "Standard Transaction" has the meaning set out in 45 C.F.R. § 162.103.
The term "Required by Law" has the meaning set out in 45 C.F.R. § 164.103. The
terms "Health Care Operations," "Payment," "Research," and "Treatment" have
the meanings set out in 45 C.F.R. § 164.501. The term "Limited Data Set" has the
meaning set out in 45 C.F.R. § 164.514(e). The term "use" means, with respect
to PHI, utilization, employment, examination, analysis or application within
Business Associate. The terms "disclose" and "disclosure" mean, with respect to
PHI, release, transfer, providing access to or divulging to a person or entity not
within Business Associate. For purposes of this BAA, Covered Entity's PHI
encompasses Covered Entity's Electronic PHI. Any other capitalized terms not
identified in this BAA will have the meanings set forth in the HIPAA Rules.
C. Amendment to BAA. Upon the compliance date of any final regulation or
amendment to final regulation promulgated by DHHS that affects Business
Associate's use or disclosure of Covered Entity's PHI or Standard Transactions,
this BAA will automatically amend such that the obligations imposed on Business
Associate remain in compliance with the final regulation or amendment to final
regulation.
D. Privacy Notice. Business Associate agrees to include a draft notice, consistent
with the requirements in 45 C.F.R. § 164.520 and the terms of this Attachment,
in the summary plan descriptions of adopting Employers.
E. Privacy Official. Business Associate agrees to designate a privacy official who
will also act as the Covered Entity's privacy official solely with respect to duties
assumed by Business Associate under the Agreement.
F. Conflicts. In the event that this BAA is made part of another agreement
between the parties, the terms and conditions of this BAA will override and
Am
control any conflicting term or condition of such other agreement, provided that
this BAA shall not override any rights of the parties to terminate any such other
agreement in accordance with the terms and conditions of such other
agreement.