Loading...
5.i) Southwest West Central HSA Master Service Agreement 2014Southwest/West Central Service Cooperative HSA Master Service Agreement With MII Life Incorporated d/b/a SelectAccount SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE HSA MASTER SERVICE AGREEMENT WITH Mil LIFE INCORPORATED This HSA Master Service Agreement (the "Agreement") is between MII Life, Incorporated dba SelectAccount ("SelectAccount"), and Southwest/West Central Service Cooperative (the "Service Cooperative"), for the benefit of itself and other public Employers that are participant members of the Service Cooperative (the "Employer" or "Employers"). SelectAccount and the Service Cooperative (or an Employer, in the case of an adopting Employer) may be referred to jointly as the "Parties," or individually as a "Party." The purpose of this Agreement is to provide uniform pricing, services, terms, and conditions for the administration of health savings accounts ("HSAs") that are established by employees of the Employers. The Agreement is established pursuant to the authority of the Service Cooperative to engage in cooperative purchasing services under Minnesota Statutes Section 123A.21. This Agreement is effective as of January 1, 2014. Fee increases for Employers adopting this agreement shall be effective on the renewal date for each Employer's HSA -eligible high deductible health ("Plan"). SelectAccount will provide the services described herein for HSAs and Employers at any time during the term of this Agreement. SelectAccount is not an attorney, tax advisor or investment advisor and does not render legal, tax or investment advice in connection with the creation, adoption or operation of HSAs. Employers will seek the advice of counsel, as needed, as to matters that might arise in connection with design, adoption or operation of their employee benefit and compensation arrangements, including agreements to contribute or permit contributions to HSAs on behalf of employees. . SelectAccount is a corporation organized and domiciled in Minnesota and is authorized by law to provide HSA custodian and administrative services. 1 SERVICES TO BE PROVIDED BY SELECTACCOUNT SelectAccount agrees to provide the services described below in exchange for the payment of the administrative fees set forth in Attachment A. 1. Administrative Services. a. The Employer has chosen SelectAccount as the HSA custodian for contributions by employees and the Employer. Once the contributions are deposited into the HSA, an HSA accountholder is free to request a distribution of the funds or to transfer them to another HSA custodian or trustee. The Employer does not sponsor or maintain the HSAs. The HSA accountholder is responsible for the establishment of the HSA, entering into an agreement with the HSA custodian or trustee and following the terms of that agreement. b. SelectAccount will accept HSA contributions and deposit the funds into the HSA established by the HSA accountholder as soon as administratively feasible. C. SelectAccount will arrange for initial employee enrollment communication meetings at client's request. Any meeting held at a location outside Minnesota will be subject to an additional charge, as set forth in Attachment A. d. SelectAccount will provide general administrative, accounting, record keeping, fiscal and other related services in connection with funding the HSA's. e. SelectAccount will record contribution additions, changes, and terminations permitted under the HSA Benefit. Employer will furnish this information to SelectAccount in a format acceptable to SelectAccount. f. SelectAccount will provide Employers secure web portal to administer enrollment, payrolls, reports, Employer profile, secured Email messaging and other functions needed for administration of HSA contributions. g. SelectAccount will provide HSA accountholders with SelectAccount and Minnesota Service Cooperatives cobranded secure web portal and interactive voice response "IVR" access to account balance information, transaction history, investment performance, investment realignment options, and secured Email messaging. h. Preferred Electronic Pricing Incentives. Prices will vary based on attainment by Employers with certain electronic communications and payment standards. Targets for preferred pricing are as follows: 2 Preferred Requirements 2014 2015 2016 2017 Group Portal Utilization Account holders on ACH Account holders on Crossover or Debit Card 100% 45% 90% 100% 60% 100% 100% 70% 100% 100% 90% 100% Utilize electronic communication with account holders whenever possible 2 For Plan years beginning in 2014, all Employers will receive preferred pricing under Table 1 of Attachment A (or Table 3, for those Employers that do not have group health plan coverage through the Service Cooperatives), whether or not they meet the targets for the Plan year. In the fourth quarter of Plan years beginning in 2014, the Service Cooperative and Employers will receive a report showing which groups have met the goals and which ones have not. Those groups that have not met 2014 goals will be assessed the higher rates in Table 2 (or Table 4, for those Employers that do not have group health plan coverage through the Service Cooperatives), for the entire Plan year beginning in 2015. Rates will be determined going forward in the same manner using the chart above and Tables 1 through 4 of Attachment A. 2. Documents SelectAccount shall provide the reports, documents, and testing described in this section via electronic format whenever possible. If electronic distribution by SelectAccount is available, the Plan Administrator may still request and receive paper mailing and distribution subject to additional fees paid by the Plan Administrator. a. SelectAccount will provide communication materials necessary to communicate the HSA Benefit to employees. SelectAccount will provide an employee brochure (pre -enrollment) and verification packet (post -enrollment) for distribution to employees by the Employer. b. SelectAccount shall furnish enrollment and contribution election forms and HSA participation agreements. 3 LIMITATION OF LIABILITY AND INDEMNIFICATION 1. Employer agrees that all information supplied to SelectAccount by Employer will be accurate and that SelectAccount may reasonably rely upon it without any obligation for further inquiry. Employer will be responsible for any losses or damages, including adverse tax consequences, resulting from any action taken or not taken by SelectAccount in reliance on such information except as a result of an act or omission by SelectAccount that was criminal, fraudulent, dishonest or grossly negligent. Employer agrees to hold SelectAccount harmless and to indemnify SelectAccount from any such losses or damages, including payment of reasonable attorney's fees, except as otherwise limited above. 2. SelectAccount will perform its duties and obligations under this Agreement in a timely fashion and with the requisite level of care. SelectAccount agrees to hold Employer harmless and to indemnify Employer from any losses or damages, including payment of reasonable attorney's fees, incurred as a result of any an act or omission by SelectAccount that was criminal, fraudulent, dishonest or grossly negligent. 3. SelectAccount is not, in any way, to be deemed an insurer, underwriter or guarantor with respect to any HSA Benefit. Nothing in this Agreement shall be deemed to impose upon SelectAccount any obligation to any employee of Employer or any participant in the HSA Benefit. 4 TERM AND TERMINATION 1. Service Year. It is intended that the Service Years under this Agreement correspond to the Plan years for each Employer. The initial Service Year of this Agreement will begin on the first day of the Plan year that begins on or after January 1, 2014, and will end on the last day of the 12th month thereafter. Pricing is guaranteed for each Employer for a period of four (4) years from the first day of the Plan year beginning on or after January 1, 2014. By way of example, pricing will be guaranteed for Employers with Plan years that begin on January 1, 2014 until December 31, 2017.This Agreement replaces and supersedes all prior Agreements, if any, between SelectAccount and Employer with respect to the subject matter of this Agreement, effective as of the next Service Year for the applicable Plan(s). Each Service Year for adopting Employers shall be as reflected in the applicable Adoption Agreement. 2. Automatic Renewal. This Agreement will automatically renew for an additional Service Year on the day following the last day of the prior Service Year unless the Parties have replaced this Agreement with a new Agreement or this Agreement is terminated as outlined below. If the Agreement is renewed for an additional Service Year, the Parties will be obligated to provide services and make payments for services as set forth in this Agreement and the Attachments. 3. Termination for Material Breach. Either Party may terminate this Agreement effective upon written notice to the other Party in the event of material breach, which includes, but is not limited to, (a) failure to pay any amounts when due under this Agreement so long as such default is not cured within a mutually agreed upon time period, or SelectAccount has a reasonable expectation that such default will not be cured, and (b) failure to provide services under this Agreement. In all situations where a Party elects to terminate this Agreement as a result of the material breach of the other Party, the non -breaching Party may, in its sole discretion, provide the breaching Party with a grace period to cure its breach, but such grace period shall not waive any of the rights or remedies the non -breaching Party has against the breaching Party. For clarification and not in limitation of the foregoing, adopted agreements shall be deemed separate and binding agreements between adopting Employers and SelectAccount, and shall be deemed to survive termination of this Agreement or any other adopted Agreement unless terminated separately according to their own terms. 4. Termination without Cause. This Agreement (or, as applicable, any adopted Agreement) may be terminated by SelectAccount, the Service Cooperative, or an adopting Employer (with respect to their interest) at any time, by giving written notice to the other Party at least sixty (60) days prior to the termination date. 5. Obligations after Termination. SelectAccount will have no responsibility to provide services to Employer after the termination of this Agreement. 5 GENERAL TERMS 1. Assignment of the Agreement. This Agreement may not be assigned by SelectAccount or Employer without the prior written consent of the other Party, which will not be unreasonably withheld. Any attempt to assign, in total, the rights, duties or obligations under this Agreement without such consent will be void and may, at the option of the other Party, constitute a material breach. Notwithstanding this prohibition on assignment of the entire Agreement, either Party may subcontract with another entity to perform specific services described herein (whether or not the right to subcontract has been specifically reserved) without consent of the other Party but will remain wholly responsible for the performance of such subcontracted services. 2. Notices. All notices required or permitted to be given by this Agreement will be in writing, and shall be deemed given when either personally delivered, sent by first class mail or overnight delivery to a Party at the respective addresses stated below: Employer: SelectAccount will retain on file all contact and address information for adopting Employers. Notices to the Service Cooperative shall be sent to the following address: Southwest/West Central Service Cooperative Attention: Cliff Carmody 1420 East College Drive Marshall, MN 56258 SelectAccount: Via hand delivery or courier: Reed Erickson Vice President Compliance and Risk Management 1200 Yankee Doodle Road, Route S1-40 Eagan, MN 55121-2202 Via U.S. Mail: Box 64193 Route S1-40 St Paul, MN 55164 A Party may change its address for receiving notices upon ten (10) days advance written notice to the other Party. 3. Severability. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality or enforceability of the remaining provisions will not in any way be affected or impaired thereby. 4. Status of an Independent Contractor. The Parties make this Agreement and will function as independent contractors and not as an agent of one another. Neither Party will state or imply M the contrary to anyone. The employees and agents of each Party will not be treated for any purpose as the agents or employees of the other Party. 5. Mandatory Arbitration. Employer and SelectAccount agree that any dispute related to or arising between the Parties under this Agreement will be subject to mandatory, binding arbitration to be held in the county of Dakota, state of Minnesota. The arbitration panel will consist of three arbitrators, one selected by Employer, one selected by SelectAccount and the third mutually agreed upon by Employer and SelectAccount. Should the Parties be unable to agree on a third arbitrator, the Parties agree that the "alternate striking" procedures of the American Arbitration Association will be used to select the third arbitrator for the Parties. The Parties may also agree to have only the third arbitrator or another person selected by the Parties conduct the arbitration. With respect to damages awarded in arbitration, the arbitration panel may award only reasonable compensatory damages and may not award punitive damages, liquidated damages, any multiple of compensatory damages or any other award in excess of compensatory damages. 6. Governing law/Exclusive Jurisdiction. Except as they may be subject to federal law (including the Code), any questions, disputes or litigation concerning or arising from this Agreement will be governed by the laws of the State of Minnesota. Although the Parties agree to mandatory, binding arbitration, should any litigation ensue, the Parties agree that a federal court within the State of Minnesota will be the exclusive forum for litigation regarding the interpretation or enforcement of this Agreement, unless the federal court determines that it does not have jurisdiction over the subject matter of the dispute, in which case the Parties agree that any action will be brought in a state court in Minnesota. 7. Errors and Omissions. It is understood and agreed that neither Party will be prejudiced in any way due to clerical error, omission, accident or oversight in connection with formulation or execution of this Agreement provided that corrections are reported to the other Party as soon as discovered. 8. Entire Agreement and Integration. This Agreement (including any Attachments) constitutes the entire, final agreement between SelectAccount and Employer and supersedes any previous agreement between the Parties with respect to the administrative services for the HSA Benefit. Each Party acknowledges that it has not relied on any representations from the other Party that are not set forth in this Agreement. No modification or amendment of this Agreement (or any Attachment) is valid unless made in writing and signed by both Parties. 9. Construction. It is fully understood and agreed to by both Parties that this Agreement will not be construed against SelectAccount as the drafter of the Agreement. 10. Audit. Upon sixty (60) days advance written notice by Employer, SelectAccount agrees to provide Employer's designated auditor with access to information needed to conduct an audit of records maintained by SelectAccount related to Member eligibility or customer service. The initial notice to SelectAccount will state the scope of the audit, identify the information that is needed, and propose sampling methodologies. The audit will be limited to the Servicing Year in which the audit is conducted and the immediately preceding Servicing Year. The Parties 7 agree to collaborate in good faith to develop an agreement that meets the needs of both Parties and outlines the agreed upon terms for conducting the audit. All auditors will be required to adhere to SelectAccount's procedures for maintaining the security of all information furnished by SelectAccount, and required to sign confidentiality agreements prior to the release of any information by SelectAccount. Any third party auditor must be acceptable to SelectAccount. SelectAccount will be entitled to receive copies of the draft and final audit reports, and will have the right to review and comment on audit findings prior to or simultaneous with the release of such report to Employer. SelectAccount's comments will be noted in the final report. Audits requested by Employer will be limited to one every two years. Employer will bear any expenses incurred by Employer or its auditor. Employer will also reimburse SelectAccount for its costs for any on-site audit that exceeds two business days. Employer will be charged for additional audits based on the actual cost to SelectAccount. 9 SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE HSA MASTER SERVICE AGREEMENT WITH MII LIFE INCORPORATED dba SELECTACCOUNT SIGNATURES Date:A-1-7 / Date: 1 �-/ Southwest/West Central Service Cooperative Signed: Name: a�1 Title: t61(t a L." �( b OrE,J�- SelectAccount Accepted: Reed Erickson Title: Vice President Compliance and Risk Manap,ement M SOUTHWEST/WEST CENTRAL SERVICE COOPERATIVE HSA MASTER SERVICE AGREEMENT WITH MII LIFE INCORPORATED dba SELECTACCOUNT ATTACHMENT A FEES This Attachment A to the Agreement between the Employer shown in the Adoption Agreement ("Employer") and Mil Life Incorporated dba SelectAccount (the "Parties") describes the fees payable to SelectAccount under such Agreement. If Employer pays the administrative fee on behalf of employees, such payment will billed to Employer. The Monthly Per Participant Fee is based on the number of employees who have an HSA as of the last day of the prior month. SelectAccount will submit a bill to Employer by the 15th day of each month for the Monthly Per Participant Fee owed for such month. If Employers utilize ACH for the payment of Account Fees, their group billing contact will be notified via email that an ACH pull has been scheduled and fees will be withdrawn from their bank accounts within two business days. The billing contact will receive one email notification per invoice generated. Employers should review bill immediately upon receipt and notify SelectAccount within sixty (60) calendar days of any adjustments to HSA accountholder's fees. Requests for adjustment after sixty (60) calendar days will not be accepted. If employees are required to pay the administrative fee, SelectAccount will debit the fee from the employee's HSA annually. SelectAccount will bill the Pay -the -provider fee to the Employer on a monthly basis. Pricing set forth in this Attachment A is guaranteed for each Employer for a period of four (4) years from the first day of the Plan Year beginning on or after January 1, 2014. By way of example, pricing will be guaranteed for Employers with Plan Years that begin on January 1, 2014 until December 31, 2017. Pricing will be guaranteed for Employers with Plan Years that begin on October 1, 2014 until September 30, 2018. B-1 One Time Performance Guarantee Cumulative Maximum 1$50,000 Setup Fee I Waived Annual 2014 Cafeteria Non-Discrimination Testing Waived 2016 Trust Fee Waived Monthly $0.60 Per Participant Per Month Fees: $0.60 Coop Members With Coop Blue Cross Insurance With Preferred Electronic Incentive Table 1 HSA Basic Coop Members With Coop Blue Cross Insurance Without Preferred Electronic Incentive Table 2 $1.20 Coop Members Without Coop Health Insurance With Preferred Electronic Incentive Table 3 $1.20 Coop Members Without Coop Health Insurance Without Preferred Electronic Incentive Table 4 $2.11 VEBA For NonCoop Members Table 5 $2.11 Debit Card $0.00 VEBA Thrift Optional Quarterly Statement fee (applies to all participants in groups that elect this option) $0.25 $0.60 Optional Pay -The -Provider fee (applies to all participants in groups that elect this option including those who opt out of Pay -The -Provider). $0.50 $0.60 Optional Basic Investment Account $1.50 $1.20 Prices are on a per account holder, per month basis $1.20 The Basic Investment Account is optional and NO fee is charged if account is NOT activated VEBA Premium Must have a Base Balance of $1,000 to open a Basic Investment Account Table 1- Coop Member & Coop Blue Cross Health Coverage Meeting Preferred Electronic Requirements Per Participant Per Month 2014 2015 2016 2017 HSA Thrift $0.60 $0.60 $0.60 $0.60 HSA Basic $1.20 $1.20 $1.20 $1.20 HSA Premium $2.11 $2.11 $2.11 $2.11 VEBA Thrift $0.60 $0.60 $0.60 $0.60 VEBA Basic $1.20 $1.20 $1.20 $1.20 VEBA Premium $2.11 $2.11 $2.11 $2.11 HRA $2.11 $2.11 $2.11 $2.11 FSA $2.11 $2.11 $2.11 $2.11 Wellness only $0.60 $0.60 $0.60 $0.60 Stacked: Funded Thrift / FSA $2.11 $2.11 $2.11 $2.11 Funded Basic / FSA $2.11 $2.11 $2.11 $2.11 Funded Premium/ FSA $2.11 $2.11 $2.11 $2.11 HRA / FSA $2.11 $2.11 $2.11 $2.11 HSA / VEBA Rate of Highest HSA /VEBA product Preferred Requirements 2014 2015 2016 2017 Group Portal Utilization 100% 100% 100% 100% Account holders on ACH 45% 60% 70% 90% Account holders on Crossover or Debit Card 90% 100% 100% 100% Utilize electronic communication with account holders whenever possible $0.10 per participant per month will be rebated to the Service Cooperative that made coverage available to the Employer. L•1% Table 2 - Coop Member & Coop Blue Cross Health Coverage NOT Meeting Preferred Electronic Requirements Per Participant Per Month 2014 2015 2016 2017 HSA Thrift $0.60 $0.60 $0.60 $0.60 HSA Basic $1.20 $1.20 $1.20 $1.20 HSA Premium $2.11 $2.11 $2.11 $2.11 VEBAThrift $0.60 $0.60 $0.60 $0.60 VEBA Basic $1.20 $1.20 $1.20 $1.20 VEBA Premium $2.11 $2.11 $2.11 $2.11 HRA $2.11 $2.21 $2.31 $2.41 FSA $2.11 $2.21 $2.31 $2.41 Wellness only $0.60 $0.60 $0.60 $0.60 Stacked: Funded Thrift/ FSA $2.11 $2.21 $2.31 $2.41 Funded Basic / FSA $2.11 $2.21 $2.31 $2.41 Funded Premium/ FSA $2.11 $2.21 $2.31 $2.41 HRA / FSA $2.11 $2.21 $2.31 $2.41 HSA / VEBA Rate of Highest HSA / VEBA product $0.10 per participant per month will be rebated to the Service Cooperative that made coverage available to the Employer. M Table 3 - Coop Member & No Coop Health Coverage Meeting Preferred 2014 2015 2016 2017 Electronic Requirements Per Participant Per Month 2014 2015 2016 2017 HSA Thrift $0.95 $0.95 $0.95 $0.95 HSA Basic $2.40 $2.40 $2.40 $2.40 HSA Premium $3.85 $3.85 $3.85 $3.85 VEBA Thrift $0.95 $0.95 $0.95 $0.95 VEBA Basic $2.40 $2.40 $2.40 $2.40 VEBA Premium $3.85 $3.85 $3.85 $3.85 HRA $4.30 $4.30 $4.30 $4.30 FSA $4.30 $4.30 $4.30 $4.30 Wellness only $0.95 $0.95 $0.95 $0.95 Stacked: $4.30 $4.40 $4.50 $4.60 Funded Thrift / FSA $4.30 $4.30 $4.30 $4.30 Funded Basic / FSA $4.30 $4.30 $4.30 $4.30 Funded Premium/ FSA $4.30 $4.30 $4.30 $4.30 HRA/ FSA $4.30 $4.30 $4.30 $4.30 HSA / VEBA Rate of Highest HSA /VEBA product Preferred Requirements 2014 2015 2016 2017 Group Portal Utilization 100% 100% 100% 100% Account holders on ACH 45% 60% 70% 90% Account holders on Crossover or Debit Card 90% 100% 100% 100% Utilize electronic communication with account holders whenever possible 50% of the difference to Table 1 will be rebated to the Service Cooperative that made coverage available to the Employer. Table 4 - Coop Member & No Coop Health Coverage NOT Meeting Preferred Electronic Requirements Per Participant Per Month 2014 2015 2016 2017 HSA Thrift $0.95 $0.95 $0.95 $0.95 HSA Basic $2.40 $2.40 $2.40 $2.40 HSA Premium $3.85 $3.85 $3.85 $3.85 VEBAThnft $0.95 $0.95 $0.95 $0.95 VEBA Basic $2.40 $2.40 $2.40 $2.40 VEBA Premium $3.85 $3.85 $3.85 $3.85 HRA $4.30 $4.40 $4.50 $4.60 FSA $4.30 $4.40 $4.50 $4.60 Wellness only $0.95 $0.95 $0.95 $0.95 Stacked: Funded Thrift / FSA $4.30 $4.40 $4.50 $4.60 Funded Basic / FSA $4.30 $4.40 $4.50 $4.60 Funded Premium/ FSA $4.30 $4.40 $4.50 $4.60 HRA / FSA $4.30 $4.40 $4.50 $4.60 HSA / VEB IRate of Highest HSA / VEBA product 150% of the difference to Table 2 will be rebated to the Service Cooperative that made coverage available to the Employer. M Table 5 - NonCoop Member VEBA 2014 2015 2016 2017 VEBAThrift $2.60 $2.60 $2.60 $2.60 VEBA Basic $3.20 $3.20 $3.20 $3.20 VEBA Premium $4.11 $4.11 $4.11 $4.11 50% of the difference to Table 2 will be rebated to the Service Cooperative that made coverage available to the Employer. Base Account Crediting Rates Thrift Basic Premium Saver Saver Saver $0 to $499 0.05% 0.25% 1.05% $500 to $999 0.05% 0.25% 1.05% $1,000 to $1,499 0.10% 0.40% 1.05% $1,500 to $2,499 0.10% 0.40% 1.05% $2,500 to $4,999 0.10% 0.40% 1.05% $5,000 to $9,999 0.20% 0.50% 1.10% $10,000 to $24,999 0.30% 0.75% 1.25% $25,000 to $49,999 0.50% 1.00% 1.75% $50,000 or greater 0.70% 1.25% 2.00% New and existing VEBA groups may select from the Thrift Saver, Basic Saver or Premium Saver options as shown above at setup or renewal. Crediting rates may be adjusted without notice at any time. Rates shown as of April 2014. IR ATTACHMENT B BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ("BAA") between MII Life Incorporated d/b/a SelectAccount ("Business Associate") and the Minnesota Service Cooperative VEBA Committee and adopting Employers on behalf of the Minnesota Service Cooperative VEBA Plan and Trust ("Covered Entity") is attached to and made part of the Minnesota Service Cooperatives VEBA Service Agreement with MII Life Incorporated d/b/a SelectAccount (the "Agreement") as such Agreement may be renewed from time to time. Business Associate and Covered Entity agree that this BAA replaces any prior Business Associate Agreements or prior Attachment B's. Covered Entity and Business Associate mutually agree to comply with the requirements of the implementing regulations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as modified by the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"). Specifically, the "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 106 and Part 164. The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and 164, subparts A and E. The HIPAA Security Rule is the HIPAA Security Standards at 54 CFR Parts 160 and 164, Subpart C. The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 CFR Part 164, subpart D. Business Associate recognizes and agrees that it is obligated by law to meet the applicable provisions of the HIPAA Rules. I. Privacy of Protected Health Information. A. Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information ("PHI") that it creates or receives on Covered Entity's behalf or receives from Covered Entity (or another business associate of Covered Entity) and to request PHI on Covered Entity's behalf (collectively, "Covered Entity's PHI") only as follows: 1. Functions and Activities on Covered Entity's Behalf. To perform functions, activities, services, and operations on behalf of Covered Entity, consistent with the Privacy Rule. More specifically, except as otherwise limited in this BAA, Business Associate is permitted to use and disclose PHI to perform the functions, activities, or services for, or on behalf of, Covered Entity as specified in the above named Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity. 2. Business Associate's Operations. For Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities, provided that, with respect to disclosure of Covered Entity's PHI, either: a. The disclosure is Required by Law; or b. Business Associate obtains reasonable assurance (and, upon request of Covered Entity, provides written evidence of such assurance) from any person or entity to which Business Associate will disclose Covered Entity's PHI that the person or entity shall: 1. Hold Covered Entity's PHI in confidence and use or further disclose Covered Entity's PHI only for the purpose for which Business Associate disclosed Covered Entity's PHI to the person or entity or as Required by Law; and 2. Immediately (and no later than three (3) days after the suspected or known breach) notify Business Associate (who shall in turn notify Covered Entity in accordance with Section IIID of this BAA) of any instance of which the person or entity becomes aware in which the confidentiality of Covered Entity's PHI was breached. B. Minimum Necessary and Limited Data Set. Business Associate's use, disclosure or request of PHI shall utilize a Limited Data Set if practicable. Otherwise, Business Associate shall, in its performance of the functions, activities, services, and operations specified in Section I.A.1above, make reasonable efforts to use, to disclose, and to request of a Covered Entity only the minimum amount of Covered Entity's PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request. In addition, Business Associate agrees to implement and follow appropriate minimum necessary policies in the performance of its obligations under this BAA. C. Prohibition on Unauthorized Use or Disclosure. Business Associate shall neither use nor disclose Covered Entity's PHI, except as permitted or required by this BAA or in writing by Covered Entity or as Required by Law. This BAA does not authorize Business Associate to use or disclose Covered Entity's PHI in a manner that will violate 45 C.F.R. Part 164, Subpart E "Privacy of Individually Identifiable Health Information" ("Privacy Rule") if done by Covered Entity, except as set forth in Section I.A.2 of this BAA. 1. Sale of PHI Prohibited. Business Associate shall not directly or indirectly receive any remuneration in exchange for Covered Entity's PHI. 2. Marketing of PHI. Business Associate shall not directly or indirectly receive any remuneration for any use or disclosure of PHI for marketing purposes. D. Information Safeguards. 1. Privacy of Covered Entity's PHI. Business Associate shall develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Covered Entity's PHI. The safeguards must reasonably protect Covered Entity's PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule, 45 CFR Part 164, Subpart E and this BAA, and limit incidental uses or N -M disclosures made pursuant to a use or disclosure otherwise permitted by this BAA. Business Associate shall document such safeguards, and, upon request, provide such safeguards to Covered Entity. 2. Security of Covered Entity's Electronic PHI. Business Associate shall develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity's behalf as required by the Security Rule, 45 C.F.R. Part 164, Subpart C. Business Associate also shall develop and implement policies and procedures and meet the Security Rule documentation requirements. Upon request, Business Associate shall provide such policies and procedures to Covered Entity. Business Associate shall encrypt all portable media on which Electronic PHI is stored, using a non-proprietary algorithm of at least 256 -bit cipher strength. E. Subcontractors and Agents. Business Associate shall require any of its subcontractors and agents, to which Business Associate is permitted by this BAA or in writing by Covered Entity to disclose Covered Entity's PHI, to provide reasonable assurance (and, upon request of Covered Entity, provide written evidence of such assurance) that such subcontractor or agent will comply with the same privacy and security safeguard obligations with respect to Covered Entity's PHI that are applicable to Business Associate under this BAA. F. State Law Compliance. Business Associate shall comply with all applicable state laws not preempted pursuant to 45 Code of Federal Regulations Part 160, Subpart B. II. Compliance with Transaction Standards. If Business Associate conducts in whole or part electronic Transactions on behalf of Covered Entity for which DHHS has established Standards, Business Associate shall comply, and shall require any subcontractor or agent it involves with the conduct of such Transactions to comply, with each applicable requirement of the Transaction Rule, 45 C.F.R. Part 162. Business Associate shall not enter into, or permit its subcontractors or agents to enter into, any Trading Partner Agreement in connection with the conduct of Standard Transactions on behalf of Covered Entity that: A. Changes the definition, data condition, or use of a data element or segment in a Standard Transaction; B. Adds any data element or segment to the maximum defined data set; C. Uses any code or data element that is marked "not used" in the Standard Transaction's implementation specification or is not in the Standard Transaction's implementation specification; or D. Changes the meaning or intent of the Standard Transaction's implementation specification. III. Individual Rights. A. Access. Business Associate will respond, within thirty (30) days to each request by an individual (or the individual's personal representative) to inspect or obtain copies of Covered Entity's PHI about the individual that is in Business Associate's custody or control, consistent with the requirements of 45 CFR Section 164.524, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524. Covered Entity delegates to Business Associate the sole authority to determine whether to deny access to such requested PHI solely with respect to duties assumed by Business Associate under the Agreement. Business Associate shall make such information available in an electronic format where directed by the individual. B. Amendment. Business Associate will respond within sixty (60) days and in accordance with Privacy Rules to each request by an individual (or the individual's personal representative) to amend Covered Entity's PHI about the individual that is in Business Associate's custody or control, consistent with the requirements of 45 CFR Section 164.526, so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526. Covered Entity delegates to Business Associate the sole authority to determine whether to grant a request to amend PHI, and amend the PHI as requested if such request for amendment is granted. C. Disclosure Accounting. So that Business Associate can meet disclosure accounting obligations under 45 C.F.R. § 164.528 that are delegated to it by Covered Entity, Business Associate shall record the following information ("Disclosure Information") for each disclosure of Covered Entity's PHI, that Business Associate makes to Covered Entity or to a third party. 1. Disclosure Information Generally. Except for repetitive disclosures of Covered Entity's PHI as specified in Section III.C.2 below and for disclosures for large research studies as specified in Section III.C.3 below, the Disclosure Information that Business Associate must record for each accountable disclosure are the requirements set forth in the HIPAA Privacy Rule, including but not limited to: (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of Covered Entity's PHI disclosed, and (iv) a brief statement of the purpose of the disclosure. 2. Disclosure Information for Repetitive Disclosures. For repetitive disclosures of Covered Entity's PHI that Business Associate makes for a single purpose to the same person or entity (including Covered Entity), the Disclosure Information that Business Associate must record is either the Disclosure Information specified in Section III.C.1 above for each accountable disclosure, or (i) the Disclosure Information specified in Section III.C.1 above for the first of the repetitive accountable disclosures, (ii) the frequency, periodicity, or number of the repetitive IN:J accountable disclosures, and (iii) the date of the last of the repetitive accountable disclosures. 3. Disclosure Information for Large Research Activities. For disclosures of Covered Entity's PHI that Business Associate makes for particular Research involving 50 or more individuals and for which an Institutional Review Board or Privacy Board has waived authorization during the period covered by an individual's disclosure accounting request, the Disclosure Information that Business Associate must record is (i) the name of the Research protocol or activity, (ii) a plain language description of the Research protocol or activity, including its purpose and criteria for selecting particular records, (iii) a brief description of the type of Covered Entity's PHI disclosed for the Research, (iv) the dates or periods during which Business Associate made or may have made these disclosures, including the date of the last disclosure that Business Associate made during the period covered by an individual's disclosure accounting request, (v) the name, address, and telephone number of the Research sponsor and of the researcher to whom Business Associate made these disclosures, and (vi) a statement that Covered Entity's PHI relating to an individual requesting the disclosure accounting may or may not have been disclosed for a particular Research protocol or activity. Business Associate shall, upon request of Covered Entity or an individual requesting the disclosure accounting, assist Covered Entity or the individual to contact the Research sponsor and the researcher if it is reasonably likely that Covered Entity's PHI relating to the individual was disclosed for the particular Research protocol or activity. D. Reporting of Disclosure Information. Business Associate shall report the Disclosure Information to Covered Entity within five (5) days following the accountable disclosure. E. Maintenance of Disclosure Information. Unless otherwise provided by applicable law, Business Associate shall maintain the Disclosure Information for at least 11 years following the date of the accountable disclosure to which the Disclosure Information relates. F. Individual Disclosure Requests. Business Associate will respond within sixty (60) days and in accordance with Privacy Rules to each request by an individual (or the individual's personal representative) for an accounting of Disclosures solely with respect to duties assumed by Business Associate under the Agreement, consistent with the requirements of 45 CFR Section 164.528, so that Covered Entity may meet its disclosure obligations under 45 C.F.R. § 164.528. Covered Entity delegates to Business Associate the sole authority to determine whether to grant a request to amend PHI, and amend the PHI as requested if such request for amendment is granted. G. Restriction Agreements and Confidential Communications. Business Associate will respond within sixty (60) days to each request by an individual (or the individual's personal representative) to (i) restrict use or disclosure of Covered B-10 Entity's PHI pursuant to 45 C.F.R. § 164.522(a), or (ii) require confidential communication about Covered Entity's PHI pursuant to 45 C.F.R. § 164.522(b), so that.Covered Entity may meet its obligations under 45 C.F.R. § 164.522. Covered Entity delegates to Business Associate the sole authority to determine whether to grant a request to restrict use or disclosure of PHI or provide confidential communication about PHI solely with respect to duties assumed by Business Associate under the Agreement. H. Contact Person. Business Associate agrees to provide a contact person or office responsible for receiving enrollee privacy or security complaints or questions solely with respect to duties assumed by Business Associate under the Agreement. IV. Privacy Obligation Breach and Security Incidents. A. Reporting. 1. Privacy Breach. Business Associate shall report to Covered Entity any use or disclosure of Covered Entity's PHI not permitted by this BAA or in writing by Covered Entity. In addition, Business Associate shall report, following discovery and without unreasonable delay, but in no event later than five (5) days following discovery, any "Breach" of "Unsecured Protected Health Information" as these terms are defined by the Breach Notification Regulation. However, in providing such notice, Business Associate will ensure that it does not disclose PHI to Covered Entity. 2. Security Incident. The Security Rules define a "Security Incident" as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system, involving electronic PHI ("e -PHI") that is created, received, maintained or transmitted by or on behalf of a Party. Since the Security Rules include attempted unauthorized access, use, disclosure, modification or destruction of information, Covered Entity needs to have notice of attempts to bypass electronic security mechanisms. The Parties recognize and agree that the significant number of meaningless attempts to, without authorization, access use, disclose, modify or destroy a -PHI will make a real-time reporting requirement formidable for Business Associate. Therefore, the Parties agree to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of information or interference with system operations ("Successful Security Incidents") and for Security Incidents that do not so result ("Unsuccessful Security Incidents"). For Unsuccessful Security Incidents, the Parties agree that this paragraph constitutes notice of such Unsuccessful Security Incidents. By way of example, the Parties consider the following to be illustrative of Unsuccessful Security Incidents when they do not result in actual B-11 unauthorized access, use, disclosure, modification or destruction of a -PHI or interference with an information system: • Pings on Business Associate's firewall, • Port scans, • Attempts to log on to a system or enter a database with an invalid password or username, • Denial -of -service attacks that do not result in a server being taken off-line, and • Malware (worms, viruses, etc.) However, in providing such notice, Business Associate will ensure that it does not disclose PHI to Covered Entity. B. Breach Notification. 1. Monitoring and Reporting Incidents of Unauthorized Use or Disclosure of Unsecured PHI. Business Associate will take reasonable steps to monitor the unauthorized acquisition, access, use, and disclosure (subsequently referred to as use or disclosure) of Unsecured PHI relating to Covered Entity. In particular, individuals who use or disclose PHI relating to Covered Entity on behalf of Business Associate will be required to report all such unauthorized use or disclosure to Business Associate's Privacy Official or designated individual. 2. Determination Whether Unauthorized Use or Disclosure Constitutes Breach. Upon receiving a report of unauthorized use or disclosure, Business Associate will undertake a risk assessment to determine whether there is a low probability that the PHI has been compromised pursuant to the Breach Notification Regulation. The Business Associate will make and retain records of such determinations, including the basis for determinations that unauthorized uses or disclosures are not Breaches of Unsecured PHI. 3. Notice to Affected Individuals of Breach. If the unauthorized use or disclosure constitutes a Breach, the Business Associate will notify the Individual(s) whose Unsecured PHI was used or disclosed improperly in accordance with the Breach Notification Requirements via written notice, substitute notice or notice in urgent situations, as appropriate. Business Associate shall be responsible for any and all costs relating to such notice. Written notices will be written in plain language and will include, to the extent possible: A. a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; B-12 B. a description of the types of Unsecured PHI involved (without, however, including specific PHI); C. any steps Individuals should take to prevent potential harm resulting from the Breach; D. a brief description of what the Business Associate is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and E. contact procedures for Individuals to ask Business Associate questions or learn additional information, including a toll-free telephone number, e-mail address, website, or postal address. Such notification will be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. Business Associate will provide Covered Entity with a copy of the notice it determines is required by this paragraph 3 prior to its distribution for review and approval by Covered Entity, which approval will not be unreasonably withheld. However, in providing such notice, Business Associate will ensure that it does not disclose PHI to Covered Entity. 4. Notice to Media of Breaches Involving More Than 500 Residents of Same State or Jurisdiction. If a Breach involves more than 500 residents of the same State or jurisdiction, the Business Associate will notify the media in accordance with the Breach Notification Requirements. Business Associate shall be responsible for any and all costs relating to such notice. Such notification will be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach. Business Associate will provide Covered Entity with a copy of the notice it determines is required by this paragraph 4 prior to its distribution for review and approval by Covered Entity, which approval will not be unreasonably withheld. S. Notice to Covered Entity of Breaches Involving 500 or More Individuals. If a Breach involves 500 or more individuals the Business Associate will notify Covered Entity with all the appropriate information so Covered Entity can notify HHS in the manner specified in the Breach Notification Requirements and on the HHS website. Business Associate will provide such notification without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach. 6. Maintenance of Log and Annual Notice to Covered Entity of Breaches Involving Less than 500 Individuals. The Business Associate will maintain a log of Breaches involving less than 500 Individuals and, not later than 30 days after the end of each calendar year, notify Covered Entity with all the appropriate information so Covered Entity can notify HHS in the B-13 manner specified in the Breach Notification Requirements and on the HHS website. 7. Delayed Notification. Notwithstanding paragraph 3 or 4 above, if a law enforcement official provides Business Associate with a statement that the notification required under paragraph 3 or 4 above would impede a criminal investigation or cause damage to national security, then Business Associate may delay the notification for the period of time set forth in the statement. If the law enforcement official provides an oral statement, then Business Associate shall document the statement in writing, including the name of the law enforcement official making the statement, and may delay the notification required under paragraph 3 or 4 for no longer than thirty (30) days from the date of the oral statement, unless the law enforcement official provides a written statement during that time that specifies a different time period. Business Associate shall be obligated to maintain evidence to demonstrate that the required notification under this paragraph was made. C. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA, including, but not limited to, reimbursing Covered Entity for any and all costs related to credit - monitoring of Covered Entity's members. D. Termination of BAA. 1. Right to Terminate for Breach. Covered Entity may terminate this BAA (as well as any other agreement to which this BAA is attached) if it determines, in its sole discretion, that Business Associate has breached any provision of this BAA and upon written notice to Business Associate of the breach, Business Associate fails to cure the breach within ten (10) days after receipt of the notice. Covered Entity may exercise this right to terminate this BAA by providing Business Associate written notice of termination, stating the failure to cure the breach of the BAA that provides the basis for the termination. Any such termination will be effective immediately or at such other date specified in Covered Entity's notice of termination. If for any reason Covered Entity determines that Business Associate has breached the terms of this BAA and such breach has not been cured, but Covered Entity determines that termination of the BAA is not feasible, Covered Entity may report such breach to the U.S. Department of Health and Human Services. 2. Termination Upon Expiration or Termination of Related Agreement(s). In the event any underlying agreement(s) to which this BAA is attached expires or is terminated, this BAA shall also be terminated, effective as the date of the expiration or termination of the underlying agreement(s). 3. Obligations on Termination. *MV a. Return or Destruction of Covered Entity's PHI as Feasible. Upon termination or other conclusion of this BAA, Business Associate shall, if feasible, return to Covered Entity or destroy Covered Entity's entire PHI in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of Covered Entity's PHI. Business Associate shall require any subcontractor or agent, to which Business Associate has disclosed Covered Entity's PHI as permitted by Section LE of this BAA, to if feasible return to Business Associate (so that Business Associate may return it to Covered Entity) or destroy all of Covered Entity's PHI in whatever form or medium received from Business Associate, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of Covered Entity's PHI, and certify on oath to Business Associate that all such information has been returned or destroyed. Business Associate shall complete these obligations as promptly as possible, but not later than thirty (30) days following the effective date of the termination or other conclusion of this BAA. b. Procedure When Return or Destruction Is Not Feasible. Business Associate shall identify any of Covered Entity's PHI, including any that Business Associate has disclosed to subcontractors or agents as permitted by Section LE of this BAA, that cannot feasibly be returned to Covered Entity or destroyed and explain why return or destruction is infeasible. Where Covered Entity agrees that such return or destruction is infeasible, Business Associate shall limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible. If Covered Entity does not agree, subparagraph 3.a. above shall apply. Business Associate shall require such subcontractor or agent to limit its further use or disclosure of Covered Entity's PHI that such subcontractor or agent cannot feasibly return or destroy to those purposes that make the return or destruction of such information infeasible. Business Associate shall complete these obligations as promptly as possible, but not later than thirty (30) days following the effective date of the termination or other conclusion of this BAA. C. Continuing Privacy and Security Obligation. Business Associate's obligation to protect the privacy and safeguard the security of Covered Entity's PHI as specified in this BAA will be continuous and survive termination or other conclusion of this BAA. B-15 E. Indemnity. Business Associate shall indemnify and hold harmless Covered Entity and any Covered Entity affiliate, officer, director, employee or agent from and against any claim, cause of action, liability, damage, fines, penalties, cost or expense, including attorneys' fees and court or proceeding costs, arising out of or in connection with any non -permitted use or disclosure of Covered Entity's PHI or other breach of this BAA by Business Associate or any subcontractor or agent under Business Associate's control. Covered Entity will indemnify and hold harmless Business Associate and any Business Associate affiliate, officer, director, employee or agent from and against any claim, cause of action, liability, damage, fines, penalties, cost or expense, including attorneys' fees and court or proceeding costs, arising out of or in connection with any non -permitted use or disclosure of Covered Entity's PHI or other breach of this BAA by Covered Entity or any subcontractor or agent under Covered Entity's control. 1. Right to Tender or Undertake Defense. If Covered Entity is named a party in any judicial, administrative or other proceeding arising out of or in connection with any non -permitted use or disclosure of Covered Entity's PHI or other breach of this BAA by Business Associate or any subcontractor or agent under Business Associate's control, Covered Entity will have the option at any time either (A) to tender its defense to Business Associate, in which case Business Associate shall provide qualified attorneys, consultants, and other appropriate professionals to represent Covered Entity's interests at Business Associate's expense, or (B) undertake its own defense, choosing the attorneys, consultants, and other appropriate professionals to represent its interests, in which case Business Associate will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants, and other professionals. If Business Associate is named a party in any judicial, administrative or other proceeding arising out of or in connection with any non -permitted use or disclosure of Covered Entity's PHI or other breach of this BAA by Covered Entity or any subcontractor or agent under Covered Entity's control, Business Associate will have the option at any time either (A) to tender its defense to Covered Entity, in which case Covered Entity will provide qualified attorneys, consultants, and other appropriate professionals to represent Business Associate's interests at Covered Entity's expense, or (B) undertake its own defense, choosing the attorneys, consultants, and other appropriate professionals to represent its interests, in which case Covered Entity will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants, and other professionals. 2. Right to Control Resolution. Covered Entity will have the sole right and discretion to settle, compromise or otherwise resolve any and all claims, causes of actions, liabilities or damages against it, notwithstanding that Covered Entity may have tendered its defense to Business Associate. Any B-16 such resolution will not relieve Business Associate of its obligation to indemnify Covered Entity under this Section IV.E. Business Associate will have the sole right and discretion to settle, compromise or otherwise resolve any and all claims, causes of actions, liabilities or damages against it, notwithstanding that Business Associate may have tendered its defense to Covered Entity. Any such resolution will not relieve Covered Entity of its obligation to indemnify Business Associate under this Section IV.E. V. General Provisions. A. Inspection of Internal Practices, Books, and Records. Business Associate shall make its internal practices, books, and records relating to its use and disclosure of Covered Entity's PHI available to Covered Entity and to DHHS to determine Covered Entity's compliance with the Privacy Rule, 45 C.F.R. Part 164, Subpart E, and the Security Rule. B. Definitions. The terms "Covered Entity," "Electronic Protected Health Information," "Protected Health Information," "Standard," "Trading Partner Agreement," and "Transaction" have the meanings set out in 45 C.F.R. § 160.103. The term "Standard Transaction" has the meaning set out in 45 C.F.R. § 162.103. The term "Required by Law" has the meaning set out in 45 C.F.R. § 164.103. The terms "Health Care Operations," "Payment," "Research," and "Treatment" have the meanings set out in 45 C.F.R. § 164.501. The term "Limited Data Set" has the meaning set out in 45 C.F.R. § 164.514(e). The term "use" means, with respect to PHI, utilization, employment, examination, analysis or application within Business Associate. The terms "disclose" and "disclosure" mean, with respect to PHI, release, transfer, providing access to or divulging to a person or entity not within Business Associate. For purposes of this BAA, Covered Entity's PHI encompasses Covered Entity's Electronic PHI. Any other capitalized terms not identified in this BAA will have the meanings set forth in the HIPAA Rules. C. Amendment to BAA. Upon the compliance date of any final regulation or amendment to final regulation promulgated by DHHS that affects Business Associate's use or disclosure of Covered Entity's PHI or Standard Transactions, this BAA will automatically amend such that the obligations imposed on Business Associate remain in compliance with the final regulation or amendment to final regulation. D. Privacy Notice. Business Associate agrees to include a draft notice, consistent with the requirements in 45 C.F.R. § 164.520 and the terms of this Attachment, in the summary plan descriptions of adopting Employers. E. Privacy Official. Business Associate agrees to designate a privacy official who will also act as the Covered Entity's privacy official solely with respect to duties assumed by Business Associate under the Agreement. F. Conflicts. In the event that this BAA is made part of another agreement between the parties, the terms and conditions of this BAA will override and Am control any conflicting term or condition of such other agreement, provided that this BAA shall not override any rights of the parties to terminate any such other agreement in accordance with the terms and conditions of such other agreement.