Anthem/HR/Group Health Insurance Plan

Group Health Plan Business Associate Agreement

This Business Associate Agreement ("Agreement") is effective as of January 1, 2015 and is made among Business Associate, and the Group Health Plan ("Plan"), and the Employer ("Employer") named on the signature page of this Agreement.

WITNESSETH AS FOLLOWS:

WHEREAS, Employer has established and maintains a plan of health care benefits which is administered by the Employer or its designee as an employee welfare benefit plan as defined by Section 3(1) of the Employee Retirement Income Security Act of 1974 ("ERISA");

WHEREAS, Employer has retained Business Associate to provide certain claims administrative services with respect to the Plan which are described and set forth in a separate Administrative Services Agreement among those parties ("ASO Agreement"), as amended from time to time;

WHEREAS, Employer is authorized to enter into this agreement on behalf of Plan;

WHEREAS, the parties to this Agreement desire to establish the terms under which Business Associate may use or disclose Protected Health Information (as defined herein) such that the Plan may comply with applicable requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160-164) ("HIPAA Privacy Regulation" and/or "HIPAA Security Regulation") and the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), that are applicable to business associates, along with any guidance and/or regulations issued by the U.S. Department of Health and Human Services.

NOW, THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, the Plan, Employer and Business Associate hereby agree as follows:

PART 1 — BUSINESS ASSOCIATE'S RESPONSIBILITIES

I.
PRIVACY OF PROTECTED HEALTH INFORMATION

A. Confidentiality of Protected Health Information

Except as permitted or required by this Agreement, Business Associate will not use or disclose Protected Health Information without the authorization of the Individual who is the subject of such information or as required by law.

B. Prohibition on Non-Permitted Use or Disclosure

Business Associate will neither use nor disclose Individuals' Protected Health Information except (1) as permitted or required by this Agreement, or any other agreement between the parties, (2) as permitted in writing by the Plan or its Plan administrator, (3) as authorized by Individuals, or (4) as required by law.

C. Permitted Uses and Disclosures

Business Associate is permitted to use or disclose Individuals' Protected Health Information as follows:

1. Functions and Activities on Plan's Behalf

Business Associate will be permitted to use and disclose Individuals' Protected Health Information (a) for the management, operation and administration of the Plan, (b) for the services set forth in the ASO Agreement, which include (but are not limited to) Treatment, Payment activities, and/or Health Care Operations as these terms are defined in this Agreement and 45 Code of Federal Regulations § 164.501, and (c) as otherwise required to perform its obligations under this Agreement and the ASO Agreement, or any other agreement between the parties provided that such use or disclosure would not violate the HIPAA Privacy or Security Regulations if done by the Plan and the HITECH Act.

WellPoint 05/15/13

2. Business Associate's Own Management and Administration

a. Protected Health Information Use

Business Associate may use Individuals' Protected Health Information as necessary for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities.

b.
Protected Health Information Disclosure

Business Associate may disclose Individuals' Protected Health Information as necessary for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities only (i) if the disclosure is required by law, or (ii) if before the disclosure, Business Associate obtains from the entity to which the disclosure is to be made reasonable assurance, evidenced by written contract, that the entity will (x) hold Individuals' Protected Health Information in confidence, (y) use or further disclose Individuals' Protected Health Information only for the purposes for which Business Associate disclosed it to the entity or as required by law; and (z) notify Business Associate of any instance of which the entity becomes aware in which the confidentiality of any Individuals' Protected Health Information was breached.

3. Miscellaneous Functions and Activities

a. Protected Health Information Use

Business Associate may use Individuals' Protected Health Information as necessary for Business Associate to perform Data Aggregation services, and to create Deidentified Information, Summary Health Information and/or Limited Data Sets.

b. Protected Health Information Disclosure

Business Associate may disclose, in conformance with the HIPAA Privacy Regulation, Individuals' Protected Health Information to make Incidental Disclosures and to make disclosures of Deidentified Information, Limited Data Set Information, and Summary Health Information.

4. Minimum Necessary and Limited Data Set.

Business Associate's use, disclosure or request of Protected Health Information shall utilize a Limited Data Set if practicable. Otherwise, Business Associate will make reasonable efforts to use, disclose, or request only the minimum necessary amount of Individuals' Protected Health Information to accomplish the intended purpose.

D.
Disclosure to Plan and Employer (and their Subcontractors)

Other than disclosures permitted by Section I.C above, Business Associate will not disclose Individuals' Protected Health Information to the Plan, its Plan administrator or Employer, or any business associate or subcontractor of such parties except as set forth in Section VIII.

E. Disclosure to Business Associate's Subcontractors and Agents

Business Associate will require its subcontractors and agents to provide reasonable assurance, evidenced by written contract, that such other entity will comply with the same privacy and security obligations with respect to Individuals' Protected Health Information as applies to Business Associate.

Form ASO BAA 05/15/2013

F. Reporting Non-Permitted Use or Disclosure, Breaches and Security Incidents

1. Non-permitted Use or Disclosure. Business Associate will promptly report to the Plan any use or disclosure of Individuals' Protected Health Information not permitted by this Agreement or in writing by the Plan or its Plan administrator, of which Business Associate becomes aware. Such report shall not include instances where Business Associate inadvertently misroutes Protected Health Information to a provider.

2. Security Incidents. In addition to reporting to Plan any use or disclosure of Protected Health Information not permitted by the Agreement, Business Associate will also report any Breach or security incidents of which Business Associate becomes aware. A security incident is an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system, and involves only electronic Protected Health Information that is created, received, maintained or transmitted by or on behalf of Business Associate, that is in electronic form.
The parties acknowledge and agree that this section constitutes notice by Business Associate to Company of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Company shall be required. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI or NPFI.

3. Breach. Business Associate will promptly report to Plan any Breach of Unsecured PHI. Business Associate will cooperate with Plan in investigating the Breach and in meeting the Plan's obligations under the HITECH Act and other applicable Security Breach notification laws. In addition to providing notice to Plan of a Breach, Business Associate will provide any required notice to individuals and applicable regulators on behalf of Plan, unless Plan is otherwise notified by Business Associate.

G. Termination for Breach of Privacy Obligations

Without limiting the rights of the parties set forth in the ASO Agreement, each party will have the right to terminate this Agreement and the ASO Agreement if the other has engaged in a pattern of activity or practice that constitutes a material breach or violation of their obligations regarding Protected Health Information under this Agreement. Prior to terminating this Agreement as set forth above, the terminating party shall provide the other with an opportunity to cure the material breach. If these efforts to cure the material breach are unsuccessful, as determined by the terminating party in its reasonable discretion, parties shall terminate the ASO Agreement and this Agreement, as soon as administratively feasible.
If for any reason a party has determined the other has breached the terms of this Agreement and such breach has not been cured, but the non-breaching party determines that termination of the Agreement is not feasible, the party may report such breach to the U.S. Department of Health and Human Services.

H. Disposition of Protected Health Information

1. Return or Destruction Upon ASO Agreement End

The parties agree that upon cancellation, termination, expiration or other conclusion of the ASO Agreement, destruction or return of all Protected Health Information, in whatever form or medium (including in any electronic medium under Business Associate's custody or control) is not feasible given the regulatory requirements to maintain and produce such information for extended periods of time after such termination. In addition, Business Associate is required to maintain such records to support its contractual obligations with its vendors and network providers. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those consistent with applicable law for so long as Business Associate, or its subcontractors or agents, maintains such Protected Health Information. Business Associate may destroy such records in accordance with applicable law and its record retention policy that it applies to similar records.

2. Exception When Business Associate Becomes Plan's Health Insurance Issuer

If upon cancellation, termination, expiration or other conclusion of the ASO Agreement, Business Associate (or an affiliate of Business Associate) becomes the Plan's health insurance underwriter, then Business Associate shall transfer any Protected Health Information that Business Associate created or received for or from Plan to that part of Business Associate (or affiliate of Business Associate) responsible for health insurance functions.

3.
Survival of Termination

The provisions of this Section I.H. shall survive cancellation, termination, expiration, or other conclusion of this Agreement and the ASO Agreement.

II. ACCESS, AMENDMENT AND DISCLOSURE ACCOUNTING

A. Access

1. Business Associate will respond to an Individual's request for access to his or her Protected Health Information as part of Business Associate's normal customer service function, if the request is communicated to Business Associate directly by the Individual. Despite the fact that the request is not made to the Plan, Business Associate will respond to the request with respect to the Protected Health Information Business Associate and its subcontractors maintain in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulation.

2. In addition, Business Associate will assist the Plan in responding to requests by Individuals that are made to the Plan to invoke a right of access under the HIPAA Privacy Regulation by performing the following functions: Upon receipt of written notice (includes faxed and emailed notice) from the Plan, Business Associate will make available for inspection and obtaining copies by the Plan, or at the Plan's direction by the Individual (or the Individual's personal representative), any Protected Health Information about the Individual created or received for or from the Plan in Business Associate's custody or control, so that the Plan may meet its access obligations under 45 Code of Federal Regulations § 164.524, and, where applicable, the HITECH Act. Business Associate will make such information available in an electronic format where required by the HITECH Act.

B. Amendment

1. Business Associate will respond to an Individual's request to amend his or her Protected Health Information as part of Business Associate's normal customer service functions, if the request is communicated to Business Associate directly by the Individual.
Despite the fact that the request is not made to the Plan, Business Associate will respond to the request with respect to the Protected Health Information Business Associate and its subcontractors maintain in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulation.

2. In addition, Business Associate will assist the Plan in responding to requests by Individuals that are made to the Plan to invoke a right to amend under the HIPAA Privacy Regulation by performing the following functions: Upon receipt of written notice (includes faxed and mailed notice) from the Plan, Business Associate will amend any portion of the Protected Health Information created or received for or from the Plan in Business Associate's custody or control, so that the Plan may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.

C. Disclosure Accounting

1. Business Associate will respond to an Individual's request for an accounting of disclosures of his or her Protected Health Information as part of Business Associate's normal customer service function, if the request is communicated to the Business Associate directly by the Individual. Despite the fact that the request is not made to the Plan, Business Associate will respond to the request with respect to the Protected Health Information Business Associate and its subcontractors maintain in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulation.

2. In addition, Business Associate will assist the Plan in responding to requests by Individuals that are made to the Plan to invoke a right to an accounting of disclosures under the HIPAA Privacy Regulation by performing the following functions so that the Plan may meet its disclosure accounting obligation under 45 Code of Federal Regulations § 164.528:

a.
Disclosure Tracking

Business Associate will record each disclosure that Business Associate makes of Individuals' Protected Health Information, which is not excepted from disclosure accounting under Section II.C.2.b. The information about each disclosure that Business Associate must record ("Disclosure Information") is (a) the disclosure date, (b) the name and (if known) address of the person or entity to whom Business Associate made the disclosure, (c) a brief description of the Protected Health Information disclosed, and (d) a brief statement of the purpose of the disclosure or a copy of any written request for disclosure under 45 Code of Federal Regulations § 164.502(a)(2)(ii) or § 164.512. Disclosure Information also includes any information required to be provided by the HITECH Act.

For repetitive disclosures of Individuals' Protected Health Information that Business Associate makes for a single purpose to the same person or entity (including to the Plan or Employer), Business Associate may record (a) the Disclosure Information for the first of these repetitive disclosures, (b) the frequency, periodicity or number of these repetitive disclosures, and (c) the date of the last of these repetitive disclosures.

b.
Exceptions from Disclosure Tracking

Business Associate will not be required to record Disclosure Information or otherwise account for disclosures of Individuals' Protected Health Information (a) for Treatment, Payment or Health Care Operations (except where required by the HITECH Act, as of the effective dates of such requirements), (b) to the Individual who is the subject of the Protected Health Information, to that Individual's personal representative, or to another person or entity authorized by the Individual, (c) to persons involved in that Individual's health care or payment for health care as provided by 45 Code of Federal Regulations § 164.510, (d) for notification for disaster relief purposes as provided by 45 Code of Federal Regulations § 164.510, (e) for national security or intelligence purposes, (f) to law enforcement officials or correctional institutions regarding inmates, (g) that are incident to a use or disclosure that is permitted by this Agreement or the ASO Agreement, (h) as part of a limited data set in accordance with 45 Code of Federal Regulations § 164.514(e), or (i) that occurred prior to the Plan's compliance date.

c. Disclosure Tracking Time Periods

Unless otherwise provided by the HITECH Act and/or any accompanying regulations, Business Associate will have available for the Plan the Disclosure Information required by Section II.C.2.a above for the six (6) years immediately preceding the date of the Plan's request for the Disclosure Information.

d. Provision of Disclosure Accounting

Upon receipt of written notice (includes faxed and emailed notice) from the Plan, Business Associate will make available to the Plan, or at the Plan's direction to the Individual (or the Individual's personal representative), the Disclosure Information regarding the Individual, so the Plan may meet its disclosure accounting obligations under 45 Code of Federal Regulations § 164.528 and the HITECH Act.

D.
Confidential Communications

Business Associate will respond to an Individual's request for a confidential communication as part of Business Associate's normal customer service function, if the request is communicated to Business Associate directly by the Individual. Despite the fact that the request is not made to the Plan, Business Associate will respond to the request with respect to the Protected Health Information Business Associate and its subcontractors maintain in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulation. If an Individual's request, made to Business Associate, extends beyond information held by Business Associate or Business Associate's subcontractors, Business Associate will inform the Individual to direct the request to the Plan, so that Plan may coordinate the request. Business Associate assumes no obligation to coordinate any request for a confidential communication of Protected Health Information maintained by other business associates of Plan.

2. In addition, Business Associate will assist the Plan in responding to requests by Individuals that are made to the Plan to invoke a right of confidential communication under the HIPAA Privacy Regulation by performing the following functions: Upon receipt of written notice (includes faxed and emailed notice) from the Plan, Business Associate will begin to send all communications of Protected Health Information directed to the Individual to the identified alternate address so that the Plan may meet its access obligations under 45 Code of Federal Regulations § 164.524.

E. Restrictions

1. Business Associate will respond to an Individual's request for a restriction as part of Business Associate's normal customer service function, if the request is communicated to Business Associate directly by the Individual.
Despite the fact that the request is not made to the Plan, Business Associate will respond to the request with respect to the Protected Health Information Business Associate and its subcontractors maintain in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulation.

2. In addition, Business Associate will promptly, upon receipt of notice from Plan, restrict the use or disclosure of Individuals' Protected Health Information, provided the Business Associate has agreed to such a restriction. Plan and Employer understand that Business Associate administers a variety of different complex health benefit arrangements, both insured and self-insured, and that Business Associate has limited capacity to agree to special privacy restrictions requested by Individuals. Accordingly, Plan and Employer agree that it will not commit Business Associate to any restriction on the use or disclosure of Individuals' Protected Health Information for Treatment, Payment or Health Care Operations without Business Associate's prior written approval.

III. SAFEGUARD OF PROTECTED HEALTH INFORMATION

Business Associate will develop and maintain reasonable and appropriate administrative, technical and physical safeguards, as required by Social Security Act § 1173(d) and 45 Code of Federal Regulations § 164.530(a) and (c) and as required by the HITECH Act, to ensure and to protect against reasonably anticipated threats or hazards to the security or integrity of health information, to protect against reasonably anticipated unauthorized use or disclosure of health information, and to reasonably safeguard Protected Health Information from any intentional or unintentional use or disclosure in violation of this Agreement.
Business Associate will also develop and use appropriate administrative, physical and technical safeguards to preserve the Availability of electronic Protected Health Information, in addition to preserving the integrity and confidentiality of such Protected Health Information. The "appropriate safeguards" Business Associate uses in furtherance of 45 Code of Federal Regulations § 164.530(c), will also meet the requirements contemplated by 45 Code of Federal Regulations Parts 160, 162 and 164, as amended from time to time.

IV. COMPLIANCE WITH STANDARD TRANSACTIONS

Business Associate will comply with each applicable requirement for Standard Transactions established in 45 Code of Federal Regulations Part 162 when conducting all or any part of a Standard Transaction electronically for, on behalf of, or with the Plan.

V. INSPECTION OF BOOKS AND RECORDS

Business Associate will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information created or received for or from the Plan available to the U.S. Department of Health and Human Services to determine Plan's compliance with 45 Code of Federal Regulations Parts 160-64 or this Agreement.

VI. MITIGATION FOR NON-PERMITTED USE OR DISCLOSURE

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

PART 2 — PLAN'S RESPONSIBILITIES

VII. PLAN'S NOTICE OF PRIVACY PRACTICES

A. Preparation of Plan's Notice of Privacy Practices. Plan shall be responsible for the preparation of its Notice of Privacy Practices ("NPP"). To facilitate this preparation, upon Plan's or Employer's request, Business Associate will provide Plan with its NPP that Plan may use as the basis for its own NPP.
Plan will be solely responsible for the review and approval of the content of its NPP, including whether its content accurately reflects Plan's privacy policies and practices, as well as its compliance with the requirements of 45 C.F.R. § 164.520. Unless advance written approval is obtained from Business Associate, the Plan shall not create any NPP that imposes obligations on Business Associate that are in addition to or that are inconsistent with the NPP prepared by Business Associate or with the obligations assumed by Business Associate hereunder.

B. Distribution of Notice of Privacy Practice. Plan shall bear full responsibility for distributing its own NPP as required by the Privacy Regulation.

C. Changes to Protected Health Information. Plan shall notify Business Associate of any change(s) in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, to the extent that such change(s) may affect Business Associate's Use or Disclosure of such Protected Health Information.

PART 3 — DISCLOSURE OF PROTECTED HEALTH INFORMATION TO THE PLAN, EMPLOYER AND OTHER BUSINESS ASSOCIATES

VIII. DISCLOSURE OF PROTECTED HEALTH INFORMATION

The following provisions apply to disclosures of Protected Health Information to the Plan, Employer and other business associates of the Plan.

A. Disclosure to Plan

Unless otherwise provided by this Section VIII, all communications of Protected Health Information by Business Associate shall be directed to the Plan.

B. Disclosure to Employer

Business Associate may provide Summary Health Information regarding the Individuals in the Plan to Employer upon Employer's written request for the purpose either (a) to obtain premium bids for providing health insurance coverage for the Plan, or (b) to modify, amend or terminate the Plan.
Business Associate may provide information to Employer on whether an individual is participating in the Plan or is enrolled in or has disenrolled from any insurance coverage offered by the Plan.

C. Disclosure to Other Business Associates and Subcontractors

Business Associate may disclose Individuals' Protected Health Information to other entities or business associates of the Plan if the Plan authorizes Business Associate in writing to disclose Individuals' Protected Health Information to such entity or business associate. The Plan shall be solely responsible for ensuring that any contractual relationships with these entities or business associates and subcontractors comply with the requirements of 45 Code of Federal Regulations § 164.504(e) and § 164.504(f).

PART 4 — MISCELLANEOUS

IX. AGREEMENT TERM

This Agreement will continue in full force and effect for as long as the ASO Agreement remains in full force and effect. This Agreement will terminate upon the cancellation, termination, expiration or other conclusion of the ASO Agreement.

X. AUTOMATIC AMENDMENT TO CONFORM TO APPLICABLE LAW

Upon the effective date of any final regulation or amendment to final regulations with respect to Protected Health Information, Standard Transactions, the security of health information or other aspects of the Health Insurance Portability and Accountability Act of 1996 applicable to this Agreement or to the ASO Agreement, this Agreement will automatically amend such that the obligations imposed on the Plan, Employer, and Business Associate remain in compliance with such regulations, unless Business Associate elects to terminate the ASO Agreement by providing Employer notice of termination in accordance with the ASO Agreement at least thirty (30) days before the effective date of such final regulation or amendment to final regulations.

XI. CONFLICTS

The provisions of this Agreement will override and control any conflicting provision of the ASO Agreement.
All other provisions of the ASO Agreement remain unchanged by this Agreement and in full force and effect.

XII. NO THIRD PARTY BENEFICIARIES

The parties agree that there are no intended third party beneficiaries under this Agreement. This provision shall survive cancellation, termination, expiration, or other conclusion of this Agreement and the ASO Agreement.

XIII. INTERPRETATION

Any ambiguity in this Agreement or the ASO Agreement or in operation of the Plan shall be resolved to maintain compliance with the Regulations enacted pursuant to HIPAA Administrative Simplification.

XIV. DEFINITIONS

Unless otherwise defined in this Agreement, the capitalized terms set forth herein have the meanings ascribed to them under the HIPAA Privacy Regulation and/or HIPAA Security Regulation or the HITECH Act. A reference in this Agreement to the Privacy Regulation, Security Regulation or HIPAA shall mean the section as in effect or as amended.

XV. REFERENCES

References herein to statutes and regulations shall be deemed to be references to those statutes and regulations as amended or recodified.

On Behalf of the Group Health Plan and Employer:

City of Carmel
Name of the Group Health Plan/Employer
Signature
Printed Name
Title
Date

Business Associate:

Anthem Blue Cross & Blue Shield
Name of Business Associate
Signature: [illegible]
Printed Name: [illegible]
Title: [illegible]
Date: [illegible]

Approved and Adopted this 5 day of [illegible], 20[illegible]

CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety

On Behalf of the Group Health Plan and Employer:

James Brainard, Presiding Officer
Date: [illegible]

Mary Burke, Member
Date: [illegible]

Lori S. Watson, Member
Date: [illegible]

ATTEST:
Diana Cordray, IAMC, Clerk-Treasurer
Date: [illegible]

Business Associate:

Anthem Blue Cross and Blue Shield
Name of Business Associate
Signature: [illegible]
Name: [illegible]
Title: [illegible]
Date: [illegible]