VSP Global/HR/$0/Add-on to previous Business Associate Agreement
DocuSign Envelope ID: 5763FED6-9E94-4233-BEB5-3F762D281573
F. is a group of records maintained by or for a Covered Entity that
may include patient medical and billing records; the enrollment, payment, claims, adjudication, and
cases, or medical management record systems maintained by or for a health plan; or information used
in whole or in part to make care-related decisions.
G. means any entity that enters into an Acceptable Written
Arrangement to perform services in connection with the services Business Associate performs for
Covered Entity under the Contract and this BAA.
H. shall have the same meaning as the
I. as used in 45 CFR
160.103, and shall include a person who qualifies as a personal representative in accordance with 45
CFR 164.502(g).
J. as defined by the CMS encompasses work that the
Business Associate performs on behalf of the Covered Entity when the Business Associate receives,
processes, transfers, handles, stores, or accesses member PHI while administrating the vision benefit
(i.e. claims processing, claims data entry services, scanning paper claims to create electronic records,
receipt of member calls, and any situation where a downstream subcontractor of the Business
Associate may have access to beneficiary PHI).
K. refers to the performance of services by Business Associate or
a Downstream Subcontractor outside of one of the fifty U.S. states, the District of Columbia, or one
of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and the
Virgin Islands).
L. shall mean the Standards for Privacy of Individually Identifiable Health
Information in 45 CFR part 160 and part 164, subparts A and E.
M. shall have the same meaning as the term
health created, received,
maintained, or transmitted by Business Associate on behalf of Covered Entity and that is held by
Business Associate or a Downstream Subcontractor as contemplated by 45 C.F.R.
164.308(a)(1)(ii)(A).
N. shall have the same meaning as the tCFR
164.103.
O. shall mean the Secretary of the Department of Health and Human Services or
designee.
P. shall mean the Security Standards for Protection of Electronic Protected
Health Information in 45 CFR part 160 and part 164, subparts A and C.
Terms used but not otherwise defined in this BAA shall have the same meaning as the meaning
ascribed to those terms in HIPAA, as codified at 42 U.S.C. § 1320d, HITECH, as set forth in
Sections 13400 through 13424, inclusive, of Public Law 111-5, and any current and future regulations
promulgated under either. HIPAA, HITECH Act and any current and future regulations
Regulations.
2. Obligations and Activities of Business Associate.
Business Associate may use and disclose PHI only as necessary and appropriate to fulfill its
specific obligations to Covered Entity, subject to the further limitations set out below.
Business Associate agrees:
A. Not to use or disclose PHI other than as permitted or required by this BAA, the
Contract, or as Required by Law.
B. To limit uses and disclosures of PHI to the minimum necessary for that use or disclosure.
C. To use appropriate safeguards to prevent use or disclosure of PHI other than as provided
for by this BAA or the Contract. Business Associate shall implement administrative, physical, and
technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and
availability of the electronic protected health information () that it creates, receives,
maintains, or transmits on behalf of Covered Entity.
D. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate
of a use or disclosure of PHI in violation of the requirements of this BAA.
E. Offshore Subcontracting by Business Associate is not allowed and strictly prohibited.
F. To report to Covered Entity, as soon as practicable, but no later than 24 hours after
discovery, any use, disclosure of the PHI or ePHI not provided for in this BAA or the
Contract, or any successful security breach of which Business Associate becomes aware. Such
report shall include all available information required, including:
i. the identity of each individual whose PHI has been or believed to have been
assessed, acquired, used, or disclosed during the Breach,
ii. nature of the incident,
iii. the corrective actions Business Associate took or will take to prevent further
incidents,
iv. any additional information as required relating to the Breach.
G. To ensure that any agents, including a Downstream Subcontractor, to whom it provides
PHI agrees to abide by the same restrictions and conditions that apply to Business Associate with
respect to PHI, and to implement reasonable and appropriate safeguards to protect it.
H. To provide access to PHI in a Designated Record Set to Covered Entity, or, as directed
by Covered Entity, to an Individual within 15 business days as necessary
to meet the requirements under 45 CFR 164.524. This provision shall be applicable only if Business
Associate has PHI in a Designated Record Set.
I. To make available to Covered Entity, in the time and manner designated by Covered Entity,
information necessary for Covered Entity to give Individuals their rights of access, amendment, and
accounting in accordance with HIPAA. Business Associate agrees to incorporate any amendments
made or agreed to by Covered Entity with respect to PHI in the possession of the Business Associate.
This provision shall be applicable only if Business Associate has PHI in a Designated Record Set.
J. To make its internal practices, books, and records including policies and procedures,
relating to the use and disclosure of PHI, created, received, maintained, or transmitted by Business
Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and
Human Services (the ) for purposes of determining compliance with HIPAA. The
obligations of the Business Associate under this section shall survive termination of the BAA.
K. To document such uses and disclosures of PHI and information related to such disclosures
as would be required for Covered Entity to respond to a request by an Individual for an accounting
of such disclosures in accordance with 45 CFR 164.528.
L. To make available to Covered Entity in response to a request from an Individual, the
information required to permit Covered Entity to respond to any request from Individual for an
accounting of disclosures and/or an access report pursuant to 45 CFR 164.528. Nothing in this
Section shall require Business Associate to provide an access report of PHI unless such action is
required by amendments to 45 C.F.R. § 164.528.
M. To implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates,
receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA. Business
Associate acknowledges that pursuant to Section 13401(a) of the HITECH Act, 45 C.F.R. §§ 164.308,
164.310, 164.312 and 164.316 shall apply to Business Associate in the same manner that such sections
apply to a covered entity.
N. To authorize termination of this BAA by Covered Entity, if Covered Entity determines that
Business Associate has violated a material term of this BAA.
O. To maintain appropriate clearance procedures and provide supervision to assure that
P.
removing any workforce
other resources.
Q.
es.
R. To maintain a current contingency plan in case of an emergency.
S. If appropriate, to maintain an emergency access plan to assure that the PHI Business
Associate holds on behalf of Covered Entity is available when needed.
T. To provide appropriate backup of the PHI Business Associate holds for Covered Entity
U. To have in place appropriate authentication and access controls to safeguard the PHI that
Business Associate holds for Covered Entity.
V. To make use of appropriate encryption for data at rest (for example, stored or archived
PHI) and data in motion (for example, transmitting PHI over a network).
W. To conduct, where applicable, electronic transactions, for which the Department of Health
and Human Services has established standards, on behalf of the Covered Entity pursuant to the
requirements of 45 CFR Part 162, and to require that any agent or subcontractor involved in
conducting these transactions maintains compliance with these requirements.
3. Audit by Covered Entity.
Business Associate will make its internal practices, books, and records relating to the use and
disclosure of PHI received from, or created or received on behalf of, the Covered Entity available to
the Covered Entity within ninety (90) days of the
Electronic Transactions Rule, and the HITECH Act, as applicable.
4. Permissible Use and Disclosure by Business Associate.
A. Except as otherwise limited in this BAA or the Contract, Business Associate may use or
disclose PHI as necessary for its proper management and administration or to carry out its legal
responsibilities, so long as any such disclosure is Required by Law or Business Associate has received
from the recipient reasonable written assurances that (1) the information will remain confidential and
will be used or further disclosed only as Required by Law or for the purpose for which it was
disclosed to the recipient; and (2) the recipient will notify Business Associate of any instances of
which it becomes aware in which the confidentiality of the information has been breached.
B. Except as otherwise limited in this BAA or the Contract, Business Associate may use or
disclose PHI for data aggregation services as permitted by 42 C.F.R. §164.504(e)(2)(i)(B).
C. Except as otherwise limited in this BAA or the Contract, Business Associate may use PHI
to create de-identified health information in accordance with 45 CFR 164.514(b).
D. Business Associate may use PHI to report violations of law to appropriate Federal and State
authorities, consistent with 45 C.F.R. §164.502(j)(1).
5. Obligations of Covered Entity.
Covered Entity shall:
A. Covered Entity shall notify Business Associate with the notice of privacy practices the
Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
Covered Entity shall provide Business Associate in writing, with any changes in, or revocation of, the
permission by Individual to use or disclose PHI if such changes affect Business Associate's permitted
or required uses and disclosures. Upon receipt by Business Associate of such notice of changes,
Business Associate shall cease the use and disclosure of any such Indivi
extent it has relied on such use or disclosure of PHI or where an exception
under HIPAA expressly applies.
B. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of
PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522.
6. Indemnification.
Business Associate agrees to indemnify, defend, and hold Covered Entity and its Affiliates,
and its and their respective directors, agents, representatives and employees harmless from and
against any and all liabilities, damages, losses, expenses, fines, penalties, and/or judgments, including
arising from or connected with the
breach by Business Associate or any of its officers, directors, employees, agents and subcontractors of
its obligations under this BAA with respect to PHI. Any limitation on or exclusion of liability
contained in the Contract
indemnification under this section.
7. Security Breaches.
In the event of any unauthorized access to or acquisition, use, loss, destruction, compromise,
alteration or require Business Associate
to:
A. Provide copies of its practices, procedures, books, and records to facilitate mitigation of
damages arising from a Security Breach.
B. Exercise all reasonable efforts to retrieve improperly used or disclosed PHI subject to the
Security Breach.
C. Establish and adopt new practices, policies, and procedures to reduce the likelihood of
further disclosure or additional Security Breaches.
D. Comply with all auditing or reporting requests by Covered Entity to demonstrate Business
E. Covered Entity may terminate this BAA and the Contract if Covered Entity reasonably
suspects the Business Associate has improperly used or disclosed PHI or there has been a Security
Breach.
8. Permissible Requests by Covered Entity.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner
that would not be permissible under the Privacy Rule if done by Covered Entity.
9. Term and Termination.
A. Term. This BAA shall be effective as of the Effective Date and shall terminate when all
PHI is destroyed or returned to the Covered Entity or, if it is unfeasible to return or destroy such
PHI, protections are extended to such information, in accordance with the termination provisions
in this Section.
B. Termination for Cause.
Business Associate to the terms of this BAA or the Contract, Covered Entity may provide
Business Associate with a reasonable opportunity to cure such breach, but no less than thirty (30)
days, or terminate this BAA and/or the Contract.
C. Effect of Termination. (1) Except as provided herein, upon termination of this BAA for
any reason, or at any other time upon the written request of Covered Entity, Business Associate
shall return or destroy all PHI. This provision shall apply to PHI in the possession of any agents or
Downstream Subcontractors of Business Associate. Business Associate shall not retain any
copy(ies) of the PHI. (2) In the event that Business Associate determines that returning or
destroying the PHI is infeasible, Business Associate may retain such PHI required by this BAA for
six years from the date of its creation or the date when it last was in effect, whichever is later.
Business Associate shall extend the protections of this BAA and the Contract to such PHI and
limit all further uses and disclosures of such PHI to those purposes that make the return or
destruction infeasible, for so long as Business Associate maintains such PHI.
10. Miscellaneous.
A. Downstream Subcontractors. If Business Associate is to retain a Downstream
Subcontractor, Business Associate shall impose on such Downstream Subcontractors the same
obligations imposed upon Business Associate in this BAA and the Agreement.
B. Regulatory References. A reference in this BAA or the Contract to a section in the
Privacy Rule means the section as then in effect or as amended, and for which compliance is
required.
C. Amendment. The Parties agree to negotiate in good faith an amendment to this BAA,
from time to time, as is necessary for Covered Entity to comply with the requirements of the
Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104.191.
D. No Third-Party Beneficiaries. Except as otherwise set forth herein, nothing in this BAA
shall confer upon any person other than the parties and their respective successors or assigns, any
rights, remedies, obligations, or liabilities whatsoever.
E. Survival. The obligations of Business Associate under Section 2 of this BAA and any
other provision that, by its nature, is intended to survive termination of this BAA shall so survive.
F. Incorporation of Recitals. The recitals set forth above are, by this reference, incorporated
into and deemed a part of this BAA.
G. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that
permits the Parties to comply with HIPAA.
H. Governing Law; Venue. This BAA shall be governed by, construed, interpreted, and
enforced under the laws of the State of California, without regard to its choice of law provisions.
The parties hereby consent to the jurisdiction and venue of the state and federal courts located in
Sacramento County, California.
IN WITNESS WHEREOF, the Parties hereto have caused this BAA to be executed by their
respective duly authorized representatives, effective as of the Effective Date.
Business Associate: Covered Entity:
By: By:
Print: Print: Kate Renwick-Espinosa
Title: Title: President
Approved and Adopted this day of , 20 .
CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety
BY:
James Brainard, Presiding Officer
Date:
Mary Ann Burke, Member
Date:
Lori S. Watson, Member
Date:
ATTEST:
Sue Wolfgang, Clerk
Date:
6th April 22
4/6/2022
4/6/2022
Not Present
4/6/2022