R2007-063 2007-04-23
RESOLUTION NO. R2007-63
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PEARLAND,
TEXAS, AUTHORIZING A CONTRACT FOR GROUP BENEFITS
CONSULTING SERVICES.
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF PEARLAND, TEXAS:
Section 1. That certain amended contract for group benefits consulting services,
a copy of which is attached hereto as Exhibit "A" and made a part hereof for all purposes,
is hereby authorized and approved.
Section 2. That the City Manager or his designee is hereby authorized to execute
and the City Secretary to attest an amended contract for group benefits consulting
services.
PASSED, APPROVED and ADOPTED this the 23rd day of April, A.D., 2007.
~~
TOM REID
MAYOR
ATTEST:
~~~~
SONIA BLAIR
DEPUTY CITY SECRETARY
APPROVED AS TO FORM:
CJ~'h,dL
DARRIN M. COKER
CITY ATTORNEY
R2007 -63
File No. 07 -0032
Professional Services Agreement between the City of Pearland and
City-County Benefits Services to
Provide Employee Benefits Consulting Services to the City of Pearland
CITY (also described as "Client"): City of Pearland, a Texas municipal corporation, 3519 Liberty Drive, Pearland, Texas 77581
PROFESSIONAL (also described as "C-CBS"): City-County Benefits Services, a general partnership
PROJECT: PROFESSIONAL will provide employee benefits consulting services in accordance with requested services:
A. Develop overall strategies in the following areas necessary to attain the highest level of efficiency. Evaluation and
assessment will include the following areas:
1. Administration Service
2. Managed Care Platforms
3. Benefit Design(s) Development
4. Provider Networks - including contractuals and network service area
5. Care Management and Disease Management
6. Member/Client Services
B. Provide a financial analysis of current and projected plan cost to include:
1. Review historical claims data to evaluate current plan cost
2. Assist in preparing cost projections for benefit plans for the current and next fiscal year
3. Develop premium contribution strategies
4. Develop overall cost and risk management strategies
C. Prepare proposal specifications as necessary for:
1. Medical/Rx Plan
2. Dental Plan
3. Vision Plan
4. Life Plan
Prepare and assist in providing the current carriers/vendors/administrators" Agent of Record" letters to obtain data
(financial and claims).
Prepare and provide Business Associate Agreements.
Prepare and provide "Notice" as required by Local Government Codes.
D. Coordinate and distribute Proposal Specifications to qualified carriers/vendors/administrators to meet the requirements of
the City. Respond to all questions and provide clarity and secure the carriers/vendor/administrators best offer. Prepare
and distribute any addendum that may be required.
E. Prepare analysis of bids/proposals received so that a direct comparison can be made. Enter into negotiations with qualified
carriers/vendors/administrators to secure and provide the City with the most advantageous contract(s). Prepare a
narrative, including a "why sheet" for discussion with City staff and consideration by City Council.
F. After completion ofthe proposal process and the awarding of contract(s) provide notification to all respondents of the
City's decision. If a change in carriers/vendors/administrators occurs, develop and monitor a transition plan to the new
carrier(s)/vendor(s)/administrator(s). Provide oversight during the transition to a new carrier(s)/vendor(s)/administrator(s).
G. Provide ongoing service activities necessary to assure the overall plan satisfaction.
CC BS. Pea ria nd.C onsu Iti ng Ag ree .0708 (V)
H. Review and provide quarterly financial reports to the City whether on a self-funded or insured basis, including projections
for the current and subsequent financial year.
I. Meet with the City Staff on a quarterly basis to explain the financial status of the plan, projections, and recommendations.
J. Meet with the City Council on an "as needed" basis to review the financial status of the plan, projections and
recommendations.
K. Maintain a vision to the future for cost effective products and services as may be necessary or appropriate.
CONTRACT PERIOD: May 1, 2007 through April 30, 2008
PAYMENTS TO PROFESSIONAL: CITY shall pay PROFESSIONAL $30,000 for services indicated in items A-K. Payment shall be made in
accordance with the following Fee Schedule:
Fee Schedule
May 1, 2007
May 1, 2007
June 1,2007
July 1,2007
August 1, 2007
September 1, 2007
October 1, 2007
November 1,2007
December 1,2007
January 1,2008
February 1,2008
March 1,2008
April 1, 2008
Total:
$ 12,000.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,50000
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$ 1 ,500.00
$30,000.00
GENERAL CONDITIONS:
1. Termination--ClTY or PROFESSIONAL may terminate this Agreement upon 60 days written notice to the other party with the
understanding that all services being performed under this agreement shall cease upon the date specified in such notice. In the event
of such early termination, PROFESSIONAL shall invoice CITY for all services completed and shall be compensated in an amount
corresponding to the amount of the contract satisfactorily completed by PROFESSIONAL, in accordance with the Fee Schedule
described above, to the extent such work provides value to the CITY. If this contract is terminated after the PROFESSIONAL has
completed the competitive bid or proposal process in accordance with this contract, then the CITY will be obligated to pay
PROFESSIONAL the sum of $30,000.
2. Controlling Law--This agreement is performable and is to be governed by the law applicable in Brazoria (ounty, Texas. Sole venue
for any action arising under this agreement shall be in Brazoria County, Texas.
3. Successors and Assigns--PROFESSIONAL shall not assign, sublet or transfer any rights under or interest in (including, but without
limitations, monies that may become due or monies that are due) this Agreement without the written consent of the CITY. Unless
specifically stated to the contrary in any written consent to an assignment, no assignment will release or discharge the assignor from
any duty or responsibility under this agreement. Nothing contained in this paragraph shall prevent PROFESSIONAL from employing
independent consultants, associates and other employees to assist it in the performance of services hereunder.
c: CBS. Pearla nd.C ons u Iti ngAg ree.O 7 08(\1)
4. Independent Contractor--In performing services under this agreement, the relationship between CITY and PROFESSIONAL is that of
independent contractor, and CITY and PROFESSIONAL by the execution of this agreement do not change the independent contractor
status of PROFESSIONAL. No term or provision of this agreement or act of PROFESSIONAL in the performance of this agreement shall be
construed as making PROFESSIONAL the agent, servant, or employee of CITY.
5. Confidentiality---PROFESSIONAL will be analyzing confidential Protected Health Information concerning the CITY's employees and
retirees. For purposes of this section of this agreement, PROFESSIONAL will be considered a "Business Associate" and the City of
Pearland will be considered a "Covered Entity".
I. Definitions
Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA
Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of
the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this
Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA
Security and Privacy Rule, the provisions ofthis Agreement shall control.
The term "Protected Health Information" means individually identifiable health information including, without limitation, all
information, data, documentation, and materials, including without limitation, demographic, medical and financial information,
that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the
individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
"Protected Health Information" includes without limitation "Electronic Protected Health Information" as defined below.
The term "Electronic Protected Health Information" means Protected Health Information which is transmitted by Electronic Media
(as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity
and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display
by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity's
behalf shall be subject to this Agreement.
II. Confidentiality And Security Reauirements
(a) Business Associate agrees:
(i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in any agreements
between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by
accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise
permitted under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and
Privacy Rule), or the HIPAA Security and Privacy Rule, and (3) as would be permitted by the HIPAA Security and Privacy Rule if
such use or disclosure were made by Covered Entity;
(ii) at termination of this Agreement, the Arrangement Agreement (or any similar documentation ofthe business relationship
of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all
Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that
Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not
feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and
disclosures to those purposes that make the return or destruction of the information not feasible; and
(iii) to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or
created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to
Business Associate with respect to such information, and agrees to implement reasonable and appropriate safeguards to
protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to
take reasonable steps to ensure that its employees' actions or omissions do not cause Business Associate to breach the terms
of this Agreement.
(b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health
Information as follows:
(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities
of Business Associate, provided that as to any such disclosure, the following requirements are met:
(A) The disclosure is required by law; or
(B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be
held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to
c. CBS. Pea ria nd.c 0 nsu It I ng Ag ree.O 7 08(V)
the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of
the information has been breached;
(ij) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity
pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data
aggregation services means the combining of Protected Health Information by Business Associate with the protected health
information received by Business Associate in its capacity as a business associate of another covered entity, to permit data
analyses that relate to the health care operations of the respective covered entities.
(c) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other
than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information
that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
(d) The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to
use and disclosure of Protected Health Information to ensure Covered Entity's compliance with the terms of the HIPAA Security
and Privacy Rule.
(e) Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in
compliance with the terms of this Agreement of which it becomes aware. Business Associate shall report to Covered Entity any
Security Incident of which it becomes aware. For purposes of this agreement, "Security Incident" means the attempted or
successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations
in an information system. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the
requirements ofthis Agreement.
III. Availability of PHI
Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section
164.524 of the HIPAA Security and Privacy Rule. Business Associate agrees to make Protected Health Information available for
amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section
164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information
available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule.
IV. Termination
Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement and
the Arrangement Agreement immediately if Covered Entity determines that Business Associate has violated any material term of
this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and,
where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming
such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited
term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the
threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement and the Arrangement
Agreement immediately.
V. Miscellaneous
Except as expressly stated herein or the HIPAA Security and Privacy Rule, the parties to this Agreement do not intend to create any
rights in any third parties. The obligations of Business Associate under this Section shall survive the expiration, termination, or
cancellation of this Agreement, the Arrangement Agreement and/or the business relationship of the parties, and shall continue to
bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and
obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement
are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent
parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements
between the Parties evidencing their business relationship. This Agreement will be governed by the laws ofthe State ofTexas. No
change, waiver or discharge of any liability or obligation hereunder on anyone or more occasions shall be deemed a waiver of
performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.
The parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides
services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more
restrictive than the provisions of this Agreement, the provisions ofthe more restrictive documentation will control. The provisions
of this Agreement are intended to establish the minimum requirements regarding Business Associate's use and disclosure of
Protected Health Information.
In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the
remainder ofthe provisions ofthis Agreement will remain in full force and effect. In addition, in the event a party believes in good
faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy
CC BS. Pearla nd .Cons u Iti ng Ag ree. 0 708(V)
Rule, such party shall notify the other party in writing. For a period of up to 10 days, the parties shall address in good faith such
concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such 10-day period, the
Agreement fails to comply with the HIPAA Security and Privacy Rule, then either party has the right to terminate upon written
notice to the other party. This provision shall not abrogate or affect the right of either party to terminate this agreement on at
least 10 days notice to the other party.
III. PROFESSIONAL will use Protected Health Information in accordance with the following procedures:
A. Prior to accessing employee or confidential medical information, receive written authorization from the CITY. A copy of the
CITY's written authorization, or request, to any entity in possession of the CITY's medical and employee information, will be
maintained in the engaging CITY master file.
B. Maintain all medical information that is obtained in hard copy, or assimilated into hard copy, in a secure file, separate from
the CITY master file, that can only be accessed by individuals that are required to use the information to provide
service to the engaging CITY.
C. Maintain all medical information that is obtained in an electronic format in a password-protected file that can only be
accessed by individuals that are required to use the information to provide service to the engaging CITY.
D. Use medical information only for the purpose of assessing risk for underwriting purposes.
E. Use employee information only for the purpose of assessing risk for underwriting purposes.
F. If requested by the CITY'S REPRESENTATIVE, provide employee and confidential medical information to the CITY's
designated contact for the purposes of assessing risk for underwriting purposes and to monitor the CITY's self-funded benefit
program(s).
G. Prior to releasing confidential employee and medical information to a third party, receive and approve a copy of the third
party's confidentiality procedures or a Confidentiality Agreement signed by an authorized individual of the third party.
H. Only release employee information and confidential medical information to a third party for the purpose of assessing risk
for underwriting purposes after receiving the following:
1. A copy of the third party's confidentiality procedures or a Confidentiality Agreement.
2. The confidentiality procedures or Confidentiality Agreement must be client specific, and will only apply to a
specific risk assessment for underwriting purposes.
I. Maintain a list in the engaging CITY's master file of all third parties that requested and received employee or confidential
medical information to be used to assess risk for underwriting purposes.
J. Maintain a copy of the confidentiality procedures or Confidentiality Agreement in the engaging CITY's master file of any
third party that received employee or confidential medical information.
6. During the term of the engagement, PROFESSIONAL will maintain $3,000,000 Errors and Omissions coverage.
This agreement and said attachments may only be amended, supplemented, modified or canceled by a duly executed written
instrument.
Approved by the City Council of Pearland, Texas this the 23 day of April 2007.
CITY: City of Pearland, Texas
PROFESSIONAL: City-County Benefits Services, A General Partnership
~
Bill Eisen
City Manager
Burke O. Sunday,; LHIC
Partner
CC BS. Pea ria nd.C 0 nsu It 1 ng Ag ree.O 7 08(V)
ATTEST:
FORM APPROVED:
()~
Darrin Coker
City Attorney
\\\\\\\111"1111,
,,\ ~ b.RJ .1AI """
:0..' ~=-"y'D :I,,"
~ ~ .............." ~ ~
....J... "*.. ~~
:,..,.,,:- ... ~
-;"to . ..-
:v.\ ~ (1)=
i j i
-::. / ::
~~.... ~
~ ......... ~
~, ~~
"'", ~,,,
l""III""\~
CCBS. Pearla nd, Cons u It I ng Ag ree.O 7 08(\!)
ATTEST:
," .)' \
/;6 !).
. 1/;1 . " /
. ,'- ..: ' r I' -'.
Patsy ~ccltiJn ,/ / ( l_~ C C (.
Administraffve Assistant
(_,_ _d ..
R2007 -63
File No. 07-0032
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is effective May 1, 2007, by
and between The City of Pearland ("Employer" [Plan Sponsor]) on behalf of its
Employee Benefits Plan ("COVERED ENTITY'') and CITY-COUNTY BENEFITS
SERVICES/SUNDAY and ASSOCIATES, INC. ("ASSOCIATE").
RECITALS
Whereas, COVERED ENTITY has created a partially self-funded employee health
and welfare benefits plan ("the Plan'') for the benefits of its employees and retirees;
Whereas, the Plan is a COVERED ENTITY for the purposes of the privacy provisions
of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-
191 ("HIPAA''), and the Privacy Rule promulgated by the United States Department
of Health and Human Services;
Whereas, COVERED ENTITY wishes to disclose certain information to ASSOCIATE
pursuant to the terms of the Agreement, some of which may constitute Protected
Health Information ("PHI") (defined below);
Whereas; ASSOCIATE performs functions that assist COVERED ENTITY in the Plan's
Health Care Operations (defined below);
Whereas, it may be necessary for COVERED ENTITY and ASSOCIATE to disclose
PHI to each other, and to other Business Associate's of COVERED ENTITY, in order to
facilitate performance of the functions performed by ASSOCIATE for COVERED
ENTITY;
Whereas, COVERED ENTITY and ASSOCIATE intend to protect the privacy and
provide for the security of PHI disclosed to ASSOCIATE pursuant to the Agreement in
compliance with HIPAA and regulations promulgated by the U.s. Department of
Health and Human Services (the "HIPAA Regulations") and other applicable laws;
Whereas, as part of the HIPAA Regulations, the Privacy Rule (defined below)
requires COVERED ENTITY to enter into a contract containing specific requirements
with ASSOCIATE prior to the disclosure of PHI, as set forth in, but not limited to,
Title 45, Sections 164.502(e) and 164.504(e) of the Code of Federal Regulations
("CFR") and contained in this Agreement.
NOW THEREFORE, in consideration of the beneficial relationship enjoyed by the
parties, the parties agree as follows:
1. Defi n itions
a. "Associate" shall have the meaning given to such term under the
Privacy Rule, including, but not limited to, 45 CFR Section 160.103.
City-County Benefits Services/Sunday and Associates, Inc.
b. "Covered Entity" shall have the meaning given to such term under the
Privacy Rule, including, but not limited to, 45 CFR Section 160.103.
c. "Data Aggregation" shall have the meaning given to such term under
the
Privacy Rule, including, but not limited to, 45 CFR Section164.501.
d. "Designated Record Set" shall have the meaning given to such term
under the Privacy Rule, including, but not limited to, 45 CFR Section
164.501 and further shall mean the set of records used to make
decisions about an individual that relate to: 1) medical information or
billing records provided by a health care provider; or 2) the enrollment,
payment, claims, adjudication, and case or medical management
records maintained by or for a health plan. This includes the group of
records used or maintained by a health care clearinghouse.
e. "Health Care Operations" shall have the meaning given to such term
under the Privacy Rule, including, but not limited to, 45 CFR ~ 164.501.
Specifically, including actuarial and consulting in accordance with 45
CFR 9 160.103(B)(ii) and underwriting, premium rating, and other
activities relating to the creation, renewal or replacement of a contract
of health insurance or health benefits, and ceding, securing, or placing
for reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess loss insurance) in accordance with 45 CFR 9
164.501(3).
f. 'individual" shall have the same meaning as the term "individual" in 45
CFR 9 164.501 and shall include a person who qualifies as a personal
representative in accordance with 45 CFR 9 164.502(g).
g. 'Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR Part 160 and Part 164,
Subparts A and E.
h. "Protected Health Information" ("PHI") means any information, whether
oral or recorded in any form or medium: (i) that relates to the past,
present or future physical or mental condition of an individual; the
provision of healthcare to an individual; or the past, present or future
payment for the provision of health care to an individual; and (ii) that
identifies the individual or with respect to which there is a reasonable
basis to believe the information can be used to identify the individual,
and shall have the meaning given to such term under the Privacy Rule,
including, but not limited to, 45 CFR 99160.103 and 45 CFR Section
164.501.
i. "Protected Information" ['PI") shall mean PHI provided by COVERED
ENTITY to ASSOCIATE or created, developed, or received by
City-County Benefits Services/Sunday and Associates, Inc.
'"l
L
ASSOCIATE on COVERED ENTITY'S behalf.
j. "Required By Law" shall have the same meaning as the term "required
by law" in 45 CFR 9 164.501.
k. "Secretary" shall mean the Secretary of the Department of Health and
Human Services or his designee.
In addition, unless otherwise noted, any term used in this Agreement that is defined
in the Privacy Rule shall have the same meaning as those terms have under the
Privacy Ru Ie.
2. Obligations of ASSOCIATE
a. ASSOCIATE shall not use PI except for the purpose of performing
ASSOCIATE'S obligations for COVERED ENTITY and as permitted under
the Agreement and Addendum A. Further, ASSOCIATE shall not use PI
in any manner that would constitute a violation of the Privacy Rule if so
used by COVERED ENTITY, except that ASSOCIATE may use PI (i) for
the proper management and administration of ASSOCIATE, (ii) to carry
out the responsibilities as Required By Law of ASSOCIATE, or (iii) for
Data Aggregation purposes for the Health Care Operations of COVERED
ENTITY. [45 CFR 99164.504(e)(2)(i), 164.504(e)(2)(ii)(A) and
164, S04( e)( 4 )(1)]
b. ASSOCIATE shall not disclose PI in any manner that would constitute
violation of the Privacy Rule if disclosed by COVERED ENTITY, except
that ASSOCIATE may disclose PI (i) in a manner permitted pursuant to
the Agreement and Addendum A, (ii) for the proper management and
administration of ASSOCIATE; (iii) as Required By Law, or (iv) for Data
Aggregation purposes for the Health Care Operations of COVERED
ENTITY. To the extent that Associate discloses PI to a third party,
ASSOCIATE must obtain, prior to making any such disclosure, (i)
reasonable assurances from such third party that such PI will be held
confidential as provided pursuant to this Agreement and only disclosed
as Required By Law or for the purposes for which it was disclosed to
such third party, and (iii) an agreement from such third party to
immediately notify ASSOCIATE of any breaches of confidentiality of the
PI, to the extent it has obtained knowledge of such breach.
[45 CFR 99164.504(e)(2)(i), 164.504(e)(2)(i)(B), 164.504(e)(2)(ii)(A)
and 164.504(e)(4)(ii)]
c. ASSOCIATE shall implement appropriate safeguards as are necessary to
prevent the use or disclosure of PI other than as permitted by this
Agreement. ASSOCIATE shall maintain a comprehensive written
information privacy and security program that includes administrative,
technical and physical safeguards appropriate to the size and
complexity of the ASSOCIATE'S operations and the nature and scope of
its activities.
City-County Benefits Services/Sunday and Associates, Inc.
"
,1
[45 CFR ~164,504(e)(2)(ii)(B)]
d. ASSOCIATE shall report to COVERED ENTITY in writing of any use or
disclosure of PI other than as provided for by the Agreement and
Attachment A within five (5) days of becoming aware of such use or
disclosure. [45 CFR ~164.504(e)(2)(ii)(C)]
e. ASSOCIATE agrees to within ten (10) days of notice by COVERED
ENTITY of a request for an accounting of disclosures of PI, to make
available to COVERED ENTITY the information required to provide an
accounting of disclosures to enable COVERED ENTITY to fulfill its
obligations under the Privacy Rule, including, but not limited to, 45 CFR
Section 164.528. As set forth in, and as limited by, 45 CFR Section
164.528. ASSOCIATE shall not be required provide an accounting to
COVERED ENTITY of disclosures: (i) to carry out treatment, payment or
Health Care Operations, as set forth in 45 CFR Section 164.502; (ii) to
Individuals of PI about them as set forth in 45 CFR 164.502; (iii) to
persons involved in the Individual's care or other notification purposes
as set forth in 45 CFR Section 164.510; (iv) for national security or
intelligence purposes as set forth in 45 CFR Section 164.512(k)(2); or
(v) to correctional institutions or law enforcement officials as set forth
in 45 CFR Section 164.512(k)(5).
f. ASSOCIATE agrees to implement a process that allows for an
accounting to be collected and maintained by ASSOCIATE and its
agents or subcontractors for at least six (6) years prior to the request,
but not before the compliance date of the Privacy Rule. At a minimum,
such information shall include: (i) the date of disclosure; (ii) the name
of the entity or person who received PI and, if known, the address of
the entity or person;. (iii) a brief description of PI disclosed; and (iv) a
brief statement of purpose of the disclosure that reasonably informs the
Individual of the basis for the disclosure, or a copy of the Individual's
authorization, or a copy of the written request for disclosure. In the
event that the request for an accounting is delivered directly to
ASSOCIATE, ASSOCIATE shall within five (5) days of a request forward
it to COVERED ENTITY in writing. It shall be COVERED ENTITY'S
responsibility to prepare and deliver any such accounting requested.
ASSOCIATE shall not disclose any PI except as set forth in Section 2(b)
of this Agreement. [45 CFR ~~ 164.504(e)(2)(ii)(G) and 165, 528]
g. ASSOCIATE shall ensure that any agents (including subcontractors),
individuals or COVERED ENTITY to whom it provides PI received from
COVERED ENTITY, or created and received by ASSOCIATE on behalf of
COVERED ENTITY, agree in writing prior to its release to the same
restrictions and conditions that apply to ASSOCIATE with respect to
such PHI. [45 CFR ~164.504(e)(2)(D)]
h. ASSOCIATE shall make PI maintained in its possession or control,
City-County Benefits Services/Sunday and Associates, Inc.
4
except PHI excluded from disclosure under 45 CFR 99
164.524(a)(1)(i),(ii), (iii), by ASSOCIATE or its agents or
subcontractors in Designated Record Sets available to COVERED
ENTITY for inspection and copying within ten (10) days of a request by
COVERED ENTITY to enable COVERED ENTITY to fulfill its obligations
under the Privacy Rule, including, but not limited to, 45 CFR Section
164.524. [45 CFR 9164.504(e)(2)(ii)(E)]
i. ASSOCIATE agrees to within ten (10) days of receipt of a request from
COVERED ENTITY for an amendment of PHI or a record about an
Individual contained in a Designated Record Set, ASSOCIATE or its
agents or subcontractors shall make such PI available to COVERED
ENTITY for amendment and incorporate any such amendment to
enable COVERED ENTITY to fulfill its obligations under the Privacy Rule,
including, but not limited to, 45 CFR Section 164.526. If any Individual
requests an amendment of PHI directly from ASSOCIATE or its agents
or subcontractors, ASSOCIATE will notify COVERED ENTITY in writing
within five (5) days of the request. Any denial of amendment of PHI
maintained by ASSOCIATE or its agents or subcontractors shall be the
responsibility of COVERED ENTITY. [45 CFR 9164.504(e)(2)(ii)(F)]
j. ASSOCIATE shall make its internal practices, books and records,
including policies and procedures and PI, relating to the use and
disclosure of PI received from, or created by ASSOCIATE on behalf of,
COVERED ENTITY available to the Secretary for purposes of
determining ASSOCIATES'S compliance with the Privacy Rule.
ASSOCIATE shall provide to COVERED ENTITY a copy of any Protected
Information that ASSOCIATE provides to the Secretary concurrently
with providing such PI to the Secretary. [45 CFR 9164.504(e)(2)(ii)(H)}
k. ASSOCIATE agrees to document such disclosures of PHI and
information related to such disclosures as would be required for
COVERED ENTITY to respond to a request by an Individual for an
accounting of disclosures of PHI in accordance with 45 CFR 9 164.528.
I. ASSOCIATE (and its agents or subcontractors) shall only request, use
and disclose the minimum amount of PI necessary to accomplish the
purpose of the request, use or disclosure. [45 CFR 9164.514(d)(3)}
m. ASSOCIATE acknowledges that ASSOCIATE has no ownership rights
with respect to the PI.
n. During the term of this Agreement, Associate shall notify COVERED
ENTITY within twenty four (24) hours of any suspected or actual
breach of security, intrusion or unauthorized use or disclosure of PHI
and/or any actual or suspected use or disclosure of data in violation of
any applicable federal or state laws or regulations. ASSOCIATE shall
take (i) prompt corrective action to cure any such deficiencies and (ii)
any action pertaining to such unauthorized disclosure required by
City-County Benefits Services/Sunday and Associates, Inc.
5
applicable federal and state laws and regulations.
o. ASSOCIATE agrees to within ten (10) days of a written request by
COVERED ENTITY to allow COVERED ENTITY to conduct a reasonable
inspection of the facilities, systems, books, records, agreements,
policies and procedures relating to the use or disclosure of PI pursuant
to this Agreement for the purpose of determining whether ASSOCIATE
has complied with this Agreement; provided, however, that (i)
ASSOCIATE and COVERED ENTITY, shall mutually agree in advance
upon the scope, timing and location of such an inspection, (ii)
COVERED ENTITY shall protect the confidentiality of all confidential and
proprietary information of ASSOCIATE to which COVERED ENTITY has
access during the course of such inspection; and (iii) COVERED ENTITY
shall execute a nondisclosure agreement, upon terms mutually agreed
upon by the parties, if requested by ASSOCIATE.
3. Obligations of COVERED ENTITY
a. COVERED ENTITY shall be responsible for using appropriate safeguards
to maintain and ensure the confidentiality, privacy and security of PHI
transmitted to ASSOCIATE pursuant to this Agreement, in accordance
with the standards and requirements of the Privacy Rule, until such PHI
is received by Associate.
b. COVERED ENTITY shall notify ASSOCIATE of any limitation(s) in its
notice of privacy practices of COVERED ENTITY in accordance with 45
CFR 9 164.520, to the extent that such limitation may affect
ASSOCIATE'S use or disclosure of PHI.
c. COVERED ENTITY shall notify ASSOCIATE of any changes in, or
revocation of, permission by Individual to use or disclose PHI, to the
extent that such changes may affect ASSOCIATE'S use or disclosure of
PHI.
d. COVERED ENTITY shall notify ASSOCIATE of any restriction to the use
or disclosure of PHI that COVERED ENTITY has agreed to in accordance
with 45 CFR 9 164.522, to the extent that such restriction may affect
ASSOCIATE'S use or disclosure of PHI.
e. COVERED ENTITY shall identify its Business Associates through
Addendum A to this Agreement whose Business Associate agreements
with COVERED ENTITY permit ASSOCIATE to disclose PHI directly, and
shall provide information on any limitations or restrictions on
ASSOCIATE'S disclosure.
4. Permitted Uses and Disclosure by ASSOCIATE
a. Except as otherwise limited in this Agreement, ASSOCIATE may use or
disclose PHI to perform functions, activities, or services for, or on
behalf of, COVERED ENTITY as agreed to by COVERED ENTITY and
City-County Benefits Services/Sunday and Associates, Inc.
6
ASSOCIATE, provided that such use or disclosure would not violate the
Privacy Rule if done by COVERED ENTITY or the minimum necessary
policies and procedures of COVERED ENTITY.
b. ASSOCIATE may use and disclose PHI for the management and
administration of ASSOCIATE.
c. ASSOCIATE may provide data aggregation services relating to the
Health Care Operations of COVERED ENTITY.
d. COVERED ENTITY shall not request ASSOCIATE to use or disclose PHI
in any manner that would not be permissible under the Privacy Rule if
done by COVERED ENTITY.
5. Term and Termination
a. The Term of this Agreement shall be effective as of March 7, 2006, and
shall terminate when all of PHI provided by COVERED ENTITY to
ASSOCIATE, or created or received by ASSOCIATE on behalf of
COVERED ENTITY, is destroyed or returned to COVERED ENTITY.
b. If COVERED ENTITY knows of a pattern of activity or practice of
ASSOCIATE that constitutes a material breach or violation of
ASSOCIATE'S obligations under the provisions of this Agreement,
COVERED ENTITY shall either: (i) Provide an opportunity for
ASSOCIATE to cure the breach and terminate this Agreement only if
ASSOCIATE does not cure the breach or end the violation within the
time specified by COVERED ENTITY; (ii) Immediately terminate this
Agreement if ASSOCIATE has breached a material term of this
Agreement and cure is not possible; or (iii) if neither termination nor
cure are feasible, COVERED ENTITY shall report the violation to the
Secretary. [45 CFR 9164.504(e}(1}(ii)]
c. Upon termination of this Agreement for any reason, ASSOCIATE shall
return or destroy all PI that ASSOCIATE still maintains in any form, and
shall retain no copies of such PI. If return or destruction is not feasible,
ASSOCIATE shall continue to extend the protections of the Agreement
to such information, and limit further use of such PHI to those purposes
that make the return or destruction of such PHI infeasible. If
ASSOCIATE elects to destroy the PHI ASSOCIATE shall certify in writing
to COVERED ENTITY that such PHI has been destroyed. [45 CFR
9164. 504( e )(ii)(2 }(l}j
6. Amendment
a. The Parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this
Agreement may be required to provide for procedures to ensure
compliance with such developments. The parties specifically agree to
City-County Benefits Services/Sunday and Associates, Inc.
take such action as is necessary to implement the standards and
requirements of HIPAA, the Privacy Rule and other applicable laws
relating to the security or confidentiality of PHI. The parties understand
and agree that COVERED ENTITY must receive satisfactory written
assurance from ASSOCIATE that ASSOCIATE will adequately safeguard
all PI. Upon the request of either party, the other party agrees to
promptly enter into negotiations concerning the terms of an
amendment to this Agreement embodying written assurances
consistent with the standards and requirements of HIPAA, the Privacy
Rule or other applicable laws. Any amendment must be in writing and
executed by both parties.
b. Attachment A to this Agreement may be modified or amended through
the written mutual consent of the parties at anytime without
amendment to this Agreement.
7. Miscellaneous Provisions
a. A reference in this Agreement to a section in the HIPAA Privacy Rule
means the section as in effect or as amended.
b. Any notice to COVERED ENTITY required under the Agreement shall be
delivered to the Privacy Officer designated by COVERED ENTITY that is
on file with ASSOCIATE at the time of such notice.
c. COVERED ENTITY makes no warranty or representation that
compliance by ASSOCIATE with this Agreement, HIPAA or the HIPAA
Regulations will be adequate or satisfactory for ASSOCIATE'S own
purposes. ASSOCIATE is solely responsible for all decisions made by
ASSOCIATE regarding the safeguarding of PHI.
d. ASSOCIATE shall make itself, employees, or agents assisting
ASSOCIATE in the performance of its obligations under this Agreement,
available to COVERED ENTITY to testify as witnesses, or otherwise, in
the event of litigation or administrative proceedings being commenced
against COVERED ENTITY, its officers, or employees based upon a
claimed violation of HIPAA, the Privacy Rule or other laws relating to
security and privacy, except where ASSOCIATE is a named adverse
pa rty.
e. The respective rights and obligations of ASSOCIATE and COVERED
ENTITY shall survive the termination of this Agreement.
f. The provisions of this Agreement and Attachment A shall prevail over
any provisions in any other agreement or understanding between the
parties that may conflict or appear inconsistent with any provision in
this Agreement. This Agreement shall be interpreted as broadly as
necessary to implement and comply with HIPAA and the Privacy Rule.
The parties agree that any ambiguity in this Agreement shall be
City-County Benefits Services/Sunday and Associates, Inc.
8
resolved in favor of a meaning that complies and is consistent with
HIPAA and the Privacy Rule.
g. The provisions of this Agreement shall be severable, and if any
provision of this Agreement shall be held or declared to be illegal,
invalid or unenforceable, the remainder of this Agreement shall
continue in full force and effect as though the illegal, invalid or
unenforceable provision had not been contained.
h. Performance under this Agreement shall be in Brazoria County Texas.
IN WITNESS WHEREOF, the parties have executed this Agreement to take effect on
the Effective Date.
For COVERED ENTITY
By:
&If~
Bill Eisen
City Manager - The City of Pearland
May 1, 2007
By:
City-County Benefits Services
Life and Health Insurance Counselor/Benefits Consultant
May 1, 2007
City-County Benefits Services/Sunday and Associates, Inc.
9
BUSINESS ASSOCIATE AGREEMENT
ATTACHMENT A
This Attachment sets forth additional terms to the BUSINESS ASSOCIATE AGREEMENT
("the Agreement'') by and between The City of Pearland Employee Benefit Plan
("COVERED ENTITY'') and CITY-COUNTY BENEFITS SERVICES/SUNDAY and
ASSOCIATES, INC. ("ASSOCIATE''), effective May 1, 2007, and this Attachment is
effective as of the date indicated.
This Attachment supercedes and replaces prior Attachments and may be amended from
time to time as provided in Section 6(b) of the Agreement. Definitions in the
Agreement also apply to this Attachment.
1. Additional Business Associates of COVERED ENTITY with whom ASSOCIATE is
authorized to share PHI (including types of information, purpose and limitations):
a. CIGNA Healthcare (Medical/Rx Plan)
b. Assurant Employee Benefits (Dental Plan)
c. Vision Benefits of Amercia (Vision Plan)
d. Prudential (Life)
2. Subcontractor(s): The parties acknowledge that the following subcontractors or
agents of ASSOCIATE may receive PHI in the course of assisting ASSOCIATE in
the performance of its obligations to COVERED ENTITY:
a. Gary Monnin (G.P. Monnin Consulting) (Actuary)
3. ASSOCIATE may only provide COVERED ENTITY with PHI to the following
persons/positions:
a. Bill Eisen - City Manager
b. Mary Hickling - Director of Human Resources and Safety Management
c. Yesenia Garza - Human Resources Benefits Coordinator
c. Claire Manthei - Director of Finance
d. Darrin Coker - City Attorney
4. This Attachment is effective May 1, 2007.
City-County Benefits Services/Sunday and Associates, Inc.
IO
For COVERED ENTITY
For ASSOCIATE
By:
By:
~
....
Bill Eisen
Burke O. Sund
City Manager
City of Pearland
City-County Benefits Services
Life and Health Insurance Counselor
Benefits Consultant
May 1, 2007
May 1, 2007
City-County Benefits Services/Sunday and Associates, Inc.
11