The URL can be used to link to this page

1st Addendum 02/18/2009DANNY L. KOLHA GE CLERK OF THE CIRCUIT COURT DATE: April 21, 2009 TO: Maria Z. Fernandez - Gonzalez Senior Administrator - Benefits FROM. • Pamela G. HancA.C. At the February 18, 2009, Board of County Commissioner's meeting the Board granted approval and authorized execution of the following: HIPPA (Health Insurance Portability and Accountability Act) Business Associate Contract Addendum between Monroe County and Walgreens Health Initiatives, Inc. The purpose of this addendum is to satisfy certain standards and requirements of HIPPA and HIPPA Regulations, including, but not limited to Title 45, Section 164.50(e) of the Code of Federal Regulations. Amendment No. 1 to the Prescription Management Plan Services Agreement between Monroe County and Walgreens Health Initiatives, Inc. (WHI). Enclosed is a duplicate original of each of the above - mentioned for your handling. Should you have any questions please do not hesitate to contact this office. cc: County Attorney Finance File. BUSINESS ASSOCIATE CONTRACT ADDENDUM This HIPAA Business Associate Contract Addendum (the "Addendum ") supplements and is made a part of the Services Agreement ( "Agreement ") by and between the health plan ( "Covered Entity") of Monroe County, a political subdivision of the State of Florida ( "Plan Sponsor "), and Walgreens Health Initiatives, Inc., a Business Associate (`BA "), and is effective as of September 8, 2008 (the "Addendum Effective Date "). Covered Entity and BA have entered into an Agreement whereby BA provides pharmacy benefit management services to Covered Entity; Covered Entity wishes to disclose certain information to BA pursuant to the terms of the Agreement, some of which may constitute Protected Health Information ( "PHI "); Covered Entity and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104 -191 ( "HIPAA ") and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the "HIPAA Regulations ") and other applicable laws; The purpose of this Addendum is to satisfy certain standards and requirements of HIPAA and the HIPAA Regulations, including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations ( "C.F.R. "), as the same may be amended from time to time; For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties, intending to be legally bound, hereby agree as follows: A. Definitions For the purposes of this Addendum, the following terms have the meanings ascribed to them: (1) "Disclosure" with respect to PHI, shall mean the release, transfer, provision of access to or divulging in any other manner of PHI outside the entity holding the PHI. (2) "Individual" shall mean the person who is the subject of the Protected Health Information. (3) "Parties" shall mean Covered Entity and BA. (4) "Protected Health Information" or "PHI" shall mean any information created or received by Covered Entity, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. BUSINESS ASSOCIATE AGREEMENT PBM 2009 1 (R7 02.04.2008) (5) "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. B. Stated Purpose for Which BA May Use or Disclose PHI The Parties hereby agree that except as otherwise limited in this Addendum, BA shall be permitted to use or disclose PHI provided or made available from Covered Entity to perform any function, activity or service for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Regulations if done by Covered Entity. C. BA Obligations BA covenants and agrees that it shall: (1) Not further use or disclose the PHI provided or made available by Covered Entity other than as permitted or required by this Addendum or as required by applicable law or regulation. (2) Establish and maintain appropriate safeguards as necessary to prevent the use or disclosure of PHI other than as permitted under this Addendum. (3) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Report to Covered Entity any use or disclosure of PHI that BA is aware of that is not provided for or allowed by this Addendum. Report any Security Incident of which BA becomes aware to the Covered Entity. (5) Ensure that any of its agents or subcontractors, or other third parties with which BA does business that are provided PHI on behalf of Covered Entity, are aware of and bound to BA's obligations under this Addendum. Ensure that any agents or subcontractors who will have access to electronic PHI will also implement reasonable and appropriate safeguards to protect the information. (6) Make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity's obligations to provide access to, amendment of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45 CFR §§164.524, 164.526, and 164.528. (7) Make available to the Secretary of the U.S. Department of Health and Human Services all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, the BA on behalf of the Covered Entity, for purposes of determining Covered Entity's compliance with federal privacy laws and regulations. D. Permitted Disclosures Notwithstanding Article C(1), above, Parties agree that, pursuant to federal law, BA may: BUSINESS ASSOCIATE AGREEMENT PBM 2009 2 (R7 02.04.2008) (1) Use PHI in its possession for its proper management and administration and to fulfill any of its present or future legal responsibilities provided that such uses are permitted under state and federal confidentiality laws. (2) Use PHI in its possession to provide data aggregation services relating to the health care operations, as provided for in 45 C.F.R. § 164.501, of the Covered Entity. (3) Disclose PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any of its present or future legal responsibilities provided that (i) the disclosures are required by law, as provided for in 45 C.F.R. § 164.103, or (ii) BA has received from the third party written assurances that the PHI will be held confidentially, that the PHI will only be used or further disclosed as required by law or for the purpose for which it was disclosed to the third party, and that the third party will notify BA of any instances of which it is aware in which the confidentiality of the information has been breached, as required under 45 C.F.R. § 164.504(e)(4). (4) De- identify any and all PHI provided that the de- identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that the BA maintains the documentation required by 45 C.F.R. § 164.514(b), which may be in the form of a written assurance from BA. Pursuant to 45 C.F.R. § 164.502(d)(2), de- identified information does not constitute PHI and is not subject to the terms of this Addendum. E. Obligations of Covered Entity With respect to the use and /or disclosure of PHI by BA, the Covered Entity hereby agrees: (1) to use appropriate safeguards to maintain and ensure the confidentiality, privacy, and security of PHI transmitted to BA pursuant to the Agreement, in accordance with the standards and requirements of HIPAA and the HIPAA Regulations, until such PHI is received by BA. (2) to inform BA of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals pursuant to 45 C.F.R. § 164.506 or § 164.508. (3) to notify BA, in writing and in a timely manner, of any arrangements permitted or required of the Covered Entity under 45 C.F.R. Parts 160 and 164 that may impact in any manner the use and /or disclosure of PHI by BA under the Agreement, including, but not limited to, restrictions on the use and /or disclosure of PHI as provided for in 45 C.F.R. § 164.522 agreed to by the Covered Entity. (4) that BA may make any use and /or disclosure of PHI permitted under 45 C.F.R. § 164.512. F. Termination Notwithstanding any other provision under the Agreement and pursuant to federal law, each Party agrees that the Agreement may be terminated by the other Party without penalty should the other Party violate a material obligation under this Addendum. BUSINESS ASSOCIATE AGREEMENT PBM 2009 3 (R7 02.04.2008) G. Return or Destruction of PHI Upon termination or expiration of the Agreement, BA shall return to Covered Entity any and all PHI received from, or created by, BA on behalf of Covered Entity that is maintained by BA in any form whatsoever, including any copies or replicas. If returning the PHI to Covered Entity is not feasible, BA shall destroy any and all PHI maintained by BA in any form whatsoever, including any copies or replicas. Should the return or destruction of the PHI be determined by BA to not be feasible, the Parties agree that the terms of this Addendum shall extend to the PHI until otherwise indicated by the Covered Entity, and any further use or disclosure of the PHI by BA shall be limited to that purpose which renders the return or destruction of the PHI infeasible. H. Amendment to Comply with Law The Parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for procedures to ensure compliance with such developments. The Parties agree to take such action as is necessary to comply with the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of PHI. Upon either Party's request, the other Party agrees to promptly enter into negotiations concerning the terms of an amendment to this Addendum. I. No Third Party Beneficiaries Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, BA, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. J. Term This Addendum shall become effective on the Addendum Effective Date and shall expire when all of the PHI provided by Covered Entity to BA is destroyed or returned to Covered Entity pursuant to Section G. The Parties agree that Sections B, C, D, E, and I of the Addendum shall survive the termination or expiration of the Agreement. In the event of a conflict between this Addendum and other terms and conditions agreed to by the parties, the terms of this Addendum shall control with respect to its subject matter. K. Notice Notices required or given pursuant to a privacy or security incident shall be delivered in writing to BA or Covered Entity, as appropriate, and submitted to the address indicated below: Privacy For BA: Walgreens Privacy Office 200 Wilmot Road, MS 9000 Deerfield, Illinois 60015 Attn: Privacy Official With a copy to: Walgreens Health Initiatives, Inc. 1411 Lake Cook Road, MS L319 Deerfield, Illinois 60015 Attn: WHS Legal Security HIPAA Security Office 302 Wilmot Road, MS 3266 Deerfield, Illinois 60015 Attn: Security Official BUSINESS ASSOCIATE AGREEMENT PBM 2009 4 (R7 02.04.2008) For Covered Entity Maria Z. Fernandez - Gonzalez Sr- Adminintrator T Bene f its 1100 Simonton St., Suit 2 -268 Key West, FL 33040 ( 305) 292 -4448 Privacy Contact] [ Security Contact] L. Parties to Agreement Covered Entity and BA acknowledge and agree that they are the Parties to this Addendum and to the Agreement, and, to the extent such Parties are not so identified in the Agreement, the Agreement is hereby amended accordingly. M. Nominal Fee Covered Entity will pay BA a mutually agreeable fee to cover the costs associated with BA's response to PHI - related requests by Covered Entity or individuals hereunder. N. Entire Agreement This Agreement, which includes any and all attachments, exhibits, riders, and other documents referenced herein, constitutes the entire and full agreement between the parties hereto with respect to the subject matter hereof and supersedes any previous contract and no changes, amendments or alterations will be effective unless reduced to a writing signed by a duly authorized representative of both parties. Any prior agreements, documents, understandings, or representations relating to the subject matter of this Agreement not expressly set forth herein or referred to or incorporated herein by reference are of no force or effect. The Parties have caused this Addendum to be signed and delivered by their duly authorized representatives, as of the Addendum Effective Date. COVERED ENTITY: Monroe County, a political subdivision of the State of Florida �"Vg_ B . 4. V / �e.�. '5 Y Print Name: geo� fz, A/cct en Print Title: Ala ma• C�i4.i rr�a,ri BA: Walgreens Health Initiatives, Inc. By: C" Print Name: o;.,,•..,.a w wM...w.i{� Print Title: va PBM ReMn-n -tt. AMON �o ue BUSINESS ASSOCIATE AGREEMENT PBM 2009 5 (R7 02.04.2008) FEB 1 2409 (SEAL) ANNY L. OLHAGE ATT . w DEPUTY CLERK M �E COUNTY ATTORNEY C w M �0VED,A Tff F M: c c: YNTHIA L. ALL U_ tV A&9 N CO UNTY ATTQ R N EY © D U-) ZD ocy w � v U _� v va PBM ReMn-n -tt. AMON �o ue BUSINESS ASSOCIATE AGREEMENT PBM 2009 5 (R7 02.04.2008)