Item D39
BOARD OF COUNTY COMMISSIONERS
AGENDA ITEM SUMMARY
Meeting Date: February 19.2003
Division: Management Services
Bulk Item: Yes X
No
Department: Admin'e Services - Employee Benefits
AGENDA ITEM WORDING: Approval of Business Associate Addendum with WHP Health Initiatives,
Inc. d/b/a Walgreens Health Initiatives. Agreement covers security of Protected Health Information.
This does not change Prescription Benefits received by Employees in any manner.
ITEM BACKGROUND: Privacy Regulations of the Health Insurance Portability and Accountability
Act of 1996 (illPAA) require we enter into Business Associate Agreements with our providers of Health
Care Services to regulate and formalize the handling, reporting, dispensing, and security of Protected
Health Information. The Deadline for completion of these agreements is April 2003.
PREVIOUS RELEVANT BOCC ACTION:
CONTRACT/AGREEMENT CHANGES: New Provisions covered under Health Insurance Portability
and Accountability Act of 1996 (illPAA).
STAFF RECOMMENDATIONS: Approval
TOTAL COST: This Agreement
BUDGETED: Yes
COST TO COUNTY: None
None (Pharmaceutical Benefit $1.5 Million Annually)
No
SOURCE OF FUNDS: na
REVENUE PRODUCING: Yes
No
AMOUNTPERMONTH_ Year
APPROVED BY:
DIVISION DIRECTOR APPROVAL:
County Atty -X OMB/Purchasing ~ Risk Management _X_
-:;!i:.liL 06;JJ~
Sheila A. Barker
DOCUMENTATION: Included X
To Follow_
Not Required_
AGENDA ITEM #~
DISPOSITION:
Revised 1/03
MONROE COUNTY BOARD OF COUNTY COMMISSIONERS
CONTRACT SUMMARY
Contract with: WHP Health Initiatives Contract #
Effective Date: Upon Approval
Expiration Date:
Contract Purpose/Description:
Agreement with our provider of Health Care Services to regulate and formalize the
handling, reporting, dispensing, and security of Protected Health Information
Contract Manager: Maria Fernandez 4448 Employee Benefits - #8
(Name) (Ext. ) (Department/Stop #)
for BOCC meeting on February 19, Agenda Deadline: February 5,2003
2003
CONTRACT COSTS
Total Dollar Value of Contract: $ None
Pharmacy Benefits $1.4 million
annually
Budgeted? YesD No 0 Account Codes:
Grant: $
County Match: $
Current Year Portion: $
- - -
----
- - -
----
- - -
----
- - -
----
Estimated Ongoing Costs: $_/yr
(Not included in dollar value above)
ADDITIONAL COSTS
For:
(eJ,l;. maintenance, utilities, janitorial, salaries, etc.)
CONTRACT REVIEW
Risk Management
YesD Noif
YesD Not::(
Date Out
Date In
Division Director
:? ,~ tJ:3
~ )/03
_ 1
IJ~..~ /( .,'" )"
f./( .:--- t,:& d" -.) - {;j
O.M.B./Purchasing
County Attorney
YesDNoD
Comments:
OMB Form Revised 2/27/01 Mep #2
~~
HEALTH
INITIATIVES
Pharmacy Benefit Management
Specialty Pharmacy
Home Respiratory Services
Home Infusion Services
Home Medical Equipment
1417 Lake Cook Road
Deerfield, illinois 60015-5223
847-374-2640 . 847.374-2645
www.walgreenshealth.com
Phone: (847) 964-8319
Fax: (847) 374-2645
January 2003
RE: Business Associate Agreement
Dear Client:
WHP Health Initiatives, Inc. d/b/a Walgreens Health Initiatives, as a
prescription benefit manager, is a "Business Associate" for your
organization, as defined in the Health Insurance Portability &
Accountability Act's (HIPAA) regulations.
As your PBM, we will be obtaining and using prescription and other
healthcare information in carrying out our duties as your chosen PBM
under the forthcoming Prescription Service Agreement. However, in
advance of the Prescription Service Agreement, we have enclosed a
Business Associate Agreement (referred to in the Prescription Service
Agreement and attached document as "Addendum") that details our
policies on the use of patient information.
In order to expedite the agreement process and to help you be in full
compliance with HIPAA regulations, we ask that you review the document
and verify the legal entity ("covered entity") name on the document. If the
legal entity name is incorrect, please make any corrections on the
document itself. We encourage you to sign the document and return it to
my attention at the address below. Once we have received the signed
document, wewill have a representative of WHP Health Initiatives, Inc.
a/so sign the document and then a copy of the fully executed document
will be sent to you for your files.
Thank you for your cooperation and assistance. If you have any
questions, please contact me at the number below.
Sincerely,
~0 4v~-f
Mary ~.-'~osenquist
Walgreens Health Initiatives, Paralegal
1417 Lake Cook Road, MS L468
Deerfield, I L 60015
847/964-8319
Enclosure
~ -- ~~4:7 ;;occ
DJ'IE Oft tfp ~cJI
J71.n.)1J:~J (,'\Jf /l J Vr--
f~ OA~' I
BUSINESS ASSOCIATE ADDENDUM
This HIPAA Business Associate Agreement Addendum (the "Addendum"), entered into by and between the
health plan ("Covered Entity") of Monroe County Board of County Commissioners ("Plan Sponsor"), and WHP
Health Initiatives, Inc. d/b/a Walgreens Health Initiatives, a Business Associate ("BA"), supplements and is made a
part of the Prescription Services Agreement ("Agreement") entered into between BA and Plan Sponsor, and is
effective no later than April 14,2003 or such other date as regulations may require (the "Addendum Effective
Date"). If the compliance date that is applicable to the Covered Entity as established in the Privacy Regulations is
extended or otherwise delayed, in its sole and absolute discretion, the Covered Entity may elect to similarly extend
or otherwise delay the Privacy Compliance Date. If the Covered Entity does not make such an election, BA
obligations shall remain unchanged and in full force and effect.
WITNESSETH:
WHEREAS. Covered Entity and BA have entered into an Agreement whereby BA provides prescription benefit
management services to Covered Entity;
WHEREAS, Covered Entity wishes to disclose and/or make available certain information to BA pursuant to the
terms of the Agreement, some of which may constitute Protected Health Information ("PHI");
WHEREAS. Covered Entity and BA intend to protect the privacy and provide for the security of PHI disclosed to
BA pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S. Department of Health and
Human Services (the "HIPAA Regulations") and other applicable laws;
WHEREAS, the purpose of this Addendum is to satisfy certain standards and requirements of HIPAA and the
HIPAA Regulations, including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations
C'C.F.R."), as the same may be amended from time to time;
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby
acknowledged. the parties, intending to be legally bound, hereby agree as follows:
A. Definitions. For the purposes of this Addendum, the following terms have the meanings ascribed
to them:
(I) "Disclosure" with respect to PHI, shall mean the release, transfer, provision of access to or
divulging in any other manner of PHI outside the entity holding the PHI.
(2) "Individual" shall mean the person who is the subject of the Protected Health Information.
(3) "Parties" shall mean Covered Entity and BA.
(4) "Protected Health Information" or "PHI" shall mean any information created or received by
Covered Entity, or another entity acting on Covered Entity's behalf, or by BA in the perfonnance
of its services on behalf of Covered Entity, whether oral or recorded in any fonn or medium: (i)
that relates to the past, present or future physical or mental condition of an individual; the
provision of health care to an individual; or the past, present or future payment for the provision of
health care to an individual, and (ii) that identifies the individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the individual.
B. Stated Purpose for Which BA May Use or Disclose PHI. The Parties hereby agree that except as
otherwise limited in this Addendum, BA shall be permitted to use or disclose PHI provided or
made available from Covered Entity to perfonn any function, activity or service for, or on behalf
businessassoClale.112
of~ Covered Entity as specified in the Agreement or in this Addendum, provided that such use or
disclosure would not violate the HIPAA Regulations if done by Covered Entity. Covered Entity
acknowledges that SA intends to make PHI available to the subject Individual via its website,
using SA's customized online registration process for each such Individual. SA also may make
PHI available to Covered Entity or other permitted third party via the Internet or other electronic
medium. Covered Entity will notify SA in writing at the notice address stated herein if it wishes
to limit such communications.
C. SA Obligations. SA covenants and agrees that it shall:
(I) Not further use or disclose the PHI provided or made available by Covered Entity other than as
permitted or required by this Addendum or as required by applicable law or regulation.
(2) Establish and maintain appropriate safeguards as necessary to prevent the use or disclosure of
PHI other than as permitted under this Addendum.
(3) Report to Covered Entity any use or disclosure of PHI that SA is aware of that is not provided
for or allowed by this Addendum.
(4) Ensure that any of its agents or subcontractors, or other third parties with which SA does
business that are provided PHI on behalf of Covered Entity, are aware of and bound to SA's
obligations under this Addendum.
(5) Make available to Covered Entity such information as Covered Entity may require to fulfill
Covered Entity's obligations to provide access to, amendment of, and account for disclosures with
respect to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45
CFR SS 164.524, 164.526, and 164.528.
(6) Make available to the Secretary of the U.S. Department of Health and Human Services all
internal practices, books and records relating to the use and disclosure of PHI received from, or
created by, the SA on behalf of the Covered Entity, for purposes of determining Covered Entity's
compliance with federal privacy laws and regulations.
D. Permitted Disclosures. Notwithstanding Article C( I), above, Parties agree that, pursuant to
federal law, SA may:
(I) Use PHI in its possession, for its proper management and administration and to fulfill any of
its present or future legal responsibilities provided that such uses are permitted under state and
federal confidentiality laws.
(2) Use PHI in its possession to provide data aggregation services relating to the health care
operations, as provided for in 45 C.F.R. S 164.501, of the Covered Entity.
(3) Disclose PHI in its possession to third parties for the purpose of its proper management and
administration or to fulfill any of its present or future legal responsibilities provided that (i) the
disclosures are required by law, as provided for in 45 C.F.R. S 164.50 I, or (ii) SA has received
from the third party written assurances that the PHI will be held confidentially, that the PHI will
only be used or further disclosed as required by law or for the purpose for which it was disclosed
to the third party, and that the third party will notify SA of any instances of which it is aware in
which the confidentiality of the information has been breached, as required under
45 C.F.R. S 1 64.504(e)(4).
(4) De-identify any and all PHI provided that the de-identification conforms to the requirements of
45 C.F.R. 9 164.514(b), and further provided that the Covered Entity maintains the documentation
required by 45 C.F.R. S 164.514(b), which may be in the form of a written assurance from SA.
businessassociate.112
Pursuant to 45 C.F.R. ~ 164.502( d)(2), de-identified information does not constitute PHI and is not
subject to the terms of this Addendum.
E. Obligations of Covered Entity. No later than the effective date of this Agreement, Covered Entity
will provide SA with a copy of Plan Sponsor's certification that the health plan meets and will abide by all
HIPAA requirements. With respect to the use and/or disclosure of PHI by SA, the Covered Entity hereby
agrees:
(I) to use appropriate safeguards to maintain and ensure the confidentiality, privacy, and security
of PHI transmitted to SA pursuant to the Agreement, in accordance with the standards and
requirements of HIP AA and the HIP AA Regulations, until such PHI is received by SA.
(2) to inform SA of any changes in, or withdrawal of, the consent or authorization provided to the
Covered Entity by individuals pursuant to 45 C.F.R. ~ 164.506 or ~ 164.508.
(3) to notify SA, in writing and in a timely manner, of any arrangements permitted or required of
the Covered Entity under 45 C.F.R. Parts 160 and 164 that may impact in any manner the use
and/or disclosure of PHI by SA under the Agreement, including, but not limited to, restrictions on
the use and/or disclosure of PHI as provided for in 45 C.F.R. ~ 164.522 agreed to by the Covered
Entity.
(4) that SA may make any use and/or disclosure of PHI permitted under 45 C.F.R. ~ 164.512.
F. Termination. Notwithstanding any other provision under the Agreement and pursuant to federal
law, each Party agrees that the Agreement may be terminated by the other Party without penalty should the
other Party violate a material obligation under this Addendum.
G. Return or Destruction of PHI. Upon termination or expiration of the Agreement, SA shall return
to Covered Entity, upon request, any and all PHI received from, or created by, SA on behalf of Covered
Entity that is maintained by SA in any form whatsoever, including any copies or replicas. If returning the
PHI to Covered Entity is not feasible, SA shall destroy any and all PHI maintained by SA in any form
whatsoever, including any copies or replicas, Should the return or destruction of the PHI be determined by
SA to be contrary to SA's legal or operational interests or otherwise not feasible, the Parties agree that the
terms of this Addendum shall extend to the PHI for such time as SA deems necessary, and any further use
or disclosure of the PHI by SA shall be limited to that purpose which renders the return or destruction of
the PHI infeasible.
H. Amendment to Complv with Law. The Parties acknowledge that state and federal laws relating to
electronic data security and privacy are rapidly evolving and that amendment of this Addendum may be
required to provide for procedures to ensure compliance with such developments. The Parties agree to take
such action as is necessary to comply with the standards and requirements of HIPAA, the HIPAA
Regulations and other applicable laws relating to the security or confidentiality of PHI. Upon either Party's
request, the other Party agrees to promptly to enter into negotiations concerning the terms of an amendment
to this Addendum.
I. Indemnification. Each Party agrees to indemnify, defend and hold harmless the other Party. its
affiliates and each of their respective directors, officers, employees, agents or assigns from and against any
and all actions, causes of action, claims. suits and demands whatsoever, and from all damages, liabilities.
costs, charges, debts, and expenses whatsoever (including reasonable attorneys' fees and expenses related
to any litigation or other defense of any claims), which may be asserted or for which they may now or
hereafter become subject arising in connection with (i) any misrepresentation, breach of warranty or non-
fulfillment of any undertaking on the part of the Party under the Addendum; and (ii) any claims, demands,
awards. judgments, actions. and proceedings made by any person or organization arising out of or in any
way connected with the Party's performance under the Addendum,
buslnessassociate.112
J. No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer,
nor shall anything herein confer, upon any person other than Covered Entity, BA, and their respective
successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
K, Term. This Addendum shall become effective on the Addendum Effective Date and shall expire
when all of the PHI provided by Covered Entity to BA is destroyed or returned to Covered Entity pursuant
to Section G. The Parties agree that Sections B, C, D, E, and I of the Addendum shall survive the
termination or expiration of the Agreement. In the event of a conflict between this Addendum and other
terms and conditions agreed to by the parties, the terms of this Addendum shall control with respect to its
subject matter.
L. Parties to Agreement. Covered Entity and BA acknowledge and agree that they are the Parties to
this Addendum and to the Agreement, and, to the extent such Parties are not so identified in the Agreement,
the Agreement is hereby amended accordingly.
IN WITNESS WHEREOF. the Parties have caused this Addendum to be signed and delivered by their duly
authorized representatives. as of the Addendum Effective Date.
COVERED ENTITY
By Plan Administrator
BUSINESS ASSOCIATE:
WHP Health Initiatives, Inc. d/b/a WaIgreens Health
Initiatives
By:
By:
Print Name:
Print Name:
Print Title:
Print Title:
businessassoclate.112