Loading...
Item C22 BOARD OF COUNTY COMMISSIONERS AGENDA ITEM SUMMARY Meeting Date: June 18,2003 . Division: Administrative Services Bulk Item: Y es ~ No Department: Group Insurance AGENDA ITEM WORDING: Approval of Business Associate Addendum with Multiplan. Inc.. our nationwide network. At!reement covers security of Protected Health Information (pm) as required by the Health Insurance Portability and Accountability Act of 1996 (HIP AA) Privacy Rule effective April 13. 2003. ITEM BACKGROUND: The Health Insurance Portability and Accountability Act of 1996 (HIP AA) Privacy Rule effective April 13. 2003 requires the enterint! of Business Associates At!reements with providers of health care services to ret!ulate the use and disclosure of Protected Health Information (PHO. PREVIOUS RELA VENT BOCC ACTION: N/A CONTRACT/AGREEMENT CHANGES: New provisions covered under the Health Insurance Portability and Accountability Act of 1996 (HIP AA). STAFF RECOMMENDATIONS: Approval TOTAL COST: None BUDGETED: Yes No COST TO COUNTY: None REVENUE PRODUCING: Yes No AMOUNTPERMONTH_ Year APPROVED BY: County Arty ~ OMB/Puf:?aSing!if Risk Management t)V" DIVISION DIRECTOR APPROVAL: ~ tl~----<..- Sheila A. Barker DOCUMENTATION: Included X To Follow_ Not Required_ DISPOSITION: AGENDAITEM#~~~ ~ Revised 2/27/01 .MULTIPLAN. INC. AMENDMENT TO CLIENT AGREEMENT FOR NETWORK ACCESS REGARDING PRIVACY and SECURITY OF PROTECTED HEALTH INFORMATION EFFECTIVE APRIL 14, 2003 I. Definitions A. "Individual" shall have the same meaning as in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). B. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. C. "Protected Health Information (hereafter "PHI")" shall have the same meaning as in 45 CFR 164.501, limited to the information created or received by MPI from or on behalf of Client. D. "Security Rule" shall mean the Security Standards for the Protection of Electronic Protected Identifiable Health Information set forth at 45 CFR part 164, subpart C. II. Obligations and Activities of MPI A. Pursuant to the Privacy Rule: 1. MPI shall not use or further disclose PHI other than as permitted or required by the Agreement or as required or permitted by law and regulation. 2. MPI shall use appropriate safeguards to prevent use or disclosure of the PHI other than as agreed to between the parties hereto. 3. MPI shall, to the extent practicable, mitigate any harmful effect that is known to MPI of a use or disclosure of PHI by MPI in violation of the requirements of this Agreement. 4. MPI shall report to Client any use or disclosure of the PHI not provided for by this Agreement, or as otherwise specified in writing by Client. 5. MPI shall take reasonable steps to ensure that any agent, including a subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply to MPI under this Agreement with respect to such PHI. 6. At the request of Client, MPI shall provide Client access to PHI in the time and manner mutually agreed upon between MPI and Client or, as directed by Client, to an Individual in order to meet the requirements under 45 CFR 164.524. 7. MPI shall make any amendments to PHI in a Designated Record Set that the Client directs or agrees to pursuant to 45 CFR 164.526 at the request of Client or an Individual, and in the time and manner designated by Client. MPI\Sales\HIPAA Bus Assoe arnd rev'd 3-tO-03 8. MPI shall make internal practices, books, and records relating to the use and disclosure of PHI available to the Client, or at the request of the Client to the Secretary of the Department of Health and Human Services or designee, in a time and manner designated by the Client or the Secretary, for purposes of the Secretary determining Client's compliance with the Privacy Rule. MPI shall document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. 9. MPI shall provide to Client or an Individual, in time and manner designated by Client, information collected in accordance with this Agreement, to permit Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. B. Pursuant to the Security Rule: In addition to the foregoing, pursuant to 45 CFR 9164.308(b)(1) and 9164. 314(a)(2)(i) of the Security Rule, MPI shall: 1. Implement administrative, physical, and technical safeguards that reasonable and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Client; 2. Ensure that any agent, including a subcontractor, to which MPI providers such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; 3. Report to the Client any security incident of which MPI becomes aware; 4. Authorize termination of the Agreement by the Client if the Client reasonably determines that MPI has violated a material term of this Amendment; and 5. Make its policies and procedures, and documentation relating to such safeguards, available to the Secretary ofHHS for purposes of determining Client's compliance with the Security Rule, III. Permitted Uses and Disclosures by MPI Except as otherwise limited in this Agreement, A. MPI may use PHI for the proper management and adm inistration of MPI or to carry out the legal responsibilities of MPI. MPI also may disclose such PHI as necessary for MPl's proper management and administration or to carry out MPl's legal responsibilities, provided that such use or disclosure is required by law, or MPI obtains reasonable assurance from any person or organization to which MPI shall disclose such PHI that such person or organization shall: 1. hold such Pill in confidence and use or further disclose it only for the purpose for which it was disclosed to MPI or as required by law; and 2. notify MPI of any instance of which the person or organization becomes aware in which the confidentiality of such PHI was breached. MPI shall promptly notify Client of such breach. B. MPI may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Client as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Client. MPIISales\HIPAA Bus Assoc amd rev'd 10-15-02 2 IV. Obligations of Client A. Client shall provide MPI with notice of Client's privacy practices in accordance with 45 CFR 164.520, as well as any changes to such notice. B. Client shall provide MPI with any changes in, or revocation of, permission by Individual to use or disclose PHI, if such changes affect MPI's permitted or required uses and disclosures. C. Client shall notify MPI of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR 164.522. D. Client shall not request MPI to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Client. E. Client shall advise MPI of state laws and regulations that are pre-emptive of HIP AA. V. Termination for Canse Upon Client's knowledge of a material breach by MPI of obligations set forth in this Amendment, Client shall provide MPI an opportunity to cure the breach within a reasonable time agreed to by Client. In the event of failure to cure in such time, Client shall have the right immediately to terminate the Agreement. Notwithstanding the foregoing, if neither termination nor cure is feasible, Client shall report the violation to the Secretary. VI. Effect of Termination of Agreement with respect to PHI A. Except as provided in paragraph (b) below, upon termination of this Agreement, for any reason, MPI shall return or destroy all PHI received from Client, or created or received by MPI on behalf of Client. This provision shall apply to PHI that is in the possession of subcontractors or agents of MPI. B. In the event that MPI determines that returning or destroying the PHI is infeasible, MPI shall provide to Client notification of the conditions that make return or destmction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, MPI shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as MPI maintains such PHI. MultiPlan, Inc. 115 Fifth Avenue New York, NY 10003-1004 Client Principal Address: By: Marcy E. Peller Date Executive Vice President, General Counsel By: Signature Date Print Name and Title MPI\SalesIHIPAA Bus Assoc amd rev'd 10-15-02 3