Business Associate Addendum 02/19/2003
Danny L. Kolhage
Phone: 305-292-3550 Fax: 305-295-3663
To: James Roberts,
County Administrator
Attn: Maria Z. Fernandez, Administrator
Group Insurance
From: Isabel C. DeSantis,
Deputy Clerk
Date: Tuesday, April 29, 2003
At the Board meeting on February 19, 2003, the following was approved:
Business Associate Addendum between Monroe County and WHP Health
Initiatives, Inc. d/b/a Walgreens Health Initiatives. Agreement covers security of
Protected Health Information, and does not change Prescription Benefits received by
Employees in any manner.
Enclosed please find a duplicate original of the subject document for your
handling.
Copies: Finance
County Attorney
File
BUSINESS ASSOCIATE ADDENDUM
This HIPAA Business Associate Agreement Addendum (the "Addendum"), entered into by and between the
health plan ("Covered Entity") of Monroe County Board of County Commissioners ("Plan Sponsor"), and WHP
Health Initiatives, Inc. d/b/a Walgreens Health Initiatives, a Business Associate ("BA"), supplements and is made a
part of the Prescription Services Agreement ("Agreement") entered into between BA and Plan Sponsor, and is
effective no later than April 14, 2003 or such other date as regulations may require (the "Addendum Effective
Date"). If the compliance date that is applicable to the Covered Entity as established in the Privacy Regulations is
extended or otherwise delayed, in its sole and absolute discretion, the Covered Entity may elect to similarly extend
or otherwise delay the Privacy Compliance Date. If the Covered Entity does not make such an election, BA
obligations shall remain unchanged and in full force and effect.
WITNESSETH:
WHEREAS, Covered Entity and BA have entered into an Agreement whereby BA provides prescription benefit
management services to Covered Entity;
WHEREAS, Covered Entity wishes to disclose and/or make available certain information to BA pursuant to the
terms of the Agreement, some of which may constitute Protected Health Information ("PHI");
WHEREAS, Covered Entity and BA intend to protect the privacy and provide for the security of PHI disclosed to
BA pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S. Department of Health and
Human Services (the "HIPAA Regulations") and other applicable laws;
WHEREAS, the purpose of this Addendum is to satisfy certain standards and requirements of HIPAA and the
HIPAA Regulations, including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations
("C.F.R."), as the same may be amended from time to time;
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby
acknowledged, the parties, intending to be legally bound, hereby agree as follows:
A. Definitions For the purposes of this Addendum, the following terms have the meanings ascribed
to them:
(1) "Disclosure" with respect to PHI, shall mean the release, transfer, provision of access to or
divulging in any other manner of PHI outside the entity holding the PHI.
(2) "Individual" shall mean the person who is the subject of the Protected Health Information.
(3) "Parties" shall mean Covered Entity and BA.
(4) "Protected Health Information" or "PHI" shall mean any information created or received by
Covered Entity, or another entity acting on Covered Entity's behalf, or by BA in the performance
of its services on behalf of Covered Entity, whether oral or recorded in any form or medium: (i)
that relates to the past, present or future physical or mental condition of an individual; the
provision of health care to an individual; or the past, present or future payment for the provision of
health care to an individual, and (ii) that identifies the individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the individual.
B. Stated Purpose for Which BA May Use or Disclose PHI The Parties hereby agree that except as
otherwise limited in this Addendum, BA shall be permitted to use or disclose PHI provided or
made available from Covered Entity to perform any function, activity or service for, or on behalf
businessassociate.112
of, Covered Entity as specified in the Agreement or in this Addendum, provided that such use or
disclosure would not violate the HIPAA Regulations if done by Covered Entity. Covered Entity
acknowledges that BA intends to make PHI available to the subject Individual via its website,
using BA's customized online registration process for each such Individual. BA also may make
PHI available to Covered Entity or other permitted third party via the Internet or other electronic
medium. Covered Entity will notify BA in writing at the notice address stated herein if it wishes
to limit such communications.
C. BA Obligations BA covenants and agrees that it shall:
(1) Not further use or disclose the PHI provided or made available by Covered Entity other than as
permitted or required by this Addendum or as required by applicable law or regulation.
(2) Establish and maintain appropriate safeguards as necessary to prevent the use or disclosure of
PHI other than as permitted under this Addendum.
(3) Report to Covered Entity any use or disclosure of PHI that BA is aware of that is not provided
for or allowed by this Addendum.
(4) Ensure that any of its agents or subcontractors, or other third parties with which BA does
business that are provided PHI on behalf of Covered Entity, are aware of and bound to BA's
obligations under this Addendum.
(5) Make available to Covered Entity such information as Covered Entity may require to fulfill
Covered Entity's obligations to provide access to, amendment of, and account for disclosures with
respect to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45
CFR §§ 164.524, 164.526, and 164.528.
(6) Make available to the Secretary of the U.S. Department of Health and Human Services all
internal practices, books and records relating to the use and disclosure of PHI received from, or
created by, the BA on behalf of the Covered Entity, for purposes of determining Covered Entity's
compliance with federal privacy laws and regulations.
D. Permitted Disclosures Notwithstanding Article C(1), above, Parties agree that, pursuant to
federal law, BA may:
(1) Use PHI in its possession, for its proper management and administration and to fulfill any of
its present or future legal responsibilities provided that such uses are permitted under state and
federal confidentiality laws.
(2) Use PHI in its possession to provide data aggregation services relating to the health care
operations, as provided for in 45 C.F.R. § 164.501, of the Covered Entity.
(3) Disclose PHI in its possession to third parties for the purpose of its proper management and
administration or to fulfill any of its present or future legal responsibilities provided that (i) the
disclosures are required by law, as provided for in 45 C.F.R. § 164.501, or (ii) BA has received
from the third party written assurances that the PHI will be held confidentially, that the PHI will
only be used or further disclosed as required by law or for the purpose for which it was disclosed
to the third party, and that the third party will notify BA of any instances of which it is aware in
which the confidentiality of the information has been breached, as required under
45 C.F.R. § 164.504(e)(4).
(4) De-identify any and all PHI provided that the de-identification conforms to the requirements of
45 C.F.R. § 164.514(b), and further provided that the Covered Entity maintains the documentation
required by 45 C.F.R. § 164.514(b), which may be in the form of a written assurance from BA.
Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not
subject to the terms of this Addendum.
E. Obligations of Covered Entity No later than the effective date of this Agreement, Covered Entity
will provide BA with a copy of Plan Sponsor's certification that the health plan meets and will abide by all
HIPAA requirements. With respect to the use and/or disclosure of PHI by BA, the Covered Entity hereby
agrees:
(1) to use appropriate safeguards to maintain and ensure the confidentiality, privacy, and security
of PHI transmitted to BA pursuant to the Agreement, in accordance with the standards and
requirements of HIPAA and the HIPAA Regulations, until such PHI is received by BA.
(2) to inform BA of any changes in, or withdrawal of, the consent or authorization provided to the
Covered Entity by individuals pursuant to 45 C.F.R. § 164.506 or § 164.508.
(3) to notify BA, in writing and in a timely manner, of any arrangements permitted or required of
the Covered Entity under 45 C.F.R. Parts 160 and 164 that may impact in any manner the use
and/or disclosure of PHI by BA under the Agreement, including, but not limited to, restrictions on
the use and/or disclosure of PHI as provided for in 45 C.F.R. § 164.522 agreed to by the Covered
Entity.
(4) that BA may make any use and/or disclosure of PHI permitted under 45 C.F.R. § 164.512.
F. Termination Notwithstanding any other provision under the Agreement and pursuant to federal
law, each Party agrees that the Agreement may be terminated by the other Party without penalty should the
other Party violate a material obligation under this Addendum.
G. Return or Destruction of PHI Upon termination or expiration of the Agreement, BA shall return
to Covered Entity, upon request, any and all PHI received from, or created by, BA on behalf of Covered
Entity that is maintained by BA in any form whatsoever, including any copies or replicas. If returning the
PHI to Covered Entity is not feasible, BA shall destroy any and all PHI maintained by BA in any form
whatsoever, including any copies or replicas. Should the return or destruction of the PHI be determined by
BA to be contrary to BA's legal or operational interests or otherwise not feasible, the Parties agree that the
terms of this Addendum shall extend to the PHI for such time as BA deems necessary, and any further use
or disclosure of the PHI by BA shall be limited to that purpose which renders the return or destruction of
the PHI infeasible.
H. Amendment to Comply with Law The Parties acknowledge that state and federal laws relating to
electronic data security and privacy are rapidly evolving and that amendment of this Addendum may be
required to provide for procedures to ensure compliance with such developments. The Parties agree to take
such action as is necessary to comply with the standards and requirements of HIPAA, the HIPAA
Regulations and other applicable laws relating to the security or confidentiality of PHI. Upon either Party's
request, the other Party agrees promptly to enter into negotiations concerning the terms of an amendment
to this Addendum.
I. Indemnification Each Party agrees to indemnify, defend and hold harmless the other Party, its
affiliates and each of their respective directors, officers, employees, agents or assigns from and against any
and all actions, causes of action, claims, suits and demands whatsoever, and from all damages, liabilities,
costs, charges, debts, and expenses whatsoever (including reasonable attorneys' fees and expenses related
to any litigation or other defense of any claims), which may be asserted or for which they may now or
hereafter become subject arising in connection with (i) any misrepresentation, breach of warranty or
non-fulfillment of any undertaking on the part of the Party under the Addendum; and (ii) any claims, demands,
awards, judgments, actions, and proceedings made by any person or organization arising out of or in any
way connected with the Party's performance under the Addendum.
J. No Third Party Beneficiaries Nothing express or implied in this Addendum is intended to confer,
nor shall anything herein confer, upon any person other than Covered Entity, BA, and their respective
successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
K. Term This Addendum shall become effective on the Addendum Effective Date and shall expire
when all of the PHI provided by Covered Entity to BA is destroyed or returned to Covered Entity pursuant
to Section G. The Parties agree that Sections B, C, D, E, and I of the Addendum shall survive the
termination or expiration of the Agreement. In the event of a conflict between this Addendum and other
terms and conditions agreed to by the parties, the terms of this Addendum shall control with respect to its
subject matter.
L. Parties to Agreement Covered Entity and BA acknowledge and agree that they are the Parties to
this Addendum and to the Agreement, and, to the extent such Parties are not so identified in the Agreement,
the Agreement is hereby amended accordingly.
IN WITNESS WHEREOF, the Parties have caused this Addendum to be signed and delivered by their duly
authorized representatives, as of the Addendum Effective Date.
COVERED ENTITY
By Plan Administrator
BUSINESS ASSOCIATE:
WHP Health Initiatives, Inc. d/b/a Walgreens Health
Initiatives
By:
Print Name:
Print Title:
DEPUTY CLERK
APPROVED AS TO FORM AND LEGAL SUFFICIENCY
By: