04/21/2004 Agreement
DANNY L. KOLHAGE
CLERK OF THE CIRCUIT COURT
DATE:
May 25, 2004
TO:
Louis Latorre, Director
Social Services Division
Pamela G. Hanco~
Deputy Clerk c::y
FROM:
At the April 21, 2004, Board of County Commissioner's meeting the Board granted
approval and authorized execution of a Business Associate Agreement between Monroe County
and ENVOY Corporation d/b/a WebMD ENVOY to allow Monroe County Transportation
personnel to check on Medicaid status as well as Medicaid transportation trips.
Enclosed is a duplicate original of the above-mentioned for your handling. Should you
have any questions please do not hesitate to contact this office,
cc: County Administrator w/o document
County Attorney
Finance
File)
BUSINESS ASSOCIATE AGREEMENT
"Customer" or "Covered Entity":
Name: Monroe County Transportation
Address: 1100 Simonton st. Rm 1-181
City: Key West State: F 1 Zip: 33040
Phone: 90$292 14.22
Attention: Jerry Eskew
RECITALS
WHEREAS, Business Associate now and in the future may have
relationships with Customer in which Business Associate creates or
receives Protected Health Information (as defined below) for use in
providing services or products to Customer.
WHEREAS, Business Associate and Customer (each a "Party" and
collectively the "Parties") desire to meet their obligations, to the extent
applicable, under the Standards for Privacy of Individually Identifiable
Health Information (the "Privacy Regulation") and the Health Insurance
Reform: Security Standards (the "Security Regulation") published by the
U.S. Department of Health and Human Services ("HHS") at 45 C.F.R.
parts 160 and 164 under the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), and as may be applicable to the
services rendered by Business Associate to the Customer, under the
Gramm-Leach-Bliley Act ("GLB") and implementing regulations.
WHEREAS, the Parties desire to set forth the terms and conditions
pursuant to which Protected Health Information that is provided by, or
created or received by, the Business Associate on behalf of the Customer
("Protected Health Information"), will be handled between themselves and
third parties.
NOW THEREFORE, in consideration of the foregoing and for other good
and valuable consideration, the receipt and sufficiency of which are hereby
acknowledged, the Parties hereby agree as follows:
TERMS AND CONDITIONS
1. PERMITTED USES AND DISCLOSURES OF PROTECTED
HEALTH INFORMATION
1.1 Services. (a) Business Associate provides services (which may
include transaction services as well as servicing hardware or software
products) ("Services") that involve the use and/or disclosure of Protected
Health Information. These Services are provided to Customer under
various agreements ("Service Agreements") that specify the Services to be
provided by Business Associate. Except as otherwise specified herein, the
Business Associate may make any and all uses and disclosures of
Protected Health Information created or received from or on behalf of
Customer necessary to perform its obligations under the Service
Agreements.
(b) Business Associate may perform Data Aggregation for the
Health Care Operations of Customer.
1.2. Public Health Activities. Business Associate may use, analyze, and
disclose the Protected Health Information in its possession for the public
health activities and purposes set forth at 45 CFR. ~ 164.512(b)
1.3. Business Activities of the Business Associate. Unless otherwise
limited herein, the Business Associate may: (a) consistent with 45 C.F.R. ~
164.504(e)(4), use and disclose the Protected Health Information in its
possession for its proper management and administration and to fulfill any
present or future legal responsibilities of the Business Associate; and
gv.8/18/03
"Business Associate":
Each of the subsidiaries of WebMD Corporation, a Delaware corporation,
listed on Exhibit A hereto as amended from time to time as provided herein,
who has a relationship with Customer in which such entity creates or
receives Protected Health Information (as defined below) for use in providing
services or products to Customer.
Address: ENVOY Corporation d/b/a WebMD ENVOY
Post Office Box 149090
Nashville, TN 37214-9090
Attention: Legal Department
(b) de-identify any and all Protected Health Information in
accordance with 45 C.F.R. ~ 164.514(b). Customer acknowledges and
agrees that de-identified information is not Protected Health Information
and that Business Associate may use such de-identified information for
anyla~ul purpose.
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO
PROTECTED HEALTH INFORMATION
2.1. ResDonsibilities of the Business Associate. Business Associate
agrees to: (a) use and/or disclose the Protected Health Information only as
permitted or required by this Agreement or as otherwise required by law;
(b) report to the Customer any use and/or disclosure of the
Protected Health Information of which Business Associate becomes aware
that is not permitted or required by this Agreement;
(c) report to Customer any Security Incident of which it becomes
aware with respect to Electronic Protected Health Information provided by,
or created or received by, Business Associate on behalf of Customer
("Electronic Protected Health Information");
(d) mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of Protected Health
Information by Business Associate not provided for by this Agreement;
(e) use appropriate safeguards to prevent use or disclosure of
Protected Health Information other than as permitted or required by this
Agreement;
(f) (i) implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality, integrity, and
availability of the Electronic Protected Health Information that it creates,
receives, maintains, or transmits on behalf of Customer; and (ii) make its
policies and procedures, and documentation required by the Security
Regulation relating to such safeguards, available to the Secretary of HHS
for purposes of determining Customer's compliance with the Security
Regulation;
(g) require all of its subcontractors and agents that receive, use or
have access to Protected Health Information, to agree to adhere to the
same restrictions and conditions on the use and/or disclosure of Protected
Health Information that apply to the Business Associate;
(h) ensure that all of its subcontractors and agents to whom it
provides Electronic Protected Health Information agree to implement
reasonable and appropriate safeguards to protect such Electronic
Protected Health Information;
(i) make available its internal practices, books and records relating
to the use and/or disclosure of Protected Health Information to the
Secretary of HHS for purposes of determining the Customer's compliance
with the Privacy Regulation;
0) within thirty (30) days of receiving a written request from
Customer, make available information necessary for Customer to make an
accounting of disclosures of an individual's Protected Health Information;
Page 1
(k) within fifteen (15) days of receiving a written request from
Customer, make available Protected Health Information necessary for
Customer to respond to individuals' requests for access to Protected
Health Information about them, to the extent that the Protected Health
Information in Business Associate's possession constitutes a Designated
Record Set; and
(I) within thirty (30) days of receiving a written request from
Customer, incorporate any amendments or corrections to the Protected
Health Information in accordance with the Privacy Regulation, to the extent
that the Protected Health Information in Business Associate's possession
constitutes a Designated Record Set
2.2. ResDonsibilities of the Customer. (a) With regard to the use and/or
disclosure of Protected Health Information by the Business Associate, the
Customer agrees: (i) to obtain any consent, authorization or permission that
may be required by the Privacy Regulation or any other applicable federal,
state or local laws and/or regulations prior to furnishing Business
Associate the Protected Health Information pertaining to an individual; and
(ii) that it will not furnish Business Associate Protected Health Information
that is subject to any arrangements permitted or required of the Covered
Entity, including but not limited to, arrangements agreed to by Customer
under 45 C.FR 9 164.522 that may impact in any manner the use and/or
disclosure of Protected Health Information by the Business Associate
under this Agreement and the Service Agreement(s).
(b) Customer represents and warrants that its notice of privacy
practices permits Customer to use and disclose Protected Health
Information in the manner that Business Associate is authorized to use
and disclose Protected Health Information under this Agreement
3. TERM AND TERMINATION
3.1. Term. Each term and condition of this Agreement shall become
effective oothe Effective Date, unless such term or condition relates to
Electronic Protected Health Information only, in which event such term or
condition shall become effective on the later of (a) the compliance date
applicable to the Customer under the Security Regulation or (b) the date on
which the Parties have executed the Agreement This Agreement shall
continue in effect unless terminated as provided in this Section 3, provided,
that certain provisions and requirements of this Agreement shall survive the
expiration or termination of this Agreement in accordance with Section 4.4
herein.
3.2. Termination bv the Customer. As provided for under 45 C.FR 9
164.504(e)(2)(iii), the Covered Entity may immediately terminate this
Agreement with respect to a Business Associate and any related Service
Agreement(s) if the Covered Entity makes the determination that such
Business Associate has breached a material term of this Agreement
Alternatively, Covered Entity may choose to provide such Business
Associate written notice of the breach in sufficient detail to enable
Business Associate to understand the specific nature of the breach and
afford Business Associate an opportunity to cure the breach; provided,
however, that if such Business Associate fails to cure the breach within a
reasonable time specified by Covered Entity, Covered Entity may
terminate this Agreement with respect to such Business Associate and
any related Service Agreement(s) to the extent that the Service
Agreement(s) requires such Business Associate to create or receive
Protected Health Information.
3.3. Termination bv Business Associate. Any Business Associate may
immediately terminate this Agreement with respect to such Business
Associate and any related Service Agreement(s) if such Business
Associate makes the determination that Covered Entity has breached a
material term of this Agreement Alternatively, such Business Associate
may choose to provide Covered Entity written notice of the breach in
sufficient detail to enable Covered Entity to understand the specific nature
of the breach and afford Covered Entity an opportunity to cure the breach;
provided, however, that if Covered Entity fails to cure the breach within a
reasonable time specified by Business Associate, Business Associate
may terminate this Agreement as it relates to such Business Associate
and any related Service Agreement(s) to the extent that the Service
gv.8/18/03
Agreement(s) requires such Business Associate to create or receive
Protected Health Information.
3.4. Automatic Termination. This Agreement will automatically
terminate with respect to any Business Associate without any further
action of the Parties upon the termination or expiration of all Service
Agreement(s) between Customer and such Business Associate.
3.5. Effect of Termination. Upon the termination of this Agreement with
respect to anyone or more Business Associates, such Business
Associate(s) agrees to return or destroy all Protected Health Information,
including such information in possession of such Business Associate's
subcontractors, if it is feasible to do so. If return or destruction of said
Protected Health Information is not feasible, such Business Associate(s)
will extend any and all protections, limitations and restrictions contained in
this Agreement to the Business Associate's use and/or disclosure of any
Protected Health Information retained after the termination of this
Agreement, and limit any further uses and/or disclosures to the purposes
that make the return or destruction of the Protected Health Information
infeasible.
4. MISCELLANEOUS
4.1. Entire Aareement This Agreement, and all attachments,
schedules and exhibits hereto, constitutes the entire agreement and
understanding between the Parties with respect to the subject matter
hereof and supersedes any prior or contemporaneous written or oral
memoranda, negotiations, arrangements, contracts or understandings of
any nature or kind between the Parties with respect to the subject matter
hereof.
4.2. Chanae of Law. Customer shall notify Business Associate within
ninety (90) days of any amendment to any provision of HIPAA, or its
implementing regulations set forth at 45 C.F.R. parts 160 through 164,
which materially alters either Party's or the Parties' obligations under this
Agreement The Parties agree to negotiate in good faith mutually
acceptable and appropriate amendment(s) to this Agreement to give effect
to such revised obligations; provided, however, that if the Parties are
unable to agree on mutually acceptable amendment(s) within ninety (90)
days of the relevant change of law, either Party may terminate this
Agreement consistent with sections 3.5 and 3.4.
4.3. Construction of Terms. The terms of this Agreement shall be
construed in light of any interpretation and/or guidance on HIPAA, the
Privacy Regulation and/or the Security Regulation issued by HHS from
time to time.
4.4. Survival. Sections 3.5, 4.3, 4.8, 4.11, 5, 6 and this Section 4.4,
and any other provisions of this Agreement that by their terms are
intended to survive, shall survive the termination of this Agreement
4.5. Amendment: Waiver. This Agreement may not be modified, nor
shall any provision hereof be waived or amended, except in a writing duly
signed by authorized representatives of the Parties. A waiver with respect
to one event shall not be construed as continuing, or as a bar to or waiver
of any right or remedy as to subsequent events.
4.6. Notices. Any notices to be given hereunder to a Party shall be
made via U.S. Mail or express courier to such Party's address given
above, and/or via facsimile to the facsimile telephone numbers listed
above. Each Party may change its address and that of its representative
for notice by the giving of notice thereof in the manner herein above
provided.
4.7. Counteroarts: Facsimiles. This Agreement may be executed in any
number of counterparts, each of which shall be deemed an original.
Facsimile copies hereof shall be deemed to be originals.
4.8. DisDutes. If any controversy, dispute or claim arises between the
Parties with respect to this Agreement, the Parties shall make good faith
efforts to resolve such matters informally.
Page 2
4.9 Effective Date. The Effective Date of this Agreement shall be the
later of April 14, 2003, or the date on which the Parties have executed the
Agreement
4.10 Bindina Aareement: New Parties: Aaencv.
(a) This Agreement shall be binding upon the Parties and
their successors and permitted assigns. Anyone or more additional
subsidiaries of WebMD Corporation with a relationship with Customer in
which such entity creates or receives Protected Health Information for use
in providing services or products to Customer (each a "New Party") may
join this Agreement as a Party and a Business Associate by executing and
delivering a counterpart of this Agreement In addition, WebMD
Corporation from time to time lists on its corporate website its subsidiaries
which are business associates for purposes of HIPAA compliance ("HIPAA
BA Subs"). Each HIPAA BA Sub that creates or receives Protected Health
Information for use in providing services or products to Customer shall be
deemed to be a New Party without further action by any Party hereto.
Whenever a New Party joins this Agreement, Exhibit A will be deemed
amended (and shall be revised at the request of any Party or WebMD
Corporation as agent for the Business Associates) to list such New Party
as a Business Associate hereunder.
(b) The Parties acknowledge that WebMD Corporation is
executing and delivering this Agreement solely in its capacity as agent for
the Business Associates. By signing below, WebMD Corporation
represents that it has been authorized to execute this Agreement on behalf
of each Business Associate, including any New Party who joins this
Agreement under Section 4.1 O(a).
4.11 No Third Partv Beneficiaries. Nothing in this Agreement shall
confer upon any person other than the Parties and their respective
successors or assigns, any rights, remedies, obligations, or liabilities
whatsoever.
4.12 Contradictorv Terms. This Agreement hereby amends, modifies,
supplements and is made part of the Service Agreement(s), provided that
any provision of the Service Agreement(s), including all exhibits or other
attachments thereto and all documents incorporated therein by reference,
that is directly contradictory to one or more terms of this Agreement
("Contradictory Term") shall be superseded by the terms of this Agreement
as of the date such terms become effective pursuant to Section 3.1, to the
extent and only to the extent of the contradiction and only to the extent that
it is reasonably impossible to comply with both the Contradictory Term and
the terms of this Agreement
5. LIMITATION OF LIABILITY
NEITHER PARTY SHAll BE LIABLE TO THE OTHER PARTY FOR ANY
INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES
OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS
ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING
NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE
OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
lOSS OR DAMAGES.
6. DEFINITIONS
Regulatory citations in this Agreement are to the United States Code of
Federal Regulations Title 45 parts 160 through 164, as interpreted and
amended from time to time by HHS, for so long as such regulations are in
effect. Unless otherwise specified in this Agreement, all capitalized terms
not otherwise defined shall have the meaning established for purposes of
Title 45 parts 160 through 164 of the United States Code of Federal
Regulations, as amended from time to time.
IN WITNESS WHEREOF, each of the undersigned has caused this Business Associate Agreement to be duly executed effective as of the
Effective Date.
WEBMD CORPORATION
BY:~ X~
Print Name: Lowell Stc \~es
Print Title:
./ '-' -'\ssistant General Counsel
Date:
APR 2 9 2004
I--"'~''':;' l
r:;.\::;,.,...'_.......\\'I,I','.
.'
,_' o----~._-_.~~
gv.8/18/03
CUSTOMER
By: ~
Print Name:
David P. Rice
Print Title:
Mayor Pro Tem
Date:
April 21, 2004
%
o 0
Z l>
;gP~
rTI:;ll:. -<
g~f-
c::::ij;.J:
z. C
-f C") r-
:<:-f:r
.." )>
r- C>
~ l'TI
.,..,
r-
ITI
o
."
o
::tJ
::tJ
ITI
(;
o
;0
a
'-~
=
=
~
::c
:ra.
-<
N
en
Hi,nC!!
rjlWi/i"'i:;'
Page 3
Adaptive Health Systems of Arizona, Inc.
Advanced Business Fulfillment, Inc.
Benchmark Systems, Inc. of Louisiana
Carelnsite Corporation
Claims Processing Service, Inc.
Envoy Corporation
EnvoylExpressBill, Inc.
Healthcare Interchange, Inc.
Illinois Medical Information Network, Inc.
IMS-Net of Arkansas, Inc.
IMS-Net of Central Florida, Inc.
IMS-Net of Colorado, Inc.
IMS-Net of Illinois, Inc.
Kinetra LLC
MedE America Corporation
MedE America Corporation of Ohio
Medical Manager Health Systems, Inc.
Medical Manager PCN, Inc
Medical Manager Research & Development
Medical Manager Sales & Marketing
Medifax ED!
Minnesota Medical Communication Network, LLC
National Electronic Information Corporation
Peachtree Associates, Inc
Personal Best!, Inc.
Preferred System Solutions, Inc
TouchPoint Software Corporation
United Software Architects, Inc.
WebMD Clinical Services, LLC
We limed, Inc.
~y.8/18/03
EXHIBIT A