Loading...
HomeMy WebLinkAboutMCMC Managing Care Managing ClaimsEXECUTION COPY BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement ") is entered into as of the 24th day of April 2013, (the "Effective Date ") by and between MCMC LLC ( "Business Associate ") and City of Pasco _ (Covered Entity") (collectively, the "Parties "). WHEREAS, the Parties wish to enter into or have entered into an arrangement ( "Arrangement") whereby Business Associate will provide certain services to Covered Entity and, in providing those services, may have access to Protected Health Information or PHI (as hereinafter defined); and WHEREAS, the Parties are obligated under the statute and regulations implementing the Health Insurance Portability and Accountability Act of 1996, including the final Privacy and Security Rules ( "HIPAA "), to ensure that they use and disclose PHI consistent with the requirements of HIPAA; and WHEREAS, the Parties understand and acknowledge that PHI must be safeguarded as outlined in this Agreement. NOW THEREFORE, the Parties agree as follows: 1. Definitions a. Protected Health Information ("PHI"). "Protected Health Information" or "PHI ", as defined in 45 CFR § 164.501 and 45 CFR §160.103, includes any information, whether oral or recorded in any form or medium, that is created for or received from Covered Entity and that: (1) relates to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual; and (2) identifies the individual or provides a reasonable basis to believe that it may be used to identify the individual. b. The HITECH Act. The " HITECH Act" shall mean Title XIIII of the American Recovery and Reinvestment Act of 2009, which is also known as the Health Information Technology for Economic and Clinical Health Act. 2. Obligations and Activities of Business Associate a. Confidentiality of PHI. Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as required by law. Business Associate shall not at any time access any PHI for any purpose other than those specifically authorized by Covered Entity or required by law. Furthermore, Business Associate shall not permit access to any PHI by any unauthorized person or disclose any access code or authorization assigned to Business Associate that allows Revised December 2012 EXECUTION COPY it to access PHI to any unauthorized person or use such access code or authorization in an unauthorized manner. b. Permitted Uses. Except as otherwise provided in this Agreement, Business Associate shall use PHI solely for meeting its obligations and performing any functions, activities, or services for or on behalf of Covered Entity under the terms of the Arrangement. Any such use of PHI by Business Associate may not violate HIPAA or any other applicable law, rule or regulation. c. Permitted Disclosures. Business Associate shall not disclose PHI in any manner that would constitute a violation of HIPAA if disclosed by Covered Entity except that Business Associate may disclose PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if. (1) the disclosure is required by law; or (2) Business Associate obtains reasonable assurances from the third -party who receives the disclosed PHI that the confidentiality of the PHI will be maintained, that PHI will be further disclosed only as required by law or for the purpose for with it was disclosed and that third -party will notify Business Associate of any breaches of confidentiality of PHI. d. Aggregation of Data. Business Associate may aggregate the PHI received or obtained from Covered Entity with other PHI in its possession provided that the purpose of such aggregation is to provide Covered Entity with data analyses related to Covered Entity's "health care operations" as that term is defined in HIPAA. Under no circumstances may Business Associate disclose PHI of Covered Entity to another entity covered by HIPAA absent the explicit authorization of Covered Entity. e. Appropriate Safeguards. Business Associate agrees to use commercially reasonable and appropriate efforts to maintain the privacy and security of the PHI and to prevent unauthorized use or disclosure of PHI. Such efforts shall include the adoption and enforcement of policies and procedures to effectively implement the requirements of HIPAA and implement, pursuant to HIPAA, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Covered Entity's PHI. f Reporting Improper Use or Disclosure. Business Associate agrees to promptly report to Covered Entity any unauthorized use or disclosure of which it becomes aware, and to maintain and /or establish procedures for mitigating, to the greatest extent possible, any harmful effect that is created by any improper use or disclosure of PHI in violation of this Agreement. g. Access to PHI. To enable Covered Entity to fulfill its obligations under HIPAA, Business Associate shall, at the request and direction of Covered Entity, make PHI maintained by Business Associate or its agents and subcontractors available 2 Revised December 2012 EXECUTION COPY to Covered Entity or an individual for inspection and copying within five (5) days of receipt of such a request from Covered Entity. h. Amendment of PHI. To enable Covered Entity to fulfill its obligations under HIPAA, Business Associate shall, within five (5) days of a request from Covered Entity, make PHI maintained by Business Associate or its agents and subcontractors, available for amendment and, as directed by Covered Entity, shall incorporate any amendment or related statements into the information held by Business Associate and any of its agents or subcontractors. If any individual directly requests that Business Associate or its agents or subcontractors amend PHI, Business Associate or its agents or subcontractors shall notify Covered Entity within five (5) days of such request. i. Accounting of Disclosures. Business Associate and its agents and subcontractors shall, within five (5) days of a request from Covered Entity, make available the information necessary for Covered Entity to provide an individual with an accounting of the disclosures of his or her PHI as required under HIPAA. At a minimum, such information shall include: (1) the date of the disclosure; (2) the name and address of the entity or person receiving the PHI; (3) a brief description of the PHI disclosed; and (4) a brief description of the reason for the disclosure or a copy of the written request for the disclosure. Such information must be maintained by Business Associate and its agents or subcontractors for a period of six (6) years from the date of each disclosure. If any individual directly requests that Business Associate or its agents or subcontractors provide an accounting of disclosures of PHI, Business Associate or its agents or subcontractors shall notify Covered Entity within five (5) days of such request. j. Minimum Necessary. Business Associate agrees that it will not request, use or disclose more than the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure or request. k. Auditing, Inspections and Enforcement. Business Associate agrees to make its internal practices, books and records relating to the use or disclosure of PHI available to Covered Entity and the Secretary of the Department of Health and Human Services, or the Secretary's designee, for purposes of determining Covered Entity's compliance with HIPAA. Business Associate shall provide appropriate training regarding the requirements of this Agreement to any employee accessing, using or disclosing PHI and shall develop and implement a system of sanctions for any employee, agent or subcontractor who violates this Agreement. 1. Agents of Business Associate. Business Associate shall ensure that all of its agents and subcontractors to whom it discloses PHI agree to be bound by the same restrictions and obligations contained in this Agreement whenever PHI is made accessible to such agents or subcontractors. Business Associate shall 3 Revised December 2012 EXECUTION COPY disclose only the minimum necessary PHI for the agent or subcontractor to perform or fulfill the authorized subcontracted services. m. HITECH Act. Business Associate shall comply with all requirements applicable to Business Associate under the HITECH Act. 3. Obligations of Covered Entity a. Notice of Privacy Practices. Covered Entity agrees to inform Business Associate of its current privacy practices and any future changes to those practices by providing Business Associate with updated copies of its notice of privacy practices. b. Revocation of Authorization by Individual. Covered Entity agrees to inform Business Associates of any change to or revocation of an individual's authorization to use or disclose PHI to the extent that such changes may affect Business Associate's use or disclosure of PHI. c. Restrictions on Use and Disclosure. Covered Entity agrees to notify Business Associate of any restrictions to the use or disclosure of PHI agreed to by Covered Entity in accordance with HIPAA to the extent that such restriction may affect Business Associate's use or disclosure of PHI. d. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PIII in any manner that would not be permissible under HIPAA if done by Covered Entity. 4. Indemnification The Parties shall indemnify and hold harmless each other from and against any and all losses, expense, damage or injury that the indemnified party may sustain as a result of, or arising out of a breach of this Agreement by the indemnifying party or its agents or subcontractors, including, but not limited to, any unauthorized use or disclosure of PHI. 5. Term and Termination a. Term. This Agreement shall be effective from the Effective Date until all PHI provided by or created for Covered Entity is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the terms of this Agreement. b. Material Breach. A breach by Business Associate of any material provision of this Agreement or HIPAA, as determined by Covered Entity, shall constitute a material breach of this Agreement and shall provide grounds for the immediate termination of this Agreement and the Arrangement. 4 Revised December 2012 EXECUTION COPY c. Reasonable Steps to Cure Breach. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate's obligations under this Agreement or HIPAA, Covered Entity may provide Business Associate with an opportunity to cure the breach or violation. Should Business Associate fail to cure the breach or violation to the satisfaction of Covered Entity within the specified time period, Covered Entity shall have the right to terminate the Agreement and the underlying Arrangement. In the event termination or cure are not feasible, Covered Entity shall report Business Associate's breach or violation to the Secretary of the Department of Health and Human Services. d. Remedies. Notwithstanding any rights or remedies set forth in this Agreement or provided by law, Covered Entity retains all rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of PHI by Business Associate, any of its agents or subcontractors, or any third party who has received PHI from Business Associate. e. Effect of Termination. Upon termination of this Agreement, Business Associate shall return or destroy all PHI in its possession or the possession of its agents or subcontractors that was created for or received from Covered Entity. If it is infeasible to return or destroy the PHI, Business Associate and its agents or subcontractors shall continue to extend the protections of this Agreement to such information and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. Business Associate agrees that it will not retain any copies of PHI in any form or medium except as required by law. 6. Miscellaneous a. Relationship of Parties. None of the provisions of this Agreement are intended to create or shall be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other Arrangement between the Parties. b. Ownership of PHI. The PHI and any related information created for or received from Covered Entity is, and will remain, the property of Covered Entity. Business Associate agrees that it acquires no ownership rights to or title in the PHI or any related information. c. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person or entity other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever. 5 Revised December 2012 EXECUTION COPY d. Successors and Assigns. This Agreement shall be binding on the parties and their successors, but neither party may assign the Agreement without the prior written consent of the other, which consent shall not be unreasonably withheld. e. Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any occasion. Severability. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement shall remain in full force and effect. g. Modification to Comply with Law. The Parties acknowledge that state and federal laws relating to the security and privacy of PHI are rapidly evolving and that modification of this Agreement may be required to provide for procedures to ensure compliance with such developments. The Parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA. The Parties understand and agree that Covered Entity must receive satisfactory written assurances from Business Associate that Business Associate will adequately safeguard all PHI. Upon request of either party, the other party agrees to promptly enter into negotiations concerning the terms of a modification to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA. Either party may terminate this Agreement upon thirty (30) days written notice in the event that the other party does not promptly enter into negotiations to modify this Agreement when requested by such party under this section. Covered Entity may terminate this Agreement upon thirty (30) days written notice in the event that Business Associate does not enter into a modification of this Agreement providing assurances regarding the safeguarding of PHI that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and the requirements of HIPAA. h. Amendment. This Agreement may be amended or modified only in writing signed by the Parties. i. Notice. Any notice to the other party pursuant to this Agreement shall be deemed provided if sent by first class United States mail, postage prepaid, as follows: To Covered Entity: Privacy Officer Attention: Gary Crutchfield Title: City Manager Client: City of Pasco Address: 525 North Third Avenue Pasco WA 99301 Revised December 2012 EXECUTION COPY To Business Associate: Attention: Robert A. Millerick Sr. Vice President, General Counsel MCMC LLC 300 Crown Colony Drive, Suite 203 Quincy, MA 02169 j. Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA. k. Governing Law. To the extent that federal law does not apply, this Agreement shall be governed in all respects by the laws of the Commonwealth of Massachusetts without regard to principles of conflicts of laws. 1. Counterparts. This Agreement may be executed in counterparts with the same effect as if the signatures on such counterparts appeared on one document, and each such counterpart shall be deemed to be an original. Delivery of a photocopy or facsimile of an executed counterpart of a signature page to this Agreement shall be as effective as a delivery of a manually executed counterpart of this Agreement. m. Headings. The various headings in this Agreement are inserted for convenience only and shall not affect the meaning or interpretation of this Agreement or any provision hereof. (Remainder of page intentionally left blank; Signature page follows.) IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date. MCMC LLC BUSI"S ASSOCIATE B y : / % � a� ✓C�IG�L r L' ' Print Name Title: CF C) Dated: Q9 � c�(--1 Revised December 2012 City of By: �AC. CC Print Name Title: 'TV kigN (�L2 Dated: J ur4 5 3 zo 1 �) Exhibit C - Utilization Review Services 1. Nature of Services MCMC's Utilization Review services (the "Services ") are consultative in nature and MCMC shall have no authority to bind CLIENT to any assessments, recommendations, determinations, analyses or certifications. CLIENT acknowledges that CLIENT maintains the right to act upon its own judgment with regard to claims issues. The Services do not include the rendering of a diagnosis or the provision of treatment for any individual. 2. MCMC Obligations MCMC shall: • maintain all licenses and approvals required by state and federal law; • comply with all applicable state regulatory requirements; • provide timely notification of the loss of any required license or approval; • utilize written clinical review criteria based on current clinical principles and processes; • utilize appropriate licensed and experienced clinical professionals to perform reviews; • utilize licensed, board certified physicians and other licensed health specialists (e.g., Physical and Occupational Therapists, Chiropractors and others) to act as Peer Reviewers. • insure access to Utilization Review services, including hours of availability, method and frequency of communications, in accordance with State and/or URAC guidelines, as applicable. • prohibit the use of financial incentives or other measures that might impact the independent decision making of any clinical professional or Peer Reviewer. 3, CLIENT Oblisations CLIENT shall: • cooperate with MCMC in the implementation and exchange of information to facilitate adherence to all required regulations and in the performance of services "envisioned" by this Agreement ; and • provide all pertinent information related to a requested Utilization Review. 4. PRICING Pre- certification/Case Management/Peer Review: $3.20 /PEPM MCMC Revised February 2013