HomeMy WebLinkAboutMCMC Managing Care Managing ClaimsEXECUTION COPY
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement ") is entered into as of
the 24th day of April 2013, (the "Effective Date ") by and
between MCMC LLC ( "Business Associate ") and City of Pasco _ (Covered Entity")
(collectively, the "Parties ").
WHEREAS, the Parties wish to enter into or have entered into an arrangement
( "Arrangement") whereby Business Associate will provide certain services to Covered
Entity and, in providing those services, may have access to Protected Health Information
or PHI (as hereinafter defined); and
WHEREAS, the Parties are obligated under the statute and regulations implementing the
Health Insurance Portability and Accountability Act of 1996, including the final Privacy
and Security Rules ( "HIPAA "), to ensure that they use and disclose PHI consistent with
the requirements of HIPAA; and
WHEREAS, the Parties understand and acknowledge that PHI must be safeguarded as
outlined in this Agreement.
NOW THEREFORE, the Parties agree as follows:
1. Definitions
a. Protected Health Information ("PHI"). "Protected Health Information" or "PHI ",
as defined in 45 CFR § 164.501 and 45 CFR §160.103, includes any information,
whether oral or recorded in any form or medium, that is created for or received from
Covered Entity and that: (1) relates to the past, present or future physical or mental
health or condition of an individual, provision of health care to an individual, or the
past, present or future payment for health care provided to an individual; and (2)
identifies the individual or provides a reasonable basis to believe that it may be used
to identify the individual.
b. The HITECH Act. The " HITECH Act" shall mean Title XIIII of the American
Recovery and Reinvestment Act of 2009, which is also known as the Health
Information Technology for Economic and Clinical Health Act.
2. Obligations and Activities of Business Associate
a. Confidentiality of PHI. Business Associate agrees to not use or disclose PHI
other than as permitted or required by the Agreement or as required by law.
Business Associate shall not at any time access any PHI for any purpose other than
those specifically authorized by Covered Entity or required by law. Furthermore,
Business Associate shall not permit access to any PHI by any unauthorized person or
disclose any access code or authorization assigned to Business Associate that allows
Revised December 2012
EXECUTION COPY
it to access PHI to any unauthorized person or use such access code or authorization
in an unauthorized manner.
b. Permitted Uses. Except as otherwise provided in this Agreement, Business
Associate shall use PHI solely for meeting its obligations and performing any
functions, activities, or services for or on behalf of Covered Entity under the
terms of the Arrangement. Any such use of PHI by Business Associate may not
violate HIPAA or any other applicable law, rule or regulation.
c. Permitted Disclosures. Business Associate shall not disclose PHI in any manner
that would constitute a violation of HIPAA if disclosed by Covered Entity except
that Business Associate may disclose PHI as necessary for the proper
management and administration of Business Associate or to carry out the legal
responsibilities of Business Associate if. (1) the disclosure is required by law; or
(2) Business Associate obtains reasonable assurances from the third -party who
receives the disclosed PHI that the confidentiality of the PHI will be maintained,
that PHI will be further disclosed only as required by law or for the purpose for
with it was disclosed and that third -party will notify Business Associate of any
breaches of confidentiality of PHI.
d. Aggregation of Data. Business Associate may aggregate the PHI received or
obtained from Covered Entity with other PHI in its possession provided that the
purpose of such aggregation is to provide Covered Entity with data analyses
related to Covered Entity's "health care operations" as that term is defined in
HIPAA. Under no circumstances may Business Associate disclose PHI of
Covered Entity to another entity covered by HIPAA absent the explicit
authorization of Covered Entity.
e. Appropriate Safeguards. Business Associate agrees to use commercially
reasonable and appropriate efforts to maintain the privacy and security of the PHI
and to prevent unauthorized use or disclosure of PHI. Such efforts shall include
the adoption and enforcement of policies and procedures to effectively
implement the requirements of HIPAA and implement, pursuant to HIPAA,
administrative, physical and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity and availability of the Covered
Entity's PHI.
f Reporting Improper Use or Disclosure. Business Associate agrees to promptly
report to Covered Entity any unauthorized use or disclosure of which it becomes
aware, and to maintain and /or establish procedures for mitigating, to the greatest
extent possible, any harmful effect that is created by any improper use or
disclosure of PHI in violation of this Agreement.
g. Access to PHI. To enable Covered Entity to fulfill its obligations under HIPAA,
Business Associate shall, at the request and direction of Covered Entity, make
PHI maintained by Business Associate or its agents and subcontractors available
2
Revised December 2012
EXECUTION COPY
to Covered Entity or an individual for inspection and copying within five (5)
days of receipt of such a request from Covered Entity.
h. Amendment of PHI. To enable Covered Entity to fulfill its obligations under
HIPAA, Business Associate shall, within five (5) days of a request from Covered
Entity, make PHI maintained by Business Associate or its agents and
subcontractors, available for amendment and, as directed by Covered Entity,
shall incorporate any amendment or related statements into the information held
by Business Associate and any of its agents or subcontractors. If any individual
directly requests that Business Associate or its agents or subcontractors amend
PHI, Business Associate or its agents or subcontractors shall notify Covered
Entity within five (5) days of such request.
i. Accounting of Disclosures. Business Associate and its agents and subcontractors
shall, within five (5) days of a request from Covered Entity, make available the
information necessary for Covered Entity to provide an individual with an
accounting of the disclosures of his or her PHI as required under HIPAA. At a
minimum, such information shall include: (1) the date of the disclosure; (2) the
name and address of the entity or person receiving the PHI; (3) a brief
description of the PHI disclosed; and (4) a brief description of the reason for the
disclosure or a copy of the written request for the disclosure. Such information
must be maintained by Business Associate and its agents or subcontractors for a
period of six (6) years from the date of each disclosure. If any individual directly
requests that Business Associate or its agents or subcontractors provide an
accounting of disclosures of PHI, Business Associate or its agents or
subcontractors shall notify Covered Entity within five (5) days of such request.
j. Minimum Necessary. Business Associate agrees that it will not request, use or
disclose more than the minimum amount of PHI necessary to accomplish the
purpose of the request, use or disclosure or request.
k. Auditing, Inspections and Enforcement. Business Associate agrees to make its
internal practices, books and records relating to the use or disclosure of PHI
available to Covered Entity and the Secretary of the Department of Health and
Human Services, or the Secretary's designee, for purposes of determining
Covered Entity's compliance with HIPAA. Business Associate shall provide
appropriate training regarding the requirements of this Agreement to any
employee accessing, using or disclosing PHI and shall develop and implement a
system of sanctions for any employee, agent or subcontractor who violates this
Agreement.
1. Agents of Business Associate. Business Associate shall ensure that all of its
agents and subcontractors to whom it discloses PHI agree to be bound by the
same restrictions and obligations contained in this Agreement whenever PHI is
made accessible to such agents or subcontractors. Business Associate shall
3
Revised December 2012
EXECUTION COPY
disclose only the minimum necessary PHI for the agent or subcontractor to
perform or fulfill the authorized subcontracted services.
m. HITECH Act. Business Associate shall comply with all requirements applicable
to Business Associate under the HITECH Act.
3. Obligations of Covered Entity
a. Notice of Privacy Practices. Covered Entity agrees to inform Business Associate
of its current privacy practices and any future changes to those practices by
providing Business Associate with updated copies of its notice of privacy
practices.
b. Revocation of Authorization by Individual. Covered Entity agrees to inform
Business Associates of any change to or revocation of an individual's
authorization to use or disclose PHI to the extent that such changes may affect
Business Associate's use or disclosure of PHI.
c. Restrictions on Use and Disclosure. Covered Entity agrees to notify Business
Associate of any restrictions to the use or disclosure of PHI agreed to by
Covered Entity in accordance with HIPAA to the extent that such restriction may
affect Business Associate's use or disclosure of PHI.
d. Permissible Requests. Covered Entity shall not request Business Associate to
use or disclose PIII in any manner that would not be permissible under HIPAA if
done by Covered Entity.
4. Indemnification
The Parties shall indemnify and hold harmless each other from and against any and
all losses, expense, damage or injury that the indemnified party may sustain as a
result of, or arising out of a breach of this Agreement by the indemnifying party or
its agents or subcontractors, including, but not limited to, any unauthorized use or
disclosure of PHI.
5. Term and Termination
a. Term. This Agreement shall be effective from the Effective Date until all PHI
provided by or created for Covered Entity is destroyed or returned to Covered
Entity or, if it is infeasible to return or destroy PHI, protections are extended to
such PHI in accordance with the terms of this Agreement.
b. Material Breach. A breach by Business Associate of any material provision of
this Agreement or HIPAA, as determined by Covered Entity, shall constitute a
material breach of this Agreement and shall provide grounds for the immediate
termination of this Agreement and the Arrangement.
4
Revised December 2012
EXECUTION COPY
c. Reasonable Steps to Cure Breach. If Covered Entity knows of a pattern of
activity or practice of Business Associate that constitutes a material breach or
violation of Business Associate's obligations under this Agreement or HIPAA,
Covered Entity may provide Business Associate with an opportunity to cure the
breach or violation. Should Business Associate fail to cure the breach or
violation to the satisfaction of Covered Entity within the specified time period,
Covered Entity shall have the right to terminate the Agreement and the
underlying Arrangement. In the event termination or cure are not feasible,
Covered Entity shall report Business Associate's breach or violation to the
Secretary of the Department of Health and Human Services.
d. Remedies. Notwithstanding any rights or remedies set forth in this Agreement or
provided by law, Covered Entity retains all rights to seek injunctive relief to
prevent or stop the unauthorized use or disclosure of PHI by Business Associate,
any of its agents or subcontractors, or any third party who has received PHI from
Business Associate.
e. Effect of Termination. Upon termination of this Agreement, Business Associate
shall return or destroy all PHI in its possession or the possession of its agents or
subcontractors that was created for or received from Covered Entity. If it is
infeasible to return or destroy the PHI, Business Associate and its agents or
subcontractors shall continue to extend the protections of this Agreement to such
information and limit further use of such PHI to those purposes that make the
return or destruction of such PHI infeasible. Business Associate agrees that it
will not retain any copies of PHI in any form or medium except as required by
law.
6. Miscellaneous
a. Relationship of Parties. None of the provisions of this Agreement are intended to
create or shall be deemed to create any relationship between the Parties other
than that of independent parties contracting with each other solely for the
purposes of effecting the provisions of this Agreement and any other
Arrangement between the Parties.
b. Ownership of PHI. The PHI and any related information created for or received
from Covered Entity is, and will remain, the property of Covered Entity.
Business Associate agrees that it acquires no ownership rights to or title in the
PHI or any related information.
c. No Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person or entity
other than Covered Entity, Business Associate and their respective successors
and assigns, any rights, remedies, obligations or liabilities whatsoever.
5
Revised December 2012
EXECUTION COPY
d. Successors and Assigns. This Agreement shall be binding on the parties and
their successors, but neither party may assign the Agreement without the prior
written consent of the other, which consent shall not be unreasonably withheld.
e. Waiver. No change, waiver or discharge of any liability or obligation hereunder
on any one or more occasions shall be deemed a waiver of performance of any
continuing or other obligation, or shall prohibit enforcement of any obligation, on
any occasion.
Severability. In the event that any provision of this Agreement is held by a court
of competent jurisdiction to be invalid or unenforceable, the remainder of the
provisions of this Agreement shall remain in full force and effect.
g. Modification to Comply with Law. The Parties acknowledge that state and
federal laws relating to the security and privacy of PHI are rapidly evolving and
that modification of this Agreement may be required to provide for procedures to
ensure compliance with such developments. The Parties specifically agree to
take such action as is necessary to implement the standards and requirements of
HIPAA. The Parties understand and agree that Covered Entity must receive
satisfactory written assurances from Business Associate that Business Associate
will adequately safeguard all PHI. Upon request of either party, the other party
agrees to promptly enter into negotiations concerning the terms of a modification
to this Agreement embodying written assurances consistent with the standards
and requirements of HIPAA. Either party may terminate this Agreement upon
thirty (30) days written notice in the event that the other party does not promptly
enter into negotiations to modify this Agreement when requested by such party
under this section. Covered Entity may terminate this Agreement upon thirty
(30) days written notice in the event that Business Associate does not enter into a
modification of this Agreement providing assurances regarding the safeguarding
of PHI that Covered Entity, in its sole discretion, deems sufficient to satisfy the
standards and the requirements of HIPAA.
h. Amendment. This Agreement may be amended or modified only in writing
signed by the Parties.
i. Notice. Any notice to the other party pursuant to this Agreement shall be
deemed provided if sent by first class United States mail, postage prepaid, as
follows:
To Covered Entity: Privacy Officer
Attention: Gary Crutchfield
Title: City Manager
Client: City of Pasco
Address: 525 North Third Avenue
Pasco WA 99301
Revised December 2012
EXECUTION COPY
To Business Associate: Attention: Robert A. Millerick
Sr. Vice President, General Counsel
MCMC LLC
300 Crown Colony Drive, Suite 203
Quincy, MA 02169
j. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA. The Parties agree that any ambiguity in
this Agreement shall be resolved in favor of a meaning that complies and is
consistent with HIPAA.
k. Governing Law. To the extent that federal law does not apply, this Agreement
shall be governed in all respects by the laws of the Commonwealth of
Massachusetts without regard to principles of conflicts of laws.
1. Counterparts. This Agreement may be executed in counterparts with the same
effect as if the signatures on such counterparts appeared on one document, and
each such counterpart shall be deemed to be an original. Delivery of a photocopy
or facsimile of an executed counterpart of a signature page to this Agreement
shall be as effective as a delivery of a manually executed counterpart of this
Agreement.
m. Headings. The various headings in this Agreement are inserted for convenience
only and shall not affect the meaning or interpretation of this Agreement or any
provision hereof.
(Remainder of page intentionally left blank; Signature page follows.)
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective
Date.
MCMC LLC
BUSI"S ASSOCIATE
B y : / %
� a� ✓C�IG�L
r L' '
Print Name
Title: CF C)
Dated: Q9 � c�(--1
Revised December 2012
City of
By:
�AC. CC
Print Name
Title: 'TV kigN (�L2
Dated: J ur4 5 3 zo 1 �)
Exhibit C - Utilization Review Services
1. Nature of Services
MCMC's Utilization Review services (the "Services ") are consultative in nature and MCMC shall have no
authority to bind CLIENT to any assessments, recommendations, determinations, analyses or
certifications. CLIENT acknowledges that CLIENT maintains the right to act upon its own judgment
with regard to claims issues. The Services do not include the rendering of a diagnosis or the provision of
treatment for any individual.
2. MCMC Obligations
MCMC shall:
• maintain all licenses and approvals required by state and federal law;
• comply with all applicable state regulatory requirements;
• provide timely notification of the loss of any required license or approval;
• utilize written clinical review criteria based on current clinical principles and processes;
• utilize appropriate licensed and experienced clinical professionals to perform reviews;
• utilize licensed, board certified physicians and other licensed health specialists (e.g.,
Physical and Occupational Therapists, Chiropractors and others) to act as Peer
Reviewers.
• insure access to Utilization Review services, including hours of availability, method and
frequency of communications, in accordance with State and/or URAC guidelines, as
applicable.
• prohibit the use of financial incentives or other measures that might impact the
independent decision making of any clinical professional or Peer Reviewer.
3, CLIENT Oblisations
CLIENT shall:
• cooperate with MCMC in the implementation and exchange of information to facilitate
adherence to all required regulations and in the performance of services "envisioned" by
this Agreement ; and
• provide all pertinent information related to a requested Utilization Review.
4. PRICING
Pre- certification/Case Management/Peer Review: $3.20 /PEPM
MCMC Revised February 2013