The URL can be used to link to this page

Home My WebLink AboutAgreement A-16-433-1 with Keenan & Associates.pdfAgreement No . 16-433-1 1 FIRST AMENDMENT TO AGREEMENT 2 THIS FIRST AMENDMENT TO AGREEMENT (hereinafter "Amendment") is made and entered 3 into th is10th day of December, 2019 , by and between COUNTY OF FRESNO , a Political Subdivision 4 of the State of California , Fresno , California (hereinafter "COUNTY"), and Keenan & Associates , a 5 California corporation , whose address is 2355 Crenshaw Blvd ., Suite 200 , Torrance , CA 90510 6 (hereinafter "CONTRACTOR "). 7 WITNESSETH: 8 WHEREAS , COUNTY and CONTRACTOR entered into Agreement number 16-433 , dated July 9 12 , 2016 (hereinafter "Agreement"), pursuant to which CONTRACTOR agreed to provide employee 1 O health care and benefit plan consulting services to COUNTY ; and 11 WHEREAS , CONTRACTOR was responsible for COUNTY securing the services of Labor 12 First , LLC to manage and administer a Medicare Supplement plan through United American and 13 United Healthcare for COUNTY retirees beginning January 1, 2020 , resulting in a 22% savings to the 14 COUNTY retirees ; and 15 WHEREAS, COUNTY and CONTRACTOR now desire to amend the Agreement in order to 16 make CONTRACTOR broker of record for the retiree Medicare Supplement plan and incorporate 17 Health Insurance Portability and Accountability Act (HIPAA) agreement language . 18 NOW, THEREFORE , for good and valuable consideration , the receipt and adequacy of which 19 is hereby acknowledged, COUNTY and CONTRACTOR agree as follows : 20 1 . Section Five (5) of the Agreement is amended to re-letter subsections B through F to be 21 subsections C through G . 22 2. Section five (5) of the Agreement is amended to insert the following subsection on Page 23 Four (4) after line Twenty (20), which ends with "this Agreement.": 24 "B. COUNTY will make CONTRACTOR broker of record for the Medicare Supplement 25 plan COUNTY is obtaining from United American and UnitedHealthcare through Labor First , LLC , 26 beginning January 1, 2020 , and CONTRACTOR will receive from Labor First, LLC a commission of 27 $15.00 per participating retired member per month . Commissions received by CONTRACTOR for this 28 Medicare Supplement plan under this Agreement will be credited to COUNTY . At the end of each -1 - - 2 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 contract year (“Calculation Period”), recognizing that the COUNTY shall submit quarterly payments of CONTRACTOR’s annual fee, CONTRACTOR will report all commissions that have been received by CONTRACTOR from Labor First, LLC for the Medicare Supplement plan and will forward to COUNTY an amount equal to the amount reported within sixty (60) days following the end of the contract year.” 3. Subsection A., of Section Five of the Agreement, beginning on page four (4), line seventeen (17) through line twenty (20), is deleted in its entirety and replaced with the following: “CONTRACTOR will receive said compensation every year in which CONTRACTOR provides Consultation Services as set forth in this Agreement.” 4. The Agreement is amended to add Section sixteen (16) on page 11 (eleven), beginning on Line twenty (20), to state as follows: “16. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT A. The parties to this Agreement shall be in strict conformance with all applicable Federal and State of California laws and regulations, including but not limited to Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1 and 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the California Civil Code, and the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to Section 1320 D et seq. of Title 42, United States Code (USC) and its implementing regulations, including, but not limited to Title 45, CFR, Sections 142, 160, 162, and 164, The Health Information Technology for Economic and Clinical Health Act (HITECH) regarding the confidentiality and security of patient information and the Genetic Information Nondiscrimination Act (GINA) of 2008 regarding the confidentiality of genetic information. Except as otherwise provided in this Agreement, CONTRACTOR, as a Business Associate of COUNTY, may use or disclose Protected Health Information (PHI) to perform functions, activities or services for or on behalf of COUNTY, as specified in this Agreement, provided that such use or disclosure shall not violate the HIPAA, USC 1320d et seq. The uses and disclosures of PHI may not be more expansive than those applicable to COUNTY, as the “Covered Entity” under the HIPAA Privacy Rule (45 CFR 164.500 et seq), except as authorized for management, administrative or legal responsibilities of the Business Associate. - 3 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 B. CONTRACTOR, including its subcontractors and employees, shall protect, from unauthorized access, use, or disclosure of names and other identifying information, including genetic information, concerning persons receiving services pursuant to this Agreement, except where permitted in order to carry out data aggregation purposes for health care operations [45 CFR Sections 164.504 (e)(2)(i), 164.504 (3)(2)(ii)(A), and 164.504 (e)(4)(i)]. This pertains to any and all persons receiving services pursuant to a COUNTY funded program. This requirement applies to electronic PHI. CONTRACTOR shall not use such identifying information or genetic information for any purpose other than carrying out CONTRACTOR’s obligations under this Agreement. C. CONTRACTOR, including its subcontractors and employees, shall not disclose any such identifying information or genetic information to any person or entity, except as otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required by the Secretary, or authorized by the client/patient in writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, CONTRACTOR shall make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or request. D. For purposes of the above sections, identifying information shall include, but not be limited to name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print, or photograph. E. For purposes of the above sections, genetic information shall include genetic tests of family members of an individual or individual, manifestation of disease or disorder of family members of an individual, or any request for or receipt of, genetic services by individual or family members. Family member means a dependent or any person who is first, second, third, or fourth degree relative. F. CONTRACTOR shall provide access, at the request of COUNTY, and in the time and manner designated by COUNTY, to PHI in a designated record set (as defined in 45 CFR Section 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR Section164.524 regarding access by individuals to their PHI. With respect to individual requests, access shall be provided within thirty (30) days from request. Access may be extended if CONTRACTOR cannot provide access and provide individual with the reasons for the delay and the date when access may be granted. PHI shall be provided in the form and format requested by the individual or COUNTY. - 4 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 CONTRACTOR shall make any amendment(s) to PHI in a designated record set at the request of COUNTY or individual, and in the time and manner designated by COUNTY in accordance with 45 CFR Section 164.526. CONTRACTOR shall provide to COUNTY or to an individual, in a time and manner designated by COUNTY, information collected in accordance with 45 CFR Section 164.528, to permit COUNTY to respond to a request by the individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. G. CONTRACTOR shall report to COUNTY, in writing, any knowledge or reasonable belief that there has been unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI not permitted by this Agreement of which it becomes aware, immediately and without reasonable delay and in no case later than two (2) business days of discovery. Immediate notification shall be made to COUNTY’s Information Security Officer and Privacy Officer and COUNTY’s DBH HIPAA Representative, within two (2) business days of discovery. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, disclosed, or breached. CONTRACTOR shall take prompt corrective action to cure any deficiencies and any action pertaining to such unauthorized disclosure required by applicable Federal and State Laws and regulations. CONTRACTOR shall investigate such breach and is responsible for all notifications required by law and regulation or deemed necessary by COUNTY and shall provide a written report of the investigation and reporting required to COUNTY’s Information Security Officer and Privacy Officer and COUNTY’s DBH HIPAA Representative. This written investigation and description of any reporting necessary shall be postmarked within the thirty (30) working days of the discovery of the breach to the addresses below: County of Fresno County of Fresno County of Fresno Dept. of Behavioral Health Dept. of Public Health Information Technology Services HIPAA Representative Privacy Officer Information Security Officer (559) 600-6798 (559) 600-6405 (559) 600-5800 3147 N. Millbrook Ave. (559) 600-6439 2048 N. Fine Ave. Fresno, CA 93703 P.O. Box 11867 Fresno, CA 93727 Fresno, CA 93721 - 5 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 H. CONTRACTOR shall make its internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, in compliance with HIPAA’s Privacy Rule, including, but not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. CONTRACTOR shall make its internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, available to the United States Department of Health and Human Services (Secretary) upon demand. CONTRACTOR shall cooperate with the compliance and investigation reviews conducted by the Secretary. PHI access to the Secretary must be provided during the CONTRACTOR’s normal business hours, however, upon exigent circumstances access at any time must be granted. Upon the Secretary’s compliance or investigation review, if PHI is unavailable to CONTRACTOR and in possession of a Subcontractor, it must certify efforts to obtain the information to the Secretary. I. Safeguards CONTRACTOR shall implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, Subpart C of 45 CFR 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains or transmits on behalf of COUNTY and to prevent unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. CONTRACTOR shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidential, integrity and availability of electronic PHI. CONTRACTOR shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of CONTRACTOR’s operations and the nature and scope of its activities. Upon COUNTY’s request, CONTRACTOR shall provide COUNTY with information concerning such safeguards. CONTRACTOR shall implement strong access controls and other security safeguards and precautions in order to restrict logical and physical access to confidential, personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include the following administrative and technical password controls for all systems used to process or store - 6 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 confidential, personal, or sensitive data: 1. Passwords must not be: a. Shared or written down where they are accessible or recognizable by anyone else; such as taped to computer screens, stored under keyboards, or visible in a work area; b. A dictionary word; or c. Stored in clear text 2. Passwords must be: a. Eight (8) characters or more in length; b. Changed every ninety (90) days; c. Changed immediately if revealed or compromised; and d. Composed of characters from at least three (3) of the following four (4) groups from the standard keyboard: 1) Upper case letters (A-Z); 2) Lowercase letters (a-z); 3) Arabic numerals (0 through 9); and 4) Non-alphanumeric characters (punctuation symbols). CONTRACTOR shall implement the following security controls on each workstation or portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive data: 1. Network-based firewall and/or personal firewall; 2. Continuously updated anti-virus software; and 3. Patch management process including installation of all operating system/software vendor security patches. CONTRACTOR shall utilize a commercial encryption solution that has received FIPS 140- 2 validation to encrypt all confidential, personal, or sensitive data stored on portable electronic media (including, but not limited to, compact disks and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). CONTRACTOR shall not transmit confidential, personal, or sensitive data via e- mail or other internet transport protocol unless the data is encrypted by a solution that has been validated - 7 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 by the National Institute of Standards and Technology (NIST) as conforming to the Advanced Encryption Standard (AES) Algorithm. CONTRACTOR must apply appropriate sanctions against its employees who fail to comply with these safeguards. CONTRACTOR must adopt procedures for terminating access to PHI when employment of employee ends. J. Mitigation of Harmful Effects CONTRACTOR shall mitigate, to the extent practicable, any harmful effect that is suspected or known to CONTRACTOR of an unauthorized access, viewing, use, disclosure, or breach of PHI by CONTRACTOR or its subcontractors in violation of the requirements of these provisions. CONTRACTOR must document suspected or known harmful effects and the outcome. K. CONTRACTOR’s Subcontractors CONTRACTOR shall ensure that any of its contractors, including subcontractors, if applicable, to whom CONTRACTOR provides PHI received from or created or received by CONTRACTOR on behalf of COUNTY, agree to the same restrictions, safeguards, and conditions that apply to CONTRACTOR with respect to such PHI and to incorporate, when applicable, the relevant provisions of these provisions into each subcontract or sub-award to such agents or subcontractors. L. Employee Training and Discipline CONTRACTOR shall train and use reasonable measures to ensure compliance with the requirements of these provisions by employees who assist in the performance of functions or activities on behalf of COUNTY under this Agreement and use or disclose PHI and discipline such employees who intentionally violate any provisions of these provisions, including termination of employment. M. Termination for Cause Upon COUNTY’s knowledge of a material breach of these provisions by CONTRACTOR, COUNTY shall either: 1. Provide an opportunity for CONTRACTOR to cure the breach or end the violation and terminate this Agreement if CONTRACTOR does not cure the breach or end the violation within the time specified by COUNTY; or 2. Immediately terminate this Agreement if CONTRACTOR has breached a material - 8 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 term of these provisions and cure is not possible. 3. If neither cure nor termination is feasible, the COUNTY’s Privacy Officer shall report the violation to the Secretary of the U.S. Department of Health and Human Services. N. Judicial or Administrative Proceedings COUNTY may terminate this Agreement in accordance with the terms and conditions of this Agreement as written hereinabove, if: (1) CONTRACTOR is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or (2) a finding or stipulation that the CONTRACTOR has violated a privacy or security standard or requirement of the HITECH Act, HIPAA or other security or privacy laws in an administrative or civil proceeding in which the CONTRACTOR is a party. O. Effect of Termination Upon termination or expiration of this Agreement for any reason, CONTRACTOR shall return or destroy all PHI received from COUNTY (or created or received by CONTRACTOR on behalf of COUNTY) that CONTRACTOR still maintains in any form, and shall retain no copies of such PHI. If return or destruction of PHI is not feasible, it shall continue to extend the protections of these provisions to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to PHI that is in the possession of subcontractors or agents, if applicable, of CONTRACTOR. If CONTRACTOR destroys the PHI data, a certification of date and time of destruction shall be provided to the COUNTY by CONTRACTOR. P. Disclaimer COUNTY makes no warranty or representation that compliance by CONTRACTOR with these provisions, the HITECH Act, HIPAA or the HIPAA regulations will be adequate or satisfactory for CONTRACTOR’s own purposes or that any information in CONTRACTOR’s possession or control, or transmitted or received by CONTRACTOR, is or will be secure from unauthorized access, viewing, use, disclosure, or breach. CONTRACTOR is solely responsible for all decisions made by CONTRACTOR regarding the safeguarding of PHI. Q. Amendment The parties acknowledge that Federal and State laws relating to electronic data - 9 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 security and privacy are rapidly evolving and that amendment of these provisions may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to amend this agreement in order to implement the standards and requirements of HIPAA, the HIPAA regulations, the HITECH Act and other applicable laws relating to the security or privacy of PHI. COUNTY may terminate this Agreement upon thirty (30) days written notice in the event that CONTRACTOR does not enter into an amendment providing assurances regarding the safeguarding of PHI that COUNTY in its sole discretion deems sufficient to satisfy the standards and requirements of HIPAA, the HIPAA regulations and the HITECH Act. R. No Third-Party Beneficiaries Nothing express or implied in the terms and conditions of these provisions is intended to confer, nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. S. Interpretation The terms and conditions in these provisions shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA regulations and applicable State laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA regulations. T. Regulatory References A reference in the terms and conditions of these provisions to a section in the HIPAA regulations means the section as in effect or as amended. U. Survival The respective rights and obligations of CONTRACTOR as stated in this Section shall survive the termination or expiration of this Agreement. V. No Waiver of Obligations No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation on any other occasion.” 1 COUNTY and CONTRACTOR agree that this Amendment is sufficient to amend the 2 Agreement and , that upon execution of this Amendment , the Agreement and this Amendment together 3 shall be considered the Agreement. 4 The Agreement , as hereby amended , is ratified and continued. All provisions , terms , 5 covenants , conditions and promises contained in the Agreement and not amended herein shall rema in 6 in full force and effect. 7 EXECUTED AND EFFECTIVE as of the date first above set forth . 8 9 10 11 12 13 CONTRACTOR r ~U-~ ~~---r?~:3- Laurie LoFranco Municipality Practice Leader Keenan & Associates 2355 Crenshaw Blvd ., Suite 200 14 1+-=-T~o~rr=an~c~e~·~C~A~9~0~5~0~1 ________ _ 15 Mailing Address 16 17 18 19 20 21 22 23 24 25 26 27 28 FOR ACCOUNTING USE ONLY : Fund No : Subclass : ORG No : Account No : 1060 10000 89250200 7185 COUNTY OF FRESNO ~ 2 .S---· ) Nathan Magsig Chairman of the Board of Supervisors of the County of Fresno ATTEST: Bernice E. Seidel Clerk of the Board of Supervisors County of Fresno , State of California -10 -