The URL can be used to link to this page

Home My WebLink AboutAgreement A-06-072-2 with Blue Cross.pdf- 1 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 SECOND AMENDMENT TO AGREEMENT THIS SECOND AMENDMENT TO AGREEMENT (hereinafter “Amendment”) is made and entered into this _____ day of ______________, 2020, by and between COUNTY OF FRESNO, a Political Subdivision of the State of California, Fresno, California (hereinafter “COUNTY”), and Blue Cross of California, a California corporation, whose address is 21555 Oxnard Street, Woodland Hills, CA 91367 (hereinafter “CONTRACTOR”). WITNESSETH: WHEREAS, COUNTY and CONTRACTOR entered into Agreement number A-06-072, dated May 1, 2006, and Amendment I (Agreement number A-06-072-01) to that Agreement, dated May 16, 2017 (collectively hereinafter “Agreement”), pursuant to which CONTRACTOR agreed to collaborate and cooperate with COUNTY in providing public health services; and WHEREAS, COUNTY and CONTRACTOR wish to amend the Agreement to include a Health Insurance Portability and Accountability Act (HIPAA) Business Associate agreement to protect the privacy and provide for the security of Protected Health Information (PHI) disclosed by COUNTY to CONTRACTOR during the term of this Agreement; and WHEREAS, COUNTY and CONTRACTOR now desire to amend the Agreement regarding changes as stated below. NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, COUNTY and CONTRACTOR agree as follows: 1.COUNTY and CONTRACT agree to the terms of the HIPAA Business Associate Agreement, attached hereto as Exhibit G, and agree that Exhibit G shall become a part of, and be incorporated into, the Agreement. COUNTY and CONTRACTOR agree that this Second Amendment is sufficient to amend the Agreement and, that upon execution of this Second Amendment, the Agreement, Amendment I and this Second Amendment together shall be considered the Agreement. The Agreement, as hereby amended, is ratified and continued. All provisions, terms, covenants, conditions and promises contained in the Agreement and not amended herein shall remain in full force and effect. Agreement No. 06-072-2 24th November 1 IN WITNESS WHEREOF, the parties hereto have executed this Second Amendment as of the 2 day and year first hereinabove written . 3 4 CONTRACTOR 5 --J ./,,, /' ,, ..... /I, /2 --;·,;, ,,-,:,.,--< .. -r --;:~; ..... --...... ✓-t--,A,,,-:::..-... -~~,,,.,,,,,:_,,.t,,,,,----~ ... r, 6 (" ··>·-::"--_. 7 (Authorized Signature) 8 Barsam Kasravi , MD Print Name & Title 9 President-Medicaid CA 10 barsam.kasravi@anthem .com 11 Mailing Address 12 13 14 15 16 17 18 19 20 21 22 23 FOR ACCOUNTING USE ONLY : 24 25 Fund/Subclass : 0001/10000 Org :56208550 26 Account: 7309 27 28 COUNTY OF FRESNO Ernest Buddy Mende , Chairman of the Board of Supervisors of the County of Fresno ATTEST: Bernice E. Seidel Clerk of the Board of Supervisors County of Fresno , State of California By : _ ____...._d.....:' ~=·=-· l --=~~~---~ - 2 - EXHIBIT G HIPAA BUSINESS ASSOCIATE AGREEMENT This Exhibit, the HIPAA Business Associate Agreement (“Exhibit”) supplements and is made a part of the underlying agreement (“Agreement”) by and between the County of Fresno, (“County” or “Covered Entity”) and Blue Cross of California Partnership Health Plan, Inc, (“Contractor” or “Business Associate”) to which this Exhibit is attached. This Exhibit is effective upon execution of the Second Amendment to the Agreement. I.RECITALS Covered Entity wishes to disclose certain information to Business Associate pursuant to the terms of the Agreement, some of which may constitute Protected Health Information (“PHI”); Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (the “HIPAA Regulations”), and other applicable laws; and The Privacy Rule and the Security Rule in the HIPAA Regulations require Covered Entity to enter into a contract, containing specific requirements, with Business Associate prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, sections 164.314(a), 164.502(e), and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and as contained in this Agreement. II.STANDARD DEFINITIONS Capitalized terms used, but not otherwise defined, in this Exhibit shall have the same meaning as those terms are defined in the HIPAA Regulations. In the event of an inconsistency between the provisions of this Exhibit and the mandatory provisions of the HIPAA Regulations, as amended, the HIPAA Regulations shall control. Where provisions of this Exhibit are different than those mandated in the HIPAA Regulations, but are nonetheless permitted by the HIPAA Regulations, the provisions of this Exhibit shall control. All regulatory references in this Exhibit are to HIPAA Regulations unless otherwise specified. The following terms used in this Exhibit shall have the same meaning as those terms in the HIPAA Regulations: Data Aggregation, Designated Record Set, Disclosure, Electronic Health Record, Health Care Operations, Health Plan, Individual, Limited Data Set, Marketing, Minimum Necessary, Minimum Necessary Rule, Protected Health Information, and Security Incident. The following term used in this Exhibit shall have the same meaning as that term in the HITECH Act: Unsecured PHI. III.SPECIFIC DEFINITIONS Agreement. “Agreement” shall mean the underlying agreement between County and Contractor, to which this Exhibit, the HIPAA Business Associate Agreement, is attached. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. section 160.103, the HIPAA Regulations, and the HITECH Act, and in reference to a party to this Exhibit shall mean the Contractor identified above. “Business Associate” shall also mean any subcontractor that creates, receives, maintains, or transmits PHI in performing a function, activity, or service delegated by Contractor. Contractual Breach. “Contractual Breach” shall mean a violation of the contractual obligations set forth in this Exhibit. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. section 160.103, and in reference to the party to this Exhibit, shall mean any part of County subject to the HIPAA Regulations. Electronic Protected Health Information. “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is maintained in or transmitted by electronic media. Exhibit. “Exhibit” shall mean this HIPAA Business Associate Agreement. HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Breach. “HIPAA Breach” shall mean a breach of Protected Health Information as defined in 45 C.F.R. 164.402, and includes the unauthorized acquisition, access, use, or Disclosure of Protected Health Information which compromises the security or privacy of such information. HIPAA Regulations. “HIPAA Regulations” shall mean the regulations promulgated under HIPAA by the U.S. Department of Health and Human Services, including those set forth at 45 C.F.R. Parts 160 and 164, Subparts A, C, and E. HITECH Act. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”). Privacy Rule and Privacy Regulations. “Privacy Rule” and “Privacy Regulations” shall mean the standards for privacy of individually identifiable health information set forth in the HIPAA Regulations at 45 C.F.R. Part 160 and Part 164, Subparts A and E. Secretary. “Secretary” shall mean the Secretary of the United States Department of Health and Human Services (“DHHS”) or his or her designee. Security Rule and Security Regulations. “Security Rule” and “Security Regulations” shall mean the standards for security of Electronic PHI set forth in the HIPAA Regulations at 45 C.F.R. Parts 160 and 164, Subparts A and C. IV.PERMITTED USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE Business Associate may only use or disclose PHI: A.As necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or Disclosure would not violate the Privacy Rule if done by Covered Entity; B.As required by law; and C.For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. V.PROTECTION OF PHI BY BUSINESS ASSOCIATE A.Scope of Exhibit. Business Associate acknowledges and agrees that all PHI that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording and electronic display, by Covered Entity or its operating units to Business Associate, or is created or received by Business Associate on Covered Entity’s behalf, shall be subject to this Exhibit. B.PHI Disclosure Limits. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the HIPAA Regulations, this Exhibit, or as required by law. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Regulations if done by Covered Entity. C.Minimum Necessary Rule. When the HIPAA Privacy Rule requires application of the Minimum Necessary Rule, Business Associate agrees to use, disclose, or request only the Limited Data Set, or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use, Disclosure, or request. Business Associate agrees to make uses, Disclosures, and requests for PHI consistent with any of Covered Entity’s existing Minimum Necessary policies and procedures. D.HIPAA Security Rule. Business Associate agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Rule and HIPAA Security Regulations with respect to Electronic PHI, to prevent the use or Disclosure of the PHI other than as provided for by this Exhibit. E.Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or Disclosure of PHI by Business Associate in violation of the requirements of this Exhibit. Mitigation includes, but is not limited to, the taking of reasonable steps to ensure that the actions or omissions of employees or agents of Business Associate do not cause Business Associate to commit a Contractual Breach. F.Notification of Breach. During the term of the Agreement, Business Associate shall notify Covered Entity in writing within twenty-four (24) hours of any suspected or actual breach of security, intrusion, HIPAA Breach, and/or any actual or suspected use or Disclosure of data in violation of any applicable federal or state laws or regulations. This duty includes the reporting of any Security Incident, of which it becomes aware, affecting the Electronic PHI. Business Associate shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized use or Disclosure required by applicable federal and/or state laws and regulations. Business Associate shall investigate such breach of security, intrusion, and/or HIPAA Breach, and provide a written report of the investigation to Covered Entity’s HIPAA Privacy Officer or other designee that is in compliance with 45 C.F.R. section 164.410 and that includes the identification of each individual whose PHI has been breached. The report shall be delivered within fifteen (15) working days of the discovery of the breach or unauthorized use or Disclosure. Business Associate shall be responsible for any obligations under the HIPAA Regulations to notify individuals of such breach, unless Covered Entity agrees otherwise. G.Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions, conditions, and requirements that apply through this Exhibit to Business Associate with respect to such information. Business Associate shall obtain written contracts agreeing to such terms from all agents and subcontractors. Any subcontractor who contracts for another company’s services with regards to the PHI shall likewise obtain written contracts agreeing to such terms. Neither Business Associate nor any of its subcontractors may subcontract with respect to this Exhibit without the advanced written consent of Covered Entity. H.Review of Records. Business Associate agrees to make internal practices, books, and records relating to the use and Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Regulations. Business Associate agrees to make copies of its HIPAA training records and HIPAA business associate agreements with agents and subcontractors available to Covered Entity at the request of Covered Entity. I.Performing Covered Entity’s HIPAA Obligations. To the extent Business Associate is required to carry out one or more of Covered Entity’s obligations under the HIPAA Regulations, Business Associate must comply with the requirements of the HIPAA Regulations that apply to Covered Entity in the performance of such obligations. J.Restricted Use of PHI for Marketing Purposes. Business Associate shall not use or disclose PHI for fundraising or Marketing purposes unless Business Associate obtains an Individual’s authorization. Business Associate agrees to comply with all rules governing Marketing communications as set forth in HIPAA Regulations and the HITECH Act, including, but not limited to, 45 C.F.R. section 164.508 and 42 U.S.C. section 17936. K.Restricted Sale of PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act, 42 U.S.C. section 17935(d)(2); however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Agreement. L.De-Identification of PHI. Unless otherwise agreed to in writing by both parties, Business Associate and its agents shall not have the right to de-identify the PHI. Any such de- identification shall be in compliance with 45 C.F.R. sections 164.502(d) and 164.514(a) and (b). M.Material Contractual Breach. Business Associate understands and agrees that, in accordance with the HITECH Act and the HIPAA Regulations, it will be held to the same standards as Covered Entity to rectify a pattern of activity or practice that constitutes a material Contractual Breach or violation of the HIPAA Regulations. Business Associate further understands and agrees that: (i) it will also be subject to the same penalties as a Covered Entity for any violation of the HIPAA Regulations, and (ii) it will be subject to periodic audits by the Secretary. VI.INDIVIDUAL CONTROL OVER PHI A.Individual Access to PHI. Business Associate agrees to make available PHI in a Designated Record Set to an Individual or Individual’s designee, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. section 164.524. Business Associate shall do so solely by way of coordination with Covered Entity, and in the time and manner designated by Covered Entity. B.Accounting of Disclosures. Business Associate agrees to maintain and make available the information required to provide an accounting of Disclosures to an Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. section 164.528. Business Associate shall do so solely by way of coordination with Covered Entity, and in the time and manner designated by Covered Entity. C.Amendment to PHI. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 C.F.R. section 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. section 164.526. Business Associate shall do so solely by way of coordination with Covered Entity, and in the time and manner designated by Covered Entity. VII.TERMINATION A.Termination for Cause. A Contractual Breach by Business Associate of any provision of this Exhibit, as determined by Covered Entity in its sole discretion, shall constitute a material Contractual Breach of the Agreement and shall provide grounds for immediate termination of the Agreement, any provision in the Agreement to the contrary notwithstanding. Contracts between Business Associates and subcontractors are subject to the same requirement for Termination for Cause. B.Termination due to Criminal Proceedings or Statutory Violations. Covered Entity may terminate the Agreement, effective immediately, if (i) Business Associate is named as a defendant in a criminal proceeding for a violation of HIPAA, the HITECH Act, the HIPAA Regulations or other security or privacy laws or (ii) a finding or stipulation that Business Associate has violated any standard or requirement of HIPAA, the HITECH Act, the HIPAA Regulations or other security or privacy laws is made in any administrative or civil proceeding in which Business Associate has been joined. C.Return or Destruction of PHI. In the event of termination for any reason, or upon the expiration of the Agreement, Business Associate shall return or, if agreed upon by Covered Entity, destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. If Business Associate determines that returning or destroying the PHI is infeasible under this section, Business Associate shall notify Covered Entity of the conditions making return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Exhibit to such PHI and limit further uses and Disclosures to those purposes that make the return or destruction of the information infeasible. VIII.MISCELLANEOUS A.Disclaimer. Covered Entity makes no warranty or representation that compliance by Business Associate with this Exhibit, HIPAA, the HIPAA Regulations, or the HITECH Act will be adequate or satisfactory for Business Associate’s own purposes or that any information in Business Associate’s possession or control, or transmitted or received by Business Associate is or will be secure from unauthorized use or Disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI. B.Regulatory References. A reference in this Exhibit to a section in HIPAA, the HIPAA Regulations, or the HITECH Act means the section as in effect or as amended, and for which compliance is required. C.Amendments. The parties agree to take such action as is necessary to amend this Exhibit from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, the HIPAA Regulations, and the HITECH Act. D.Survival. The respective rights and obligations of Business Associate with respect to PHI in the event of termination, cancellation or expiration of this Exhibit shall survive said termination, cancellation or expiration, and shall continue to bind Business Associate, its agents, employees, contractors and successors. E.No Third Party Beneficiaries. Except as expressly provided herein or expressly stated in the HIPAA Regulations, the parties to this Exhibit do not intend to create any rights in any third parties. F.Governing Law. The provisions of this Exhibit are intended to establish the minimum requirements regarding Business Associate’s use and Disclosure of PHI under HIPAA, the HIPAA Regulations and the HITECH Act. The use and Disclosure of individually identified health information is also covered by applicable California law, including but not limited to the Confidentiality of Medical Information Act (California Civil Code section 56 et seq.). To the extent that California law is more stringent with respect to the protection of such information, applicable California law shall govern Business Associate’s use and Disclosure of confidential information related to the performance of this Exhibit. G.Interpretation. Any ambiguity in this Exhibit shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA, the HIPAA Regulations, the HITECH Act, and in favor of the protection of PHI.