BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum (the "Addendum") is entered into by and between MHNet Specialty
Services, LLC ("Coventry") and City of Clearwater (for purposes of this Addendum hereinafter referred to
as "Business Associate") and sets forth the parties' agreement with respect to the privacy and security
requirements under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the
American Recovery and Reinvestment Act of 2009 ("ARRA"), the Gramm Leach Bliley Act (GLBA), and
the regulations promulgated from time to time under each of those acts.
The parties agree that the terms and conditions set forth in this Addendum shall be part of the Service
Agreement dated January 1, 2011, between Coventry and Business Associate ("the Agreement"). Any
conflicts or inconsistencies between the Agreement and this Addendum shall be read and resolved in favor
of this Addendum. This Addendum shall be effective as of January 1, 2011.
1. Business Associate Services. The Services provided by Business Associate under the Agreement
for Coventry may involve the use and disclosure of individually identifiable health information,
deemed protected health information or "PHI" under HIPAA and non-public personal information
("NPPI") under the Gramm Leach Bliley Act and applicable state law and/or regulations. PHI and
NPPI shall be referred to collectively as "Non-Public Information" or "NPI". Except as otherwise
provided herein, the Business Associate may make any and all uses of NPI necessary to perform
the Services and its obligations under the Agreement.
2. Additional Business Associate Activities. Except as otherwise provided in this Addendum,
Business Associate may use and disclose the NPI in its possession for its proper management and
administration and/or to fulfill any present or future legal responsibilities of the Business
Associate, provided that such uses are permitted under state and federal laws and would be
permissible if performed by Coventry. Business Associate represents and warrants to Coventry
that (i) any such disclosures it makes will be required by law and (ii) the Business Associate will
obtain a written agreement from any such person or entity to whom the NPI will be disclosed that
the NPI will be held confidentially and will not be further used or disclosed except as required by
laws or for the purpose for which it was lawfully disclosed to such person or entity, and that such
person or entity will notify the Business Associate of any instances of which it is aware in which
the confidentiality of the NPI has been breached.
3. Business Associate Obligations for Privacy and Security of NPI.
Business Associate agrees to the following:
3.1 Use and Disclosure of NPI. Business Associate shall not use or further disclose the
NPI other than as permitted under the Agreement, this Addendum, HIPAA, GLBA,
ARRA and their respective implementing regulations, each as amended from time to
time.
3.2 Safeguards. Business Associate shall (i) use appropriate safeguards to prevent the use
or disclosure of NPI other than as provided for in this Addendum, and (ii) have
administrative, physical, and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity, and availability of NPI that it creates, receives,
maintains, or transmits on behalf of Coventry. Such safeguards shall include, without
limitation, conducting a security risk assessment, and training employees who will have
access to NPI with respect to the policies and procedures required by HIPAA and
ARRA. Upon request from Coventry, Business Associate shall provide Coventry with a
copy of its written information privacy and security programs.
3.3 Policies and Procedures. Business Associate shall adopt and comply with policies and
procedures that are in accordance with the HIPAA, ARRA, and GLBA requirements
that apply to Business Associate's operations and the Services provided under the
Agreement, including, without limitations, maintaining the confidentiality and integrity
of any information received, maintained or transmitted by or on behalf of Coventry.
Upon Coventry's request, Business Associate shall provide a copy of Business
Associate's policies and procedures.
City of Clearwater BA Addendum 1 1/6/2011
3.4 Incident Reporting. Business Associate shall report to Coventry any security incident
involving or use or disclosure of NPI not permitted by this Addendum of which it
becomes aware. Business Associate shall report to Coventry within five (5) days of the
Business Associate becoming aware of such use, disclosure or incident.
3.5 Notification of Breach. Business Associate shall report to Coventry within five (5)
days any Breach of Unsecured NPI. "Breach" shall mean the unauthorized acquisition,
access, use or disclosure of NPI which compromises the security or privacy of such
information. "Unsecured NPI" shall mean NPI that is not rendered unusable, unreadable
or indecipherable to unauthorized individuals through the use of a technology or
methodology specified by the Secretary from time to time. Notice of Breach shall
include, at minimum: (i) the identification of each individual whose NPI has been, or is
reasonably believed to have been, accessed, acquired, or disclosed during the Breach;
(ii) the date of the Breach, if known; (iii) the scope of the Breach; and (iv) a description
of the Business Associate's response to the Breach. Upon reasonable request, Business
Associate shall provide Coventry with information related to the Breach and will
cooperate with Coventry in any required notifications.
3.6 Government Programs. To the extent that Business Associate provides services to
Coventry relating to individuals enrolled in state or federal programs (e.g., Medicare,
Medicaid), Business Associate shall comply with any additional restrictions or
requirements related to the use, disclosure, maintenance, and protection of NPI of
individuals enrolled in such programs through Coventry. With respect to the NPI of
Medicare enrollees, Business Associate shall report privacy and security incidents
and/or Breaches immediately, but not later than one (1) day, to Coventry and include the
information required under Sections 3.4 and 3.5 of this Addendum.
3.7 Subcontractors. Business Associate shall require any agent or subcontractor to whom
Business Associate provides NPI to agree in writing to (i) implement reasonable and
appropriate safeguards to protect the NPI, and (ii) comply with the same restrictions
and conditions on NPI as required by this Addendum. Upon request from Coventry,
Business Associate shall provide a copy of any such agreement.
3.8 Minimum Necessary. Business Associate shall request, use and/or disclose only the
minimum amount of NPI necessary to accomplish the purpose of the request, use or
disclosure.
3.9 Remuneration of NPI. Business Associate shall not directly or indirectly receive
remuneration in exchange for any NPI as prohibited by 42 U.S.C. § 17935(d) and any
regulations promulgated thereunder.
3.10 Marketing of NPI. Business Associate shall not make or cause to be made any
communication about a product or service that is prohibited by 42 U.S.C. § 17936(a) and
any regulations promulgated thereunder.
3.11 Fundraising. Business Associate shall not make or cause to be made any written
fundraising communication that is prohibited by 42 U.S.C. § 17936(b) and any
regulations promulgated thereunder.
3.12 Mitigation. Business Associate shall mitigate, to the extent reasonably practicable, any
harmful effect that is known to Business Associate as the result of a use or disclosure of
NPI by Business Associate that is not permitted by this Addendum.
3.13 Transfer of Data Off-Shore. Business Associate shall not use, transfer, transmit, or
otherwise send or make available, any NPI outside the territory of the United States of
America without Coventry's prior written consent.
4. Requested Restrictions on Use of NPI. Coventry will notify Business Associate of any
restrictions on the use or disclosure of NPI that have been received from individuals and agreed to
by Coventry. Business Associate shall comply with all such restrictions.
5. Access to PHI. Within five (5) days of a request by Coventry for access to PHI about an
individual contained in a Designated Record Set (as such Set is then defined by HIPAA
regulation), the Business Associate shall make available to Coventry, or the individual to whom
such PHI relates or his or her authorized representative, such PHI for so long as such information
is maintained in the Designated Record Set as set forth in 45 C.F.R. § 164.524. In the event any
individual requests access to PHI directly from the Business Associate, the Business Associate
shall, within five (5) days, forward such request to Coventry. Coventry shall be responsible for
determining whether to deny access to the PHI and Business Associate shall comply with such
determinations.
6. Amendment of PHI. Within ten (10) days of receipt of a request from Coventry for the
amendment of an individual's PHI or a record regarding an individual contained in a Designated
Record Set the Business Associate shall, as required by 45 C.F.R. § 164.526, incorporate any such
amendments in the PHI; provided, however, that Coventry has made the determination that the
amendment(s) is/are necessary. The obligation in this Section shall apply only for so long as the
PHI is maintained by Business Associate in a Designated Record Set. In the event any individual
requests access to PHI directly from the Business Associate, the Business Associate shall, within
five (5) days, forward such request to Coventry.
7. Accounting for Disclosures of PHI. Business Associate shall maintain a record of any disclosure
of PHI to a third party for a purpose other than Treatment, Health Care Operations, Payment, or
pursuant to an authorization signed by the individual or personal representative of the individual
who is the subject of the record. To the extent that Business Associate provides an electronic
health record to Coventry's enrollees or customers, Business Associate shall comply with the
requirements of 42 U.S.C. § 17935(c) and the regulations promulgated thereunder.
Within thirty (30) days of notice by Coventry to the Business Associate that it has received a
request for an accounting of disclosures of PHI regarding an individual, the Business Associate
shall make available to Coventry such information as is in the Business Associate's possession
and is required for Coventry to make the accounting required by 45 C.F.R. § 164.528. Business
Associate shall provide such information in electronic form, where available in such form. In the
event the request for an accounting is delivered directly to the Business Associate, the Business
Associate shall, within five (5) days, forward such request to Coventry. Coventry shall be
responsible for preparing and delivering any such accounting to the individual.
8. Access to Books and Records Regarding PHI. The Business Associate will make its internal
practices, books, and records relating to the use and disclosure of NPI received from, or created or
received by the Business Associate on behalf of, Coventry available to the Secretary of the U.S.
Department of Health and Human Services (or such other federal or state agencies with
appropriate oversight authority) for purposes of determining compliance with HIPAA, ARRA,
GLBA or any other similar statute and available to Coventry to ensure compliance with the
Agreement and this Addendum.
9. Term and Termination. This Addendum shall remain in effect for as long as Business Associate
provides services to Coventry under the Agreement. If Coventry determines Business Associate
has violated the terms and conditions of this Addendum, such violation shall be grounds for
Coventry to terminate the Agreement for cause according to the terms of the Agreement.
10. Disposition of NPI at Termination. Within thirty (30) days of the termination of the Agreement,
Business Associate, and its subcontractors, will return or destroy all NPI received from, or created
or received by the Business Associate on behalf of Coventry, which the Business Associate and/or
its subcontractors or agents still maintain in any form, and will not retain any copies of such
information. If such return or destruction is not feasible, the Business Associate will notify
Coventry of the reasons for such in writing. Business Associate shall extend the protections,
limitations and restrictions of this Addendum to the NPI retained after the termination of the
Agreement and shall limit further uses and disclosures to those purposes that make the return or
destruction of the NPI infeasible. This provision shall survive termination of the Agreement.
11. Survival. All Sections of this Addendum that relate to Business Associate's obligations related to
the privacy and security of NPI shall survive termination of this Addendum or the Agreement for
as long as Business Associate maintains NPI received or created in connection with the
Agreement.
12. Third Party Beneficiaries. Nothing in this Addendum shall confer upon any person other than
the parties and their respective successors or assigns, any right, remedies, obligations or liabilities.
13. Counterparts. This Addendum may be executed in any number of counterparts, each of which
shall be deemed an original, but all of which together shall constitute one and the same instrument.
14. Definitions. Capitalized terms not otherwise defined in the Agreement or this Addendum shall
have the same meaning as set forth in regulations promulgated under HIPAA, GLBA or ARRA, as
may be amended from time to time.
INTENDING TO BE LEGALLY BOUND, the parties hereto have duly executed this Addendum.
MHNet Specialty Services, Inc.
Print Name: Kevin J. Middleton, Psy.D.
Title: Chief Operating Officer
Date:
Countersigned:
By:
Frank V. Hibbard
Mayor
Approved as to form:
Leslie K. Dougall-
Assistant City Atto
CITY OF CLEARWATER, FLORIDA
William B. Horne II
City Manager
Attest:
Rosemarie Call
City Clerk