CONFIDENTIALITY AGREEMENT
THIS CONFIDENTIALITY AGREEMENT (this "Agreement") is made and entered
into as of August 15, 2014 (the "Effective Date") by and between the City of Clearwater
("Client"), The Gehring Group, Inc. ("Gehring Group"), and WageWorks, Inc. ("Service
Provider"). Client, Gehring Group, and Service Provider are referred to individually as a "Party"
and collectively as the "Parties" herein.
WHEREAS, Client is a Covered Entity under HIPAA (as defined below);
WHEREAS, effective Client entered into a Service Agreement with
Service Provider (the "Service Provider Agreement") pursuant to which Service Provider
performs services (the "Service Provider Services") on behalf of the Client;
WHEREAS, effective May 1, 2001, Client entered into a Consulting Agreement with
Gehring Group (the "Gehring Group Agreement") pursuant to which the Client has engaged
Gehring Group to provide or arrange for the provision of certain consulting services (the
"Gehring Group Services") to the Client;
WHEREAS, Client has entered into business associate agreements with each of Service
Provider and Gehring Group pursuant to which the Parties have agreed to comply with the
requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No.
104-191 (the "Act"), the privacy standards adopted by the U.S. Department of Health and
Human Services ("HHS") as they may be amended from time to time, 45 C.F.R. parts 160 and
164, subparts A and E (the "Privacy Rule"), the security standards adopted by HHS as they may
be amended from time to time, 45 C.F.R. parts 160, 162, and 164, subpart C (the "Security
Rule"), and the privacy provisions (Subtitle D) of the Health Information Technology for
Economic and Clinical Health Act, Division A, Title XIII of Pub. L. 111-5, and its implementing
regulations (the "HITECH Act") (collectively referred to herein as "HIPAA"), in providing the
Service Provider Services and the Gehring Group Services to the Client;
WHEREAS, Client has requested that Gehring Group provide information directly to
Service Provider, which may include individually identifiable health information, as that term is
defined by HIPAA.
WHEREAS, the Parties agree to comply with the applicable requirements of HIPAA,
and will appropriately safeguard all protected health information ("PHI") or electronic protected
health information ("electronic PHI") that is transferred, created, received or accessed pursuant
to this Agreement; and
WHEREAS, the Parties desire to enter into this Agreement in order to (i) protect the
privacy and provide for the security of PHI and electronic PHI transferred, received, accessed,
used or maintained pursuant to this Agreement, and (ii) satisfy certain requirements imposed on
the Parties by HIPAA.
NOW, THEREFORE, in consideration of the mutual benefits of complying with laws
and regulations stated above, the Client, Gehring Group, and Service Provider agree as follows:
17670672v.2
ARTICLE I
DEFINITIONS
1.1 "Minimum Necessary" means the minimum amount of PHI necessary to
accomplish the intended purpose of the use, disclosure, or request or the amount of PHI
described and defined by HHS from time to time as the "minimum necessary," and in any event
shall not include any direct identifiers of individuals such as names, street addresses, phone
numbers or social security number, except for a unique identifier assigned by Client as necessary
for the strategic analysis.
1.2 Other Terms. All other terms not specifically defined in this Agreement shall
have the meanings attributed to them under HIPAA.
ARTICLE II
PRIVACY OF PROTECTED HEALTH INFORMATION
2.1 Permitted Uses & Disclosures.
(a) Except as otherwise limited by this Agreement, Service Provider may
access, use or disclose PHI on behalf of, or to provide the Service Provider Services to Client
pursuant to the Service Provider Agreement, if such use or disclosure of PHI would not violate
HIPAA or the terms of this Agreement. Service Provider may use PHI for the proper
management and administration of Service Provider's business or to provide data aggregation
services relating to the health care operations of the Client.
(b) Notwithstanding the foregoing, Service Provider shall not disclose PHI
unless: (i) required by law, or (ii) Service Provider obtains written assurance from the person to
whom the PHI is disclosed that it will be kept confidential and used or further disclosed only as
required by law or for the purpose for which it was disclosed to the person, and the person agrees
to notify Service Provider of any instances of which it is aware in which the confidentiality of
the information has been breached as required under 45 C.F.R. 164.504(e)(4). If Service
Provider discloses PHI to a subcontractor or agent, Service Provider shall comply with Section
2.3 of this Agreement.
2.2 Safeguards for the Protection of PHI. Gehring Group and Service Provider
shall implement and maintain the administrative, physical and technical safeguards required by
HIPAA to protect the confidentiality, integrity and availability of electronic PHI and to ensure
that PHI disclosed by and between Service Provider and Gehring Group is not used or disclosed
by either Party, or by any of its subcontractors, affiliates, or associates, except as provided in this
2.3 Unauthorized Uses or Disclosures and Unauthorized Attempts
to Use or Disclose.
(a) Service Provider shall notify Client and Gehring Group in writing, within
ten (10) business days, of any use or disclosure of PHI of which Service Provider becomes aware
that is not provided for or permitted by this Agreement or under HIPAA. Service Provider shall
be responsible for all reasonable costs of notification associated with a breach or impermissible
disclosure.
(b) Service Provider agrees to report to Client and Gehring Group the
aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify or
destroy electronic versions of any of PHI or interfere with systems operations, in an Information
System containing PHI, of which Service Provider becomes aware, provided that: (a) such
reports will be provided only as frequently as the Parties mutually agree, but no more than once
per month, and (b) if the definition of "Security Incident" is amended under the Security Rule to
remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy
electronic PHI, this Section 2.3 shall no longer apply as of the effective date of such amendment.
(c) Service Provider shall notify Client and Gehring Group of a Breach of
Unsecured PHI within ten (10) business days after discovery of such a Breach in accordance with
45 CFR 164.410. The notice required by this Section 2.3(c) shall include, to the extent possible,
the identification of each individual whose unsecured protected health information has been, or is
reasonably believed by Service Provider to have been, accessed, acquired, used, or disclosed
during the breach. Such notice shall also include any of the following information, if available:
(i) A brief description of what happened, including the date of the
breach and the date of the discovery of the breach, if known;
(ii) A description of the types of unsecured protected health
information that were involved in the breach; and
(iii) A brief description of what the breaching Party is doing to
investigate the breach, to mitigate harm to individuals, and to protect against any
further breaches.
2.4 Use of Subcontractors.
(a) Service Provider shall not delegate the performance of any Services
without the prior written consent of Gehring Group and Client.
(b) To the extent that Service Provider uses one or more subcontractors or
agents to perform its obligations under the Service Provider Agreement, and such subcontractors
or agents receive or have access to PHI, Service Provider agrees to obtain written Service
Provider Agreements that any such subcontractor or agent agrees to materially the same
restrictions and conditions that apply to Service Provider with respect to such PHI, including the
requirement that subcontractors and agents agree to implement reasonable and appropriate
safeguards to protect electronic PHI that is disclosed to subcontractors and agents by
Subcontractor. Service Provider will disclose to any such subcontractor no more than a limited
data set or the Minimum Necessary, as applicable, pursuant to HIPAA requirements.
(c) If, pursuant to future regulations promulgated by HHS, subcontractors of
business associates are deemed to be business associates, Service Provider will (i) ensure its
subcontractors comply with all of the provisions of HIPAA applicable to business associates; and
(ii) require any agent or contractor with whom it shares PHI to sign a business associate
subcontract that complies with HIPAA.
2.5 Authorized Access to PHI. To the extent that Service Provider maintains PHI in
a Designated Record Set, Service Provider shall provide Gehring Group with access to such PHI
no later than five (5) business days after receipt of such written request by Gehring Group
pursuant to 45 CFR 164.524.
2.6 Amendment to PHI. To the extent that Service Provider maintains PHI in a
Designated Record Set, Service Provider shall amend such PHI in accordance with Gehring
Group's written request no later than five (5) business days after receipt of such request by
Gehring Group pursuant to 45 CFR 164.526.
2.7 Accounting of Disclosures of PHI. Service Provider shall keep records of all
disclosures of PHI made by Service Provider (the "Disclosure Accounting") on an ongoing basis
to the extent required by HIPAA and for the period of time for which, under HIPAA, a Covered
Entity must maintain a record of such disclosures, except for disclosures:
(a) To carry out Treatment, Payment, or Health Care Operations, as provided
in 45 CFR 164.502; provided, however, that Service Provider shall, to the
extent required by the HITECH Act and the accompanying regulations,
keep a record of disclosures to carry out Treatment, Payment, or Health
Care Operations made via an electronic health record for a period of at
least seven (7) years; or
(b) As otherwise excluded, as described at 45 C.F.R. 164.528(i)-(ix).
Service Provider shall provide the Disclosure Accounting to Client and Gehring Group
(or to an Individual, if so directed by Client and Gehring Group, as applicable) (i) no later than
five (5) business days after receipt of written request for such Disclosure Accounting by Client
and Gehring Group pursuant to 45 CFR 164.528, or (ii) in accordance with HIPAA.
2.8 Obligations of Client.
(a) Client shall notify Gehring Group and Service Provider of any restriction
on the use or disclosure of PHI to which Client has agreed in accordance
with the relevant provisions of HIPAA, to the extent that such restriction
may affect Gehring Group's use or disclosure of PHI to Service Provider.
(b) Client shall notify Gehring Group and Service Provider of any changes in,
or revocation of, permission by an individual to use or disclose such
individual's PHI to the extent that such change may affect Gehring
Group's use or disclosure of PHI to Service Provider.
2.9 Additional Obligations.
(a) Electronic Copies of PHI. As applicable, Service Provider will (i)
cooperate with Client and Gehring Group to provide an Individual with an electronic copy of
such individual's PHI if the PHI is maintained by Service Provider in an electronic health record
and the individual requests an electronic copy of his or her PHI, and (ii) comply with, and
cooperate with Client and Gehring Group to facilitate Client's and Gehring Group's compliance
with its obligations regarding electronic health records pursuant to Section 13405(c)(1) of the
HITECH Act and any regulations HHS may promulgate thereunder.
(b) Non-Disclosure for Out-of-Pocket Services. As applicable, Service
Provider will (i) abide by any directive from Client and Gehring Group not to disclose PHI in
connection with an item or service for which an individual has paid out-of-pocket, in full, and (ii)
cooperate with Client and Gehring Group to facilitate Client's and Gehring Group's compliance
with its obligations not to disclose certain PHI in accordance with Section 13405(a) of the
HITECH Act and any regulations HHS may promulgate thereunder.
(c) Prohibition on Sale of PHI. Service Provider will not sell PHI or receive
any direct or indirect remuneration in exchange for PHI, except as expressly permitted by this
Agreement and the Service Provider Agreement.
(d) Prohibition on Marketing. Service Provider will not transmit, to any
individual for whom Service Provider has PHI, any communication about a product or service
that encourages the recipient of the communication to purchase or use that product or service
unless permitted to do so under the HITECH Act.
ARTICLE III
MISCELLANEOUS
3.1 This Agreement shall be applicable to PHI received by Service
Provider from Gehring Group or created or received by Service Provider from Client on behalf
of Gehring Group.
3.2 Amendments. The Parties acknowledge that state and federal laws relating to
data security and privacy are rapidly evolving and that amendment of this Agreement may be
required to provide for procedures to ensure compliance with such developments. The Parties
specifically agree to take such action as is necessary to implement the standards and
requirements of HIPAA and other applicable laws relating to the security or confidentiality of
PHI.
3.3 No Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than Client, Gehring
Group, Service Provider and their respective successors or assigns, any rights, remedies,
obligations or liabilities whatsoever.
3.4 Conflicts. The terms and conditions of this Agreement will override and control
any conflicting term or condition of any other agreements that may be in place between the
Parties; provided, however, that the Business Associate Agreements between Client and Service
Provider and Client and Gehring Group shall supersede this Agreement with respect to the
relationships between such parties. All non-conflicting terms and conditions of this Agreement
and any other agreement between the Parties remain in full force and effect.
3.5 Construction. This Agreement shall be construed as broadly as necessary to
implement and comply with HIPAA. Any ambiguity in this Agreement shall be resolved in
favor of a meaning that complies with HIPAA.
3.6 Audit Rights. Service Provider shall make its practices, books and records
related to PHI available to HHS for the purpose of determining Service Provider's compliance
with this Agreement and HIPAA. In the event it is determined that Service Provider is in
violation of HIPAA or this Agreement, Service Provider will take reasonable steps to cure such
violation or breach, in accordance with HIPAA.
3.7 Subpoenas. Each Party will provide written notice to the other Parties of any
subpoena or other legal process seeking PHI received from or created on behalf of Gehring
Group or the [illegible]. Written notice shall be provided within 48 hours of receipt of a subpoena or other
legal process.
3.8 Notices. All notices required to be given to any Party under this Agreement will
be in writing and sent by traceable carrier to each Party's address indicated below, or such other
address as a Party may indicate by at least ten (10) days' prior written notice to the other Parties.
Notices will be effective upon receipt.
City of Clearwater
...........
3,21)
------------------
Attention: Privacy Officer
The Gehring Group, Inc.
11505 Fairchild Gardens Ave., Suite 202
Palm Beach Gardens, FL 33410
Attention: Privacy Officer, Katherine Bellantoni
WageWorks, Inc.
1100 Park Place, 4th Floor
San Mateo, CA 94403
Attention: General Counsel. Fax: (650) 577-5201
3.9 Term. The term of this Agreement shall commence as of the Effective Date of
this Agreement and shall continue in effect until terminated in accordance with Section 3.10.
3.10 Termination.
(a) This Agreement shall terminate upon the earlier to occur of: (i)
termination of the Gehring Group Agreement, (ii) the termination of the Service Provider
Agreement or (iii) receipt by any Party of the Party's notice to terminate in the event of an
uncured breach of a material term of this Agreement where the breach is not cured to the
reasonable satisfaction of the non-breaching Parties after thirty (30) days written notice of such
breach.
(b) Upon termination of this Agreement for any reason, Service Provider
shall, if feasible, return or destroy all PHI and electronic PHI or any copies thereof received from
Gehring Group that Service Provider or its agents or subcontractors still maintain in any form. If
return or destruction is infeasible, Service Provider or its agents or subcontractors shall continue
to extend the protections of this Agreement to such information, and limit further use of such
PHI to those purposes that make the return or destruction of such PHI infeasible.
3.11 Indemnification.
(a) Service Provider will indemnify and hold harmless Gehring Group and
any of its affiliates, officers, directors, employees, subcontractors, agents, or other members of
its workforce, from and against any claim, cause of action, liability, damage, fine, penalty, cost
or expense arising out of or in connection with any non-permitted use or disclosure of PHI,
electronic PHI or other breach of this Agreement by Service Provider or any subcontractor,
agent, person or entity of Service Provider that provides the Service Provider Services.
Notwithstanding any provision of the Service Provider Agreement to the contrary, Service
Provider's responsibility for indemnification arising out of or in connection with this Agreement
will be governed solely by this Section 3.11 and no provision set forth in the Service Provider
Agreement, including indemnification provisions thereunder or any terms that define, restrict or
limit the types or amounts of damages, costs or expenses, will in any way restrict or limit Service
Provider's indemnification liability hereunder. Notwithstanding anything contained herein to the
contrary, this indemnification provision shall not be construed as a waiver of any immunity to
which Client is entitled or the extent of any limitation of liability pursuant to § 768.28, Florida
Statutes. Furthermore, this provision is not intended to nor shall be interpreted as limiting or in
any way affecting any defense Client may have under § 768.28, Florida Statutes or as consent to
be sued by third parties.
3.12 Governing Law. This Agreement shall be governed by and interpreted in
accordance with the laws of Florida.
[Signatures on following page]
IN WITNESS WHEREOF, the Parties have entered into this Agreement to be effective
as of the Effective Date.
City of Clearwater:
By
Its:
The Gehring Group, Inc.:
WageWorks, Inc.
Name: [illegible]
Its: [illegible]