
RESOLUTION 2017-06

RESOLUTION NO. 2017-06

A RESOLUTION AUTHORIZING EXECUTION OF
BUSINESS ASSOCIATE AGREEMENT WITH BROWN AND BROWN OF ARKANSAS, INC.

 

WHEREAS, the City sponsors a Cafeteria Plan for medical expenses for the benefit and wellbeing of its employees and officials;

WHEREAS, administration of the Cafeteria Plan is through Brown & Brown of Arkansas, Inc. (hereinafter Brown);

WHEREAS, the U.S. Department of Health and Human Services (hereinafter the Department) in order to protect the privacy of participants in the Cafeteria Plan regarding protected health information, requires specific agreements which assign certain responsibilities to the entities handling such information;

WHEREAS, the Business Associate Agreement (hereinafter Agreement) attached hereto is in compliance with the federal regulations as expressed in HIPAA; and,

WHEREAS, the provisions of the Agreement, specifically Article 6, Section 6.7, requires the City to indemnify others and to be indemnified by others in the event of specified occurrences and indemnity provisions may affect the immunity usually afforded municipalities in Arkansas.

NOW, THEREFORE BE IT RESOLVED BY THE CITY COUNCIL OF JOHNSON, ARKANSAS, that:

Section 1:    That the attached Business Associate Agreement (Agreement) as it relates to obligations imposed upon the City by virtue of HIPAA regulations to safeguard protected health information which contains indemnification provisions is hereby approved.

 

 

 

Section 2:    That the Mayor and Recorder-Treasurer are hereby authorized and directed to take such necessary steps and precautions as are required to comply with the Agreement and specifically Article 4 thereof.

 

Section 3:    That the Recorder-Treasurer should be and hereby is authorized to execute the Agreement on behalf of the City and transmit the two (2) signed originals to Brown and maintain the original executed by Brown upon its return.

PASSED AND APPROVED this 13 day of June, 2017.

 

ATTEST:

Business Associate Agreement

 

This Business Associate Agreement ("Agreement") is being entered into between Brown & Brown of Arkansas, Inc. - NW Arkansas ("Business Associate") and all of the Health Plans of Plan Sponsor City of Johnson Jennifer Allen ("Covered Entity") to facilitate compliance with the HIPAA Rules. In consideration for the compensation paid to Business Associate to provide services relating to and on behalf of Covered Entity, the parties agree to the terms set forth in this Agreement.

Article 1 Definitions

 

The following terms have the meanings described in this Article for purposes of the Agreement unless the context clearly indicates another meaning. Terms used, but not otherwise defined, in this Agreement have the same meaning as those terms in the Privacy Rule.

1.1        Business Associate

"Business Associate" means the entity described in the first paragraph of this Agreement.

1.2        CFR

"CFR" means the Code of Federal Regulations.

1.3        Covered Entity

"Covered Entity" means all of the Health Plans maintained by Plan Sponsor.

1.4        Designated Record Set

"Designated Record Set" has the same meaning as the term "Designated Record Set" in 45 CFR 164.501.

1.5        Electronic Health Record

"Electronic Health Record" means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

1.6        HIPAA

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996.

1.7        HIPAA Rules

"HIPAA Rules" means the privacy, security, breach notification and enforcement rules of 45 CFR Parts 160 and 164.

1.8        HITECH Amendment

"HITECH Amendment" means the changes to HIPAA made by the Health Information Technology for Economic and Clinical Health Act.

1.9        Individual

"Individual" has the same meaning as the term "individual" in 45 CFR 160.103 and includes a person  who qualifies as a personal  representative in accordance with 45 CFR 164.502(g).

1.10     Plan Sponsor

"Plan Sponsor" means City of Johnson

1.11     Protected Health Information

"Protected Health Information" has the same meaning as  the  term  "Protected  Health Information" in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.12     Required By Law

"Required By Law" has the same meaning as the term "required by law" in 45 CFR 164.103.

1.13     Secretary

"Secretary" means the Secretary of the Department of Health and Human Services or his designee.

1.14     Security Incident

"Security Incident" has the same meaning as the term "Security Incident" in 45 CFR 164.304.

Article 2

Obligations and Activities of Business Associate

 

Business Associate agrees to perform the obligations and activities described in this Article.

2.1        Business Associate understands that it is subject to the HIPAA Rules in a similar manner as the rules apply to Covered Entity. As a result, Business Associate agrees to take all actions necessary to comply with the HIPAA Rules for business associates, including, but not limited to, the following: Business Associate shall establish policies and procedures to ensure compliance with the HIPAA Rules, Business Associate shall train its workforce regarding the HIPAA Rules, Business Associate shall enter into a privacy/security agreement with Covered Entity, Business Associate shall enter into privacy/security agreements with its subcontractors that perform functions relating to Covered Entity involving Protected Health Information, and Business Associate shall conduct a security risk analysis.

2.2        Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

2.3        Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

2.4        Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

 

 

2.5        Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware and/or any Security Incident of which it becomes aware.

2.6        Business Associate agrees to the following in connection with the breach notification requirements of the HIPAA Rules:

a) If Business Associate discovers a breach of unsecured Protected Health Information, as those terms are defined by 45 CFR 164.402, Business Associate shall notify Covered Entity without unreasonable delay and within 10 calendar days after discovery. For this purpose, discovery means the first day on which the breach is known to Business Associate or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a breach if the breach is known or by exercising reasonable diligence would have been known to any person, other than the person committing the breach, who is an employee, officer, subcontractor or other agent of Business Associate. The notification must include identification of each individual whose unsecured Protected Health Information has been or it has reasonably believed to have been breached and any other available information in Business Associate's possession which the Plan is required to include in the individual notice contemplated by 45 CFR 164.404.

b) Notwithstanding the immediately preceding paragraph, Business Associate shall assume the individual notice obligation specified in 45 CFR 164.404 on behalf of Covered Entity where a breach of unsecured Protected Health Information was committed by Business Associate or its employee, officer, subcontractor or other agent of Business Associate or is within the unique knowledge of Business Associate as opposed to Covered Entity. In such case, Business Associate will prepare the notice and shall provide it to Covered Entity for review and approval at least five calendar days before it is required to be sent to the affected individual(s). Covered Entity shall promptly review the notice and shall not unreasonably withhold its

c) Further, where a breach involves more than 500 individuals and was committed by the Business Associate or its employee, officer, subcontractor or other agent or is within the unique knowledge of Business Associate as opposed to Covered Entity, Business Associate shall provide notice to the media pursuant to 45 CFR 164.406. Again, Business Associate will prepare the notice and shall provide it to Covered Entity for review and approval at least five calendar days before it is required to be sent to the media. Covered Entity shall promptly review the notice and shall not unreasonably withhold its

d) Business Associate shall either report breaches of unsecured Protected Health Information with respect to Covered Entity to the Secretary in accordance with 45 CFR 164.408 or alternatively, shall maintain a log of breaches of unsecured Protected Health Information with respect to Covered Entity and shall submit the log to Covered Entity within 30 calendar days following the end of each calendar year so that Covered Entity may report the breaches to the Secretary in accordance with 45 CFR 164.408(c).

 

 

2.7         Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate regarding Covered Entity, agrees in writing to the same restrictions, conditions and requirements that apply through this Agreement and the HIPAA Rules to Business Associate with respect to such information. Moreover, Business Associate shall ensure that any such  agent  or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity's electronic Protected Health Information.

2.8        Business Associate agrees to provide reasonable access, at the written request of Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed in writing by Covered Entity, to an Individual or the Individual's designee in order to meet the requirements under 45 CFR 164.524. If Business Associate receives a request directly from an Individual or the Individual's designee, Business Associate shall notify Covered Entity as soon as administratively feasible in order for the parties to coordinate a response.

2.9        Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs in writing or agrees to pursuant to 45 CFR 164.526, or take any other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526. If Business Associate receives a request directly from an Individual or the Individual's designee, Business Associate shall notify Covered Entity as soon as administratively feasible in order for the parties to coordinate a response.

2.10       Following receipt of a written request by Covered Entity, Business Associate agrees to make its internal practices, books, and records including policies and procedures and Protected Health Information relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity reasonably available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules.

2.11       Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528, effective as of such effective date prescribed by regulations issued by the U.S. Department of Health and Human Services, an accounting of disclosures of Protected Health Information from an Electronic Health Record in accordance with the HITECH Amendment.

2.12       Following receipt of a written request by Covered Entity, Business Associate agrees to provide to Covered Entity or an Individual or the Individual's designee, information collected in accordance with Section 2.10 of this Agreement, to permit Covered Entity to respond to a request by an Individual or the Individual's designee, for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528, effective as of such effective date prescribed by regulations issued by the U.S. Department of Health and Human Services, an accounting of disclosures of Protected Health Information from an Electronic Health Record in accordance with the HITECH Amendment. If Business Associate receives a request directly from an Individual or the Individual's designee, Business Associate shall notify Covered Entity as soon as administratively feasible in order for the parties to coordinate a response.

2.13       To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

Article 3

Permitted Uses and Disclosures by Business Associate

 

3.1        Business Associate may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Covered Entity as specified in the underlying service agreement between Plan Sponsor and Business Associate with respect to the Health Plan(s), provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity. If there is no underlying service agreement between Plan Sponsor and Business Associate with respect to the Health Plan(s), Business Associate may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Covered Entity for the purposes of payment, treatment or health care operations as those terms are defined in the HIPAA Rules, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

Business Associate is authorized to use Protected Health Information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). Before proceeding with any such de-identification, Business Associate shall inform Covered Entity in writing of the manner in which it will de-identify the Protected Health Information and the proposed use and disclosure by the Business Associate of the de-identified information.

3.2        Business Associate may use or disclose Protected Health Information as Required by Law.

3.3        Business Associate agrees to make uses and disclosures and requests for Protected Health Information consistent with Covered Entity's minimum necessary policies and procedures.

3.4        Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth in this Article.

3.5        Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

3.6        Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.7        Business Associate may use Protected Health Information to provide data aggregation services relating to the health care operations of the Covered Entity.

Article 4 Obligations of Covered Entity

 

4.1        Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

4.2        Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

4.3        Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

4.4        Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity. However, there is an exception to this restriction if, pursuant to this Agreement, Business Associate uses or discloses Protected Health Information for data aggregation or management and administration and legal responsibilities of the Business Associate.

 

Article 5

Term and Termination

5.1         Term

 

This Agreement shall replace and take precedence over any prior business associate agreement entered into between the parties. It shall take effect on 11/01/16 and shall terminate on the date the Agreement is terminated for cause pursuant to Section 5.2 or such other date as agreed to by the parties in writing.

5.2         Termination for Cause

Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines that Business Associate has violated a material term of the Agreement. In this situation, Covered Entity shall either:

a) Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement if Business Associate does not cure the breach or end the violation within a reasonable time, as specified by Covered Entity; or

b) Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and Covered Entity determines that cure is not

 

5.3         Effect of Termination

a) Except as provided in subparagraph (b) upon termination of this Agreement, for any reason, Business Associate shall return or if agreed to by Covered Entity, destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the Protected Health .

b) In the event that Business Associate determines that returning or destroying the Protected Health Information is necessary for its own management and administration or to carry out its legal responsibilities and Business Associate determines that it needs to retain the Protected Health Information for such purposes after termination of the Agreement, Business Associate agrees to the following restrictions set forth in this subsection. Specifically, upon termination of this Agreement, for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, shall:

    1. Retain only the Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
    2. Return to Covered Entity or if agreed to by Covered Entity, destroy the remaining Protected Health Information that Business Associate still maintains in any form;
    3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;
    4. Not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which the Protected Health Information was retained and subject to the same conditions set out in Sections 3.5 and 3.6 which apply prior to termination; and
    5. Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

c) Notwithstanding any other provision of this Section, Covered Entity may authorize Business Associate to transmit Protected Health Information to another Business Associate of the Covered Entity at termination pursuant to Covered Entity's written instructions.

d) This Section shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate and Business Associate shall be obligated to ensure the return or destruction (if agreed to by Covered Entity) of such Protected Health Information.

 

Article 6 Miscellaneous

6.1        Notice

 

Any notice or other written communication required or permitted to be given to the other party under this Agreement must be addressed to the attention of the other party in care of the contact person identified below. Written notice may be delivered by certified mail or overnight mail.

Business Associate:

Brown & Brown of Arkansas, Inc. - NW Arkansas
Contact Person: J. Todd Setser
1479 Executive Pl, Ste A
Springdale, AR 72762-4324

Covered Entity:

Health Plans of: City of Johnson
Contact Person: Jennifer Allen
PO Box 563
Johnson, AR 72741

 

6.2        Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

6.3         Amendment

This Agreement may only be amended in a written document signed by an authorized representative of each party. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the HIPAA Rules and any other applicable law. If the Business Associate refuses to sign such an amendment, this Agreement shall automatically terminate.

6.4        Survival

The rights and obligations of Business Associate under Section 5.3 of this Agreement shall survive the termination of this Agreement.

6.5        Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

6.6         Successors

This Agreement is binding on each party's legal successors.

6.7         Indemnification

Regardless of whether Business Associate is Covered Entity's agent, Business Associate agrees to indemnify and hold harmless Covered Entity, Plan Sponsor and its directors, officers and employees against any and all claims, lawsuits, settlements, judgments, costs, penalties and expenses including attorneys fees resulting from or arising out of or in connection with a use or disclosure of Protected Health Information by Business Associate or its subcontractors or agents in violation of this Agreement.

Covered Entity and Plan Sponsor agree to indemnify and hold harmless Business Associate and its directors, officers and employees against any and all claims, lawsuits, settlements, judgments, costs, penalties and expenses including attorneys fees resulting from or arising out of or in connection with a use or disclosure of Protected Health Information by Covered Entity or Plan Sponsor, or agents of Covered Entity or Plan Sponsor, in violation of this Agreement.

6.8        No Beneficiaries

Nothing expressed or implied in this Agreement is intended to confer, nor shall anything confer, upon any person other than the Covered Entity, Plan Sponsor and Business Associate, and their respective successors or assigns, any rights, remedies, obligations or liabilities.

 

Dated:                                             

 

Dated:

 

Brown & Brown of Arkansas, Inc - NW Arkansas

J. Todd Setser

Executive Vice President

 

Health Plans of:

City of Johnson