R-04-05-13-13A2 - 5/13/2004RESOLUTION NO. R -04-05-13-13A2
WHEREAS, the City of Round Rock has previously entered into a
Services Agreement with Workers Assistance Program, Inc., and
WHEREAS, the City wishes to comply with Health Insurance
Portability and Accountability Act (HIPAA) standards that protect
individual's medical records, and
WHEREAS, the City now wishes to enter into a HIPAA Business
Associate Agreement with Workers Assistance Program, Inc. to comply
with HIPAA, Now Therefore
BE IT RESOLVED BY THE COUNCIL OF THE CITY OF ROUND ROCK, TEXAS,
That the Mayor is hereby authorized and directed to execute on
behalf of the City a HIPAA Business Associate Agreement with Workers
Assistance Program, Inc., a copy of same being attached hereto as
Exhibit "A" and incorporated herein for all purposes.
The City Council hereby finds and declares that written notice of
the date, hour, place and subject of the meeting at which this
Resolution was adopted was posted and that such meeting was open to the
public as required by law at all times during which this Resolution and
the subject matter hereof were discussed, considered and formally acted
upon, all as required by the Open Meetings Act,
Government Code, as amended.
RESOLVED this 13th day of May, 2004.
ATTEST:
Chapter 551, Texas
NYL EL , Mayor
City .f Round Rock, Texas
CHRISTINE R. MARTINEZ, City Sectary
@PFDesk[op\::ODM_R/WORLDOX/0:/WDOX/RESOLUTI/R40513A2.WPD/sc
HIPAA BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is made as of April
14, 2004 by and between Workers Assistance Program, Inc. ("Vendor") and the City of
Round Rock Welfare Benefit Plan, sponsored by City of Round Rock ("Covered Entity").
Recitals
WHEREAS, Covered Entity and Vendor are parties to a services agreement dated
December 20, 2001(the "Services Agreement") pursuant to which Vendor has agreed to
provide certain services (the "Services") to Covered Entity; and
WHEREAS, Covered Entity desires to protect the privacy of certain Protected Health
Information, as described below, in accordance with the applicable requirements of the
Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1171 et seq
("HIPAA") , and the privacy regulations promulgated thereunder (45 CFR part 160 and
part 164, subparts A and E) (the "Privacy Rule"); and
WHEREAS, Vendor is a "Business Associate" of Covered Entity within the meaning of
45 CFR Section 160.103; and
WHEREAS, Covered Entity and Vendor desire to set forth the terms and conditions
under which Vendor may use and disclose the Protected Health Information;
Agreement
NOW THEREFORE, in consideration of the foregoing and the mutual covenants set
forth herein, and intending to be legally bound, the parties hereto have agreed as follows:
1. Certain Definitions
"Effective Date" shall mean April 14, 2004.
"Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501
and shall include a person who qualifies as a personal representative in accordance with
45 CFR 164.502(g).
"Protected Health Information" shall mean any "protected health information", as defined
in 45 CFR 164.501, that is created by Vendor or received by Vendor from or on behalf of
Covered Entity in connection with the Services.
"Required by Law" shall have the meaning given to such term under 45 CFR part 160
and part 164, subparts A and E, including but not limited to 45 CRF 164.501.
"Secretary" shall mean the Secretary of the Department of Health and Human Services
EXHIBIT
"An
2
2. Use and Disclosure by Vendor of Protected Health Information.
(a) Use. Vendor may use Protected Health Information received by or created
by Vendor in its capacity as a business associate to the Covered Entity, if necessary:
(i) for the proper management and administration of the business
associate; or
(ii) to carry out the legal responsibilities of the business associate.
(b) Disclosure. Vendor may disclose Protected Health Information received
by or created by Vendor in its capacity as a business associate to Covered Entity for the
proper management and administration of Vendor or to carry out the legal responsibilities
of Vendor if:
(i) the disclosure is Required by Law; or
(ii) (1) Vendor obtains reasonable assurances from the person to whom
the information is disclosed that it will be held confidentially and used or
further disclosed only as Required by Law or for the purpose for which it
was disclosed to the person; and
(2) the person notifies Vendor of any instances of which it is aware in
which the confidentiality of the information has been breached.
3. Obligations of Vendor
(a) Appropriate Safeguards. Vendor shall use appropriate safeguards to
prevent use or disclosure of Protected Health Information other than as provided for or
permitted by this Agreement or the Services Agreement.
(b) Reporting of Improper Use. Vendor shall report to Covered Entity any
use or disclosure of the Protected Health Information other than as permitted by this
Agreement or the Services Agreement of which Vendor becomes aware. Vendor shall
mitigate, to the extent practicable, any harmful effect that is known to Vendor of use or
disclosure of Protected Health Information by Vendor or its agents in violation of the
requirements of this Agreement.
(c) Agents and Subcontractors. Vendor shall ensure that Vendor's agents,
including any subcontractor, to whom Vendor provides the Protected Health Information
agree to the same restrictions and conditions that apply to Vendor hereunder with respect
to such information.
(d) Access to Protected Health Information. Vendor shall make available to
Covered Entity or to an Individual the Protected Health Information in accordance with
the requirements of 45 CFR 164.524, and subject to the limitations specified therein.
(e) Amendment of Protected Health Information. Vendor shall make
available to Covered Entity or to an Individual the Protected Health Information for
amendment and incorporate any amendments thereto in accordance with the requirements
of 45 CFR 164.526.
-3
(f) Accounting of Disclosures. In accordance with the requirements of 45
CFR 164.528, and subject to the limitations specified therein, Vendor shall make
available the information required to provide an accounting of use or disclosure of the
Protected Health Information by Vendor or a third party. Vendor shall promptly report to
Covered Entity all requests for such information received by Vendor directly from an
Individual.
(h) Access to Records by the Secretary. Vendor shall make available its
internal practices, books, and records relating to its use and disclosure of the Protected
Health Information to the Secretary for the purpose of determining Covered Entity's
compliance with the Privacy Rule. Covered Entity shall promptly report to Vendor
receipt of a request for information from the Secretary and copies of materials provided
by the Secretary in connection with such request.
4. Obligations of Covered Entity.
(a) Privacy Practices. Covered Entity shall notify Vendor of any limitations
in the applicable Notice of Privacy Practices, in accordance with 45 CFR 164.520, to the
extent that such limitations may affect Vendor's use or disclosure of Protected Health
Information.
(b) Changes in Individual Permission. Covered Entity shall notify Vendor
of any changes in, or revocation of permissions by an Individual to use or disclose
Protected Health Information to the extent that such changes may affect Vendor's use or
disclosure of the Protected Health Information.
(c) Restrictions on Use or Disclosure of Protected Health Information.
Covered Entity shall notify Vendor of any restrictions affecting the use or disclosure of
Protected Health Information to which Covered Entity may agree pursuant to 45 CFR
164.522 to the extent that such restrictions affect Vendor's use or Disclosure of Protected
Health Information.
5. Term and Termination.
(a) Term. The term of this Agreement shall commence as of the Effective
Date and shall terminate when all Protected Health Information provided by Covered
Entity to Vendor, or created or received by Vendor on behalf of Covered Entity, is
destroyed or returned to Covered Entity.
(b) Termination for Cause; Termination of Services Agreement. Covered
Entity may notify Vendor in writing of any material breach by Vendor of this Agreement
of which Covered Entity has knowledge. Vendor shall have an opportunity to cure any
such breach within the period of time specified by Covered Entity in its notice. If Vendor
fails to cure such breach within such period, Covered Entity may immediately terminate
this Agreement. Notwithstanding any provision of the Services Agreement to the
contrary, Vendor's breach of this Agreement shall constitute grounds for immediate
4
termination of the Services Agreement by Covered Entity. If termination is not feasible,
Covered Entity shall report the violation to the Secretary.
(c) Effect of Termination. Upon termination of this Agreement for any
reason, Vendor shall return or destroy all Protected Health Information received from
Covered Entity or created or received by Vendor upon behalf of Covered Entity,
including without limitation all such information that may be in the possession of
Vendor's agents and subcontractors. Vendor shall not retain any copies of such
information. If Vendor determines that returning or destroying the Protected Health
Information is not feasible, Vendor shall extend the protections of this agreement to the
information and limit further uses and disclosures to those purposes that make the return
or destruction of the information not feasible.
6. Indemnification. Vendor shall indemnify and hold Covered Entity, Plan Sponsor,
and Plan Sponsor's employees and directors harmless from and against any loss, damage,
liability, or expense, including without limitation reasonable attorneys' fees and any civil
or criminal penalties, arising from or in connection with Vendor's failure to comply with
the obligations of this Agreement or breach of this Agreement.
7. Amendment. The parties shall take such action as may be required to amend this
Agreement from time to time to enable Covered Entity to comply with the requirements
of HIPAA and the Privacy Rule.
8. Conflict with Services Agreement. The provisions of this Agreement shall
prevail over any conflicting provisions of the Services Agreement. Except as modified by
this Agreement, the terms of the Services Agreement shall remain in force and effect.
9. No Third Party Beneficiaries. The parties do not intend to confer any rights or
remedies to any party other than Vendor and Covered Entity and their respective
successors and assignees.
10. Assignment. Vendor may not assign this Agreement without Covered Entity's
prior written consent. This Agreement shall be binding upon the successors and
assignees of the parties hereto.
11. Governing Law. This Agreement shall be construed in accordance with
applicable federal law and the governing law specified in the Services Agreement.
12. Interpretation. Any ambiguity in this Agreement shall be resolved to permit
Covered Entity to comply with the Privacy Rule.
IN WITNESS HEREOF, the parties hereto have executed this Agreement effective as of
the Effective Date.
City of Round Rock Workers Assistance Program, Inc.
221 East Main Street
Round Rock, Texas 78664
By:
Nyle Maxwell, Mayor
Attest:
Christine R. Martinez
City Secretary
3410 Far West Blvd. Suite 250
Austin, Texas 78731-3167
By:
\\AA1Q/LinS
Name: l �} 1� /J - � i� �l ei
Title: .171f&Jf C1/Le/t- ," ✓
DATE: May 7, 2004
SUBJECT: City Council Meeting - May 13, 2004
ITEM: 13.A.2. Consider a resolution authorizing the Mayor to execute a
Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement with Workers Assistance
Program, Inc. regarding the confidentiality of protected health
information.
Department: Human Resources
Staff Person: Teresa Bledsoe, HR Director
Justification: The purpose of this resolution is to comply with Health
Insurance Portability and Accountability Act (HIPAA)
standards that protect individuals' medical records and other
personal health information.
Funding:
Cost: N/A
Sources of Funds:
Outside Resources:
Background Information:
Public Comment: N/A
N/A
N/A
The Department of Health and Human Services issued
a compilation of new and existing guidance about key
elements of the requirements of the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA")
Standards for Primacy of Indivually Identifiable Health
Information (the "Privacy Rule").
EXFCUTFD
DOCUMENT
FOLLOWS
HIPAA BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT(the "Agreement") /p A y
g ) is made as ofd
/ 3 k4' 2004 by and between Workers Assistance Program, Inc. ("Vendor") and the City of
Round Rock Welfare Benefit Plan, sponsored by City of Round Rock ("Covered Entity").
Recitals
WHEREAS, Covered Entity and Vendor are parties to a services agreement dated
December 20, 2001(the "Services Agreement") pursuant to which Vendor has agreed to
provide certain services (the "Services") to Covered Entity; and
WHEREAS, Covered Entity desires to protect the privacy of certain Protected Health
Information, as described below, in accordance with the applicable requirements of the
Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1171 et seq
("HIPAA") , and the privacy regulations promulgated thereunder (45 CFR part 160 and
part 164, subparts A and E) (the "Privacy Rule"); and
WHEREAS, Vendor is a "Business Associate" of Covered Entity within the meaning of
45 CFR Section 160.103; and
WHEREAS, Covered Entity and Vendor desire to set forth the terms and conditions
under which Vendor may use and disclose the Protected Health Information;
Agreement
NOW THEREFORE, in consideration of the foregoing and the mutual covenants set
forth herein, and intending to be legally bound, the parties hereto have agreed as follows:
1. Certain Definitions
"Effective Date" shall mean April 14, 2004.
"Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501
and shall include a person who qualifies as a personal representative in accordance with
45 CFR 164.502(g).
"Protected Health Information" shall mean any "protected health information", as defined
in 45 CFR 164.501, that is created by Vendor or received by Vendor from or on behalf of
Covered Entity in connection with the Services.
"Required by Law" shall have the meaning given to such term under 45 CFR part 160
and part 164, subparts A and E, including but not limited to 45 CRF 164.501.
"Secretary" shall mean the Secretary of the Department of Health and Human Services
E-O.I-05--13-I B A2�
2
2. Use and Disclosure by Vendor of Protected Health Information.
(a) Use. Vendor may use Protected Health Information received by or created
by Vendor in its capacity as a business associate to the Covered Entity, if necessary:
(i) for the proper management and administration of the business
associate; or
(ii) to carry out the legal responsibilities of the business associate.
(b) Disclosure. Vendor may disclose Protected Health Information received
by or created by Vendor in its capacity as a business associate to Covered Entity for the
proper management and administration of Vendor or to carry out the legal responsibilities
of Vendor if:
(i) the disclosure is Required by Law; or
(ii) (1) Vendor obtains reasonable assurances from the person to whom
the information is disclosed that it will be held confidentially and used or
further disclosed only as Required by Law or for the purpose for which it
was disclosed to the person; and
(2) the person notifies Vendor of any instances of which it is aware in
which the confidentiality of the information has been breached.
3. Obligations of Vendor
(a) Appropriate Safeguards. Vendor shall use appropriate safeguards to
prevent use or disclosure of Protected Health Information other than as provided for or
permitted by this Agreement or the Services Agreement.
(b) Reporting of Improper Use. Vendor shall report to Covered Entity any
use or disclosure of the Protected Health Information other than as permitted by this
Agreement or the Services Agreement of which Vendor becomes aware. Vendor shall
mitigate, to the extent practicable, any harmful effect that is known to Vendor of use or
disclosure of Protected Health Information by Vendor or its agents in violation of the
requirements of this Agreement.
(c) Agents and Subcontractors. Vendor shall ensure that Vendor's agents,
including any subcontractor, to whom Vendor provides the Protected Health Information
agree to the same restrictions and conditions that apply to Vendor hereunder with respect
to such information.
(d) Access to Protected Health Information. Vendor shall make available to
Covered Entity or to an Individual the Protected Health Information in accordance with
the requirements of 45 CFR 164.524, and subject to the limitations specified therein.
(e) Amendment of Protected Health Information. Vendor shall make
available to Covered Entity or to an Individual the Protected Health Information for
amendment and incorporate any amendments thereto in accordance with the requirements
of 45 CFR 164.526.
-3
(f) Accounting of Disclosures. In accordance with the requirements of 45
CFR 164.528, and subject to the limitations specified therein, Vendor shall make
available the information required to provide an accounting of use or disclosure of the
Protected Health Information by Vendor or a third party. Vendor shall promptly report to
Covered Entity all requests for such information received by Vendor directly from an
Individual.
(h) Access to Records by the Secretary. Vendor shall make available its
internal practices, books, and records relating to its use and disclosure of the Protected
Health Information to the Secretary for the purpose of determining Covered Entity's
compliance with the Privacy Rule. Covered Entity shall promptly report to Vendor
receipt of a request for information from the Secretary and copies of materials provided
by the Secretary in connection with such request.
4. Obligations of Covered Entity.
(a) Privacy Practices. Covered Entity shall notify Vendor of any limitations
in the applicable Notice of Privacy Practices, in accordance with 45 CFR 164.520, to the
extent that such limitations may affect Vendor's use or disclosure of Protected Health
Information.
(b) Changes in Individual Permission. Covered Entity shall notify Vendor
of any changes in, or revocation of permissions by an Individual to use or disclose
Protected Health Information to the extent that such changes may affect Vendor's use or
disclosure of the Protected Health Information.
(c) Restrictions on Use or Disclosure of Protected Health Information.
Covered Entity shall notify Vendor of any restrictions affecting the use or disclosure of
Protected Health Information to which Covered Entity may agree pursuant to 45 CFR
164.522 to the extent that such restrictions affect Vendor's use or Disclosure of Protected
Health Information.
5. Term and Termination.
(a) Term. The term of this Agreement shall commence as of the Effective
Date and shall terminate when all Protected Health Information provided by Covered
Entity to Vendor, or created or received by Vendor on behalf of Covered Entity, is
destroyed or returned to Covered Entity.
(b) Termination for Cause; Termination of Services Agreement. Covered
Entity may notify Vendor in writing of any material breach by Vendor of this Agreement
of which Covered Entity has knowledge. Vendor shall have an opportunity to cure any
such breach within the period of time specified by Covered Entity in its notice. If Vendor
fails to cure such breach within such period, Covered Entity may immediately terminate
this Agreement. Notwithstanding any provision of the Services Agreement to the
contrary, Vendor's breach of this Agreement shall constitute grounds for immediate
4
termination of the Services Agreement by Covered Entity. If termination is not feasible,
Covered Entity shall report the violation to the Secretary.
(c) Effect of Termination. Upon termination of this Agreement for any
reason, Vendor shall return or destroy all Protected Health Information received from
Covered Entity or created or received by Vendor upon behalf of Covered Entity,
including without limitation all such information that may be in the possession of
Vendor's agents and subcontractors. Vendor shall not retain any copies of such
information. If Vendor determines that returning or destroying the Protected Health
Information is not feasible, Vendor shall extend the protections of this agreement to the
information and limit further uses and disclosures to those purposes that make the return
or destruction of the information not feasible.
6. Indemnification. Vendor shall indemnify and hold Covered Entity, Plan Sponsor,
and Plan Sponsor's employees and directors harmless from and against any loss, damage,
liability, or expense, including without limitation reasonable attorneys' fees and any civil
or criminal penalties, arising from or in connection with Vendor's failure to comply with
the obligations of this Agreement or breach of this Agreement.
7. Amendment. The parties shall take such action as may be required to amend this
Agreement from time to time to enable Covered Entity to comply with the requirements
of HIPAA and the Privacy Rule.
8. Conflict with Services Agreement. The provisions of this Agreement shall
prevail over any conflicting provisions of the Services Agreement. Except as modified by
this Agreement, the terms of the Services Agreement shall remain in force and effect.
9. No Third Party Beneficiaries. The parties do not intend to confer any rights or
remedies to any party other than Vendor and Covered Entity and their respective
successors and assignees.
10. Assignment. Vendor may not assign this Agreement without Covered Entity's
prior written consent. This Agreement shall be binding upon the successors and
assignees of the parties hereto.
11. Governing Law. This Agreement shall be construed in accordance with
applicable federal law and the governing law specified in the Services Agreement.
12. Interpretation. Any ambiguity in this Agreement shall be resolved to permit
Covered Entity to comply with the Privacy Rule.
IN WITNESS HEREOF, the parties hereto have executed this Agreement effective as of
the Effective Date.
City of Round Rock Workers Assistance Program, Inc.
221 East Main Street
Round Rock, Texas 78664
B
Maxwell, Mayor
Christine R. Martinez
City Secretary
3410 Far West Blvd. Suite 250
Austin, Texas 78731-3167
By:
)(o 0, L sAid
Name: L%e. /] . A) Ca b/ei t
Title: (41, t4.0T C1;