BenefitPlan Manager is a benefit management services company committed to providing end-to-end accurate,
dynamic and client centric results. BenefitPlan Manager’s technology team is responsible for seamless connectivity
between employees, employers, insurance carriers, payroll vendors and third-party administrators.
SECTION I
This Benefit Administration Services Agreement (“Agreement”) is entered into by and between BenefitPlan Manager Corp. (“BPM”) and the PROSPECTIVE CLIENT (hereinafter referred to as “Client”). The terms of this Agreement apply to the services stated in the “Term Sheet” attached hereto as Exhibit A (the “Services”), which term sheet, including any personal information privacy statement, is incorporated into the terms of this Agreement by this reference. This Agreement is effective upon execution and shall be in force for a period of 12 months unless otherwise mutually agreed upon. Both BPM and Client are duly organized, validly existing, and fully authorized to enter into this Agreement.
Services Provided by BPM
BPM shall use reasonable care and due diligence in the performance of its duties under this Agreement and provide timely and accurately administration and management. All notices provided by BPM to Client’s employees will comply with applicable law, including without limitation, the Employee Retirement Income Security Act of 1974, as amended (“ERISA”).
Client and BPM will execute a Business Associate Agreement, which is attached hereto and incorporated in this Agreement as Exhibit B.
Terms of Payment
Client agrees to pay BPM for Services provided under this Agreement in accordance with the fees determined on the Term Sheet. Payment for Services will occur within thirty (30) days of when Client receives an invoice.
Termination of Agreement
Client may terminate this Agreement with ninety (90) days prior written notice to BPM and BPM may terminate this Agreement with ninety (90) days prior written notice to Client. Notwithstanding the foregoing, if BPM (1) fails to perform any material term, condition or covenant of this Agreement, (2) ceases the conduct of active business, (3) institutes proceedings under bankruptcy or insolvency, or (4) fails to comply with any law governing the Services, Client may terminate this Agreement immediately.
Should Client terminate this agreement during the first six months from the effective date of this agreement for other than as stipulated in the previous paragraph Client agrees to pay BPM a prorated portion of the remaining annual projected fee based on a schedule found in the Fee Schedule on page 24 of this agreement. After six months the Termination Fee will be equal to the average of the final three months fees times two.
Upon termination of this Agreement for any reason, BPM will cooperate with Client in transferring the Services to a new third-party service provider or as otherwise directed by Client in order to ensure a smooth transition.
Client shall have a license to use any forms, scripts, notices or similar information provided by BPM (collectively, “Materials”) in connection with its use of the Services and in a manner that is consistent with this Agreement. Client will have no liability related to claims made against Client arising from any negligent, reckless or willful act or omission arising from BPM’s drafting of such Materials.
Indemnification
BPM agrees to indemnify, defend and hold Client, its Affiliates, and their respective owners, officers, directors, employees, and agents harmless from and against any and all debts,
claims, causes of action, liabilities, expenses, damages (including court costs and attorneys’ fees and disbursements) and suits,
of whatsoever kind or nature, whether in law or in equity, which may be asserted against or incurred by them, or any of them, arising out
of or in connection with BPM’s: (a) intentional, willful or negligent acts or omissions, or the intentional, willful or negligent acts or
omissions of any party under BPM’s direction; (b) BPM’s failure to comply with any federal, state or local laws, regulations, or requirements;
(c) any breach or alleged breach of any representation, warranty, or covenant contained in or contemplated by this Agreement or the BAA;
(d) whether orally or in paper or electronic media, any use or disclosure of any Client Information in violation of any provisions of this Agreement or
the BAA or any federal, state or local law, rule, regulation or ordinance, including, without limitation, the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Standards for
Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164 (the “Privacy Standards”), the security standards
at 45 C.F.R. Parts 160, 162 and 164 for the protection of electronic protected health information (the “Security Standards”), and any state law;
or (e) any infringement or violation of any proprietary right (including, but not limited to, patent, copyright, trademark, service mark, and trade secret).
BPM’s indemnification obligations under this paragraph shall survive the expiration or termination of this Agreement. In the event of any inconsistency
or conflict between this indemnification provision and the indemnification provision in the BAA, the provision more favorable to Client shall prevail and
control.
SECTION II
In addition to the preceding paragraphs of Section I, the following terms and conditions shall be applicable as they relate to the Services.
BPM Representations and Warranties
BPM has the right to grant the rights granted and to fully perform all of its obligations under this Agreement.
BPM will be in compliance with all federal, state, and local laws, statutes, regulations and ordinances affecting or relating to BPM’s activities under this Agreement and performance of the Services.
There are no claims, litigation, regulatory action or other proceedings pending or threatened which would adversely affect Client’s rights under this Agreement.
The Services will be performed in a timely and accurate manner and rendered using sound, professional practices and in a competent and professional manner by knowledgeable, trained, qualified personnel, and BPM has the expertise to deliver the Services contemplated under this Agreement.
BPM represents, warrants and covenants that its collection, access, use, storage, disposal and disclosure of any Confidential or Personal Data (as hereinafter defined) does and will comply with all applicable federal, state and local privacy and data protection laws, as well as all other applicable regulations and directives, and that BPM will provide the Services in a manner that complies with the terms of “Data Privacy and Security Requirements”, below.
BPM’s Processing and transmission of Confidential Information, Client Information, Personal Data and any other information in connection with the provision of the Services or this Agreement shall be accurate and timely; provided, BPM shall not be responsible to the extent of inaccurate information provided, or delays caused, by Client.
BPM represents, warrants and covenants that all of its subcontractors or agents performing Services or Processing under or in connection with this Agreement (a) have or will enter into written agreements requiring such subcontractors or agents to comply with HIPAA, the HITECH Act, and the Security Standards; and (b) will perform Services and Processing in accordance with this Agreement.
SECTION III
The following terms and conditions shall apply to this Agreement:
Execution and Delivery
This Agreement may be executed and delivered in one or more counterparts, all of which will be considered one and the same agreement. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought. Signatures to this Agreement transmitted by facsimile transmission, by electronic mail in portable document format (“.pdf”) form, or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, will have the same force and effect as physical execution and delivery of the paper document bearing the original signature.
Governing Law
This Agreement shall be construed, governed by, and enforced in accordance with the internal laws of the State of New York without giving effect to the principles of comity or conflicts of laws thereof.
Entire Agreement
This Agreement (including the BAA and the Term Sheet) represents the entire agreement of the parties with respect to the Services and supersedes any prior written or oral agreements. This Agreement shall not be altered or amended, except by written agreement of duly authorized representatives of BPM and Client.
Notices
Any notice, demand or other communication required or permitted to be given to either party to this Agreement shall be in writing and shall be either personally delivered by hand or delivered by prepaid courier or sent by electronic means such as facsimile, telex or electronic mail. Any notice personally delivered or delivered by courier shall be deemed received upon delivery or refusal to accept delivery. Any notice sent by electronic means shall be deemed received upon the date the sending terminal confirms that the notice was received. The addresses to which communications shall be sent are as follows:
In the case of PROSPECTIVE CLIENT , to:
PROSPECTIVE CLIENT
Attn:
In the case of BPM, to:
BenefitPlan Manager Corp.
Attn: Aaron Berg
100 Valley Road, Suite 202
Mount Arlington, NJ 07856
Facsimile: (973) 398-3080
Either party may change its address by giving written notice to the other party as provided in this subsection.
Waiver
The failure of either party at any time to require performance or observance by the other party of any term or condition of this Agreement shall not affect the full right to require such performance or observance at any subsequent time, unless otherwise provided in this Agreement. Further, no single or partial waiver of any right, power or privilege will preclude any other or further exercise of any other right, power or privilege. In order for a waiver of either party’s rights under this Agreement to be effective, such waiver must be in writing and signed by an authorized representative of the party against whom enforcement is sought.
Severability
If any term or condition of this Agreement is held to be invalid or unenforceable by reason of any statute, rule of law or public policy, all other terms and conditions of this Agreement shall remain in full force and effect as if this Agreement had been executed with the invalid or unenforceable portion eliminated.
Third Party Beneficiaries
Client’s Affiliates, including all of its direct and indirect subsidiaries, (a) that provide Confidential Information, Client Information, Personal Data or any other personal or other information to BPM, or (b) on whose behalf Confidential Information, Client Information, Personal Data or any other protected information is created or received by BPM, shall be a third-party beneficiaries of this Agreement and the BAA.
Insurance
(a) At all times during the term of this Agreement, and for a period of three (3) years thereafter, BPM shall procure and maintain, at its sole cost and expense, at least the following types and amounts of insurance coverage, which coverage must cover BPM’s indemnification obligations under this Agreement and the BAA: (i) Commercial General Liability with limits no less than $1,000,000 per occurrence and $2,000,000 in the aggregate, including bodily injury and property damage and products and completed operations and advertising liability, which policy will include contractual liability coverage insuring the activities of BPM under this Agreement and the BAA; (ii) Commercial Umbrella Liability with limits no less than $1,000,000 -per Occurrence and $2,000,000 Aggregate and (iii) Worker’s Compensation with limits no less than the minimum amount required by applicable law; and (iiii) Errors and Omissions and Cyber Insurance (covering data breaches) with limits no less than $2,000,000 per occurrence and $4,000,000 in the aggregate. The failure of BPM to maintain the foregoing coverage shall in no way diminish BPM’s indemnification obligations.
(b) All insurance policies required pursuant to this Agreement shall (i) be issued by insurance companies reasonably acceptable to Client; (ii) provide that such insurance carriers give Client at least 30 days’ prior written notice of cancellation or non-renewal of policy coverage; provided that, prior to such cancellation, the BPM shall have new insurance policies in place that meet the requirements of this Section ; (iii) waive any right of subrogation of the insurers against the Client or any of its Affiliates; (iv) provide that such insurance be primary insurance and any similar insurance in the name of and/or for the benefit of Client shall be excess and non-contributory; and (v) name Client and Client’s Affiliates, including, in each case, all successors and permitted assigns, as additional insureds.
(c) Upon the written request of Client, BPM shall provide Client with copies of the certificates of insurance and policy endorsements for all insurance coverage required by this Agreement, and shall not do anything to invalidate such insurance. This Section shall not be construed in any manner as waiving, restricting or limiting the liability of either party for any obligations imposed under this Agreement or the BAA (including but not limited to, any provisions requiring a party hereto to indemnify, defend and hold the other harmless under this Agreement or the BAA).
(d) Effectiveness
This Agreement shall be effective as of the date set forth in the first part of this Agreement.
Interpretation
Unless the context otherwise requires, as used in this Agreement, including the Term Sheet or the BAA: (i) "or" is not exclusive; (ii) "including" and its variants mean "including, without limitation" and its variants; (iii) words defined in the singular have the parallel meaning in the plural and vice versa; (iv) words of one gender shall be construed to apply to each gender; (vi) the terms "hereof", "herein", "hereby", "hereto", and derivative or similar words refer to this entire Agreement, including the exhibits and schedules to this Agreement; (vi) the terms "Article", "Section", "Exhibit" and "Schedule" refer to the specified Article, Section, Exhibit or Schedule of or to this Agreement; and (vii) any grammatical form or variant of a term defined in this Agreement, including the Term Sheet or BAA, shall be construed to have a meaning corresponding to the definition of the term set forth herein.
EXHIBIT A TERM SHEET
BenefitPlan Manager
BENEFIT ADMINISTRATION OUTSOURCING TERMS – Terms Sheet
BENEFITPLAN MANAGER CORP. (“BPM”) owns and operates a web-based service accessible through the BENEFITPLAN MANAGER website located at www.benefitplanmanager.com (“Website”) that provides and makes available certain employee benefit plan administration services (the “Services”). This Proposal (and the Benefit Administration Services Agreement (the “Agreement”) to which it is attached) sets forth the terms and services which BPM will provide to PROSPECTIVE CLIENT and its Affiliates who are beneficiaries of the Services. Any capitalized term used in this term sheet and not otherwise defined shall have the meaning ascribed to such term in the Agreement.
SERVICES RELATED TO THIS AGREEMENT
Annual Open Enrollment Services:
BPM will collect all plan and employee data pertinent to a one-time Open Enrollment. Data includes:
Plan Features of all benefit plans
Employee contribution schedules
Other data and material required for Open Enrollment
Enrollment options are made available through the employee’s BenefitPlan Manager home page – dates to be determined by Client
Employee dependent input screens enable the employee to add their dependent for inclusion into the benefit plans
Open Enrollment selections are uploaded (Enrollment/Waiver)
Open Enrollment information is verified then uploaded into the BenefitPlan Manager database for further processing
Insurance Carrier enrollment data files are created and shipped to Client for review
Insurance Carrier enrollment data files are created and shipped to Carrier for upload into Carrier enrollment system
Employee contribution Enrollment Summary file is produced for Client input into ADP
New AND Ongoing Enrollment:
New Hire Information is received from client through the client’s BenefitPlan
Manager portal or directly through a payroll upload
Initial email notification system is established which contains up to four email reminders for the employee to access their enrollment website or communicate their election choices to either BPM or the client
New Hire Information is verified then uploaded into BenefitPlan Manager
• If enrollment is going to be received electronically:
We set up employee home page for the employee and they log into BenefitPlan Manager and process their elections through the web.
• If enrollment is going to be received via mail or fax:
We will timely and accurately process all the information concurrent with employee selections in the BenefitPlan Manager System
• Telephonic connection between the employee and BPM are available whenever needed
Benefit elections are timely and accurately communicated to all insurance companies and third-party vendors
“New Hire Compliance” package which includes participant Rights to
COBRA, Private Healthcare Information (PHI), and HIPAA notices is made available on the employee homepage
If employee contribution is required, a Benefit Cost Summary - a Payroll
Authorization form - is available online for print and submission to the HR or
Payroll Manager
Client is notified of elections and can track past elections through the e-mail log
The system records all changes requested from the employee with the last
submission accepted as the benefit election.
Client is notified of employees’ upcoming/past due enrollment
Participant Termination:
Termination information is received from the client through the client’s
BenefitPlan Manager portal or directly through the payroll upload
Termination submission is reviewed for accuracy then uploaded into BenefitPlan Manager
If applicable, mail the Termination Letter which includes participant Rights to COBRA, FSA Continuation, and HIPAA Certificate of Coverage
Notify all insurance companies of termination (Medical/Dental/RX/Vision/Life/AD&D/LTD/STD/and any Ancillary Plans)
Participant “Change of Life Event”- Adding and/or Removing Dependent
Change of Life Event is logged and confirmed
Enrollment options made available through the employee’s BenefitPlan Manager home page
If applicable, mail the Termination Letter which includes participant Rights to COBRA, FSA Continuation, and HIPAA Certificate of Coverage
Ensure that all changes submitted meet legal requirements for example: Timeliness, etc.
Notify all insurance companies of enrollment changes (Medical/Dental/RX/Vision/Life/AD&D/LTD/STD/and any Ancillary Plans)
ACA Reporting
Tracking LNAP, Offer, Enrollment and Measurement Periods
Production of form 1095-C
Mailing of form 1095-C
Production and e-filing of forms 1094-C
COBRA ADMINISTRATION, NOTIFICATION, BILLING AND COLLECTION
Employer notification of employee’s termination initiates Termination Package which includes participant Rights to COBRA, FSA Continuation and HIPAA Certificate of Coverage
Upon receipt of the COBRA election from employee, the participant is mailed a payment coupon booklet
After receipt of first premium payment, the COBRA participant is re-enrolled at the applicable insurance companies
Continue to collect COBRA premiums for the duration of COBRA coverage
Remit collected COBRA premiums to the employer on a monthly basis
Issue HIPAA Certificate of Coverage at the termination or completion of COBRA coverage
Inform and advise COBRA participant during Open Enrollment of plan changes
Process new COBRA coupon booklets for all COBRA participants during Open Enrollment of plan changes
Process any second qualifying events within framework of COBRA including addition of dependent, marriage, divorce, etc.
If premiums are more than 31 days late, terminate the participant at the insurance company for non-payment
GENERAL BPM FEATURES AND VALUE TO PROSPECTIVE CLIENT
Reduce staffing needs thereby cutting corporate overhead
Efficiency and accuracy are greatly improved by utilizing the professional
BenefitPlan Manager staff of administrators and consultants
Provide payroll deductions for each participant electronically to the payroll department
24-hour access to the BenefitPlan Manager Website allows control even when not in the office
E-mail Global company announcements, which can be customized by location, Core Plan elections, Network, or Ancillary Plan elections
Automate the New Hire process
Eligibility processing at all necessary insurance carriers (Medical/Dental/RX/Vision/
Life/AD&D/LTD/STD/and any Ancillary Plans)
Mailing the new hire the “New Hire Compliance” package (including Rights to COBRA
and Private Healthcare Information (PHI) and HIPAA notices)
Reconciliation of monthly invoices
• Changes are summarized on a cover sheet and attached with monthly invoice. Approval to pay current invoice.
• Changes are verified or reprocessed with the carrier.
Post Employee Handbooks/Summary Plan Descriptions online (no more paper)
Any company forms (not necessarily benefits related) can be made available on the participant homepage
Easily update employee’s personal data
Review employee change requests via the employee’s e-mail log
Keep track of on-going issues via the Notes Log
Report Capability
• Management Reports
• Termination Summary Report
• Active Employee Listing
• Beneficiary Designation Reports (Group Life Insurance and 401k)
• Age Change Reports for various reasons including Medicare Eligibility
• Subsidiary Allocations
• Billing Reports - Core & Ancillary Billing reports and consolidations
• 1) Core & Ancillary New Hire & Open Enrollment Summary Reports – Includes the requested change and action taken on the request
• 2)Core & Ancillary New Hire & Open Enrollment Yet to Enroll Reports – Informs the administrator who has been hired (or during open enrollment) and has not gone into the system to request benefits
• COBRA Reports
• Customized Reports pertaining to financial, payroll and participant matters as reasonably requested by PROSPECTIVE CLIENT (without additional cost), which shall include, but not be limited to, the reports described on Exhibit “A” hereto
• ADHOC Reports – The purpose of the ADHOC Report is to pull various census information specified to your needs. This type of report is useful for tasks including:
• Complete Census
• Age Catch-Up inquiry for 401k
• Discrimination Reports (401k)
• Marketing materials easily available
• Re-organization
• Compensation Ratios
• Report of Employees by State for Taxes, LTD, STD, Out of Area Benefits
• Vesting for Special Programs
• Number of Covered Dependents
• NY State Pool Tax (who it may applicable to)
• Mailing Lists for Mail Merge
• State Specific Age Requirements
• Birthday Announcements
• Service Rewards
• Male/Female Ratios
• Exempt or Non-Exempt by Job Title
• Part-time people who are eligible for benefits
• Payroll Reports
• FSA Contribution and Participant Reports
• 401(K) Contribution and Participant Reports
• Complete Benefit Payroll Contributions
Personal Information Privacy
"Personal Information" means personally identifiable information including, without limitation, a person’s name, address, phone number, fax number, e-mail address, social security number or other government-issued identifier, credit card information and IP addresses, any information created, maintained, received or transmitted by a health plan, provider, or health care clearinghouse in any form, including but not limited to medical treatment information, health plan beneficiary number, and claims processing or experience information, in any media or format including computerized or electronic records as well as paper-based files, collected or used by BPM on PROSPECTIVE CLIENT ’s behalf.
In order to protect personal information as required under the Health Insurance Portability and Accountability Act (HIPAA) and generally under federal and state laws pertaining to the protection of personal information, BPM shall execute and return to PROSPECTIVE CLIENT the Business Associate Agreement in the form attached as Exhibit “A” hereto.
BPM acknowledges and agrees that PROSPECTIVE CLIENT shall at all times remain the sole owner of all Personal Information and has the right to direct BPM in connection with the collection, use, disclosure and retention of such Personal Information. Upon termination of this Agreement BPM will return all and any such Personal Information to PROSPECTIVE CLIENT as requested. BPM will collect, use, disclose and retain Personal Information solely for the purpose of performing the Services set forth in this Agreement. BPM agrees that it shall use PGP or other forms of encryption or secure technologies as agreed to in writing in advance by PROSPECTIVE CLIENT in connection with any transfer, communication or remote access connectivity involving Personal Information. BPM will implement and maintain reasonable but strict administrative, technical and physical safeguards as is standard in the industry regarding the protection of Personal Information. BPM will not disclose Personal Information to third parties without securing in advance PROSPECTIVE CLIENT express written approval, other than disclosures made on a need to know basis to authorized employees, agents and any limited subcontractors and such disclosures as are required by law. BPM will only collect, use, disclose and retain Personal Information in the United States, and will not transfer such Personal Information to any other country for any purpose without the prior written authorization of PROSPECTIVE CLIENT Within fifteen (15) days of the termination of this Agreement, BPM shall send PROSPECTIVE CLIENT a written certification by the CEO/President of BPM acknowledging that all Personal Information has been returned or destroyed.
BPM agrees that it shall not, at any time following the execution of this Agreement, use or disclose in any manner any Personal Information, as defined above,- BPM shall not misuse, misappropriate or disclose any information described herein, directly or indirectly, at any time during the term of this Agreement, or at any time thereafter, to anyone without the express written consent of PROSPECTIVE CLIENT . BPM shall be liable to PROSPECTIVE CLIENT for any and all damages suffered by PROSPECTIVE CLIENT or its employees for any breach of this Paragraph by BPM.
Termination: PROSPECTIVE CLIENT may terminate this Agreement at any time, with or without cause, upon providing BPM with 60-days advance written notice. Upon any such termination, BPM agrees to fully cooperate with PROSPECTIVE CLIENT and to cooperate with any third-party vendor that PROSPECTIVE CLIENT may retain to ensure a seamless transition of all services.
Fee Summary - Service Fees – the fees chargeable to
PROSPECTIVE CLIENT
shall be based on the following table and schedule.
PEPM refers to an Eligible Per Employee Per Month fee.
BPM will invoice Client at the PEPM rate.. Any changes to the requested services may result in an adjustment (positive or negative) to the PEPM and may result in retroactive charges to balance the account.
Payment Terms: Payment for Services is due net thirty (30) days from the date of receipt of BPM’s invoice.
EXHIBIT B
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) dated December 1, 2019 (the “Effective Date”), is entered into by and between BenefitPlan Manager Corp. (“Business Associate”), and PROSPECTIVE CLIENT , each a “Party” and collectively, the “Parties.”
WHEREAS, PROSPECTIVE CLIENT and Business Associate have entered into, or are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the “Business Arrangements”) pursuant to which Business Associate may provide products and/or services for PROSPECTIVE CLIENT that require Business Associate to access, create and use health information that is protected by state and/or federal law; and
WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services (“HHS”) promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and entities subject to the Privacy Standards (each a “Covered Entity”, or collectively, “Covered Entities”) to protect the privacy of certain individually identifiable health information (“Protected Health Information”, or “PHI”); and
WHEREAS, pursuant to HIPAA, HHS has issued the Security Standards (the “Security Standards”) at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information (“EPHI”); and
WHEREAS, in order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of the Covered Entity, the Privacy Standards and Security Standards require a Covered Entity to enter into a “business associate agreement” with certain individuals and entities providing services for or on behalf of the Covered Entity if such services require the use or disclosure of PHI or EPHI; and
WHEREAS, on February 17, 2009, the federal Health Information Technology for Economic and Clinical Health Act was signed into law (the “HITECH Act”), and the HITECH Act imposes certain privacy and security obligations on Covered Entities in addition to the obligations created by the Privacy Standards and Security Standards; and
WHEREAS, the HITECH Act revises many of the requirements of the Privacy Standards and Security Standards concerning the confidentiality of PHI and EPHI, including extending certain HIPAA and HITECH Act requirements directly to business associates; and
WHEREAS, , the HITECH Act requires that certain of its provisions be included in business associate agreements, and that certain requirements of the Privacy Standards be imposed contractually upon Covered Entities as well as business associates; and
WHEREAS, Business Associate and PROSPECTIVE CLIENT desire to enter into this Business Associate Agreement;
NOW, THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby acknowledged, the parties agree as follows:
1. Business Associate Obligations.Business Associate may receive from PROSPECTIVE CLIENT or create or receive on behalf of PROSPECTIVE CLIENT , health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the Privacy Standards, Security Standards or the HITECH Act, as applicable. All references to PHI herein shall be construed to include EPHI.
Business Associate agrees not to use or disclose, or permit the use or disclosure of, PHI in a manner that would violate any of the following laws:
a. The Privacy Standards, currently in effect and as amended.
b. The Security Standards, currently in effect and as amended.
c. The HITECH Act, currently in effect and as amended.
d. Any New Jersey State law, New York State law, Mississippi State law, Louisiana State law (and any other relevant jurisdiction) governing the safe and confidential treatment of information pertaining to an individual’s health condition or treatment of such health condition.
Collectively, “a” - “d” above are referred to herein as the “Privacy and Security Laws”.
Business Associate shall be solely responsible for understanding and complying with its obligations with respect to the Privacy and Security Laws.
2. Use of PHI. Except as otherwise required by law, Business Associate shall use PHI in compliance with Privacy and Security Laws. Furthermore, Business Associate shall use PHI (i) solely for PROSPECTIVE CLIENT ’s benefit and only for the purpose of performing services for PROSPECTIVE CLIENT as such services are defined in Business Arrangements, and (ii) as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. PROSPECTIVE CLIENT shall retain all rights in the PHI not granted herein. Use, creation, and disclosure of de-identified health information by Business Associate are not permitted unless expressly authorized in writing by PROSPECTIVE CLIENT .
3. Disclosure of PHI. Subject to any limitation in this Agreement, Business Associate may disclose PHI to any third-party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that (i) such disclosures are required by law, or (ii) Business Associate: (a) obtains legally binding assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) requires the third party to agree to immediately notify Business Associate of any instances of which it is aware the PHI is being used or disclosed for purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Privacy and Security Laws. Additionally, Business Associate shall ensure that all disclosures of PHI by Business Associate and the third party comply with the Privacy and Security Laws.
If Business Associate discloses PHI received from PROSPECTIVE CLIENT , or created or received by Business Associate on behalf of PROSPECTIVE CLIENT , to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to Business Associate under this Agreement. Business Associate shall report to PROSPECTIVE CLIENT any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within three (3) business days of Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 10 below, Business Associate agrees to mitigate any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement.
4. Document Retention. Business Associate shall retain any documentation required under this BAA and by state and federal law for six (6) years from the date of its creation or the date when it last was in effect, whichever is later. Business Associate shall review documentation periodically, and update as needed, in response to environmental and operational changes affecting the security of PHI.
5. Individual Rights Regarding Designated Record Sets. If Business Associate maintains a Designated Record Set on behalf of PROSPECTIVE CLIENT , Business Associate shall (i) provide access to, and permit inspection and copying of PHI by PROSPECTIVE CLIENT or, as directed by PROSPECTIVE CLIENT , an individual who is the subject of the PHI under conditions and limitations required under 45 CFR §164.524, as it may be amended from time to time, and (ii) amend PHI maintained by Business Associate as requested by PROSPECTIVE CLIENT Business Associate shall respond to any request from PROSPECTIVE CLIENT for access by an individual within five (5) days of such request and shall make any amendment requested by PROSPECTIVE CLIENT within ten (10) days of such request. Any information requested under this Section 5 shall be provided in the form or format requested, if it is readily producible in such form or format. PROSPECTIVE CLIENT shall determine whether a denial is appropriate or an exception applies. Business Associate shall notify PROSPECTIVE CLIENT within five (5) days of receipt of any request for access or amendment requested by the individual. Business Associate shall have a process in place for requests for amendments and for appending such requests to the Designated Record Set, as requested by PROSPECTIVE CLIENT
6. Accounting of Disclosures. Business Associate shall make available to PROSPECTIVE CLIENT in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual in accordance with 45 CFR §164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by HHS in accordance with such provision. Business Associate shall provide to PROSPECTIVE CLIENT such information necessary to provide an accounting within thirty (30) days of PROSPECTIVE CLIENT ’s request or such shorter time as may be required by state or federal law. Such accounting must be provided without cost to the individual or to PROSPECTIVE CLIENT if it is the first accounting requested by an individual within any twelve (12) month period. For subsequent accountings within any twelve (12) month period and if permitted by law, Business Associate may charge a reasonable fee based upon Business Associates’ labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) so long as Business Associate informs PROSPECTIVE CLIENT and PROSPECTIVE CLIENT informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI.
7. Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an individual’s specific authorization of the use of his or her PHI, and (i) the individual revokes such authorization in writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual’s PHI, unless an exception under the Privacy and Security Laws expressly applies.
8. Records and Audit. Business Associate shall make available to the United States Department of Health and Human Services or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of PROSPECTIVE CLIENT for the purpose of determining PROSPECTIVE CLIENT ’s compliance with the Privacy and Security Laws or any other health oversight agency, in a time and manner designated by the Secretary of the Department of Health and Human Services. Except to the extent prohibited by law, Business Associate agrees to notify PROSPECTIVE CLIENT immediately upon receipt by Business Associate of any and all requests by or on behalf of any and all federal, state and local government authorities served upon Business Associate for PHI.
9. Implementation of Security Standards; Notice of Security Incidents. . Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate will implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of PROSPECTIVE CLIENT Business Associate acknowledges that the HITECH Act requires Business Associate to comply with 45 C.F.R. §§164.308, 164.310, 164.312 and 164.316 as if Business Associate were a Covered Entity, and Business Associate agrees to comply with these provisions of the Security Standards and all additional security provisions of the HITECH Act. Furthermore, Business Associate will ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI. Lastly, Business Associate will immediately report to PROSPECTIVE CLIENT any successful Security Incident of which it becomes aware. At the request of PROSPECTIVE CLIENT , Business Associate shall identify: the date of the Security Incident, the scope of the Security Incident, Business Associate’s response to the Security Incident and the identification of the party responsible for causing the Security incident, if known.
10. Data Breach Notification and Mitigation.
10.1 HIPAA Data Breach Notification and Mitigation.
Business Associate agrees to implement effective systems for the discovery and prompt reporting of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. §164.402 (hereinafter a “HIPAA Breach”). The parties acknowledge and agree that 45 C.F.R. §164.404, as described below in this Section 10.1, governs the determination of the date of a HIPAA Breach. In the event of any conflict between this Section 10.1 and the Privacy and Security Laws, the more stringent requirements shall govern. Business Associate will, following the discovery of a HIPAA Breach, notify PROSPECTIVE CLIENT immediately and in no event later than three (3) business days after Business Associate discovers such HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigation. For purpose of reporting a HIPAA Breach to PROSPECTIVE CLIENT , the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable diligence would have been know, to any person (other than the person committing the HIPAA Breach) who is an employee, officer or other agent of Business Associate.
No later than seven (7) business days following a HIPAA Breach, Business Associate shall provide PROSPECTIVE CLIENT with sufficient information to permit PROSPECTIVE CLIENT to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. §164.400 et seq. Specifically, if the following information is known to (or can be reasonably obtained by) Business Associate, Business Associate will provide PROSPECTIVE CLIENT with: (i) contact information for individuals who were or who may have been impacted by the HIPAA Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the HIPAA Breach, including the date of the HIPAA Breach and date of discovery; (iii) a description of the types of unsecured PHI involved in the HIPAA Breach (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what Business Associate has done or is doing to investigate the HIPAA Breach, mitigate harm to the individual impacted by the HIPAA Breach, and protect against future HIPAA Breaches; and (v) appoint a liaison and provide contact information for same so that PROSPECTIVE CLIENT may ask questions or learn additional information concerning the HIPAA Breach. Following a HIPAA Breach, Business Associate will have a continuing duty to inform PROSPECTIVE CLIENT of new information learned by Business Associate regarding the HIPAA Breach, including but not limited to the information described in items (i) through (v), above.
10.2 Data Breach Notification and Mitigation Under Other laws.
In addition to the requirements of Section 10.1, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI, and referred to hereinafter as “Individually Identifiable Information”) that, if misused, disclosed, lost or stolen, PROSPECTIVE CLIENT believes would trigger an obligation under one or more State data breach notification laws (each a “State Breach”) to notify the individuals who are the subject of the information. Business Associate agrees that in the event any Individually Identifiable Information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws, Business Associate shall promptly: (i) cooperate and assist PROSPECTIVE CLIENT with any investigation into any State Breach or alleged State Breach: (ii) cooperate and assist PROSPECTIVE CLIENT with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (iii) comply with PROSPECTIVE CLIENT ’s determinations regarding PROSPECTIVE CLIENT ’s and Business Associate’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (iv) assist with the implementation of any decision by PROSPECTIVE CLIENT or any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach.
10.3 Breach Indemnification.
Business Associate shall indemnify, defend and hold PROSPECTIVE CLIENT and its Affiliates, and their respective officers, directors, employees, agents, successors and assigns harmless, from and against any and all losses, claims, actions, demands, liabilities, damages, costs and expenses (including costs of judgments, settlements, court costs and reasonable attorneys’ fees actually incurred) (collectively, “Information Disclosure Claims”) arising from or related to: (i) the use or disclosure of Individually Identifiable Information (including PHI) in violation of the terms of this Agreement or applicable law, and (ii) whether in oral, paper or electronic media, any use or disclosure of unsecured PHI and/or of Individually Identifiable Information that would constitute a HIPAA Breach or State Breach. If Business Associate assumes the defense of an Information Disclosure Claim, Business Associate shall not settle or take any other final action with respect to any Information Disclosure Claim without the prior written consent of PROSPECTIVE CLIENT To the extent permitted by law, Business Associate shall be fully liable to PROSPECTIVE CLIENT for any acts, failures or omissions of Recipients in furnishing the services as if they were Business Associate’s own acts, failures or omissions.
10.4 Breach Mitigation.
Business Associate’s obligations under the Agreement pertaining to its liability to PROSPECTIVE CLIENT for Incidents caused directly or indirectly, in whole or in part, by Business Associate or its agents or subcontractors expressly contemplate Business Associate’s agreement to reimburse PROSPECTIVE CLIENT for its costs and expenses associated with reasonable mitigation steps taken by PROSPECTIVE CLIENT in response to any such Incidents, including, but not limited to, the following: data analysis to determine appropriate mitigation steps in the event of either a HIPAA Breach or a State Breach, including assistance from Business Associate in the investigation of any such HIPAA or State Breach and, as needed, access to Business Associate’s systems and records for purposes of Breach data analysis; preparation and mailing of notification about any such HIPAA or State Breach to impacted Individuals, group health plans, the media and regulators; costs associated with proper handling of inquiries from Individuals and others about the HIPAA or State Breach (such as the establishment of toll-free numbers, maintenance of call centers for intake, preparation of scripts, questions/answers, and other communicative information about the HIPAA or State Breach); credit monitoring and account monitoring services for impacted Individuals for a reasonable period (which shall be no less than 12 months); other mitigation action steps required of PROSPECTIVE CLIENT by regulators; and other reasonable mitigation steps required of PROSPECTIVE CLIENT by its group health plan customers.
11. Term and Termination.
11.1 - This Agreement shall commence on the Effective Date and shall remain in effect until terminated in accordance with the terms of this Section 11, provided, however, that termination shall not affect the respective obligations or rights of the parties arising under this Agreement prior to the effective date of termination, all of which shall continue in accordance with their terms.
11.2 - PROSPECTIVE CLIENT shall have the right to terminate this Agreement for any reason upon thirty (30) days written notice to Business Associate.
11.3 - Either Party may immediately terminate this Agreement (the “Terminating Party”) and shall have no further obligations to the other Party (the “Terminated Party”) hereunder if any of the following events shall have occurred and be continuing:
(i)The Terminated Party fails to observe or perform any material covenant or obligation contained in this Agreement for ten (10) days after written notice thereof has been given to the Terminated Party; or
(ii)A violation by the Terminated Party of any provision of the Confidentiality Requirements or other applicable federal or state privacy law relating to the obligations of the Terminated Party under this Agreement.
11.4 - Termination of this Agreement for either of the two reasons set forth in Section 11.3 above shall be cause for PROSPECTIVE CLIENT to immediately terminate for cause any Business Arrangement pursuant to which Business Associate is entitled to receive PHI from PROSPECTIVE CLIENT
11.5 - Upon the termination of all Business Arrangements, either Party may terminate this Agreement by providing written notice to the other Party.
11.6 - Upon termination of this Agreement for any reason, Business Associate agrees either to return to PROSPECTIVE CLIENT or to destroy all PHI received from PROSPECTIVE CLIENT or otherwise through the performance of services for PROSPECTIVE CLIENT , that is in the possession or control of Business Associate or its agents. In the case of PHI which is not feasible to “return or destroy,” Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.
11.7 - In the event of any conflict between this Section 11 and the terms of the Business arrangements, this Section 11 shall control and prevail.
12. No Warranty. PHI IS PROVIDED TO BUSINESS ASSOCIATE SOLELY ON AN “AS IS” BASIS. PROSPECTIVE CLIENT DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.
13. Ineligible Persons. Business Associate represents and warrants to PROSPECTIVE CLIENT that Business Associate (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. Section 1320a-7b(f) (“the Federal Healthcare Programs”); (ii) has not been convicted of a criminal offense related to the provisions of health care items or services and not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, and (iii) is not under investigation or otherwise aware of any circumstances which may result in Business Associate being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation and warranty during the term of this Agreement, and Business Associate shall immediately notify PROSPECTIVE CLIENT of any change in the status of the representations and warranty set forth in this section. Any breach of this section shall give PROSPECTIVE CLIENT the right to terminate this Agreement immediately for cause.
14. Miscellaneous.
14.1 Notice.
All notices, requests, demands and other communications required or permitted to be given or made under this Agreement shall be in writing, shall be effective upon receipt or refusal to accept delivery, and shall be sent by (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) national service such as FedEx or UPS, with proof of delivery; or (iv) facsimile with return facsimile acknowledging receipt. Notices shall be sent to the addresses below. Neither party shall refuse delivery of any notice hereunder.
Notice to:
14.2 Waiver.
No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.
14.3 Assignment.
Neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party. Notwithstanding the foregoing, PROSPECTIVE CLIENT shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of PROSPECTIVE CLIENT , without the prior approval of Business Associate.
14.4 Severability.
Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.
14.5 Entire Agreement.
This Agreement and the Business Arrangements constitutes the complete agreement between Business Associate and PROSPECTIVE CLIENT relating to the matters specified in this Agreement, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this Agreement and the terms of the Business Arrangements or any such later agreement(s), the terms of this Agreement shall control unless the terms of such Business Arrangements are more strict with respect to PHI and comply with the Privacy and Security Laws, or the parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this Agreement shall be binding on either Party; provided, however, that upon the enactment of any law, regulation, court decision or relevant government publication and/or interpretive guidance or policy that PROSPECTIVE CLIENT believes in good faith will adversely impact the use or disclosure of PHI under this Agreement, PROSPECTIVE CLIENT may amend the Agreement to comply with such law, regulation, court decision or government publication, guidance or policy by delivering a written amendment to Business Associate which shall be effective thirty (30) days after receipt. No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. Except for PROSPECTIVE CLIENT and its Affiliates, no third party shall be considered a third-party beneficiary under this Agreement, nor shall any third party have any rights as a result of this Agreement.
14.6 Governing Law.
This Agreement shall be governed by and interpreted in accordance with the laws of the state of New York, excluding its conflicts of laws provisions.
14.7 Equitable Relief.
Business Associate understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this Agreement will cause PROSPECTIVE CLIENT irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that PROSPECTIVE CLIENT shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as PROSPECTIVE CLIENT shall deem appropriate. Such right of PROSPECTIVE CLIENT is to be in addition to the remedies otherwise available to PROSPECTIVE CLIENT at law or in equity. Business Associate expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by PROSPECTIVE CLIENT
14.8 Nature of Agreement; Independent Contractor.
Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) a relationship of employer and employee between the parties. Business Associate is an independent contractor, and not an agent of PROSPECTIVE CLIENT This Agreement does not express or imply any commitment to purchase or sell goods or services.
14.9 Counterparts.
This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought. Signatures to this Agreement transmitted by facsimile transmission, by electronic mail in portable document format (“.pdf”) form, or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, will have the same force and effect as physical execution and delivery of the paper document bearing the original signature.