HIPAA Business Associate Amendment to PBM Services Agreement Between Augusta, Georgia and Magellan Rx Management, LLC

THIS AMENDMENT to the Services Agreement dated January 1, 2017, entered into this [illegible] day of [illegible], 20[illegible], by and between Augusta, Georgia ("Sponsor") and Magellan Rx Management, LLC (hereafter "MRx"). Sponsor and MRx, by their duly authorized representatives, hereby agree to amend the PBM Services Agreement by adding the following:

HIPAA Compliance. Compliance with the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") and the accompanying Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as modified by the HIPAA Omnibus Rule (collectively, the "HIPAA Regulations"), as well as the applicable provisions of Subtitle D of Title XIII of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), along with the general precepts of privacy, data security, availability and integrity of individually identifiable health information, are core to Sponsor's business. MRx shall ensure that all its products and services provided to Sponsor hereunder shall be provided in compliance with all federal and state laws and regulations governing the privacy and security of Protected Health Information ("PHI"), as defined in the HIPAA Regulations. Any capitalized terms in this Amendment shall have the meaning set forth in the HIPAA Regulations unless otherwise stated. MRx agrees as follows:

1. Protected Health Information.
In the course of performing its duties and obligations under the PBM Services Agreement, MRx shall create, receive, maintain, or transmit certain confidential individually identifiable health related information concerning individuals who are health plan members of Sponsor that constitutes PHI.

2. Obligations of Business Associate with Respect to PHI.

MRx covenants and agrees that it shall:

2.1 Not use or further disclose PHI, other than as permitted or required under this Amendment or the Services Agreement, as permitted expressly in writing by Sponsor, or as otherwise permitted or required by law.

2.2 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor (as defined in the HIPAA Regulations) that creates, receives, maintains, or transmits Sponsor's PHI on behalf of MRx agrees in writing to the same restrictions, conditions, and requirements that apply to MRx in this Amendment with respect to such PHI.

2.3 Use appropriate safeguards to prevent the use or disclosure of PHI, other than as provided for in this Amendment.

2.4 Report to Sponsor any use or disclosure of PHI not authorized under this Amendment (an "Unauthorized Use or Disclosure") of which it becomes aware. In addition, except as provided in 45 CFR 164.412 (related to delays requested by law enforcement), MRx shall, following the discovery of a "Breach" of "Unsecured Protected Health Information" (as these terms are defined at 45 CFR 164.402), notify Sponsor of such Breach. MRx shall provide the notification without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach, as set forth at 45 CFR 164.410. The notification shall include, to the extent possible, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by MRx to have been, accessed, acquired, used, or disclosed during the Breach.
MRx shall provide Sponsor with any other available information that Sponsor is required to include in notification to the individual under 45 CFR 164.404(c) at the time of the notification or promptly thereafter as information becomes available.

2.5 Make PHI in a Designated Record Set available to Sponsor or to the Individual for inspection and copying of any PHI about the individual which MRx created for or received from Sponsor, and that is in MRx's custody or control, in accordance with applicable law, including 45 CFR 164.524.

2.6 Upon notice from Sponsor, amend any portion of the PHI in a Designated Record Set received or created by MRx for Sponsor in accordance with applicable law, including 45 CFR 164.526. For information created by MRx, an agreement to amend the information will be a mutual decision reached by Sponsor and MRx.

2.7 Maintain and make available to Sponsor information regarding PHI received or created by MRx that is required for an accounting of disclosures in accordance with applicable law, including 45 CFR 164.528 and applicable provisions of the HITECH Act as of the compliance date for such provisions. MRx may also make available to individuals who are the subject of PHI received or created by MRx any and all information required for an accounting of disclosures in accordance with such applicable law if the individual requests an accounting directly from MRx.

2.9 Make MRx's internal practices, books and records relating to the use and disclosure of PHI created, received, maintained, or transmitted by MRx on behalf of Sponsor available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Sponsor's and/or MRx's compliance with the HIPAA Regulations.

2.10 Return all PHI created, received, or maintained by MRx on behalf of Sponsor upon termination of the Services Agreement (retaining no copies of such information).
If MRx is unable to return PHI upon termination of the Contract, then MRx shall notify Sponsor with an explanation of when MRx will return all PHI, or, if return of PHI is not feasible, that MRx will destroy all PHI; or MRx shall continue to protect all PHI according to the covenants and representations contained herein if MRx is unable to return or destroy PHI upon termination of the Services Agreement for so long as it maintains such PHI.

2.11 Except where the minimum necessary standard does not apply (as set forth at 45 CFR 164.502(b)(2)), MRx shall ensure that any use, disclosure, or request for PHI is limited, to the extent practicable, to the limited data set (as defined at 45 CFR 164.514(e)(2)); otherwise, MRx shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

2.12 To the extent MRx is to carry out one or more of Sponsor's obligation(s) under the Privacy Rule, MRx shall comply with the requirements of the Privacy Rule that apply to the Sponsor in the performance of such obligation(s).

3. Permissible Use and Disclosure of PHI by Business Associate.

MRx acknowledges that the provisions of the HIPAA Privacy Rule with respect to the use and disclosure of PHI are now directly applicable to business associates pursuant to the HITECH Act and the HIPAA Omnibus Rule. The parties agree, however, that MRx has the following rights regarding PHI:

3.1 MRx may use PHI for MRx's proper management and administration or to carry out its legal rights and responsibilities.

3.2 If requested by Sponsor, MRx may provide data aggregation services relating to the health care operations of Sponsor.
3.3 MRx may disclose PHI for MRx's proper management and administration or to carry out its legal rights and responsibilities:

3.3.1 if the disclosure is required by law; or

3.3.2 if MRx obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to immediately notify MRx of any instances of which it is aware in which the confidentiality of the information has been breached. Reasonable assurances shall be defined as a written agreement that complies with the HIPAA Regulations.

4. Compliance with the HIPAA Security Rule.

MRx acknowledges that the provisions of the HIPAA Security Rule with respect to electronic PHI are now directly applicable to business associates pursuant to the HITECH Act and the HIPAA Omnibus Rule. MRx shall comply with such provisions and shall:

4.1 Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of Sponsor as required to comply with the HIPAA Security Rule.

4.2 Ensure that a Subcontractor to whom MRx provides such information agrees in writing to implement reasonable and appropriate safeguards to protect it.

4.3 Have a system in place to report to Sponsor any security incident of which it becomes aware. Security incident, as defined in the HIPAA Security Rule, means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

5. Obligations of Business Associate Regarding Standard Transactions.
MRx shall:

5.1 Comply with all applicable provisions of 45 CFR Part 162 (the "HIPAA Transactions Rule") when exchanging information electronically in Standard Transactions (as defined and governed by the HIPAA Transactions Rule). MRx will comply with any future required transactions or code set standards adopted by the U.S. Department of Health and Human Services before the applicable compliance date.

5.2 Ensure that any agents, including, but not limited to, contractors and subcontractors, that assist MRx to conduct Standard Transactions on behalf of Sponsor agree in writing to comply with the HIPAA Transactions Rule.

5.3 Not change the definition, data condition, or use of a data element or segment in Standard Transactions.

5.4 Not add any data elements or segments to the maximum defined data set in Standard Transactions.

5.5 Not use any code or data elements that are either marked "not used" in the standard's implementation specification or are not in the standard's implementation specification(s).

5.6 Not change the meaning or intent of the standard's implementation specification(s).

6. Amendment.

Upon the enactment of any law or regulation affecting the use or disclosure of PHI, or the publication of any decision of a court of the United States or in any state court relating to any such law, or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, Sponsor may, by written notice to MRx, amend this Amendment in such a manner as Sponsor determines necessary to comply with such law or regulation. If MRx disagrees with any such amendment, it shall so notify Sponsor in writing within thirty (30) days of Sponsor's notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, either party may terminate this Amendment upon prior written notice to the other.

7. Interpretation.
Any ambiguity in this Amendment shall be resolved in favor of a meaning that permits Sponsor and/or MRx, as applicable, to comply with the HIPAA Regulations and/or the HITECH Act, as applicable.

8. Termination for Cause.

Upon either party's knowledge of a breach or violation of a material term of this Amendment by the other party, the non-breaching party shall either:

8.1 Provide an opportunity for the breaching party to cure the breach or end the violation, and terminate this Amendment if the breaching party does not cure the breach or end the violation within 30 business days of written notice of breach from the non-breaching party; or

8.2 Immediately terminate this Amendment if cure is not possible.

SPONSOR
Signature: [illegible]
By: [illegible]
Title: [illegible]

MRX
Signature: [illegible]
By: [illegible]
Title: [illegible]