HIPAA Business Associate Amendment to PBM Services Agreement
Between
Augusta, Georgia and Magellan Rx Management, LLC
THIS IS AN AMENDMENT to the Services Agreement dated January 1, 2017 entered into this
____ day of [date illegible in source], 20__ by and between Augusta, Georgia
("Sponsor") and Magellan Rx Management, LLC (hereafter "MRx").
Sponsor and MRx, by their duly authorized representatives, hereby agree to amend the PBM
Services Agreement by adding the following:
HIPAA Compliance. Compliance with the Administrative Simplification Provisions of the
Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") and the
accompanying Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts
160 and 164, as modified by the HIPAA Omnibus Rule, (collectively, the "HIPAA Regulations")
as well as the applicable provisions of Subtitle D of Title XIII of the American Recovery and
Reinvestment Act of 2009 (the "HITECH Act"), along with the general precepts of privacy, data
security, availability and integrity of individually identifiable health information, are core to
Sponsor's business. MRx shall ensure that all its products and services provided to Sponsor
hereunder shall be provided in compliance with all federal and state laws and regulations
governing the privacy and security of Protected Health Information ("PHI"), as defined in the
HIPAA Regulations. Any capitalized terms in this Amendment shall have the meaning set forth
in the HIPAA Regulations unless otherwise stated. MRx agrees as follows:
1. Protected Health Information. In the course of performing its duties and obligations
under the PBM Services Agreement, MRx shall create, receive, maintain, or transmit
certain confidential individually identifiable health related information concerning
individuals who are health plan members of Sponsor that constitutes PHI.
2. Obligations of Business Associate with Respect to PHI. MRx covenants and agrees that
it shall:
2.1 Not use or further disclose PHI, other than as permitted or required under this
Amendment or the Services Agreement, as permitted expressly in writing by
Sponsor, or as otherwise permitted or required by law.
2.2 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any
Subcontractor (as defined in the HIPAA Regulations) that creates, receives,
maintains, or transmits Sponsor's PHI on behalf of MRx agrees in writing to the
same restrictions, conditions, and requirements that apply to MRx in this
Amendment with respect to such PHI.
2.3 Use appropriate safeguards to prevent the use or disclosure of PHI, other than as
provided for in this Amendment.
2.4 Report to Sponsor any use or disclosure of PHI not authorized under this
Amendment (an "Unauthorized Use or Disclosure") of which it becomes aware.
In addition, except as provided in 45 CFR 164.412 (related to delays requested
by law enforcement), MRx shall, following the discovery of a "Breach" of
"Unsecured Protected Health Information" (as these terms are defined at 45
CFR 164.402), notify Sponsor of such Breach. MRx shall provide the
notification without unreasonable delay and in no case later than 60 calendar
days after discovery of a Breach, as set forth at 45 CFR 164.410. The
notification shall include, to the extent possible, the identification of each
individual whose Unsecured Protected Health Information has been, or is
reasonably believed by MRx to have been, accessed, acquired, used, or
disclosed during the Breach. MRx shall provide Sponsor with any other
available information that Sponsor is required to include in notification to the
individual under 45 CFR 164.404(c) at the time of the notification or promptly
thereafter as information becomes available.
2.5 Make available to Sponsor or to the Individual, for inspection and copying, any
PHI in a Designated Record Set about the individual which MRx created for
or received from Sponsor, and that is in MRx's custody or control, in
accordance with applicable law, including 45 CFR 164.524.
2.6 Upon notice from Sponsor, amend any portion of the PHI in a Designated Record
Set received or created by MRx for Sponsor in accordance with applicable law,
including 45 CFR 164.526. For information created by MRx, an agreement to
amend the information will be a mutual decision reached by Sponsor and MRx.
2.7 Maintain and make available to Sponsor information regarding PHI received or
created by MRx that is required for an accounting of disclosures in accordance
with applicable law, including 45 CFR 164.528 and applicable provisions of the
HITECH Act as of the compliance date for such provisions. MRx may also
make available to individuals who are the subject of PHI received or created by
MRx any and all information required for an accounting of disclosure in
accordance with such applicable law if the individual requests an accounting
directly from MRx.
2.9 Make MRx's internal practices, books and records relating to the use and
disclosure of PHI created, received, maintained, or transmitted by MRx on behalf
of Sponsor available to the Secretary of the U.S. Department of Health and
Human Services for purposes of determining Sponsor's and/or MRx's
compliance with the HIPAA Regulations.
2.10 Return all PHI created, received, or maintained by MRx on behalf of Sponsor
upon termination of the Services Agreement (retaining no copies of such
information). If MRx is unable to return PHI upon termination of the Services Agreement,
then MRx shall notify Sponsor with an explanation of when MRx will return all
PHI, or, if return of PHI is not feasible, that MRx will destroy all PHI; or MRx
shall continue to protect all PHI according to the covenants and representations
contained herein if MRx is unable to return or destroy PHI upon termination of
the Services Agreement for so long as it maintains such PHI.
2.11 Except where the minimum necessary standard does not apply (as set forth at 45
CFR 164.502(b)(2)), MRx shall ensure that any use, disclosure, or request for
PHI is limited, to the extent practicable, to the limited data set (as defined at 45
CFR 164.514(e)(2)); otherwise, MRx shall make reasonable efforts to limit PHI
to the minimum necessary to accomplish the intended purpose of the use,
disclosure,or request.
2.12 To the extent MRx is to carry out one or more of Sponsor's obligation(s) under
the Privacy Rule, MRx shall comply with the requirements of the Privacy Rule
that apply to the Sponsor in the performance of such obligation(s).
3. Permissible Use and Disclosure of PHI by Business Associate. MRx acknowledges that
the provisions of the HIPAA Privacy Rule with respect to the use and disclosure of PHI
are now directly applicable to business associates pursuant to the HITECH Act and the
HIPAA Omnibus Rule. The parties agree however that MRx has the following rights
regarding PHI:
3.1 MRx may use PHI for MRx's proper management and administration or to carry
out its legal rights and responsibilities.
3.2 If requested by Sponsor, MRx may provide data aggregation services relating to
the health care operations of Sponsor.
3.3 MRx may disclose PHI for MRx's proper management and administration or to
carry out its legal rights and responsibilities:
3.3.1 if the disclosure is required by law; or
3.3.2 if MRx obtains reasonable assurances from the person to whom the
information is disclosed that it will be held confidentially and used or
further disclosed only as required by law or for the purpose for which it
was disclosed to the person and the person agrees to immediately notify
MRx of any instances of which it is aware in which the confidentiality of
the information has been breached. Reasonable assurances shall be
defined as a written agreement that complies with the HIPAA
Regulations.
4. Compliance with the HIPAA Security Rule. MRx acknowledges that the provisions of
the HIPAA Security Rule with respect to electronic PHI are now directly applicable to
business associates pursuant to the HITECH Act and the HIPAA Omnibus Rule. MRx
shall comply with such provisions and shall:
4.1 Implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the electronic
protected health information that it creates, receives, maintains or transmits on behalf
of Sponsor as required to comply with the HIPAA Security Rule.
4.2 Ensure that a Subcontractor to whom MRx provides such information agrees in
writing to implement reasonable and appropriate safeguards to protect it.
4.3 Have a system in place to report to Sponsor any security incident of which it becomes
aware. Security incident, as defined in the HIPAA Security Rule, means the
attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in an information
system.
5. Obligations of Business Associate Regarding Standard Transactions. MRx shall:
5.1 Comply with all applicable provisions of 45 CFR Part 162 (the "HIPAA
Transactions Rule") when exchanging information electronically in Standard
Transactions (as defined and governed by the HIPAA Transactions Rule). MRx
will comply with any future required transactions or code set standards adopted
by the U.S. Department of Health and Human Services before the applicable
compliance date.
5.2 Ensure that any agents, including, but not limited to, contractors and
subcontractors, that assist MRx to conduct Standard Transactions on behalf of
Sponsor, agree in writing to comply with the HIPAA Transactions Rule.
5.3 Not change the definition, data condition, or use of a data element or segment in
Standard Transactions.
5.4 Not add any data elements or segments to the maximum defined data set in
Standard Transactions.
5.5 Not use any code or data elements that are either marked "not used" in the
standard's implementation specification or are not in the standard's
implementation specification(s).
5.6 Not change the meaning or intent of the standard's implementation
specification(s).
6. Amendment. Upon the enactment of any law or regulation affecting the use or disclosure
of PHI, or the publication of any decision of a court of the United States or in any state
court relating to any such law, or the publication of any interpretive policy or opinion of
any governmental agency charged with the enforcement of any such law or regulation,
Sponsor may, by written notice to MRx, amend this Amendment in such a manner as
Sponsor determines necessary to comply with such law or regulation. If MRx disagrees
with any such amendment, it shall so notify Sponsor in writing within thirty (30) days of
Sponsor's notice. If the parties are unable to agree on an amendment within thirty (30)
days thereafter, either party may terminate this Amendment upon prior written notice to
the other.
7. Interpretation. Any ambiguity in this Amendment shall be resolved in favor of a meaning
that permits Sponsor and/or MRx, as applicable, to comply with the HIPAA Regulations
and/or the HITECH Act, as applicable.
8. Termination for Cause. Upon either party's knowledge of a breach or violation of a
material term of this Amendment by the other party, the non-breaching party shall either:
8.1 Provide an opportunity for the breaching party to cure the breach or end the
violation and terminate this Amendment if the breaching party does not cure the
breach or end the violation within 30 business days of written notice of breach
from the non-breaching party; or
8.2 Immediately terminate this Amendment if cure is not possible.
SPONSOR                                  MRX
Signature: [illegible]                   Signature: [illegible]
By: [illegible]                          By: [illegible]
Title: [illegible]                       Title: [illegible]