15.E.1. HIPAA Compliance Action - Res. No. 5882
CITY OF SHAKOPEE
Memorandum CONSENT
TO: Mayor and City Council
FROM: Mark McNeill, City Administrator
Marilyn Remer, Payroll/Benefits Coordinator
SUBJECT: HIPAA Compliance Action
DATE: April 10, 2003
INTRODUCTION:
The Council is asked to adopt a resolution that adopts the HIPAA Privacy Changes into
the City of Shakopee Flexible Spending Plan.
BACKGROUND:
The Health Insurance Portability and Accountability Act (HIPAA) was passed by
Congress in 1996. As a result of HIPAA, the majority of health plans across the nation
are now required to apply uniform portability and accessibility standards to new
employees or applications for health coverage. The portability provision ensures that
individuals are now free to change employers and health plans without risk of coverage
limitations because of preexisting medical conditions. The motivation for HIPAA came
from a variety of changes over the years: the creation of authorized medical spending
accounts; the need for parity in mental health benefits, tax treatment for long-term care,
and administrative simplification.
Although many of HIPAA's rules became effective in 1996 and 1997, the Privacy Rule
becomes effective April 14, 2003 (2004 for small health plans). The Privacy Rule protects
the confidentiality of an individual's health information and provides a national privacy
standard. By definition the City is a small employer, so we have until April 14, 2004, in
which to comply with the provisions of the law for the city's fully insured health and dental
plans. Stanton is taking the necessary steps to comply with the Administrative
Simplification provisions of HIPAA for their clients' Flexible Spending Plans by the
April 14, 2003 deadline.
A resolution has been drafted which adopts the HIPAA changes into the City's Flexible
Spending Plan. As a plan sponsor, the City is required to enter into a written agreement
with vendors or subcontractors who perform administrative functions and access the
individual health information of employees; therefore the second action authorizes the
execution of a HIPAA Business Associate Addendum Agreement with the Stanton
Group.
ACTION REQUIRED:
If the Council concurs, it should, by motion, adopt the following actions:
1.) By motion, adopt the following Resolution:
RESOLUTION NO. 5882
A RESOLUTION ADOPTING HIPAA CHANGES TO THE CITY OF SHAKOPEE
FLEXIBLE BENEFITS PLAN THEREBY AUTHORIZING the STANTON GROUP
TO CREATE A SUMMARY OF MATERIAL MODIFICATION (SMM)
2) By motion, authorize the appropriate staff to execute the attached Business
Associate Agreement with the Stanton Group.
Mark McNeill
City Administrator
MM:th
RESOLUTION NO. 5882
A RESOLUTION ADOPTING HIPAA CHANGES TO THE CITY OF SHAKOPEE
FLEXIBLE BENEFITS PLAN THEREBY AUTHORIZING the STANTON GROUP TO
CREATE A SUMMARY OF MATERIAL MODIFICATION (SMM)
WHEREAS, the City of Shakopee currently provides a Flexible Spending Account Plan
(the "Plan"), in order to allow employees to pay for, and to be reimbursed for, certain medical
and dependent care expenses on a pre-tax basis; and
WHEREAS, the Stanton Group has been authorized to administer the Plan; and
WHEREAS, the Plan is required to comply with regulations promulgated by the
Department of Health and Human Services under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) relating to certain privacy requirements, codified at 45
C.F.R. Part 164 (the "Privacy Rule"); and
WHEREAS, Section 164.504(f)(2) of the Privacy Rule requires the Plan to be amended by
April 14, 2003 in certain respects to be in compliance with HIPAA; and
WHEREAS, the City of Shakopee wishes to amend the Plan to comply with HIPAA and
the Privacy Rule, effective April 14, 2003.
NOW, THEREFORE, BE IT RESOLVED, that the City Council of the City of Shakopee
hereby authorizes the Stanton Group to amend the Plan by adding the following new Section:
Health Insurance Portability and Accountability Act
The Plan may use your health information, that is, information that constitutes
protected health information as defined in the Privacy Rule of the Administrative
Simplification provision of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA), for purposes of making or obtaining payment for your care and
conducting health care operations. The Plan has established a policy to guard
against unnecessary disclosure of your health information and its improper use.
You will receive a separate Notice of Privacy Practices (attached), which will
summarize the policies, procedures and safeguards that are taken by the Plan to
protect the privacy of your health information and explain your rights under
HIPAA's Privacy Rule.
Adopted in ________ session of the City Council of the City of
Shakopee, Minnesota, held this ____ day of ________, 2003.
Mayor of the City of Shakopee
ATTEST:
City Clerk
The Stanton Group, Inc.
HIPAA Business Associate Addendum
This HIPAA Business Associate Addendum ("Addendum") supplements and is made a
part of the administrative services agreement and as modified by any future amendment
or restatement of such contract ("Agreement") by and between on behalf of and in its
capacity as Plan Administrator of the Covered Entity ("CE") and Stanton Group, Inc.
("Stanton"). This Addendum is effective as of April 14, 2003.
RECITALS.
A. CE wishes to disclose certain information ("Information") to STANTON pursuant
to the terms of the Addendum, some of which may constitute Protected Health
Information ("PHI").
B. CE and STANTON intend to protect the privacy and provide for the security of
PHI disclosed to STANTON pursuant to the Addendum in compliance with the Health
Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and
regulations promulgated thereunder by the U.S. Department of Health and Human
Services (the "HIPAA Regulations") and other applicable laws.
C. The purpose of this Addendum is to satisfy certain standards and requirements
of the Privacy Rule, including, but not limited to, Title 45, Section 164.504(e) of the
Code of Federal Regulations ("CFR"), as the same may be amended from time to
time.
In consideration of the mutual promises below and the exchange of information
pursuant to this Addendum, the parties agree as follows:
AGREEMENT. The parties identified above agree as follows:
1. Definitions.
a. "CE" or "Covered Entity" for the purpose of this Addendum shall mean
[name of health plan] and the term shall have the
meaning given under the HIPAA Regulations, including, but not limited to, 45
CFR Section 160.103.
b. "Stanton Group, Inc." or "STANTON" is a business associate of the CE as
that term is defined under the Privacy Rule, including, but not limited to, the
Privacy Rule found at 45 CFR Section 160.103.
c. "Individual" shall have the same meaning as given in 45 CFR 164.501 and
shall include a person who qualifies as a personal representative in accordance
with 45 CFR 164.502(g).
1514541v4 A-1
d. "Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR parts 160 and 164, subparts A and E, as
set forth in HIPAA and the HIPAA Regulations.
e. "Protected Health Information" or "PHI" means any information, whether
oral or recorded in any form or medium: (i) that relates to the past, present or
future physical or mental condition of an individual; the provision of health care to
an individual; or the past, present or future payment for the provision of health
care to an individual, and (ii) that identifies the individual or with respect to which
there is a reasonable basis to believe the information can be used to identify the
individual, (iii) which is limited to the information created or received by
STANTON from or on behalf of Covered Entity, and shall have the meaning
given to such term under the Privacy Rule, including, but not limited to 45 CFR
Section 164.501.
f. "Required By Law" shall have the same meaning as the term "required by
law" in 45 CFR 164.501.
g. "Secretary" shall mean the Secretary of the U.S. Department of Health
and Human Services or his designee.
2. Obligations of STANTON.
a. Permitted Uses and Disclosures. STANTON may use and/or disclose PHI
received by STANTON pursuant to this Addendum ("CE's PHI") solely in
accordance with the specifications set forth in the administrative services
agreement in effect, as set forth in the Agreement, which is incorporated herein
by reference. In the event of any conflict between this Addendum and the
Agreement with respect to an issue regarding compliance with the Privacy Rule,
this Addendum shall control.
b. Nondisclosure. STANTON shall not use or further disclose CE's PHI
otherwise than as permitted or required by this Addendum or as Required By
Law.
c. Safeguards. STANTON shall use appropriate safeguards to prevent use
or disclosure of CE's PHI otherwise than as provided for by this Addendum.
d. Reporting of Disclosures. STANTON shall report to CE any use or
disclosure of CE's PHI otherwise than as provided for by this Addendum of which
STANTON becomes aware.
e. STANTON's Agents. STANTON shall ensure that any agents and/or
subcontractors, to whom it provides PHI received from (or created or received by
STANTON on behalf of) CE agree to the same restrictions and conditions that
apply to STANTON with respect to such PHI.
f. Access to and Accountings of PHI. STANTON shall make available to
CE's Plan Participants such information as required to fulfill the Plan's obligations
to provide access to, provide a copy of, and account for disclosures with respect
to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited
to, 45 CFR Sections 164.524 and 164.528. STANTON shall also retain a copy of
its list of disclosures of PHI and provide such list to CE upon request and/or upon
termination of this Agreement.
g. Amendment of PHI. STANTON shall make the PHI of a Plan Participant
available to that Participant and also shall receive, review and respond to
requests for amendment or correction of the PHI of a requesting Plan Participant
as required to fulfill the Plan's obligations to amend PHI pursuant to HIPAA and
the HIPAA Regulations, including, but not limited to, 45 CFR Section 164.526,
and STANTON shall incorporate any amendments to the Plan's PHI into copies
of such PHI maintained by Business Associate.
h. Internal Practices. STANTON shall make its internal practices, books and
records relating to the use and disclosure of PHI received from CE (or created or
received by STANTON on behalf of CE) available to the Secretary for purposes
of determining STANTON's compliance with the Privacy Rule.
i. Notification of Breach. During the term of this Addendum, STANTON shall
notify CE within forty-eight (48) hours or if later, by the end of the next business
day of any suspected or actual breach of security, intrusion or unauthorized use
or disclosure of PHI and/or any actual or suspected use or disclosure of data in
violation of any applicable federal or state laws or regulations. STANTON shall
take (i) prompt corrective action to cure any such deficiencies and (ii) any action
pertaining to such unauthorized disclosure required by applicable federal and
state laws and regulations.
j. Document Retention. STANTON shall maintain PHI for a period of six
years from the date received or transmitted, unless CE agrees to receive and
store the PHI itself.
3. Obligations of CE.
a. Disclosure of PHI in accordance with Privacy Rule. Pursuant to the terms
of this Addendum and the Privacy Rule, CE shall disclose PHI to STANTON in
accordance with the Privacy Rule and this Addendum. Disclosure under this
Addendum may also include disclosure directly to STANTON from CE's agents
or subcontractors, or another covered entity or business associate of the CE
(besides the health plan, which may include but is not limited to a claims
administrator, insurer, third party administrator or health care provider or
clearinghouse) which maintains and has access to the CE's PHI, provided that
such disclosure is in accordance with the Privacy Rule and any contracts
regarding disclosures of PHI entered into between the CE and the agent,
subcontractor, other covered entity or business associate of the CE.
b. Safeguards. CE shall be responsible for using appropriate safeguards to
maintain and ensure the confidentiality, privacy and security of PHI transmitted to
STANTON pursuant to this Addendum, in accordance with the standards and
requirements of HIPAA and the HIPAA Regulations, until such PHI is received by
STANTON.
c. Notice of Privacy Practices. CE shall provide STANTON with the notice of
privacy practices in accordance with the Privacy Rule that CE produces in
accordance with 45 CFR 164.520, as well as any changes or updates to such
notice.
d. Notice of Changes in Authorizations or Consents. CE shall provide
STANTON with any changes in, or revocation of, permission by Individual to use
or disclose PHI, if such changes affect STANTON's permitted or required uses
and disclosures.
e. Notice of Restrictions. CE shall notify STANTON of any restriction to the
use or disclosure of PHI that CE has agreed to in accordance with 45 CFR
164.522.
4. Audits, Inspection and Enforcement.
From time to time upon reasonable notice, upon a reasonable determination by
CE that STANTON has breached this Addendum, CE may inspect the facilities,
systems, books and records of STANTON to monitor compliance with this
Addendum. STANTON shall promptly remedy any violation of any term of this
Addendum and shall certify the same to CE in writing. The fact that CE inspects,
or fails to inspect, or has the right to inspect, STANTON's facilities, systems and
procedures does not relieve STANTON of its responsibility to comply with this
Addendum, nor does CE's (i) failure to detect or (ii) detection, but failure to notify
STANTON or require STANTON's remediation of any unsatisfactory practices,
constitute acceptance of such practice or a waiver of CE's enforcement rights
under this Addendum.
5. Termination.
a. Material Breach. A material breach by STANTON or CE of any provision
of this Addendum shall provide grounds for immediate termination of the
Agreement under written notice to STANTON by CE.
b. Reasonable Steps to Cure Breach. If CE knows of a pattern of activity or
practice of STANTON that constitutes a material breach or violation of
STANTON's obligations under the provisions of this Addendum or another
arrangement and does not terminate this Addendum pursuant to Section 4(a),
then CE shall take reasonable steps to cure such breach or end such violation,
as applicable. If CE's efforts to cure such breach or end such violation are
unsuccessful, CE shall either (i) terminate this Addendum, if feasible or (ii) if
termination of this Addendum is not feasible, CE shall report STANTON's breach
or violation to the Secretary.
c. Judicial or Administrative Proceedings. Either party may terminate this
Addendum, effective immediately, if (i) the other party is named as a defendant in
a criminal proceeding for a violation of HIPAA or (ii) a finding or stipulation that
the other party has violated any standard or requirement of HIPAA or other
security or privacy laws is made in any administrative or civil proceeding in which
the party has been joined.
d. Effect of Termination. Upon termination of this Addendum for any reason,
STANTON shall return and/or destroy (unless subject to a court order prohibiting
destruction or requiring production) all PHI received from CE (or created or
received by STANTON on behalf of CE) that STANTON still maintains in any
form, and shall retain no copies of such PHI or, if return or destruction is not
feasible, it shall continue to extend the protections of this Addendum to such
information, and limit further use of such PHI to those purposes that make the
return or destruction of such PHI infeasible.
6. Indemnification.
Each party will indemnify, hold harmless and defend the other party to this
Addendum from and against any and all claims, losses, liabilities, costs and other
expenses incurred as a result of, or arising directly or indirectly out of or in
connection with: (i) any misrepresentation, breach of warranty or partial
fulfillment or non-fulfillment of any undertaking on the part of the party under this
Addendum; and (ii) any claims, demands, awards, judgments, actions and
proceedings made by any person or organization arising out of or in any way
connected with the party's performance under this Addendum.
7. Disclaimer.
CE makes no warranty or representation that compliance by STANTON with this
Addendum, HIPAA or the HIPAA Regulations will be adequate or satisfactory for
STANTON's own purposes or that any information in STANTON's possession or
control, or transmitted or received by STANTON, is or will be secure from
unauthorized use or disclosure. STANTON is solely responsible for all decisions
made by STANTON regarding the safeguarding of PHI.
8. Certification.
To the extent that CE determines that such examination is necessary to comply
with CE's legal obligations pursuant to HIPAA relating to certification of its
security practices, CE or its authorized agents and/or subcontractors, may, at
CE's expense, examine STANTON's facilities, systems, procedures and records
as may be necessary for such agents or subcontractors to certify to CE the
extent to which STANTON's security safeguards comply with HIPAA, the HIPAA
Regulations or this Addendum.
9. Amendment.
a. Amendment to Comply with Law. The parties acknowledge that state and
federal laws relating to electronic data security and privacy are rapidly evolving
and that amendment of this Addendum may be required to provide for
procedures to ensure compliance with such developments in the Privacy Rule
and other applicable law. The parties specifically agree to take such action as is
necessary to implement the standards and requirements of HIPAA, the HIPAA
Regulations and other applicable laws relating to the security or confidentiality of
PHI. The parties understand and agree that CE must receive satisfactory written
assurance from STANTON that STANTON will adequately safeguard all PHI that
it receives or creates pursuant to this Addendum. Upon CE's request,
STANTON agrees to promptly enter into negotiations with CE concerning the
terms of an amendment to this Addendum embodying written assurances
consistent with the standards and requirements of HIPAA, the HIPAA
Regulations or other applicable laws. CE may terminate this Addendum upon 60
days written notice in the event that (i) STANTON does not promptly enter into
negotiations to amend this Addendum when requested by CE pursuant to this
Section or (ii) STANTON does not enter into an amendment to this Addendum
providing assurances regarding the safeguarding of PHI that CE, in its sole
discretion, deems sufficient to satisfy the standards and requirements of the
Privacy Rule.
b. Amendment of the Agreement. The Agreement may be modified or
amended by mutual agreement of the parties at any time without amendment of
this Addendum. To the extent that the permitted uses and disclosures of PHI
stated in the Agreement are modified, the uses and disclosures discussed in
Section 2(a) of this Addendum shall be modified to reflect the current provisions
of the Agreement.
10. Assistance in Litigation or Administrative Proceedings.
STANTON shall make itself, and any subcontractors, employees or agents
assisting STANTON in the performance of its obligations under this Addendum,
available to CE, to testify as witnesses, or otherwise, in the event of litigation or
administrative proceedings being commenced against CE, its directors, officers,
or employees based upon claimed violation of HIPAA, the HIPAA Regulations or
other laws relating to security and privacy, except where STANTON or its
subcontractor, employee or agent is a named adverse party.
11. No Third-Party Beneficiaries.
Nothing express or implied in this Addendum is intended to confer, nor shall
anything herein confer, upon any person other than CE, STANTON and their
respective successors or assigns, any rights, remedies, obligations or liabilities
whatsoever.
12. Effect on Agreement.
Except as specifically required to implement the purposes of this Addendum, or to
the extent inconsistent with this Addendum, all other terms of the Agreement shall
remain in force and effect. This Addendum shall govern with respect to terms
required for compliance with the Privacy Rule.
13. Interpretation.
This Addendum and the Agreement shall be interpreted as broadly as necessary
to implement and comply with HIPAA, the HIPAA Regulations and applicable state
laws. All references in this Addendum to a section in the Privacy Rule means the
section as in effect or as amended, and for which compliance is required.
The parties agree that any ambiguity in this Addendum shall be resolved in favor of a
meaning that complies and is consistent with the Privacy Rule.
IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum
as of the Addendum Effective Date.
CE: STANTON GROUP, INC.
By By
Print Name: Print Name:
Title: Title:
Name of Plan Administrator
Date: Date: