13-257.00 Discovery Benefits
GPID: 20832

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "Agreement") is made and entered into effective as of July 17, 2013 (Effective Date), by and between Discovery Benefits, Inc. and its subsidiaries and affiliate companies ("DBI") and City of Spokane Valley Health Plan (the "Plan"), which is sponsored by City of Spokane Valley (the "Sponsor").

WITNESSETH:

WHEREAS, DBI shall provide certain administrative services, activities or functions in connection with the Plan (the "Services") pursuant to a Services Agreement between DBI and the Sponsor (the "Services Agreement"); and

WHEREAS, the parties desire to enter into this Agreement as set forth below for the purpose of addressing the "Standards for Privacy of Individually Identifiable Health Information," 45 CFR Part 160 and Part 164, Subparts A and E (the "Privacy Rule"); the "Standards for Electronic Transactions," 45 CFR Part 160, Subpart A, and Part 162, Subpart A and Subparts I through R (the "Electronic Transaction Rule"); the "Security Standards for the Protection of Electronic Protected Health Information," 45 CFR Part 160, Subpart A, and Part 164, Subparts A and C (the "Security Rule"); and the "Standards for Breach Notification for Unsecured Protected Health Information," 45 CFR Part 164, Subpart D (the "Breach Notification Rule"), as amended and clarified by the HIPAA Omnibus Rule or any regulations, rules or guidance that may be issued after the effective date of this Agreement.

NOW, THEREFORE, in consideration of the premises and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Plan and DBI agree as follows:

Article I—Definitions

1.1 "Agent" shall have the meaning given to it in Section 2.5. As provided by HIPAA, an Agent and a Subcontractor are two separate types of arrangements.

1.2 "Breach" shall have the meaning given to it by 45 CFR § 164.402.

1.3 "Business Associate" shall have the meaning given to it by 45 CFR § 160.103.

1.4 "Designated Record Set" shall have the meaning given to it by 45 CFR § 164.501.

1.5 "Health Care Operations" shall have the same meaning given to it in 45 CFR § 164.501.

1.6 "HIPAA" shall mean, collectively, the Privacy Rule, the Electronic Transaction Rule, the Security Rule, and/or the Breach Notification Rule, each as amended and clarified by the HIPAA Omnibus Rule.

1.7 "HIPAA Omnibus Rule" shall mean the "Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act," 78 Federal Register 5566 (January 25, 2013).

1.8 "Individual" shall mean the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

1.9 "Individual Rights Requests" shall mean Access Requests, Amendment Requests, Accounting Requests, and requests under Section 3.3.

1.10 "Payment" shall have the same meaning given to it in 45 CFR § 164.501.

1.11 "PHI" shall mean any information, whether oral or recorded in any form or medium, that (i) relates to the past, present or future physical or mental condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and (ii) identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

1.12 "Plan" shall have the meaning provided as first written above. In all cases, the Plan shall mean the group health plan or plans of the Sponsor as set forth in 45 CFR § 160.103.

1.13 "Plan Administration Functions" shall have the same meaning given to it in 45 CFR § 164.504.
1.14 "Plan Administrator" shall mean the entity, individual, group or committee appointed by the Sponsor, or its successor or successors, who have authority to administer the Plan.

1.15 "Privacy Official" shall mean the person designated by the Plan to serve as its privacy official within the meaning of 45 CFR § 164.530(a), and any person to whom the Privacy Official has delegated any of his or her duties or responsibilities.

1.16 "Protected Information" shall mean PHI received from the Plan or created, received, maintained or transmitted by DBI on behalf of the Plan.

1.17 "Required by Law" shall have the same meaning given to it in 45 CFR § 164.103.

1.18 "Secretary" shall mean the Secretary of the United States Department of Health and Human Services.

1.19 "Services" shall mean the activities, functions and/or services that DBI from time to time renders to or on behalf of the Plan to the extent that those activities, functions and/or services are covered by HIPAA.

1.20 "Subcontractor" shall have the same meaning given to it in 45 CFR § 160.103.

1.21 "Unsecured PHI" shall mean Protected Information that is not secured through the use of a technology or methodology that renders such Protected Information unusable, unreadable or indecipherable to unauthorized individuals as specified in 45 CFR § 164.402.

Article II—Obligations and Activities of DBI

2.1 Status of DBI. DBI acknowledges and agrees that it is a Business Associate of the Plan for purposes of the Privacy Rule.

2.2 Permitted Uses and Disclosures of Protected Information.

(a) Permitted Uses. DBI shall not use Protected Information other than as permitted by this Agreement.
DBI may use Protected Information (i) in connection with the performance, management and administration of the Services; (ii) for the proper business management and administration of DBI; (iii) to carry out DBI's legal responsibilities; (iv) to report violations of law consistent with 45 CFR § 164.502(j); (v) to the extent and for any purpose authorized by an Individual under 45 CFR § 164.508; and (vi) for any purpose provided that no data is identifiable and has been de-identified pursuant to 45 CFR § 164.514(b) (including the separate de-identification guidance issued by the Secretary on November 26, 2012). Notwithstanding the foregoing sentence, DBI shall not use Protected Information in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so used by the Plan (except for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)).

(b) Permitted Disclosures. DBI shall not disclose Protected Information other than as permitted by this Agreement. DBI may disclose Protected Information (i) in connection with the performance, management and administration of the Services; (ii) to report violations of law consistent with 45 CFR § 164.502(j); (iii) to the extent and for any purpose authorized by an Individual under 45 CFR § 164.508; and (iv) for any purpose provided that no data is identifiable and has been de-identified pursuant to 45 CFR § 164.514(b) (including the separate de-identification guidance issued by the Secretary on November 26, 2012).

In addition, DBI may also disclose Protected Information to a third party for the proper business management and administration of DBI and to carry out DBI's legal responsibilities; provided, that the disclosure is Required by Law, or DBI obtains, prior to the disclosure, (1) reasonable assurances from the third party that the Protected Information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and (2) an agreement from the third party that the third party will notify DBI immediately of any instances in which it knows the confidentiality of the information has been breached. Further, DBI shall disclose, upon request, Protected Information to the Sponsor for Plan Administration Functions and to designated Sponsor employees (or designated Business Associates of the Plan) who are working for or on behalf of the Plan for purposes of Payment and Health Care Operations (including claims assistance activities) consistent with 45 CFR § 164.506(c)(1). Notwithstanding the foregoing, DBI shall not disclose Protected Information in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so disclosed by the Plan (except for the purposes specified under 45 CFR § 164.504(e)(2)(i)(A) and (B)).

(c) Minimum Necessary. To the extent required by the Privacy Rule, DBI shall only request, use and/or disclose the minimum amount of Protected Information necessary to accomplish the purpose of the request, use and/or disclosure. For this purpose, the determination of what constitutes the minimum necessary amount of Protected Information shall be determined in accordance with Section 164.502(b) of the Privacy Rule.

(d) Direct Application of Privacy Rules.
DBI shall not use and/or disclose Protected Information or provide any Services that require the use and/or disclosure of Protected Information unless such use and/or disclosure directly complies with this Section 2.2 and Sections 164.502(a)(3) and 164.504(e) of the Privacy Rule.

(e) GINA Provisions. Notwithstanding subsections (a) through (c) above, DBI shall not use and/or disclose Protected Information that is genetic information for underwriting purposes, as set forth in 45 CFR § 164.502(a)(5).

2.3 Safeguards. DBI shall maintain and use appropriate and commercially reasonable safeguards to prevent use and/or disclosure of Protected Information other than as permitted or required in this Agreement.

2.4 Reports of Prohibited Disclosures. If DBI becomes aware of a disclosure of an Individual's Protected Information by DBI and the disclosure violated the provisions of this Agreement, DBI must inform the Privacy Official regarding the prohibited disclosure of the Individual's Protected Information. To the extent that a disclosure described in this Section 2.4 also constitutes a Breach of Unsecured PHI, the provisions of this Section 2.4 shall not apply, but rather the provisions of Section 2.8 shall apply.

2.5 Agents and Subcontractors. DBI shall require each of its representatives, agents, and entities (collectively, "Agents") to whom DBI provides Protected Information on behalf of the Plan to agree to observe the restrictions on use and disclosure of the Protected Information imposed upon DBI by this Agreement and the Privacy Rule. In addition, DBI shall enter into a Business Associate Agreement with each of its Subcontractors which meets the requirements of the Privacy Rule, including the requirements set forth in 45 CFR § 164.504(e).

2.6 Access by Secretary. DBI shall make available to the Secretary DBI's internal practices, books and records (including its policies and procedures) relating to DBI's use and disclosure of Protected Information for the purpose of enabling the Secretary to assess the Plan's and/or DBI's compliance with HIPAA. DBI shall inform the Privacy Official of any request sent by the Secretary on behalf of the Plan that is received by DBI, unless it is prohibited by applicable law from doing so.

2.7 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI of a use or disclosure of Protected Information by DBI in violation of the requirements of this Agreement.

2.8 Notice of Breach of Unsecured PHI.

(a) DBI Requirements. Upon DBI's discovery of a Breach of Unsecured PHI by DBI, DBI shall:

(1) Pursuant to the requirements set forth in subsection (b) below, provide written notice of the Breach, on behalf of the Plan, without unreasonable delay but no later than sixty (60) calendar days following the date the Breach is discovered or such later date as is authorized under 45 CFR § 164.412, to: (i) each Individual whose Unsecured PHI has been, or is reasonably believed by DBI to have been, accessed, acquired, used or disclosed as a result of the Breach; (ii) the media to the extent required under 45 CFR § 164.406; and (iii) the Secretary to the extent required under 45 CFR § 164.408 (unless the Plan has elected to provide this notification and has informed DBI);

(2) Pursuant to the requirements set forth in subsection (c) below, provide written notice of the Breach to the Privacy Official, as soon as administratively practicable, but no later than three (3) business days after the Breach is discovered; and

(3) If the Breach involves less than 500 individuals, maintain a log or other documentation of the Breach which contains such information as would be required to be included if the log were maintained by the Plan pursuant to 45 CFR § 164.408, and provide such log to the Plan within five (5) business days of the Plan's written request.

(b) Notice Requirements. This subsection (b) provides the following special rules that shall each be applicable to the provisions of Section 2.8(a)(1):

(1) The date that a Breach is discovered shall be determined by DBI, in its sole discretion, in accordance with the Breach Notification Rule.

(2) The content, form and delivery of each of the notices required by Section 2.8(a)(1) shall comply in all respects with the breach notification provisions applicable to the Plan, as set forth in the Breach Notification Rule.

(3) DBI shall send the notices described in Section 2.8(a)(1)(i) to each Individual using the address on file with DBI (or as may be otherwise provided by the Plan). If the notice to any Individual is returned as undeliverable, DBI shall make one additional attempt to deliver the notice to the Individual using such information as is reasonably available to it, or shall take other action required by the Breach Notification Rule.

(4) With respect to notices required under Section 2.8(a)(1)(i) and (ii), DBI and the Privacy Official shall cooperate in all respects regarding the drafting and the content of the notices. To that end, before sending any notice to any Individual or the media under Section 2.8(a)(1)(i) or (ii), DBI shall first provide a draft of the notice to the Privacy Official. The Privacy Official shall have five business days (plus any reasonable extensions) to either approve DBI's draft of the notice or revise the language of the notice. Alternatively, the Privacy Official may elect to draft the notice for review by DBI. Once DBI and the Privacy Official agree on the final content of the notice, DBI shall send the notice to the Individuals and/or the media based on the requirements of the Breach Notification Rule.

(c) Privacy Official Notice.
The notice to the Privacy Official pursuant to Section 2.8(a)(2) shall include the identity of each Individual whose Unsecured PHI was involved in the Breach and a brief description of the Breach. To the extent that DBI does not know the identities of all affected Individuals when it is required to notify the Privacy Official, DBI shall provide such information as soon as administratively practicable after such information becomes available. Upon the Plan's written request, DBI shall provide such additional information regarding the Breach as may be reasonably requested from time to time by the Plan.

(d) Services Agreement. DBI reserves the right to charge reasonable, cost based fees for sending the notices required by this Section 2.8 should a Breach be due to actions on the part of the Sponsor, the Plan or any other entity other than DBI, its Agents or Subcontractors.

Article III—Individual Rights Requirements

3.1 Designated Record Sets.

(a) General. DBI agrees to maintain a Designated Record Set for the Plan in a manner and form that will allow the Plan to provide access and amendment rights to an Individual with respect to the Individual's Protected Information in conformance with 45 CFR §§ 164.524 and 164.526.

(b) Access Requests. Upon request from the Plan, DBI shall process and respond to a request by an Individual for access to an Individual's Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45 CFR § 164.524 (an "Access Request"). DBI shall respond to such Access Request within the timeframes required by 45 CFR § 164.524 by furnishing such Protected Information to the Plan. If the Protected Information that is requested is maintained electronically and the Individual requests an electronic copy of such information, DBI will provide access to the information in an electronic format that complies with 45 CFR § 164.524(c)(2)(ii). Thereafter, the Plan will be responsible for sending such information to the Individual.

(c) Amendment Requests. Upon request from the Plan, DBI shall process a request by an Individual for amendments to an Individual's Protected Information that is maintained by DBI in a Designated Record Set pursuant to 45 CFR § 164.526 (an "Amendment Request"). DBI shall process such Amendment Request within the timeframes required by 45 CFR § 164.526.

(d) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues relating to Access Requests and Amendment Requests. Notwithstanding the foregoing, DBI shall not be obligated to coordinate with the Privacy Official if an Individual files an Access Request or Amendment Request with DBI and such request is directed solely to DBI.

3.2 Accountings.

(a) Documentation of Disclosures. DBI agrees to document and maintain a log of any and all disclosures from and after the date or dates required by 45 CFR § 164.528 made by DBI of Protected Information in a manner and form that will allow the Plan to provide to an Individual an accounting of disclosures or other applicable report of the Individual's Protected Information in compliance with and based on the requirements of 45 CFR § 164.528.

(b) Accounting Requests. Upon request from the Plan, DBI shall process and respond to a request by an Individual for an accounting of disclosures or other applicable report of an Individual's Protected Information pursuant to the requirements of 45 CFR § 164.528 (an "Accounting Request"). DBI shall respond to such Accounting Request within the timeframes required by 45 CFR § 164.528 by furnishing such accounting to the Plan. Thereafter, the Plan will be responsible for sending such information to the Individual.

(c) Coordination with Privacy Official.
DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues relating to Accounting Requests. Notwithstanding the foregoing, DBI shall not be obligated to coordinate with the Privacy Official if an Individual files an Accounting Request with DBI and such request is directed solely to DBI.

3.3 Privacy Protection Requests.

(a) Restriction Requests on Uses and Disclosures. The Plan and DBI on behalf of the Plan shall not agree to a restriction on the use or disclosure of Protected Information pursuant to 45 CFR § 164.522(a) without first consulting with the other party. DBI is not obligated to implement any restriction, if such restriction would hinder Health Care Operations or the Services DBI provides to the Plan, unless such restriction would otherwise be required by 45 CFR § 164.522(a).

(b) Confidential Communication Requests. DBI shall implement any reasonable requests by Individuals relating to a request to receive communications of Protected Information by alternative means or at alternative locations to the extent required by 45 CFR § 164.522(b).

(c) Coordination with Privacy Official. DBI shall coordinate and cooperate with the Privacy Official (or any other person designated by the Plan Administrator for this purpose) regarding all processing, recordkeeping and documentation issues relating to requests under this Section 3.3.

Article IV—Electronic Transaction Rule

4.1 Business Associate Requirements. DBI acknowledges that it is a Business Associate of the Plan for purposes of the Electronic Transaction Rule. DBI agrees that it shall comply with all Electronic Transaction Rule requirements that may be applicable to DBI with respect to the Services it provides to and on behalf of the Plan. DBI shall also require each of its Agents and Subcontractors to whom DBI provides Protected Information that is received from, or created or received by DBI on behalf of the Plan to comply with the applicable requirements of the Electronic Transaction Rule.

4.2 Sponsor Transmissions. Electronic transmissions between DBI and the Sponsor are not required to comply with the Electronic Transaction Rule. Accordingly, the Sponsor hereby represents and warrants that all electronic transmissions with respect to the Plan between the Sponsor (either directly or through its designated agent) and DBI, relating to (i) enrollment and disenrollment information and (ii) premium payment information, as each are covered by the Electronic Transaction Rule, are sent or received by the Sponsor (either directly or through its designated agent) in the Sponsor's capacity as an employer and are not sent or received by the Plan.

Article V—Obligations of Plan

5.1 Privacy Notice. Upon request, the Plan will provide DBI with a copy of its notice of privacy practices pursuant to 45 CFR § 164.520.

5.2 Authorizations. The Plan will notify DBI of any changes in or revocations of Individual authorizations for use or disclosure of Protected Information to the extent that such changes or revocations may affect DBI's use or disclosure of Protected Information.

5.3 Officials. The Plan will notify DBI of the current name and contact information of the Plan Administrator, the Privacy Official and any other person that has the authority to act on behalf of the Plan with respect to the provisions contained in this Agreement.

5.4 Plan Amendments. Sponsor represents that it has amended its Plan documents to include specific provisions to restrict the use or disclosure of PHI and to ensure adequate procedural safeguards and accounting mechanisms for such uses or disclosures, in accordance with the Privacy Rule.

5.5 Additional Certification.
The Plan represents and warrants that: (a) it has amended its plan documents, in accordance with 45 CFR § 164.504(f), so as to allow the Plan to receive Protected Information; (b) it has received a certification from the Sponsor in accordance with 45 CFR § 164.504(f)(2)(ii), and will provide a copy of such certification to DBI upon request; (c) the plan document amendments permit the Plan to receive Protected Information (including detailed invoices, reports and statements from DBI); and (d) the Plan has determined, through its own policies and procedures and in compliance with 45 CFR § 164.502(b), that the Protected Information that it receives from DBI (including the detailed invoices, reports and statements) contains the minimum information necessary for the Plan to carry out its Payment and Health Care Operations activities.

Article VI—Amendment and Termination

6.1 Amendment. No change, modification, or attempted waiver of any of the provisions of this Agreement shall be binding upon any party hereto unless reduced to writing and signed by the party against whom enforcement is sought. DBI agrees to take such action as is necessary to amend this Agreement from time to time as the Plan reasonably determines necessary to comply with HIPAA, or any other applicable law, rule or regulation.

6.2 Term. The Term of this Agreement shall be effective on the date first written above (except as otherwise noted herein) and shall terminate when all of the Protected Information received from the Plan, or created or received by DBI on behalf of the Plan, is destroyed in accordance with the Plan's authorization or is returned to the Plan (or its designated agents) pursuant to Section 6.4.

6.3 Termination.
If one party to this Agreement (the "Non-Breaching Party") has knowledge of a material violation of this Agreement by the other party to this Agreement (the "Breaching Party"), as determined in good faith by the Non-Breaching Party, the Non-Breaching Party must promptly:

(a) Provide an opportunity for the Breaching Party to end and to cure the material violation within a reasonable time specified by the Non-Breaching Party, and if the Breaching Party does not end and cure the material violation within such time (including reasonable extensions that the Non-Breaching Party determines are necessary) to the satisfaction of the Non-Breaching Party, the Non-Breaching Party shall immediately terminate the Services rendered by DBI and any agreement or contract related thereto; or

(b) If a cure is not possible as determined by the Non-Breaching Party in its sole discretion, the Non-Breaching Party shall immediately terminate the Services rendered by DBI and any agreement or contract related thereto.

6.4 Effect of Termination. Upon termination pursuant to Section 6.3, the Plan within a reasonable time thereafter must inform DBI to either destroy or return to the Plan (or any agents designated by the Plan) the Protected Information that DBI and its Agents and Subcontractors maintain in any form, and DBI and its Agents and Subcontractors shall retain no copies of the Protected Information. However, in many situations DBI maintains one or more backup copies of Protected Information for auditing, data management and other related purposes and DBI has determined that destruction of all copies of Protected Information that it maintains is infeasible. Therefore, after termination of the Services and pursuant to 45 CFR § 164.504(e)(2)(ii)(J), this Agreement shall remain in effect and DBI shall continue to observe and shall ensure that its Agents and Subcontractors continue to observe its obligations under this Agreement to the extent copies of the Protected Information are retained by DBI and shall limit further uses and disclosures of Protected Information to the purposes that make its return or destruction infeasible and that are consistent with the Privacy Rule.

Article VII—Electronic Security Standards

7.1 Definitions. When used in this Article, the following terms shall have the meanings set forth as follows:

(a) "Electronic Media" shall have the meaning given to it in 45 CFR § 160.103.

(b) "Electronic Protected Information" shall mean Protected Information received from the Plan or created, received, maintained or transmitted by DBI on behalf of the Plan that is transmitted by Electronic Media or maintained in Electronic Media.

(c) "Security Incident" shall have the meaning given to it in 45 CFR § 164.304.

7.2 Requirements.
Pursuant to 45 CFR § 164.314(a)(2)(i), DBI shall:

(a) Comply with the applicable requirements of the Security Rule, including the requirement that DBI implement, maintain and document administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Information to the extent required by the Security Rule;

(b) Report (pursuant to the terms and conditions of Section 7.3) to the Privacy Official (or such other person designated for this purpose) any Security Incident of which DBI becomes aware and which occurred during the applicable reporting period;

(c) Require each of its Agents to whom DBI provides Electronic Protected Information to agree to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Information that is provided to the agent to the extent required by the Security Rule; and

(d) Enter into a contract or other arrangement with each of its Subcontractors that create, receive, maintain or transmit Electronic Protected Information on behalf of DBI pursuant to which the Subcontractor agrees to comply with the applicable requirements of the Security Rule.

7.3 Reporting Protocols. All reports required by Section 7.2(b) shall be provided pursuant to the terms and conditions specified in this Section.

(a) Attempted Security Incidents. Reporting for any Security Incident involving the attempted unauthorized access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, an "Attempted Security Incident") shall be provided pursuant to the standard reporting protocols of DBI (as determined by DBI).

(b) Successful Security Incident. Reporting for any Security Incident involving the successful unauthorized access, use, disclosure, modification or destruction of Electronic Protected Information (collectively, a "Successful Security Incident") shall be provided to the Plan pursuant to the standard reporting protocols of DBI (as determined by DBI); provided, that (i) the reports shall at a minimum include the date of the incident, the parties involved (if known, including the names of Individuals affected), a description of the Successful Security Incident, a description of the Electronic Protected Information involved in the incident and any action taken to mitigate the impact of the Successful Security Incident and/or prevent its future recurrence and (ii) the reports shall satisfy the minimum requirements for Security Incident reporting that may be required from time to time by the Secretary. In addition, Successful Security Incidents shall be reported to the Plan as soon as administratively practicable after the occurrence of the incident taking into account the severity and nature of the incident. Notwithstanding the foregoing, the Plan may request details about one or more Successful Security Incidents, and DBI shall have 30 days thereafter to furnish the requested information.

(c) Breach of Unsecured PHI. To the extent that a Security Incident described in this Section 7.3 also constitutes a Breach of Unsecured PHI, the provisions of this Section 7.3 shall not apply, but rather the provisions of Section 2.8 shall apply.

7.4 Mitigation. DBI agrees to mitigate, to the extent practicable, any harmful effect that is known to DBI relating to any Security Incident.

7.5 Access by Secretary.
DBI shall make available to the Secretary DBI's internal practices, books and records (including its policies and procedures) relating to the safeguards established by DBI with respect to Electronic Protected Information for the purpose of enabling the Secretary to assess DBI and/or the Plan's compliance with the Security Rule. DBI shall inform the Privacy Official of any request sent by the Secretary on behalf of the Plan that is received by DBI, unless DBI is prevented by applicable law from doing so.

Article VIII—General

8.1 Other Agreements. The Plan and DBI acknowledge and affirm that this Agreement is in no way intended to address or cover all aspects of the relationship of the Plan and DBI and of the Services that are rendered by DBI to and on behalf of the Plan. Rather, this Agreement deals only with those matters that are specifically addressed herein. Further, this Agreement supersedes any prior business associate agreements entered into by DBI and the Plan (or any predecessor to the Plan), and shall apply to all Protected Information existing as of the effective date of this Agreement or created or received thereafter while this Agreement is in effect.

8.2 Indemnification. Any indemnification relating to violations of this Agreement by DBI or the Plan (or the Sponsor on behalf of the Plan) shall be addressed to the extent applicable by the Services Agreement of the parties.

8.3 Severability. The provisions of this Agreement shall be severable, and the invalidity or unenforceability of any provision (or part thereof) of this Agreement shall in no way affect the validity or enforceability of any other provisions (or remaining part thereof). If any part of any provision contained in this Agreement is determined by a court of competent jurisdiction, or by any administrative tribunal, to be invalid, illegal or incapable of being enforced, then the court or tribunal shall interpret such provisions in a manner so as to enforce them to the fullest extent of the law.

8.4 Interpretation. The provisions of this Agreement shall be interpreted in a manner intended to achieve compliance with HIPAA. Whenever the Agreement uses the term "including" followed by a specific item or items, or there is a passage having a similar effect, such passages of the Agreement shall be construed as if the phrase "without limitation" followed such term (or otherwise applied to such passage in a manner that avoids limitations on its breadth of application). Where the term "and/or" is used in this Agreement, the provision that includes the term shall have the meaning the provision would have if "and" replaced "and/or," but it shall also have the meaning the provision would have if "or" replaced "and/or." Any reference to a section or provision of HIPAA shall include any amendment or clarification of such section or provision contained in the HIPAA Omnibus Rule and any regulation, rule or guidance issued by the Secretary following the effective date of this Agreement.

8.5 Counterparts. Any number of counterparts of this Agreement may be signed and delivered, each of which shall be considered an original and all of which, together, shall constitute one and the same instrument.

8.6 Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their heirs, assigns and successors in interest. The Plan shall have the right to assign this Agreement to any successor or surviving health plan, and all covenants and agreements hereunder shall inure to the benefit of and be enforceable by any such assignee.

8.7 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.

8.8 Applicable Law. The provisions of this Agreement shall be construed and administered to, and its validity and enforceability determined under HIPAA.
To the extent that HIPAA is not applicable in a particular circumstance, the provisions of this Agreement shall be construed and administered to, and its validity and enforceability determined under the Employee Retirement Income Security Act of 1974, as amended ("ERISA"). In the event that HIPAA and ERISA do not preempt state law in a particular circumstance, the laws of the State of North Dakota shall govern. 8.9 State Privacy and Security Laws. (a) General. Pursuant to 45 CFR§ 160.203, DBI and the Plan acknowledge that HIPAA only preempts state laws which are contrary to a HIPAA standard, requirement or implementation specification, provided that state laws which relate to the privacy of Protected Information and are more stringent than the Privacy Rule are not preempted. Accordingly, the parties acknowledge that certain State Privacy Laws affecting the privacy and/or security of personally identifiable information(e.g., name, address, age,and social security number)relating to a Plan participant or beneficiary ("Privacy Restricted Data") may apply to the Services provided by DBI to the extent such State Privacy Laws are not preempted by HIPAA. For purposes of this Section 8.9, "State Privacy Laws"shall mean any applicable state and local privacy laws governing the creation, collection, storage, maintenance, access, modification,transmission, use or disclosure of Privacy Restricted Data. (b) State Privacy Laws. All Privacy Restricted Data created, collected, received or obtained by or on behalf of DBI in the course of performing its Services shall be created, collected, received, obtained, stored, maintained, accessed, modified, transmitted, used and disclosed in accordance with any and all applicable State Privacy Laws. DBI shall at all times perform the Services in accordance with the State Privacy Laws and as not to cause the Sponsor or the Plan to be in violation of the State Privacy Laws. 
DBI shall be fully responsible for any creation, collection, receipt, access, storage, maintenance, modification, transmission, use and disclosure of Privacy Restricted Data performed by or on behalf of DBI that is in violation of any State Privacy Laws. DBI shall remedy and mitigate the damages of any breach of privacy, security, integrity or confidentiality with respect to the unauthorized creation, collection, receipt, storage, maintenance, access, modification, transmission, use or disclosure (a "State Breach")of Privacy Restricted Data that is or may be in violation of any State Privacy Laws. (c) Notification. DBI shall notify the Privacy Officer (using the procedures that apply to Breaches of Unsecured PHI under Section 2.8(c))of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is or may be in violation of any State Privacy Laws. In addition, DBI shall also notify the affected Plan participants and beneficiaries (using the procedures that apply to Breaches of Unsecured PHI under Section 2.8(b)) of any State Breaches by or on behalf of DBI of Privacy Restricted Data that is in violation of any State Privacy Laws and any state or local governmental agencies, authorities or other entities, but only to the extent required by such State Privacy Laws. (d) HIPAA Coordination. The parties acknowledge that in certain situations the provisions of both Section 2.8 and this Section 8.9 shall apply. If both Sections 2.8 and 8.9 apply in a given situation, DBI shall comply with both Sections 2.8 and 8.9 to the extent applicable. 8.10 Obligation of Plan and DBI. To the extent that DBI carries out the HIPAA obligations of the Plan (including the obligations set forth in Section 2.8 and Article III), DBI shall comply with the applicable requirements of HIPAA as they apply to the Plan in the performance of such obligations on behalf of the Plan. 
8 IN WITNESS WHEREOF,the parties hereto have executed this Agreement by their duly authorized officials on the date set forth above. Signed for by o e Sponsor o behalf of and as a Discovery Benefits,Inc. representatiiv o the Plan: By: � \ ' i By: ` Name: J C5 "-V1/Lv��l���� nn Name:Suzanne Rehr U` Title: ! /13 Title:Chief Compliance Officer/EVP Date: Date: May 1,2013 • 9