The URL can be used to link to this page

Resolution No. 8973t 1 RESOLUTION NO. 8973 2 3 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF VERNON APPROVING AND RATIFYING THE EXECUTION OF A 4 BUSINESS ASSOCIATE AGREEMENT BY AND BETWEEN THE CITY OF VERNON AND PART D ADVISORS, INC. RELATING 5 TO MEDICARE PART D IMPLEMENTATION SERVICES 6 7 WHEREAS, on November 16, 2005, the City Council of the City 8 of Vernon adopted Resolution No. 8909 approving the filing of an 9 application for federal subsidies for medicare drug purchases and 10 approving an Agreement for Medicare Part D Implementation Services 11 (the "Services Agreement") with Part D Advisors, Inc. (""Part D"); and 12 WHEREAS, in order for Part D to obtain health claims data in 13 accordance with the Health Insurance Portability and Accountability 14 Act of 1996 and 45 CFR Parts 160-164 (the "Privacy Rule"), Part D has 15 requested that the City enter into a agreement to satisfy the 16 "business associate" and related requirements within the meaning of 17 the Privacy Rule; and 18 WHEREAS, such "business associate" agreement will be a 19 supplemental attachment to the Services Agreement; and 20 WHEREAS, in order to meet the urgent need to facilitate the 21 City's Medicare Part D Program, the Chief Deputy City Attorney/Acting 22 Risk Manager executed a Business Associate Agreement (the "Agreement") 23 with Part D on February 6, 2006, subject to ratification by the City 24 Council. 25 NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE 26 CITY OF VERNON AS FOLLOWS: 27 SECTION 1: The City Council of the City of Vernon hereby 28 finds and determines that the recitals contained hereinabove are true 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 and correct. SECTION 2: The City Council of the City of Vernon hereby ratifies the execution of the Business Associate Agreement with Part D executed on February 6, 2006, a copy of which is attached hereto as Exhibit A and incorporated by reference. SECTION 3: The Acting City Clerk of the City of Vernon shall certify to the passage of this resolution, and thereupon and thereafter the same shall be in full force and effect. APPROVED AND ADOPTED this 15th day of February, 2006. (ATTEST: BRUCE V. MA4KENHORST, JR. Acting(Cit Clerk LEONIS C. MA4BURG, Mayor - 2 - 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 STATE OF CALIFORNIA ) ) ss COUNTY OF LOS ANGELES j I, BRUCE V. MALKENHORST, JR., Acting City Clerk of the City of Vernon, do hereby certify that the foregoing Resolution, being Resolution No. 8973, was duly adopted by the City Council of the City of Vernon at a regular meeting of the City Council duly held on Wednesday, February 15, 2006, and thereafter was duly signed by the Mayor of the City of Vernon. BRUCE V.k4ALKENHORST, JR. Acting City Clerk (SEAL) - 3 - EXHIBIT ATTACHMENT B Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (this' ") is entered into by and between Part D Advisors, Inc., a Michigan corporation ("EDA") and The C itv of Vernon. California Health Plan (the "Health Plan") (together, the "Parties"), effective as provided'' below. RECITALS WHEREAS, the Health Plan is a "covered entity" within the meaning of the Health Insurance Portability and Accountability Act of 1996 Cl�) and its implementing regulation concerning privacy of individually identifiable health information as set forth in 45 CFR Parts 160-164, as amended from time to time (the ` 'vacv Rule"); and WHEREAS, PDA has heretofore entered into an agreement with The City of Vernon, California ("Plan Sponsor') to provide certain administrative services in connection with the Health Plan (the "Service Agreement'); and WHEREAS, the Privacy Rule requires covered entities such as the Health Plan to obtain and document satisfactory assurances from "business associates" (as defined therein) regarding appropriate safeguarding of certain "protected health information" (as defined therein) received or created by the business associate (a "BA Agreement"); and. WHEREAS, PDA, in the performance of its services in connection with the Health Plan, may be deemed a "business associate" within the meaning of the Privacy Rule; and WHEREAS, the Parties desire to enter into an agreement intended to satisfy the BA Agreement requirement and related requirements under the Part D Program (as defined in the Service Agreement) as and to the extent such requirement may be applicable. NOW, THEREFORE, in consideration of the premises and the respective covenants and agreements herein contained, the Parties agree as follows: AGREEMENT I. Definitions Capitalized terms not expressly detained in this Agreement shall have the meanings as defined in the Privacy Rule. For purposes of this Agreement: (a) "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 CFR 164.501 in respect of the Health Plan. (b) "Efjerdye Date" shall have the meaning as set forth in Section 7(a) of this Agreement. (c) "ERISA" shall mean Employee Retirement Income Security Act of 1974, as amended, and the regulations hereunder. BA K v3 1 7/29/05 (d) `Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). (e) "Health Plan Administra or" or "Plan Adminlatiwor" shall have the same meaning as set forth in the Health Plan's Plan Document. (f) "Privacy Rule" shall have the meaning as set forth in the RECITALS portion of this Agreement. (g) "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR 164.501, but limited to the information crested or received by PDA from or on behalf of the Health Plan. (h) "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR 164.5,01 (and as further described in 70 Federal Register 4405 with regard to compliance with the Center for Medicare and Medicaid Services' requirement of disclosure of Protected Health Information pursuant to 42 CFR 423.884(b)). G) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. 0) "Service Agreement" shall have the meaning as set forth in the RECITALS portion of this Agreement. 2. Obligations of PDA PDA agrees to: (a) Not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law, (b) Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement; (c) Report to the Health Plan Administrator any use or disclosure of the Protected Health Information not provided for by this. Agreement of which it becomes aware; (d) Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from the Health Plan, or created or received by PDA on behalf of the Health Plan agrees to the same restrictions and conditions that apply through this Agreement to PDA with respect to such information; provided that the Health Plan shall not have any right to disapprove any subcontractors of PDA or to review any agreements with such subcontractors, except to the extent specifically provided herein; (e) Provide, in a commercially reasonable time and manner, access to Protected Health Information to the Health Plan Administrator to the extent necessary to meet the requirements under 45 CFR 164.524, provided that such access shall be provided only to the extent such Protected Health Information is in the possession of PDA and is a part of the Designated Record Set. (f) Make, in a commercially reasonable time and manner, any amendment(s) to Protected .Health Information that the Health Plan Administrator directs or agrees to pursuant to 45 CFR 164.526, BA K 0 2 7/29/05 provided that such amendment(s) shall be made only to the extent such Protected Health Information is in the possession of PDA and is a part of the Designated Record Set; (g) bake .available to the Health Plan, in a commercially reasonable time and manner, information in the possession of PDA as and to the extent required for the Health Plan to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528; (h) Make internal practices, books, and records relating to the use and disclosure of Protected Health information received from the Health Plan, or created or received by PDA on behalf of the Health Plan, available to the Secretary for purposes of the Secretary determining the Health Plan's compliance with the Privacy Rule. 3. Permitted Uses and Disclosures by PDA (a) Cleneral Use and DWOAM Provisions. Except as otherwise limited in this Agreement, PDA may use or disclose Protected Health Information to perform its duties, functions, activities, or services for, or on behalf of, the Health Plan or its Plan Sponsor, provided that such use or disclosure would not violate (i) the Privacy Rule if done by the Health Plan or (ii) the minimum necessary policies and procedures of the Health Plan as communicated by the Health Plan Administrator to PDA. (b) SRmific Use and Disclosure Provisions. (i) PDA may use Protected Health Information for the proper management and administration of PDA or to carry out the legal responsibilities of PDA. GO Except as otherwise limited in this Agreement, PDA may disclose Protected Health Information for the proper management and administration of PDA or to. carry out the legal responsibilities of PDA, provided that: (A) Disclosures are Required By Law, or (B) PDA obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the 'person notifies PDA of any instances of which it is aware in which the confidentiality of the information has been breached. (iii) Except as otherwise limited in this Agreement, PDA may use Protected Health Information to provide Data Aggregation services as permitted by 45 CFR 164.504(ex2)(i)(B). (iv) PDA may use or disclose Protected Health Information to report violations of law to appropriate Federal and/or State authorities to the extent consistent with 45 CFR 164.5020). (v) Except as otherwise limited in this Agreement, PDA may disclose Protected Health Information to other "business associates" (within the meaning of the Privacy Rule) of the Health Plan to perform its dudes under the Service Agreement. Notwithstanding any provision hereof or any other prior agreement by the Parties, it shall be the Health Plan's sole responsibility (and not PDA's BAK0 3 7/29/OS responsibility) to ensure that the Health Plan has entered into appropriate business associate agreements with its business associates. (vi) Except as otherwise limited in this Agreement, PDA may disclose Protected Health Information to the persons to whom the Hesalth Plan Administrator directs PDA to provide Protected Health Information. Notwithstanding any provision hereof or any other prior agreement by the Parties, it shall be the Health Plan's sole responsibility (and not PDA's responsibility) to ensure that the Health Plan has, in its official plan document, appropriate provisions regarding disclosures of Protected Health Information. 4. Obligations of the Health Ptah and Health Plan Admiuistraetor (a) General. Except as otherwise specifically provided under this Agreement, the Health Plan shall not request or permit PDA to (and shall not cause the Health Plan Administrator to request or permit PDA to) use or disclose Protected Health Information in any manner that may not be permissible under the Privacy Rule if done by the Health Plan. (b) Notification of Privacy Practices and Restrictions: The Health Plan shall cause the Health Plan Administrator to promptly notify PDA of (i) Any limitation(s) in the Health Plan's notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect PDA's use or disclosure of Protected Health Information; (ii) Any changes in, or revocation of, permission by Individual to use or disclosure of Protected Health Information, to the extent that such changes may affect PDA's use or disclosure of Protected Health Information; and (iii) Any restriction to the use or disclosure of Protected Health Information that the Health Plan has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect PDA's use or disclosure of Protected Health Information. S. Disclosure to CMS for Part D Program Pursuant to 42 CFR 423.884(b) and notwithstanding any provision herein to the contrary, the Health Plan agrees that the Health Plan, the Health Plan Administrator or PDA (on behalf of the Health Plan) may disclose Protected Health Information to the Center for Medicare and Medicaid Services (CMS) to the extent necessary to comply with Subpart R of 42 CFR Part 423 (relating to Notices of Creditable and Non -Creditable Coverage and applications for drug subsidy payment to the Plan Sponsor in connection with the prescription drug benefit under the Health Plan). BA K 0 4 7/29/05 & Security of Electronic Protected Health Information (a) PDA has implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives or transmits on behalf of the Health Plan C'ePHI") as required under the Security Standards 45 C.F.R. Part 160 and 164 subpart C. (b) PDA agrees that it will ensure that agents or subcontractors to whom it provides ePHI agree to implement the reasonable and appropriate safeguards to protect its confidentiality, integrity and availability. (c) PDA agrees to report to the Health Plan any Security Incident (as defined in 45 C.F.R. Part 164.304) within one business day after it becomes aware of any such Security Incident. (d) The Health Plan agrees and understands that the Health Plan is independently responsible for the security of ePHI in its possession, whether it was created by the Health Plan or received from outside sources (including PDA). 7. Term and Termination (a) Term. The term of this Agreement shall be for a period commencing as of the effective date of the Service Agreement and ending when all of the Protected Health Information provided by the Health Plan to PDA, or created or received by PDA on behalf of the Health Plan, is destroyed, returned to the Health Plan or further protected in accordance with the termination provisions in this Section 7. (b) Termination for Cause. Upon the Health Plan Administrator's knowledge of a Significant Breach of PDA's obligation under this Agreement and subject to Section 7(e) hereof, the Health Plan Administrator may commence termination of this Agreement by providing a notice of termination to PDA. Notwithstanding the foregoing, this Agreement shall be considered to have been terminated pursuant to this Section 7(b) only if, prior to such notice of termination: (i) The Health Plan Administrator shall have given to PDA written notice describing with specificity the Significant Breach; (ii) A period of 60 days from and after the giving of such notice shall have elapsed without PDA Is having cured or remedied such reason for termination during such 60-day period; and (iii) A final determination shall have been made by the Health Plan Administrator that Significant Breach persists, following a meeting at which PDA shall be entitled to appear and contest the determination. (c) edition Precedent. Upon receipt of a notice of termination pursuant to Section 7(b) hereof, or for termination of this Agreement for any other reason, PDA shall ret4m all Protected Health Information received from the Health Plan, or created or received by PDA on behalf of the Health Plan, that PDA still maintains in any form, and shall retain no copies of such information. If PDA determines that such return is not feasible, PDA shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible. BA K O 5 7/29/05 (d) Reuort to See INN o�, If, in the reasonable determination of the Health Plan Administrator, termination of the Agreement pursuant to Section 7(b) hereof is not feasible, the Health Plan Administrator shall report the Significant Breach to the Secretary. 8. Other Provisions (a) Seoamte from S : Aar---t. Except to the extent specifically provided herein, this Agreement shall not be construed, and is not intended, to be a part of the Service Agreement or to otherwise impose on PDA any duties, responsibilities, obligation whatsoever in respect of the administration of the Health Plan, including any duties, responsibilities or obligation of the Health Plan pursuant to the Privacy Rule. (b) No Liability. To the fullest extent permitted by law, PDA shall be under no liability for any use or disclosure made in accordance with the directions of the Health Plan. (c) No Duty to Question. Notwithstanding anything herein to the contrary, PDA shall not be under any duty to question any directions received from the Health Plan Administrator, nor to review in any respect the manner in which any fiduciary of the Health Plan exercises its authority and discharges its duties with respect to the Health Plan. (d) Amendment. The Parties agree to take such action to amend this Agreement from time to time as is necessary for the Health Plan to comply with the requirements of the Privacy Rule. (e) Ambi uR it'"- Any ambiguity in this Agreement shall be resolved in a manner that is consistent with the applicable requirements under the privacy Rule. (i) Notice. Any notice required to be given hereunder shall be in writing and delivered by hand or sent by facsimile, registered or certified mail, return receipt requested, or by air courier, to the address (or fax number) cited in the signature block of this Agreement or to such other address (or fax number) as shall be specified by like to notice by either Party, and shall be deemed given only when received (g) Headings-. The title, headings, and subheadings of this Agreement are solely for the convenience of the Parties and do not effect the meaning or interpretation of any provision of this Agreement. (h) Governnmg Law. Except to the extent preempted by ERISA, this Agreement shall be governed by and enforceable in accordance with the laws of the State of California without giving effect to the principles of conflict of laws thereof. W Arbitration. The parties agree that any and all disputes arising out of or in relation to this Agreement, including without limitation any action in tort, shall be resolved exclusively, finally and conclusively by arbitration in Los Angeles County, California under the auspices of and pursuant to the rules of the Judicial Arbitration & Mediation Services Inc. (JAMS). Each party will select an arbitrator. Those two arbitrators will then select a third'. The three member panel will make the final decision. All decisions of the arbitrators shall be in writing, and the arbitrators shall provide written reasons for their decision. The arbitration decision shall be final and binding on the parties. Notwithstanding the foregoing, the parties shall, be permitted to access the court system to enforce any arbitration award or to obtain injunctive relief. The exclusive jurisdiction and venue for any such action shall be the Superior Court of California, BA K v3 6 7/29/OS Los Angeles County. Any and all contracts between PDA and any subcontractor shall include the same arbitration clause. 0) EntireASEOWUNIt Tltis Agreement and the Service Agreement contain the entire understanding between the Healfit Platt and PDA with respect to the subject matter hereof and, except as specifically Provided herein, cancels and alPerSeda any and all other agreements between the Health Plan and PDA with respect to the subject matter hereof. Any amendment or modification of this Agreement shall not be binding unless in writing and signed by both the Health Plan and PDA. W Severabil tv. In the event that any provision of this Agreement is determined to be invalid or unenforceable, the remaining terns and conditions of this Agreement shall be unaffected and shall remain in full force and effect, and any such determination of invalidity or unenforceability shall not affect the validity or enforceability of any other provision of this Agreement. . (1) No Benefit to tom. nne representations, covenants and agreements contained in this Agreement are for the sole benefit of the Parties, and they shall not be construed as conferring, and are not intended to confer, any rights on any other persons. (m) QW art . This Agreement may be signed in counterparts, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument. IN WITNESS WHEREOF, the Parties have entered into this . Business Associate Agreement, effective as of the Effective Date. HEALTH PLAN Date: �" " By: Date: Title: C Address: Vernon, CA 9UU5U tto Fax Number: _ (g23) g 6_.i439 PARTI) ADVISORS, INC. By. Name: Title: Address: Fax Number: Risk Manager BA K v3 7 7/29/05 AcknOwledgement by Plan Sponsor CITY OF VERNON By: , Name: Willard G Y Title: uy_City ACCorney Acting Risk Manager Date: fi BA K v3 8 7/29/05 SUPPORTING DOCUMENTS ATTACHMENT B Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (this "Astreement") is entered into by and between Part D Advisors, Inc., a Michigan corporation ("PDA') and The City of Vernon, California Health Plan (the "Health Plan") (together, the "Parties"), effective as provided below. RECITALS WHEREAS, the Health Plan is a `covered entity" within the meaning of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulation concerning privacy of individually identifiable health information as set forth in 45 CFR Parts 160-164, as amended from time to time (the "Privacy Rule'); and WHEREAS, PDA has heretofore entered into an agreement with The City of Vernon, California ("Plan Sponsor") to provide certain administrative services in connection with the Health Plan (the "Service Agreement'); and WHEREAS, the Privacy Rule requires covered entities such as the Health Plan to obtain and document satisfactory assurances from "business associates" (as defined therein) regarding appropriate safeguarding of certain "protected health information" (as defined therein) received or created by the business associate (a `BA Agreement'); and WHEREAS, PDA, in the performance of its services in connection with the Health Plan, may be deemed a "business associate" within the meaning of the Privacy Rule; and WHEREAS, the Parties desire to enter into an agreement intended to satisfy the BA Agreement requirement and related requirements under the Part D Program (as defined in the Service Agreement) as and to the extent such requirement may be applicable. NOW, THEREFORE, in consideration of the premises and the respective covenants and agreements herein contained, the Parties agree as follows: AGREEMENT 1. Definitions Capitalized terms not expressly defined in this Agreement shall have the meanings as defined in the Privacy Rule. For purposes of this Agreement: (a) "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 CFR 164.501 in respect of the Health Plan. (b) "Effective Date" shall have the meaning as set forth in Section 7(a) of this Agreement. (c) "ERISA" shall mean Employee Retirement Income Security Act of 1974, as amended, and the regulations hereunder. BA K v3 1 7/29/05 (d) "Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). (e) "Health Plan Administrator" or "Plan Administrator" shall have the same meaning as set forth in the Health Plan's Plan Document. (f) "Privacy Rule" shall have the meaning as set forth in the RECITALS portion of this Agreement. (g) "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR 164.501, but limited to the information created or received by PDA from or on behalf of the Health Plan. (h) "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR 164.501 (and as further described in 70 Federal Register 4405 with regard to compliance with the Center for Medicare and Medicaid Services' requirement of disclosure of Protected Health Information pursuant to 42 CFR 423.884(b)). (i) "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. 0) "Service Agreement" shall have the meaning as set forth in the RECITALS portion of this Agreement. z Obligations of PDA PDA agrees to: (a) Not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law; (b) Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement; (c) Report to the Health Plan Administrator any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware; (d) Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from the Health Plan, or created or received by PDA on behalf of the Health Plan agrees to the same restrictions and conditions that apply through this Agreement to PDA with respect to such information; provided that the Health Plan shall not have any right to disapprove any subcontractors of PDA or to review any agreements with such subcontractors, except to the extent specifically provided herein; (e) Provide, in a commercially reasonable time and manner, access to Protected Health Information to the Health Plan Administrator to the extent necessary to meet the requirements under 45 CFR 164.524, provided that such access shall be provided only to the extent such Protected Health Information is in the possession of PDA and is a part of the Designated Record Set. (f) Make, in a commercially reasonable time and manner, any amendment(s) to Protected Health Information that the Health Plan Administrator directs or agrees to pursuant to 45 CFR 164.526, BA K v3 2 7/29105 provided that such amendment(s) shall be made only to the extent such Protected Health Information is in the possession of PDA and is a part of the Designated Record Set; (g) Make available to the Health Plan, in a commercially reasonable time and manner, information in the possession of PDA as and to the extent required for the Health Plan to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528; (h) Make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from the Health Plan, or created or received by PDA on behalf of the Health Plan, available to the Secretary for purposes of the Secretary determining the Health Plan's compliance with the Privacy Rule. 3. Permitted Uses and Disclosures by PDA (a) General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, PDA may use or disclose Protected Health Information to perform its duties, functions, activities, or services for, or on behalf of, the Health Plan or its Plan Sponsor, provided that such use or disclosure would not violate (i) the Privacy Rule if done by the Health Plan or (ii) the minimum necessary policies and procedures of the Health Plan as communicated by the Health Plan Administrator to PDA. (b) Specific Use and Disclosure Provisions. (i) PDA, may use Protected Health Information for the proper management and administration of PDA or to carry .out the legal responsibilities of PDA. (ii) Except as otherwise limited in this Agreement, PDA may disclose Protected Health Information for the proper management and administration of PDA or to carry out the legal responsibilities of PDA, provided that: (A) Disclosures are Required By Law, or (B) PDA obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies PDA of any instances of which it is aware in which the confidentiality of the information has been breached. (iii) Except as otherwise limited in this Agreement, PDA may use Protected Health Information to provide Data Aggregation services as permitted by 45 CFR 164.504(ex2)(i)(B). (iv) PDA may use or disclose Protected Health information to report violations of law to appropriate Federal and/or State authorities to the extent consistent with 45 CFR 164.5020). (v) Except as otherwise limited in this Agreement, PDA may disclose Protected Health Information to other "business associates" (within the meaning of the Privacy Rule) of the Health Plan to perform its duties under the Service Agreement. Notwithstanding any provision hereof or any other prior agreement by the Parties, it shall be the Health Plan's sole responsibility (and not PDA's BA K 0 3 7/29/05 responsibility) to ensure that the Health Plan has entered into appropriate business associate agreements with its business associates. (vi) Except as otherwise limited in this Agreement, PDA may disclose Protected Health information to the persons to whom the Health Plan Administrator directs PDA to provide Protected Health Information. Notwithstanding any provision hereof or any other prior agreement by the Parties, it shall be the Health Plan's sole responsibility (and not PDA's responsibility) to ensure that the Health Plan has, in its official plan document, appropriate provisions regarding disclosures of Protected Health Information. 4. Obligations of the Health Plan and Health Plan Administrator (a) General. Except as otherwise specifically provided under this Agreement, the Health Plan shall not request or permit PDA to (and shall not cause the Health Plan Administrator to request or permit PDA to) use or disclose Protected Health Information in any manner that may not be permissible under the Privacy Rule if done by the Health Plan. (b) Notification of Privacy Practices and Restrictions. The Health Plan shall cause the Health Plan Administrator to promptly notify PDA of: (i) Any limitation(s) in the Health Plan's notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect PDA's use or disclosure of Protected Health Information; (ii) Any changes in, or revocation of, permission by Individual to use or disclosure of Protected Health Information, to the extent that such changes may affect PDA's use or disclosure of Protected Health Information; and (iii) Any restriction to the use or disclosure of Protected Health Information that the Health Plan has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect PDA's use or disclosure of Protected Health Information. S. Disclosure to CMS for Part D Program Pursuant to 42 CFR 423.884(b) and notwithstanding any provision herein to the contrary, the Health Plan agrees that the Health Plan, the Health Plan Administrator or PDA (on behalf of the Health Plan) may disclose Protected Health Information to the Center for Medicare and Medicaid Services (CMS) to the extent necessary to comply with Subpart R of 42 CFR Part 423 (relating to Notices of Creditable and Non -Creditable Coverage and applications for drug subsidy payment to the Plan Sponsor in connection with the prescription drug benefit under the Health Plan). BA K 0 4 7/29/05 6. Security of Electronic Protected Health Information (a) PDA has implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives or transmits on behalf of the Health Plan ("ePHI") as required under the Security Standards 45 C.F.R. Part 160 and 164 subpart C. (b) PDA agrees that it will ensure that agents or subcontractors to whom it provides ePHI agree to implement the reasonable and appropriate safeguards to protect its confidentiality, integrity and availability. (c) PDA agrees to report to the Health Plan any Security Incident (as defined in 45 C.F.R. Part 164.304) within one business day after it becomes aware of any such Security Incident. (d) The Health Plan agrees and understands that the Health Plan is independently responsible for the security of ePHI in its possession, whether it was created by the Health Plan or received from outside sources (including PDA). 7. Term and Termination (a) Term. The term of this Agreement shall be for a period commencing as of the effective date of the Service Agreement and ending when all of the Protected Health Information provided by the Health Plan to PDA, or created or received by PDA on behalf of the Health Plan, is destroyed, returned to the Health Plan or further protected in accordance with the termination provisions in this Section 7. (b) Termination for Cause. Upon the Health Plan Administrator's knowledge of a Significant Breach of PDA's obligation under this Agreement and subject to Section 7(c) hereof, the Health Plan Administrator may commence termination of this Agreement by providing a notice of termination to PDA. Notwithstanding the foregoing, this Agreement shall be considered to have been terminated pursuant to this Section 7(b) only if, prior to such notice of termination: (i) The Health Plan Administrator shall have given to PDA written notice describing with specificity the Significant Breach; (ii) A period of 60 days from and after the giving of such notice shall have elapsed without PDA's having cured or remedied such reason for termination during such 60-day period; and (iii) A final determination shall have been made by the Health Plan Administrator that Significant Breach persists, following a meeting at which PDA shall be entitled to appear and contest the determination. (c) Condition Precedent. Upon receipt of a notice of termination pursuant to Section 7(b) hereof, or for termination of this Agreement for any other reason, PDA shall return all Protected Health Information received from the Health Plan, or created or received by PDA on behalf of the Health Plan, that PDA still maintains in any form, and shall retain no copies of such information. If PDA determines that such return is not feasible, PDA shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible. BA K 0 5 7/29/05 (d) Report to Secretary of HHS. If, in the reasonable determination of the Health Plan Administrator, termination of the Agreement pursuant to Section 7(b) hereof is not feasible, the Health Plan Administrator shall report the Significant Breach to the Secretary. 8. Other Provisions (a) Separate from Service Agreement. Except to the extent specifically provided herein, this Agreement shall not be construed, and is not intended, to be a part of the Service Agreement or to otherwise impose on PDA any duties, responsibilities, obligation whatsoever in respect of the administration of the Health Plan, including any duties, responsibilities or obligation of the Health Plan pursuant to the Privacy Rule. (b) No Liability. To the fullest extent permitted by law, PDA shall be under no liability for any use or disclosure made in accordance with the directions of the Health Plan. (c) No Duty to Question. Notwithstanding anything herein to the contrary, PDA shall not be under any duty to question any directions received from the Health Plan Administrator, nor to review in any respect the manner in which any fiduciary of the Health Plan exercises its authority and discharges its duties with respect to the Health Plan. (d) Amendment. The Parries agree to take such action to amend this Agreement from time to time as is necessary for the Health Plan to comply with the requirements of the Privacy Rule. (e) Ambi ities. Any ambiguity in this Agreement shall be resolved in a manner that is consistent with the applicable requirements under the Privacy Rule. (f) Notice. Any notice required to be given hereunder shall be in writing and delivered by hand or sent by facsimile, registered or certified mail, return receipt requested, or by air courier, to the address (or fax number) cited in the signature block of this Agreement or to such other address (or fax number) as shall be specified by like to notice by either Party, and shall be deemed given only when received. (g) Headings. The title, headings, and subheadings of this Agreement are solely for the convenience of the Parties and do not effect the meaning or interpretation of any provision of this Agreement. (h) Governing W. Except to the extent preempted by ERISA, this Agreement shall be governed by and enforceable in accordance with the laws of the State of California without giving effect to the principles of conflict of laws thereof. (i) Arbitration. The parties agree that any and all disputes arising out of or in relation to this Agreement, including without limitation any action in tort, shall be resolved exclusively, finally and conclusively by arbitration in Los Angeles County, California under the auspices of and pursuant to the rules of the Judicial Arbitration & Mediation Services Inc. (JAMS). Each party will select an arbitrator. Those two arbitrators will then select a third. The three member panel will make the final decision. All decisions of the arbitrators shall be in writing, and the arbitrators shall provide written reasons for their decision. The arbitration decision shall be final and binding on the parties. Notwithstanding the foregoing, the parties shall be permitted to access the court system to enforce any arbitration award or to obtain injunctive relief. The exclusive jurisdiction and venue for any such action shall be the Superior Court of California, BA K O 6 7/29/05 Los Angeles County. Any and all contracts between PDA and any subcontractor shall include the same arbitration clause. 0) Entire Agreement. This Agreement and the Service Agreement contain the entire understanding between the Health Plan and PDA with respect to the subject matter hereof and, except as specifically provided herein, cancels and supersedes any and all other agreements between the Health Plan and PDA with respect to the subject matter hereof. Any amendment or modification of this Agreement shall not be binding unless in writing and signed by both the Health Plan and PDA. (k) Severability. In the event that any provision of this Agreement is determined to be invalid or unenforceable, the remaining terms and conditions of this Agreement shall be unaffected and shall remain in full force and effect, and any such determination of invalidity or unenforceability shall not affect the validity or enforceability of any other provision of this Agreement. (1) No Benefit to Others. The representations, covenants and agreements contained in this Agreement are for the sole benefit of the Parties, and they shall not be construed as conferring, and are not intended to confer, any rights on any other peisons. (m) Counterparts. This Agreement may be signed in counterparts, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument. IN WTI'NESS WHEREOF, the Parties have entered into this Business Associate Agreement, effective as of the Effective Date. HEALTH PLAN Date: By; /XA Name: Willard G. ag Title: Chief Deput ity Attorney Acting Risk Manager Address: 4305 Santa Fe venue Vernon, CA 90058 Fax Number: 3) 826-1439 PART.D ADVISORS, INC. v2-i.3-�� ' Date: By; Name: D N Title: Address: Fax Number: BA K v3 7 7/29/05 Acknow edgement by Plan Sponsor CITY OF VERNON By: • Name: Willard G Y agu Title: City Attorne /Acting Risk Manager Date: — — I BA K v3 8 7/29/05