Resolution No. 91211
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
RESOLUTION NO. 9121
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF
VERNON APPROVING AND RATIFYING THE EXECUTION OF A
BUSINESS ASSOCIATE AGREEMENT BY AND BETWEEN THE
CITY OF VERNON AND GALLAGHER BENEFIT SERVICES, INC.
WHEREAS, Gallagher Benefit Services, Inc. ("Gallagher")
provides brokerage services to the City regarding health benefits; and
WHEREAS, in order for Gallagher to obtain data in accordance
with the Health Insurance Portability and Accountability Act of 1996
and 45 CFR Parts 160-164 (the "Privacy Rule"), Gallagher has requested
that the City enter into a agreement to satisfy the "business
associate" and related requirements within the meaning of the Privacy
Rule; and
WHEREAS, in order to meet the urgent need to facilitate the
City's health benefits program, the Chief Deputy City Attorney/Acting
Risk Manager executed a Business Associate Agreement dated August 4,
2006 (the "Agreement") with Gallagher, subject to ratification by the
City Council; and
WHEREAS, the City Council desires to approve and ratify the
Agreement executed by the Chief Deputy City Attorney/Acting Risk
Manager.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE
CITY OF VERNON AS FOLLOWS:
SECTION 1: The City Council of the City of Vernon hereby
finds and determines that the recitals contained hereinabove are true
and correct.
SECTION 2: The City Council of the City of Vernon hereby
1 approves and ratifies the execution of a Business Associate Agreement
2 dated August 4, 2006, with Gallagher, a copy of which is attached
3 hereto as Exhibit A and incorporated by reference.
4 SECTION 3: The Acting City Clerk of the City of Vernon
5 shall certify to the passage of this resolution, and thereupon and
6 thereafter the same shall be in full force and effect.
7 APPROVED AND ADOPTED this 5th day of September, 2006.
8
9
10 LEONIS C. MA BURG, Mayor
11 ATTEST:
12
13
14 BRUCE V. MALKENHORST, JR.
Acting City Clerk
15
16
17
18
19
20
21
22
23
24
25
26
27
28
2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
STATE OF CALIFORNIA
COUNTY OF LOS ANGELES
ss
I, BRUCE V. MALKENHORST, JR., Acting City Clerk of the City of
Vernon, do hereby certify that the foregoing Resolution, being
Resolution No. 9121, was duly adopted by the City Council of the City
of Vernon at an adjourned regular meeting of the City Council duly held
on Tuesday, September 5, 2006, and thereafter was duly signed by the
Mayor of the City of Vernon.
BRUcV V. MALKENHORST, JR.
Acting City Clerk
(SEAL)
- 3 -
-Xisc,':
L
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement') is entered into on this 4th day of
August, 2006 (the "Effective Date"), by and between City of Vernon ("Covered Entity")
and Gallagher Benefit Services, Inc. ("Business Associate").
RECITALS:
WHEREAS, Covered Entity and Business Associate mutually desire to outline their
individual responsibilities with respect to the use and/or disclosure of Protected Health
Information ("PHT') as mandated by the Privacy Rule (as defined below) promulgated under
the Administrative Simplifications subtitle of the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA") as well as outline their individual responsibilities with
respect to the Security Standards of electronic PHI (ePHI) as outlined in 45 C.F.R. Part 160
and 164 subpart C; and
WHEREAS, Covered Entity and Business Associate understand and agree that the
Privacy Rule and Security Standards requires the Covered Entity and Business Associate
enter into a Business Associate Agreement which shall govern the use and/or disclosure of"
PHI and the security of ePHI .
NOW, THEREFORE, the parties hereto agree as follows:
1. Definitions. When used in this Agreement and capitalized, the following
terms have the following meanings:
(a) "Business Associate" shall mean Gallagher Benefit Services, Inc. and
shall include all successors and assigns of the Business Associate.
(b) "HIPAA" means the Health Insurance Portability and Accountability
Act of 1996.
(c) "Individual' shall have the same meaning as the term "Individual" in
45 C.F.R. § 164.501 and shall include a person who qualifies as a personal
representative in accordance with 45 C.F.R. § 164.502(g).
(d) "Privacy Rule" shall mean the Standards for Privacy of Individual
Identifiable Health Information as set forth at 45 G.F.R. Parts 160 and 164 Subparts A
and E.
(e) "Protected Health Information" or "PHI" shall have the same meaning
as the term "protected health information" in 45 C.F.R. § 164.501, limited to the
information created or received by Business Associate from or on behalf of Covered
Entity.
(f) "Required by Law" shall have the same meaning as the term "required
by law" in 45 C.F.R. § 164.501.
BOSS>Mandatory Standards>Docummts>Business Associate Agreement including Security 08-2006
1-1-1711
(g) "Secretary" shall mean the Secretary of the Department of Health and
Human Services or his or her designee.
(h) "Security Rule" shall mean the Standards for Security of ePHI as set
forth at 45 C.F.R. Parts 160 and 164 Subpart C.
Terms used but not defined in this Agreement shall have the same meaning as those
terms in 45 C.F.R. §§ 164.103 and 164.501.
2. Obligations and Activities of Business Associate Reeardine PHI.
(a) Business Associate agrees to not use or further disclose PHI other than
as permitted or required by this Agreement or as Required by Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use
or disclosure of the PHI other than as provided for by this Agreement.
(c) Business Associate agrees to report to Covered Entity, as soon as
reasonably practicable, any use or disclosure of PHI not provided for by this
Agreement.
(d) Business Associate agrees to ensure that any agents, including sub-
contractors (excluding entities that are merely conduits), to whom it provides PHI
agree to the same restrictions and conditions that apply to Business Associate with
respect to such information.
(e) Business Associate agrees to provide access, at the request of Covered
Entity, and in a reasonable time and manner designated by Covered Entity, to PHI in a
Designated Record Set that is not also in Covered Entity's possession, to Covered
Entity in order for Covered Entity to meet the requirements under 45 C.F.R.
§ 164.524.
(f) Business Associate agrees to make any amendment to PHI in a
Designated Record Set that the Covered Entity directs or agrees to pursuant ,to 45
C.F.R. § 164.526 in a reasonable time and manner designated by Covered Entity.
(g) Business Associate agrees to make internal practices books and records
relating to the use and disclosure of PHI available to the Secretary, in a reasonable
time and manner as designated by the Covered Entity or Secretary, for purposes of the
Secretary determining Covered Entity's compliance with the Privacy Rule. Business
Associate shall immediately notify Covered Entity upon receipt or notice of any
request by the Secretary to conduct an investigation with respect to PHI received from
the Covered Entity.
(h) Business Associate agrees to document any disclosures of PHI that are
not excepted under 45 C.F.R. § 164.528(a)(1) as would be required for Covered Entity
BOSS>Mandatory Standmrds>Documents>Business Associate Agreement including Security 08-2006
Page 2 of 8
to respond to a request by an Individual for an accounting of disclosures of PHI in
accordance with 45 C.F.R. § 164.528.
(i) Business Associate agrees to provide to Covered Entity or an
Individual, in a time and manner designated by Covered Entity, information collected
in accordance with paragraph (h) above, to permit Covered Entity to respond to a
request by an Individual for an accounting of disclosures of PHI in accordance with 45
C.F.R. § 164.528.
6) Business Associate agrees to use or disclose PHI pursuant to the
request of Covered Entity, provided, however, that Covered Entity shall not request
Business Associate to use or disclose PHI in any manner that would not be permissible
under the Privacy Rule if done by Covered Entity.
3. Permitted Uses and Disclosures of PHI by Business Associate.
(a) Business Associate may use or disclose PHI to perform functions,
activities or services for, or on behalf of, Covered Entity provided that such use or
disclosure would not violate the Privacy Rule if done by Covered Entity.
(b) Business Associate may use PHI for the proper management and
administration of Business Associate and to carry out the legal responsibilities of
Business Associate.
(c) Business Associate may disclose PHI for the proper management and
administration of Business Associate and to carry out the legal responsibilities of
Business Associate if: (i) such disclosure is Required by Law, or (ii) Business
Associate obtains reasonable assurances from the person to whom the information is
disclosed that such information will remain confidential and used or further disclosed
only as Required by Law or for the purposes for which it was disclosed to the person,
and the person agrees to notify Business Associate of any instances of which it is
aware that the confidentiality of the information has been breached.
(d) Business Associate may use PHI to provide Data Aggregation services
to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
4. 4blipations of Covered Entity Retarding PHI.
(a) Covered Entity shall provide Business Associate with the notice of
privacy practices that Covered Entity produces in accordance with 45 C.F.R.
§ 164.520, as well as any changes to such notice.
(b) Covered Entity shall provide Business Associate with any changes in,
or revocation of, authorization by an Individual to use or disclose PHI, if such changes
affect Business Associate's permitted or required uses and disclosures.
BOSS>Mandatory Standards>Documents>Business Associate Agreement including Security 08-2006
Page 3 of 8
(c) Covered Entity shall notify Business Associate of any restriction to the
use or disclosure of PHI that Covered Entity has agreed to in accordance with 45
C.F.R. § 164.522.
5. Security of Electronic Protected Health Information.
(a) Business Associate has implemented policies and procedures to ensure
that its receipt, maintenance, or transmission of electronic protected health information
("ePHI") on behalf of Covered Entity complies with the applicable administrative,
physical, and technical safeguards required protecting the confidentiality and integrity
of ePHI under the Security Standards 45 C.F.R. Part 160 and 164 subpart C.
(b) Business Associate agrees that it will ensure that agents or
subcontractors agree to implement the applicable administrative, physical, and
technical safeguards required to protect the confidentiality and integrity of ePHI under
the Security Standards 45 C.F.R. Part 164.
(c) Business Associate agrees to report to Covered Entity any Security
Incident (as defined 45 C.F.R. Part 164.304) of which it becomes aware. Business
Associate agrees to report the Security Incident to the Covered Entity as soon as
reasonably practicable, but not later than 10 business days from the date the Business
Associate becomes aware of the incident.
(d) Covered Entity agrees and understands that the Covered Entity is
independently responsible for the security of ePHI in its possession or for ePHI that it
receives from outside sources including the Business Associate.
(e) Sections 5(a) — 5(d) of this Agreement shall become effective the later
of (i) April 20, 2005 for health plans that are not small health plans or (ii) April 20,
2006 for small health plans as defined 45 C.F.R. Part 164.318, or (iii) the Effective
Date of this Agreement.
6. Amendment.
Subject to Business Associate's rights described in Section 7(c) below, the parties
agree to take any action necessary to amend this Agreement so that Covered Entity is in
compliance with the Privacy Rule. The parties may agree to amend this Agreement from time
to time in any other respect that they deem appropriate. This Agreement shall not be amended
except by written instrument executed by the parties.
7. Term and Termination.
(a) Term. This Agreement shall be effective as of the Effective Date and
shall terminate when the requirements of Section 7(d) below are satisfied.
BOSS>Mandatory Standards>Documents>Business Associate Agreement including Security 08-2006
Page 4of8
(b) Termination for Cause by Covered Entity. upon Covered Entity's
knowledge of a material breach by Business Associate, Covered Entity shall provide
an opportunity for Business Associate to cure the breach. If Business Associate does
not cure the breach within 30 days from the date that Covered Entity provides notice
of such breach to Business Associate, Covered Entity shall have the right to terminate
this Agreement by providing 30 days advance written notice of such termination to
Business Associate.
(c) Termination by Business Associate. This Agreement may be
terminated by Business Associate upon 30 days prior written notice to Covered Entity
in the event that Business Associate believes that the requirements of any law,
legislation, consent decree, judicial action, governmental regulation or agency opinion,
enacted, issued, or otherwise effective after the date of this Agreement and applicable
to PHI or to this Agreement, cannot be met by Business Associate in a commercially
reasonable manner and without significant additional expense.
Effect of Termination. Except as set forth in this Section 7(d), upon termination of
this Agreement for any reason, at the request of Covered Entity, Business Associate shall
return or destroy all PHI received from Covered Entity, or created or received by Business
Associate on behalf of Covered Entity. Business Associate shall not retain any copies of the
PHI. In the event that Business Associate determines that returning or destroying the PHI is
infeasible, such as in the use of data aggregation, Business Associate shall provide to Covered
Entity written notification of the conditions that make return or destruction infeasible. If the
return or destruction of PHI is infeasible, Business Associate shall extend the protections of
this Agreement to such PHI and limit further uses and disclosures of such PHI to those
purposes that make the return or destruction infeasible, for so long as Business Associate
maintains such PHI.
8. Notices.
All notices, requests, consents and other communications hereunder will be in writing,
will be addressed to the receiving party's address set forth below or to such other address as a
party may designate by notice hereunder, and will be either (i) delivered by hand, (ii) made
facsimile transmission, (iii) sent by overnight courier, or (iv) sent by registered mail or
certified mail, return receipt requested, postage prepaid.
If to the Covered Entity:
City of Vernon
Attention: Bruce V. Malkenhorst, Jr.
Acting City Clerk
4305 Sante Fe Ave.
Vernon, CA 90058
(323) 583-881
(323) 826-1439
BOSS>Mandatory Standards>Documents>Business Associate Agreement including Security 08-2006
Page 5 of 8
If to the Business Associate:
Gallagher Benefit Services, Inc.
Attention: Brenda Lee
Area Assistant Vice President
505 North Brand Blvd., 6` Floor
Glendale, CA 91203-3944
(818) 539-1347
(818) 539-1647 fax
9. Seyerability.
The parties intend this Agreement to be enforced as written. However, (i) if any
portion or provision of this Agreement will to any extent be declared illegal or unenforceable
by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the
application of such portion or provision in circumstances other than those as to which it.is so
declared illegal or unenforceable, will not be affected thereby, and each portion and provision
of this Agreement will be valid and enforceable to the fullest extent permitted by law; and (ii)
if any provision, or part thereof, is held to be unenforceable because of the duration of such
provision, the Covered Entity and the Business Associate agree that the court making such
determination will have the power to modify such provision, and such modified provision will
then be enforceable to the fullest extent permitted by law.
10. Headings and Captions.
The headings and captions of the various subdivisions of the Agreement are for
convenience of reference only and will in no way modify or affect the meaning or
construction of any of the terms or provisions hereof.
11. . No Waiver of Rights, Powers and Remedies.
No failure or delay by a party hereto in exercising any right, power or remedy under
this Agreement, and no course of dealing between the parties hereto, will operate as a waiver
of any such right, power or remedy of the party.. No single or partial exercise of any right,
power or remedy under this Agreement by a party hereto, nor any abandonment or
discontinuance of steps to enforce any such right, power or remedy, will preclude such party
from any other or further exercise thereof or theexercise of any other right, power or remedy
hereunder. The election of any remedy by a party hereto will not constitute a waiver of the
right of such pasty to pursue other available remedies. No notice to or demand on a party not
expressly required under this Agreement will entitle the party receiving such notice or
demand to any other or further notice or demand in similar or other circumstances or
constitute a waiver of the right of the party giving such notice or demand to any other or
further action in any circumstances without such notice or demand. The terms and provisions
of this Agreement may be waived, or consent for the departure therefrom granted, only by
written document executed by the party entitled to the benefits of such terms or provisions.
No such waiver or consent will be deemed. to be or will constitute a waiver or consent with
respect to any other terms or provisions of this Agreement, whether or not similar. Each such
BOSS>Mandatory Standards>Docu ncnts>Business Associate Agreement including Security 08-2006
Page 6 of 8
waiver or consent will be effective only in the specific instance and for the purpose for which
it was given, and will not constitute a continuing waiver or consent.
12. Regulatory References.
A reference in this Agreement to a section in the Privacy Rule means the referenced
section or its successor, and for which compliance is required.
13. Governing Law.
This Agreement will be governed by and construed in accordance with the laws of
the State of Illinois.
14. Entire Agreement.
This Agreement sets forth the entire understanding of the parties with respect to the
subject matter set forth herein and supersedes all prior agreements, arrangements and
communications, whether oral or written, pertaining to the subject matter hereof.
15. lnteraretation.
Any ambiguity in this Agreement shall be interpreted consistent with the Privacy Rule
and Security Rule.
BOSS>Mandatory Standards>Docurnents>Business Associate Agreement including Security 08-2006
Page 7 of 8
IN WITNESS WHEREOF, the parties have executed this Business Associate
Agreement as of the Effective Date.
BUSINESS ASSOCIATE:
GALLAGHER BENEFIT
All/ i.. / /■ I11 -1�i
COVERED ENTITY:
CITY O,F VERNON
Title: Chief Deputy( Cjety Attorney/Acting Risk
BOSS>Mandatory Standards>Doeutt=ts>8usiTms Associate Agreement including Security 08-2006