AMENDMENT #16 TO CONTRACT #0654 BETWEEN THE GEORGIA DEPARTMENT OF COMMUNITY HEALTH AND WELLCARE OF GEORGIA, INC.
Exhibit 10.1
AMENDMENT #16
TO CONTRACT #0654 BETWEEN
THE GEORGIA DEPARTMENT OF COMMUNITY HEALTH
AND
WELLCARE OF GEORGIA, INC.
This Amendment is between the Georgia Department of Community Health (hereinafter referred to as “DCH” or the “Department”) and WellCare of Georgia, Inc. (hereinafter referred to as “Contractor”) and is made effective on the date DCH receives approval from the Centers for Medicare and Medicaid Services (hereinafter referred to as “CMS”) and the Georgia Department of Administrative Services (“DOAS”), whichever last occurs, as further described herein. Unless expressly modified, deleted, or added in this Amendment #16, the terms and conditions of the original Contract, as previously amended, are expressly incorporated into this Amendment #16 as if completely restated herein.
WHEREAS, DCH and Contractor executed a Contract with an effective date of July 18, 2005, for the provision of services to members of the Georgia Families program;
WHEREAS, DCH and Contractor desire to amend the Contract, pursuant to Section 32.0 Amendment in Writing, to add additional renewal options as further described herein; and
WHEREAS, DCH requests permission from CMS and DOAS to add such additional renewal options;
NOW THEREFORE, for and in consideration of the mutual promises of the parties, the terms, provisions and conditions of this Amendment and other good and valuable consideration, the sufficiency of which is hereby acknowledged, DCH and Contractor hereby agree as follows:
I. | To delete the language in Section 6.0, Term of Contract, in its entirety and replace it with the following language: |
This Contract shall begin on the Effective Date and shall continue until June 30, 2006 unless terminated earlier pursuant to Xxxxxxx 00, Xxxxxxxxxxx of Contract. The parties agree that DCH has ten (10) options to renew this Contract for additional terms up to one (1) State fiscal year, which shall begin on July 1, and end at midnight on June 30 of the following year as follows:
Initial Term: | July 18, 2005 – June 30, 2006 | |
Renewal Option 1: | July 1, 2006 – June 30, 2007 | |
Renewal Option 2: | July 1, 2007 – June 30, 2008 | |
Renewal Option 3: | July 1, 2008 – June 30, 2009 | |
Renewal Option 4: | July 1, 2009 – June 30, 2010 | |
Renewal Option 5: | July 1, 2010 – June 30, 2011 | |
Renewal Option 6: | July 1, 2011 – June 30, 2012 | |
Renewal Option 7: | July 1, 2012 – June 30, 2013 | |
Renewal Option 8: | July 1, 2013 – June 30, 2014 | |
Renewal Option 9: | July 1, 2014 – June 30, 2015 | |
Renewal Option 10: | July 1, 2015 – June 30, 2016 | |
Amendment #16 | Page 1 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
Pursuant to O.C.G.A. § 50-5-64(a)(2), all renewal options shall be exercisable solely and exclusively by DCH. The terms, conditions and pricing in effect at the time of renewal shall apply for each renewal option term. DCH will send Contractor written notice of its intent to exercise a renewal option under this Contract. As to each term, the Contract shall be terminated absolutely at the close of the then current state fiscal year without further obligation by DCH. Notwithstanding any language to the contrary, DCH reserves the right to terminate this Contract prior to the close of the fiscal year pursuant to Section 22, Termination of Contract.
II. | To replace Attachment E, Business Associate Agreement, with the revised version of that agreement that is contained at Exhibit 1 to this Amendment. |
III. | This Amendment is contingent upon receiving approval from both CMS and DOAS and shall be effective once written notices of such approvals are received by DCH. DCH shall notify Contractor in writing upon receipt of responses from CMS and DOAS. In the event approval is denied by either CMS or DOAS, this Amendment shall be null and void and have no effect upon the Contract. |
IV. | DCH and Contractor agree that they have assumed an obligation to perform the covenants, agreements, duties, and obligations of the Contract, as modified and amended herein, and agree to abide by all the provisions, terms and conditions contained in the Contract as modified and amended. |
V. | This Amendment shall be binding and inure to the benefit of the Parties hereto, their heirs, representatives, successors, and assigns. In the event of a conflict between the provisions of this Amendment and the Contract or any previous amendments, the provisions of this Amendment shall control and govern. Additionally, in the event of a conflict between this Amendment and any exhibit or attachment incorporated into this Amendment, the provisions of this Amendment shall control and govern. |
VI. | It is understood by the Parties hereto that, if any part, term, or provision of this Amendment or this Amendment in its entirety is held to be illegal or in conflict with any law of this State, then DCH, at its sole option, may enforce the remaining unaffected portions or provisions of this Amendment or of the Contract and the rights and obligations of the Parties shall be construed and enforced as if the Contract or Amendment did not contain the particular part, term or provision held to be invalid. |
VII. | This Amendment shall be construed in accordance with the laws of the State of Georgia. |
VIII. | All other terms and conditions contained in the Contract and any amendment thereto, not amended by this Amendment, shall remain in full force and effect. |
IX. | Each Party has had the opportunity to be represented by counsel of its choice in negotiating this Amendment. This Amendment shall therefore be deemed to have been negotiated and prepared at the joint request, direction, and consideration of the Parties, at arms’ length, with the advice and participation of counsel, and will be interpreted in accordance with its terms without favor to any Party. |
Amendment #16 | Page 2 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
X. | This amendment may be signed in any number of counterparts, each of which shall be an original, with the same effect as if the signatures thereto were upon the same instrument Any signature below that is transmitted by facsimile or other electronic means shall be binding and effective as the original. |
Signatures on the following page
Amendment #16 | Page 3 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
SIGNATURE PAGE
IN WITNESS WHEREOF, DCH and Contractor, through their authorized officers and agents, have caused this Amendment to be executed on their behalf as of the date indicated.
GEORGIA DEPARTMENT OF COMMUNITY HEALTH
/s/ Xxxxx X. Xxxxx, III | March 5, 2014 | |
Xxxxx X. Xxxxx III, Esq., Commissioner | Date | |
/s/ Xxxxx X. Xxxxxxxx | 3/4/14 | |
Xxxxx Xxxxxxxx, Chief | Date | |
Division of Medical Assistance Plans | ||
WELLCARE OF GEORGIA, INC.
BY: | /s/ Xxxxx X. Xxxxxx | 2/27/14 | |
*SIGNATURE | Date | ||
Xxxxx X. Xxxxxx | |||
Please Print/Type Name Here | |||
TITLE President | |||
* Must be President, Vice President, CEO or Other Officer Authorized by Corporate Resolution to Execute on Behalf of and Bind the Entity to a Contract
Amendment #16 | Page 4 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
EXHIBIT 1
ATTACHMENT E
BUSINESS ASSOCIATE AGREEMENT (REVISED)
This Business Associate Agreement (hereinafter referred to as “Agreement”), effective this 8th day of April, 2014 (hereinafter the “Effective Date”) is made and entered into by and between the Georgia Department of Community Health (hereinafter referred to as “DCH”) and WellCare of Georgia, Inc. (hereinafter referred to as “Contractor”) as Attachment E to Contract No. 0654 between DCH and Contractor dated July 18, 2005 (hereinafter referred to as the “Contract”).
WHEREAS, DCH is a hybrid entity, as defined in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and is required by HIPAA to enter into a Business Associate Agreement with certain entities that provide functions, activities, or services on behalf of or in support of health care components of DCH, which functions, activities or services involve the use of Protected Health Information as defined by HIPAA (“PHI”);
WHEREAS, Contractor, under the Contract provides functions, activities, or services involving the use of PHI;
NOW, THEREFORE, for and in consideration of the mutual promises, covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, DCH and Contractor (each individually a “Party” and collectively the “Parties”) hereby agree as follows:
1. | Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms have in HIPAA and in Title XIII of the American Recovery and Reinvestment Act of 2009 (the Health Information Technology for Economic and Clinical Health Act, or “HITECH”), and in the implementing regulations of HIPAA and HITECH. Implementing regulations are published as the Standards for Privacy and Security of Individually Identifiable Health Information in 45 C.F.R. Parts 160 and 164. Together, HIPAA, HITECH, and their implementing regulations are referred to in this Agreement as the “Privacy Rule and Security Rule.” If the meaning of any defined term is changed by law or regulation, then this Agreement will be automatically modified to conform to such change. The term “NIST Baseline Controls” means the baseline controls set forth in National Institute of Standards and Technology (NIST) SP 800-53 established for “moderate impact” information. |
2. | Except as limited in this Agreement, Contractor may use or disclose PHI only to the extent necessary to meet its responsibilities as set forth in the Contract provided that such use or disclosure would not violate the Privacy Rule or the Security Rule, if done by DCH. Furthermore, except as otherwise limited in this Agreement, Contractor may: |
A. | Use PHI for internal quality control and auditing purposes. |
B. | Use or disclose PHI as Required by Law. |
C. | After providing written notification to DCH’s Office of Inspector General, use PHI to make a report to a health oversight agency authorized by law to investigate DCH (or otherwise |
Amendment #16 | Page 5 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
oversee the conduct or conditions of the DCH) about any DCH conduct that Contractor in good faith believes to be unlawful as permitted by 45 C.F.R. 164.502(j)(1). Notwithstanding the foregoing, Contractor shall not be required to provide prior written notice to DCH’s Office of Inspector General if Contractor is provided written instruction otherwise by the health oversight agency authorized by law to investigate DCH.
D. | Use and disclose PHI to consult with an attorney for purposes of determining Contractor’s legal options with regard to reporting conduct by DCH that Contractor in good faith believes to be unlawful, as permitted by 45 C.F.R. 164.502(j)(1). |
3. | Contractor represents and warrants that only individuals designated by title or name on Attachments E-1 and E-2 will request PHI from DCH or access DCH PHI in order to perform the services of the Contract, and these individuals will only request the minimum necessary amount of information necessary in order to perform the services. |
4. | Contractor represents and warrants that the individuals listed by title on Attachment E-1 require access to PHI in order to perform services under the Contract. Contractor agrees to send updates to Attachment E-1 whenever necessary. Uses or disclosures of PHI by individuals not described on Attachment E-1 are impermissible. |
5. | Contractor represents and warrants that the individuals listed by name on Attachment E-2 require access to a DCH information system in order to perform services under the Contract. Contractor agrees to notify the Project Leader and the Access Control Coordinator named on Attachment E-2 immediately, but at least within 24 hours, of any change in the need for DCH information system access by any individual listed on Attachment E-2. Any failure to report a change within the 24 hour time period will be considered a security incident and may be reported to Contractor’s Privacy and Security Officer, Information Security Officer and the Georgia Technology Authority for proper handling and sanctions. |
6. | Contractor agrees that it is a Business Associate to DCH as a result of the Contract, and represents and warrants to DCH that it complies with the Privacy Rule and Security Rule requirements that apply to Business Associates and will continue to comply with these requirements. Contractor further represents and warrants to DCH that it maintains and follows written policies and procedures to achieve and maintain compliance with the HIPAA Privacy and Security Rules that apply to Business Associates, including, but not limited to policies and procedures addressing HIPAA’s requirements that Business Associates use, request and disclose only the minimum amount of PHI necessary to perform their services, and updates such policies and procedures as necessary in order to comply with the HIPAA Privacy and Security Rules that apply to Business Associates and will continue to maintain and update such policies and procedures. These policies and procedures, and evidence of their implementation, shall be provided to DCH upon request. |
7. | The Parties agree that a copy of all communications related to compliance with this Agreement will be forwarded to the following Privacy and Security Contacts: |
Amendment #16 | Page 6 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
A. | At DCH: | Xxxx Xxxxxxxx-Xxxxxxx | ||
HIPAA Privacy and Security Specialist, Office of General Counsel | ||||
xxxxx@xxx.xx.xxx | ||||
xxxxxxxx@xxx.xx.xxx | ||||
000-000-0000 | ||||
Xxxxxxx Xxxxxx | ||||
Agency Information Security Officer | ||||
xxxxxxxxx@xxx.xx.xxx | ||||
000-000-0000 | ||||
At Contractor: | Xxxxxxx Xxxxx | |||
Chief Privacy/Security Officer | ||||
Xxxxxxx.Xxxxx@xxxxxxxx.xxx | ||||
000-000-0000 | ||||
Contractor further agrees that it will:
A. | Not request, create, receive, use or disclose PHI other than as permitted or required by this Agreement, the Contract, or as required by law. |
B. | Establish, maintain and use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement or the Contract. Such safeguards must include an Information Security Program which consists of internal policies, standards and procedures built on the HIPAA Security Rules and the CMS HIPAA Security Series, unless DCH has agreed in writing that the control is not appropriate or applicable. |
C. | Implement and use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of DCH. Such safeguards must include an Information Security Program which consists of internal policies, standards and procedures built on the HIPAA Security Rules and the CMS HIPAA Security Series, unless DCH has agreed in writing that the control is not appropriate or applicable. |
D. | Implement the HITRUST Common Security Framework (CSF) by first quarter 2015; |
E. | In addition to the safeguards described above, Contractor shall include access controls that restrict access to PHI to the individuals listed on E-1 and E-2, as amended from time to time, shall implement encryption of all electronic PHI during transmission and will use the following safeguards to protect PHI at rest: |
(1) | Perimeter and multi-layer DMZ firewalls; |
(2) | Intrusion Prevention Systems (IPS); |
(3) | Data Loss Prevention (DLS) tools for Network and End-Point; |
Amendment #16 | Page 7 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
(4) | End-Point Protection (this includes host firewall, host IPS, Anti-virus and Malware protection, and full disk encryption for laptops) |
(5) | Network Access Controls (NAC) |
(6) | Web and Spam Filtering |
(7) | Anti-virus/Malware Protection (email) |
(8) | Database encryption |
(9) | Centralized Logging and Monitoring Solution |
(10) | Access Control Lists (this includes the following levels (1) File, Folder Share Level, (2) Database Level, and (3) Application Level) |
F. | Upon DCH’s reasonable request, but no more frequently than annually, obtain an independent assessment of Contractor’s implementation of the HITRUST Common Security Framework (CSF) and the additional safeguards required by this Agreement with respect to DCH PHI, provide the results of such assessments to DCH, and ensure that corrective actions identified during the independent assessment are implemented. |
G. | Mitigate, to the extent practicable, any harmful effect that may be known to Contractor from a use or disclosure of PHI by Contractor in violation of the requirements of this Agreement, the Contract or applicable regulations. Contractor shall bear the costs of mitigation, which shall include the reasonable costs of credit monitoring and may include credit restoration, if applicable, when the use or disclosure results in exposure of information commonly used in identity theft. |
H. | Maintain a business associate agreement with its agents or subcontractors to whom it provides PHI, in accordance with which such agents or subcontractors are contractually obligated to comply with at least the same obligations that apply to Contractor under this Agreement, and ensure that its agents or subcontractors comply with the conditions, restrictions, prohibitions and other limitations regarding the request for, creation, receipt, use or disclosure of PHI, that are applicable to Contractor under this Agreement and the Contract. |
I. | Report to DCH any use or disclosure of PHI that is not provided for by this Agreement or the Contract of which it becomes aware. |
J. | Make an initial report to the DCH in writing in such form as DCH may require within three (3) business days after Contractor (or any subcontractor) becomes aware of the unauthorized use or disclosure. This report will require Contractor to identify the following: |
i. | The nature of the impermissible use or disclosure (the “incident”), which will include a brief description of what happened, including the date it occurred and the date Contractor discovered the incident; |
ii. | The Protected Health Information involved in the impermissible use or disclosure, such as whether the full name, social security number, date of birth, home address, account number or other information were involved); |
Amendment #16 | Page 8 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
iii. | Who (by title, access permission level and employer) made the impermissible use or disclosure and who received the Protected Health Information as a result; |
iv. | What corrective or investigational action Contractor took or will take to prevent further impermissible uses or disclosures, to mitigate harmful effects, and to prevent against any further incidents; |
v. | What steps individuals who may have been harmed by the incident might take to protect themselves; and |
vi. | Whether Contractor believes that the impermissible use or disclosure constitutes a Breach of Unsecured Protected Health Information. |
Upon request by the DCH HIPAA Privacy and Security Officer or the DCH Information Security Officer, Contractor agrees to make a complete report to the DCH in writing within two weeks of the initial report that includes a root cause analysis and a proposed corrective action plan. Upon approval of a corrective action plan by the DCH, Contractor agrees to implement the corrective action plan and provide proof of implementation to the DCH within ten (10) business days of DCH’s request for proof of implementation.
K. | Report to the DCH HIPAA Privacy and Security Officer and the DCH Agency Information Security Officer any successful unauthorized access, modification, or destruction of PHI or interference with system operations in Contractor’s information systems as soon as practicable but in no event later than three (3) business days of discovery. If such a security incident resulted in a use or disclosure of PHI not permitted by this Agreement, Contractor shall also make a report of the impermissible use or disclosure as described above. Contractor agrees to make a complete report to the DCH in writing within two weeks of the initial report that includes a root cause analysis and, if appropriate, a proposed corrective action plan designed to protect PHI from similar security incidents in the future. Upon DCH’s approval of Contractor’s corrective action plan, Contractor agrees to implement the corrective action plan and provide proof of implementation to the DCH. |
L. | Upon DCH’s reasonable request and not more frequently than once per quarter, report to the DCH Agency Information Security Officer any (A) attempted (but unsuccessful) unauthorized access, use, disclosure, modification, or destruction of PHI or (B) attempted (but unsuccessful) interference with system operations in Contractor’s information systems. Contractor does not need to report trivial incidents that occur on a daily basis, such as scans, “pings,” or other routine attempts that do not penetrate computer networks or servers or result in interference with system operations. |
M. | Cooperate with DCH and provide assistance necessary for DCH to determine whether a Breach of Unsecured Protected Health Information has occurred, and whether notification of the Breach is legally required or otherwise appropriate. Contractor agrees to assist DCH in its efforts to comply with the HIPAA Privacy and Security Rules, as amended from time to time. To that end, the Contractor will abide by any requirements mandated by the HIPAA Privacy and Security Rules or any other applicable laws in the course of this Contract. Contractor warrants that it will cooperate with DCH, including cooperation with DCH privacy officials and other compliance officers required by the HIPAA Privacy and Security Rules |
Amendment #16 | Page 9 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
and all implementing regulations, in the course of performance of this Contract so that both parties will be in compliance with HIPAA.
N. | If DCH determines that a Breach of Unsecured Protected Health Information has occurred as a result of Contractor’s impermissible use or disclosure of PHI or failure to comply with obligations set forth in this Agreement or in the Privacy or Security Rules, provide all notifications to Individuals, HHS and/or the media, on behalf of DCH, after the notifications are approved by the DCH. Contractor shall provide these notifications in accordance with the security breach notification requirements set forth in 00 X.X.X. §00000 and 45 C.F.R. Parts 160 & 164 subparts A, D & E as of their respective Compliance Dates, and shall pay for the reasonable and actual costs associated with such notifications. |
In the event that DCH determines a Breach has occurred, without unreasonable delay, and in any event no later than thirty (30) calendar days after Discovery, Contractor shall provide the DCH HIPAA Privacy and Security Officer a list of Individuals and a copy of the template notification letter to be sent to Individuals. Contractor shall begin the notification process only after obtaining DCH’s approval of the template notification letter. Within ten (10) business days of receipt of the template notification letter, DCH shall either: send notice of approval to Contractor or send notice of modifications that must be made to the template notification letter.
O. | Make any amendment(s) to PHI in a Designated Record Set that DCH directs or agrees to pursuant to 45 CFR 164.526 within five (5) business days after request of DCH. Contractor also agrees to provide DCH with written confirmation of the amendment in such format and within such time as DCH may require. |
P. | In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, Contractor shall, within five (5) business days following DCH’s request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the DCH, provide DCH access to the PHI in an individual’s Designated Record Set. However, if requested by DCH, Contractor shall provide access to the PHI in a Designated Record Set directly to the individual to whom such information relates. |
Q. | Give the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) or the Secretary’s designees access to Contractor’s books and records and policies, practices or procedures relating to the use and disclosure of PHI for or on behalf of DCH within five (5) business days after the Secretary or the Secretary’s designees request such access or otherwise as the Secretary or the Secretary’s designees may require. Contractor also agrees to make such information available for review, inspection and copying by the Secretary or the Secretary’s designees during normal business hours at the location or locations where such information is maintained or to otherwise provide such information to the Secretary or the Secretary’s designees in such form, format or manner as the Secretary or the Secretary’s designees may require. |
R. | Document all disclosures of PHI and information related to such disclosures as would be required for DCH to respond to a request by an Individual or by the Secretary for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. By no later than five (5) business days of receipt of a written request from DCH, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the DCH |
Amendment #16 | Page 10 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
HIPAA Privacy and Security Officer, Contractor shall provide an accounting of disclosures of PHI regarding an Individual to DCH. If requested by DCH, Contractor shall provide an accounting of disclosures directly to the individual. Contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the DCH upon request.
S. | In addition to any indemnification provisions in the Contract, indemnify the DCH from any liability resulting from any violation of the HIPAA Privacy and Security Rules or Breach that arises from the conduct or omission of Contractor or its employee(s), agent(s) or subcontractor(s). Such liability will include, but not be limited to, all actual and direct costs and/or losses, civil penalties and reasonable attorneys’ fees imposed on DCH. |
T. | For any requirements in this Agreement that include deadlines, pay performance guarantee payments of $300.00 per calendar day, starting with the day after the deadline and continuing until Contractor complies with the requirement. Contractor shall ensure that its agreements with subcontractors enable Contractor to meet these deadlines. |
8. | DCH agrees that it will: |
A. | Notify Contractor of any new limitation in the applicable Notice of Privacy Practices in accordance with the provisions of the Privacy Rule if, and to the extent that, DCH determines in the exercise of its sole discretion that such limitation will affect Contractor’s use or disclosure of PHI. |
B. | Notify Contractor of any change in, or revocation of, authorization by an Individual for DCH to use or disclose PHI to the extent that DCH determines in the exercise of its sole discretion that such change or revocation will affect Contractor’s use or disclosure of PHI. |
C. | Notify Contractor of any restriction regarding its use or disclosure of PHI that DCH has agreed to in accordance with the Privacy Rule if, and to the extent that, DCH determines in the exercise of its sole discretion that such restriction will affect Contractor’s use or disclosure of PHI. |
D. | Prior to agreeing to any changes in or revocation of permission by an Individual, or any restriction, to use or disclose PHI, DCH agrees to contact Contractor to determine feasibility of compliance. DCH agrees to assume all costs incurred by Contractor in compliance with such special requests. |
9. | The Term of this Agreement shall be effective on the Effective Date and shall terminate when all of the PHI provided by DCH to Contractor, or created or received by Contractor on behalf of DCH, is destroyed or returned to DCH, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this section. |
A. | Termination for Cause. Upon DCH’s knowledge of a material breach of this Agreement by Contractor, DCH shall either: |
i. | Provide an opportunity for Contractor to cure the breach of Agreement within a reasonable period of time, which shall be within thirty (30) calendar days after receiving written notification of the breach by DCH; |
Amendment #16 | Page 11 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
ii. | If Contractor fails to cure the breach of Agreement, terminate the Contract upon thirty (30) calendar days notice; or |
iii. | If neither termination nor cure is feasible, DCH shall report the breach of Agreement to the Secretary of the Department of Health and Human Services. |
B. | Effect of Termination. |
i. | Upon termination of this Agreement, for any reason, DCH and Contractor shall determine whether return of PHI is feasible. If return of the PHI is not feasible, Contractor agrees to continue to extend the protections of this Agreement to the PHI for so long as the Contractor maintains the PHI and shall limit the use and disclosure of the PHI to those purposes that made return or destruction of the PHI infeasible. If at any time it becomes feasible to return or destroy any such PHI maintained pursuant to this paragraph, Contractor must notify DCH and obtain instructions from DCH for either the return or destruction of the PHI. |
ii. | Contractor agrees that it will limit its further use or disclosure of PHI only to those purposes DCH may, in the exercise of its sole discretion, deem to be in the public interest or necessary for the protection of such PHI, and will take such additional actions as DCH may require for the protection of patient privacy and the safeguarding, security and protection of such PHI. |
iii. | This Effect of Termination section survives the termination of the Agreement. |
10. | Interpretation. Any ambiguity in this Agreement shall be resolved to permit DCH and Contractor to comply with applicable laws, rules and regulations, the HIPAA Privacy Rule, the HIPAA Security Rule and any rules, regulations, requirements, rulings, interpretations, procedures or other actions related thereto that are promulgated, issued or taken by or on behalf of the Secretary; provided that applicable laws, rules and regulations and the laws of the State of Georgia shall supersede the Privacy Rule if, and to the extent that, they impose additional requirements, have requirements that are more stringent than or have been interpreted to provide greater protection of patient privacy or the security or safeguarding of PHI than those of the HIPAA Privacy Rule. |
11. | No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations or liabilities whatsoever. |
12. | All other terms and conditions contained in the Contract and any amendment thereto, not amended by this Agreement, shall remain in full force and effect. |
(Signatures on following page)
Amendment #16 | Page 12 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
IN WITNESS WHEREOF, Contractor, through its authorized officer and agent, has caused this Agreement to be executed on its behalf as of the date indicated.
WELLCARE OF GEORGIA, INC.
BY: | /s/ Xxxxx X. Xxxxxx | 2/27/14 | |
SIGNATURE | Date | ||
Xxxxx X. Xxxxxx | |||
President | |||
TITLE* | |||
* Must be President, Vice President, CEO or Other Officer Authorized to Execute on Behalf of and Bind the Entity to a Contract
Amendment #16 | Page 13 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
ATTACHMENT E-1
List of Individuals Permitted to Receive, Use and Disclose DCH PHI
The following Position Titles, as employees and/or representatives of Contractor, need access to DCH Protected Health Information in order for Contractor to perform the services described in the Contract:
• | Xxxxxxx Xxxxx – Regulatory Affairs |
• | Xxxxxx Xxxx – Reporting & Analytics |
• | Xxxxx Xxxxxxx – IT & Operations |
• | Xxxxxxxx Xxxxxxxx – Project Analysis |
• | Xxxx Xxxxxxx – Project Administration |
Transfers of PHI must comply with DCH Policy and Procedure 419: Appropriate Use of Information Technology Resources.
Approved methods of secure delivery of PHI between Contractor and DCH:
• | Secure FTP file transfer (preferred) |
• | Encrypted email or email sent through “secure tunnel” approved by DCH Information Security Officer |
• | Email of encrypted document (password must be sent by telephone only) |
• | Encrypted portable media device and tracked delivery method |
Contractor must update this list as needed and provide the updated form to DCH. Use of DCH Protected Health Information by individuals who are not described on this Attachment E-1, as amended from time to time, is impermissible and a violation of the Agreement. Contractor must update this Attachment E-1 as needed and provide the updated form to DCH.
DCH Project Leader Contact Information: | Xxxxxxxx X. Xxxxxx | ||
Deputy Director, Medicaid Operations | |||
Georgia Department of Community Health | |||
0 Xxxxxxxxx Xx., XX – 00xx Xxxxx | |||
Xxxxxxx, Xxxxxxx 00000 | |||
(000) 000-0000 | |||
Amendment #16 | Page 14 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
ATTACHMENT E-2
Part 1:
Please initial beside the correct option. Please select only one option.
_________ | Contractor DOES NOT need any user accounts to access DCH Information Systems. Do not complete Part 2 of this form. |
____X____ | Contractor DOES need user accounts to access DCH Information Systems. Please complete Part 2 of this form. |
Part 2:
Please complete the table below if you indicated that Contractor DOES need any user accounts to access DCH Information Systems. Please attach additional pages if needed.
List of Individuals Authorized to Access a DCH Information System Containing PHI
The following individuals, as employees and/or representatives of Contractor, need access to DCH Information Systems containing DCH Protected Health Information in order for Contractor to perform the services described in the Contract:
Full Name | Employer | DCH Information System | Type of Access (Read only? Write?) |
Separate Attachment | |||
The DCH Project Leader must submit a completed DCH Network Access Request Form for each individual listed above. Access will be granted and changed in accordance with DCH Policy and Procedure 435: Managing Authorization, Access and Control of Information Systems.
Contractor must notify the Project Leader identified in the Contract and the DCH Access Control Coordinator (xxxxxx@xxx.xx.xxx and xxxxxxxx@xxx.xx.xxx) immediately, but at least within 24 hours, after any individual on this list no longer needs the level of access described. Failure to provide this notification on time is a violation of the Agreement and will be reported as a security incident.
Contractor must update this Attachment E-2 as needed and provide the updated form to DCH.
DCH Project Leader Contact Information: | Xxxxxxxx X. Xxxxxx | ||
Deputy Director, Medicaid Operations | |||
Georgia Department of Community Health | |||
0 Xxxxxxxxx Xx., XX – 00xx Xxxxx | |||
Xxxxxxx, Xxxxxxx 00000 | |||
(000) 000-0000 | |||
Amendment #16 | Page 15 of 15 | |
Contract #0654 | ||
WELLCARE OF GEORGIA, INC. | ||
