AMENDMENT NO. 3 TO MASTER SERVICES AGREEMENT
Exhibit 10.19.9
AMENDMENT NO. 3 TO
THIS AMENDMENT NO. 3 TO MASTER SERVICES AGREEMENT (“Amendment 3”) is dated and effective as of April 14, 2003 (the “Amendment Effective Date”), by and between Exult, Inc., a Delaware corporation (“Service Provider”) and Bank of America Corporation (“Customer”). All capitalized terms used herein without definition shall have the meanings ascribed to them in that certain Master Services Agreement dated as of November 21, 2000 (as amended to date, the “Existing Agreement”), by and between Service Provider and Customer, unless otherwise provided in Section 14.3 below.
R E C I T A L S
WHEREAS, as part of the obligation to comply with applicable laws, the parties agree that the terms of this Amendment will apply to Service Provider with respect to HIPAA (as defined below) requirements.
WHEREAS, Service Provider and Customer desire to amend the Existing Agreement with respect to the group health plan component of the Benefits Process of the Services pursuant to the terms and conditions set forth herein.
NOW, THEREFORE, in consideration of the foregoing and other valuable consideration, the receipt of which is hereby acknowledged, the parties hereto agree as follows:
The Existing Agreement is hereby amended by adding section 14.3 as follows:
1. “14.3 The following terms apply with respect to Business Associate / HIPAA Privacy.
14.3.1 Definitions
14.3.1.1 Terms used in this Section 14.3, but not otherwise defined, shall have the meaning given in 45 CFR 160.103 and 164.501.
14.3.1.2 “Bank of America” means Bank of America Corporation, the plan sponsor of the Bank of America Group Benefits Program, and its participating subsidiaries.
14.3.1.3 “Business Associate” means Service Provider.
14.3.1.4 “Covered Entity” means the group health plan component of the Bank of America Group Benefits Program
14.3.1.5 “HIPAA” means the Health Insurance Portability and Accountability Act, Public Law 104-191, as such law may be amended from time to time.
14.3.1.6 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. A reference in this Section 14.3 to a section in the Privacy Rule means the section as in effect or as amended.
14.3.1.7 “Protected Health Information” has the meaning given the same term in 45 CFR 164.501, however limited to the information created or received by Business Associate from or on behalf of Covered Entity.
14.3.1.8 “Secretary” means the Secretary of the Department of Health and Human Services or his designee.
14.3.2 Obligations and Activities of Business Associate
14.3.2.1 Business Associate’s obligations under Section 14.3.2 are conditioned upon Covered Entity’s satisfactory performance of its obligations under Section 14.3.4 and Section 14.3.5. Any failure of
1
Covered Entity to perform its obligations hereunder shall excuse Business Associate from performing its obligations hereunder to the extent such performance is hindered or prevented by such failure to perform by Covered Entity. Business Associate’s obligations under this Section 14.3.2 exist and occur solely to the extent required by HIPAA and the Privacy Rule.
14.3.2.2 Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this Section 14.3 or as required by Law.
14.3.2.3 Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Section 14.3.
14.3.2.4 Business Associate agrees to mitigate, to the extent commercially reasonable and practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Section 14.3.
14.3.2.5 Business Associate agrees to report to Covered Entity any known use or disclosure of the Protected Health Information not provided for by this Section 14.3.
14.3.2.6 Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to substantially the same restrictions and conditions that apply through this Section 14.3 to Business Associate with respect to such information.
14.3.2.7 Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to Protected Health Information in a designated record set, if any, to Covered Entity or, as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR 164.524.
14.3.2.8 Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the reasonable request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. For all requested amendments under this Section 14.3.2.8, Business Associate shall be entitled to rely entirely on such requests for all matters relating to the accuracy and completeness of such Protected Health information.
14.3.2.9 Business Associate agrees, subject to Business Associate’s security requirements, confidentiality obligations and Section 17.0 (Audits) of this Agreement, to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner mutually agreed on by Covered Entity and Business Associate or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
14.3.2.10 Business Associate agrees to document such disclosures of Protected Health Information, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.(i.e. the date of the disclosure, the name of the entity or person who received the Protected Health Information and, if known, the address of such entity or person, a description of the information disclosed and a brief statement of the purpose for the disclosure or a copy of the individual’s authorization or the request for disclosure).
14.3.2.11 Business Associate agrees to provide to Covered Entity or an individual, in time and manner reasonably designated by Covered Entity, information collected in accordance with Section 14.3.2.10, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
14.3.2.12 The Parties acknowledge and agree that the obligations set forth in Sections 14.3.2.7 (access), 14.3.2.8 (amendment) and 14.3.2.10 (accounting) are needed so that Covered Entity can comply with the Privacy Rule in accordance with Section 8.2 (Changes in Law) and that Business Associate may incur costs and expenses to provide these new services on behalf of Covered Entity so that Covered Entity will be in compliance with the Privacy Rule. Due to the timing of the Privacy Rule
2
compliance date, Business Associate agrees to implement and provide the services set forth in this Section 14.3 for Covered Entity’s benefit prior to the Parties defining the impact on Fees and Service Levels (if any impact). Covered Entity and Business Associate agree to engage in Change Control Management to equitably adjust the Fees to compensate Business Associate, and changes in Service Levels, if any as soon as practicable after implementation of the new services and processes set forth in this Section 14.3 in response to changes in Law that apply to Covered Entity.
14.3.3: Permitted Uses and Disclosures by Business Associate
14.3.3.1 Except as otherwise limited in this Section 14.3, Business Associate may use or disclose Protected Health Information (i) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity; (ii) for the proper management and administration of Business Associate or (iii) as required by Law.
14.3.4: Obligations of Covered Entity
14.3.4.1 Covered Entity shall provide Business Associate with a copy of the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
14.3.4.2 Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures. Covered Entity and Business Associate agree to use Change Control Management to deal with any such change in the use or disclosure of Protected Health Information.
14.3.4.3 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522. Covered Entity and Business Associate agree to use Change Control Management to deal with any such change in the use or disclosure of Protected Health Information.
14.3.5: Permissible Requests by Covered Entity
14.3.5.1 Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule or HIPAA if done by Covered Entity except that Business Associate may use or disclose Protected Health Information for data aggregation services relating to the health care operations of the Covered Entity or for the management and administrative activities of Business Associate to the extent provided in the Agreement.
14.3.6: Term and Termination
14.3.6.1 This Section 14.3 shall be effective as of April 14, 2003 and shall expire upon the earlier of the expiration or termination of the Agreement or the date that either HIPAA or the Privacy Rule is repealed. 14.3.6.2 Any material breach of this Section 14.3 shall be subject to the provisions of Section 3.0 (Termination) of the Agreement.
14.3.6.2 Any material breach of this Section 14.3 shall be subject to the provisions of Section 3.0 (Termination) of the Agreement.
14.3.6.3 Except as provided in Section 14.3.6.4, upon termination of the Agreement for any reason, Business Associate shall return or destroy or require its agents and subcontractors to return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information unless required by HIPAA, the Privacy Rule or other applicable Law.
3
14.3.6.4 In the event that Business Associate reasonably determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Section 14.3 to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
14.3.7: Miscellaneous
14.3.7.1 The parties agree to take such action as is reasonably necessary to amend this Section 14.3 from time to time for Covered Entity to comply with the requirements of the Privacy Rule and HIPAA. Such amendments shall be subject to Section 8.2 of this Agreement.
14.3.7.2 The respective rights and obligations of Business Associate under Sections 14.3.6.3 and 14.3.6.4 of this Section 14.3 shall survive the termination of this Section 14.3.
14.3.7.3 Any ambiguity in this Section 14.3 shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.”
2. No Other Changes. In all other respects, the Existing Agreement shall remain unchanged and in full force and effect in accordance with the terms thereof. In the event of any conflict between the terms of the Existing Agreement and the terms set forth herein, the terms set forth herein shall prevail and govern the interpretation of the agreement between the parties hereto.
IN WITNESS WHEREOF, each of the parties hereto has executed this Amendment 3 as of the Amendment Effective Date.
EXULT, INC.
By:
Name:
Title:
BANK OF AMERICA CORPORATION
By:
Name: Xxxxx X. Xxxxxx
Title: SVP Supply Chain Management
By:
Name: Xxxxx Xxxxxxxx
Title: SVP Personnel
4