Business Associate Amendment
Exhibit 10.103
[SEAL]
This Amendment (“Amendment”) supplements and is made a part of the CaliforniaCare Medical Services Agreement (“Agreement”) dated November 1, 1999 by and between Blue Cross of California (“Health Plan”) and Professional Care IPA (“Provider”).
A. Health Plan and Provider are parties to the Agreement pursuant to which Provider provides a service to, or performs a function on behalf of, Health Plan and, in connection therewith, uses or discloses Protected Health Information (“PHI”) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and certain regulations found at 45 CFR Parts 160 through 164 (“HIPAA Regulations”);
B. Health Plan is a Covered Entity as that term is defined in the HIPAA Regulations. Provider creates or receives PHI from or on behalf of Health Plan and is, therefore, a Business Associate, as defined in the HIPAA Regulations;
C. Pursuant to the HIPAA Regulations, Provider, as a Business Associate of Health Plan, must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI; and
D. The purpose of this Amendment is to satisfy the Business Associate contract requirements as set forth at § 164.504(e) of the HIPAA Regulations, as they may be amended from time-to-time.
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:
1. Definitions. Unless otherwise provided in this Amendment, capitalized terms have the same meaning as set forth in the HIPAA Regulations.
2. Scope of Use and Disclosure of PHI. Except as otherwise limited in this Amendment:
a. Provider shall use and disclose PHI solely to provide the services, or perform the functions, described in the Agreement, provided that such use or disclosure would not violate the HIPAA Regulations if so used or disclosed by Health Plan.
b. Provider may use or disclose PHI for the proper management and administration of Provider or to provide Data Aggregation services to Health Plan.
3. Obligations of Provider. In connection with its use and disclosure of PHI, Provider shall:
a. Not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law.
b. Use reasonable and appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Amendment.
c. Mitigate, to the extent practicable, any harmful effect that is known to Provider of a use or disclosure of PHI by Provider in violation of the requirements of this Amendment.
d. Report to Health Plan any use or disclosure of the PHI not provided for by this Amendment of which Provider becomes aware.
e. Require contractors, subcontractors, and/or agents to whom Provider provides PHI created or received by Provider on behalf of Health Plan to agree to the same restrictions and conditions that apply to Provider with respect to such PHI under this Amendment.
f. Provide access, within seven (7) days following Health Plan’s request, to PHI in a Designated Record Set, to Health Plan in order to meet the requirements under § 164.524 of the HIPAA Regulations. If Health Plan and Provider mutually agree, Provider may provide such access directly to Individual, provided that such access is provided to the Individual in the time-frames set forth in § 164.524 of the HIPAA Regulations.
g. Promptly make any amendment(s) to PHI in a Designated Record Set that the Health Plan directs or agrees to pursuant to § 164.526 of the HIPAA Regulations at the request of Health Plan.
h. Make internal practices, books, and records, including, but not limited to, policies and procedures, relating to the use and disclosure of PHI created or received by Provider on behalf of Health Plan available to the Secretary, and to Health Plan, if requested, in a time and manner designated by the Secretary, for purposes of the Secretary determining Health Plan’s compliance with the HIPAA Regulations.
i. Maintain for a period of six (6) years an accounting of all disclosures of PHI that are required to be maintained under § 164.528 of the HIPAA Regulations. Such accounting will include the date of the disclosure, the name of the recipient, a description of PHI disclosed and the purpose of the disclosure.
j. Provide within seven (7) days following Health Plan’s request, information collected in accordance with Section 3.i. of this Amendment, to permit Health Plan to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with § 164.528 of the HIPAA Regulations. If Health Plan and Provider mutually agree, Provider may provide such accounting directly to Individual, provided that such accounting is provided to the Individual in the time-frames set forth in § 164.528 of the HIPAA Regulations.
k. Make reasonable efforts to implement any restriction of the use or disclosure of PHI that Health Plan has agreed to under Section 4.c. of this Amendment.
4. Obligations of Health Plan. Health Plan shall:
a. Provide Provider with the notice of privacy practices that Health Plan furnishes to Individuals in accordance with § 164.520 of the HIPAA Regulations.
b. Promptly notify Provider of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Provider’s use or disclosure of PHI.
c. Promptly notify Provider of any restriction to the use or disclosure of PHI that Health Plan has agreed to in accordance with § 164.522 of the HIPAA Regulations, to the extent that such restriction may affect Provider’s use or disclosure of PHI.
d. Not request Provider to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if so used or disclosed by Health Plan, unless such use or disclosure is necessary for the purposes of Data Aggregation or management and administrative activities of Provider under the Agreement.
e. Pay Provider five cents ($0.05) per page for all records and documents that Provider is obligated to provide to Health Plan under the terms of this Amendment.
5. Termination for Breach. Upon Health Plan’s knowledge of a material breach of the terms of this Amendment by Provider, Health Plan shall, in accordance with the notification requirement and cure period set forth in the Agreement, provide an opportunity for Provider to cure the breach or end the violation. Health Plan may terminate the Agreement if Provider does not cure the breach or end the violation within the cure period set forth in the Agreement.
6. Future Confidentiality of PHI. Upon the expiration or earlier termination of the Agreement, for any reason, Provider shall return or destroy all PHI received from Health Plan, or created or received by Provider on behalf of Health Plan that Provider still maintains and retain no copies of such PHI; provided that if such return or destruction of PHI is infeasible, Provider shall provide to Health Plan notification of the conditions that make return or destruction infeasible and shall extend the protections of this Amendment to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Provider maintains such PHI.
7. Amendment. The parties agree to take such action to amend this Amendment from time-to-time as is necessary for Health Plan to comply with the requirements of HIPAA and the HIPAA Regulations.
8. Survival. The respective rights and obligations of Provider under Section 6 of this Amendment shall survive the termination of the Agreement.
9. Interpretation. Any ambiguity in this Amendment shall be resolved to permit Health Plan to comply with the HIPAA Regulations.
10. Conflict of Terms. Whenever the terms of the Agreement and this Amendment are in conflict, the terms of this Amendment shall control.
11. Other Terms Remain in Force. Except as expressly modified by the terms of this Amendment, all of the terms and conditions set forth in the Agreement shall remain in full force and effect.
Effective Date. This Amendment shall be effective on April 14, 2003.
IN WITNESS WHEREOF, the parties have executed this Amendment as of the date(s) set forth below.
Professional Care IPA
Signature: /s/ Xxxx Shinto
Print Name: Xxxx Shinto, MD
Title: Medical Director
Date: 4/28/03

BLUE CROSS OF CALIFORNIA
Signature: /s/ Xxxxx Xxxx
Print Name: XXXXX XXXX
Title: V.P. Network Services
Date: 5/8/03