Business Associate Agreement
Effective Date: January 26, 2021
This Business Associate Agreement (“Agreement”) is entered into by and between you (the Agent) or the Agency that you represent (“Business Associate”), on the one hand, and Warner Pacific Insurance Services, Inc. (“General Agent”) on the other.
WHEREAS, Business Associate is the agent/broker for its employer clients (“Employer”), which sponsor and maintain an employee welfare benefit plan (“Covered Entity”), and Warner Pacific Insurance Services, Inc. acts as a general agent with respect to insurance and HMO policies and contracts entered into by the Employer and Covered Entity;
WHEREAS, Business Associate’s services are required and have been retained in connection with the administration of the benefits offered by Covered Entity (a true and correct copy of the agreement between such employer/covered entity and Business Associate is retained by the Business Associate/Agent);
WHEREAS, in the course of providing services to Covered Entity, Business Associate may perform functions or activities involving the use or disclosure of PHI pertaining to participants and beneficiaries of Covered Entity, and, in turn, General Agent may perform functions or activities involving the use or disclosure of such PHI in the course of providing services to Business Associate;
WHEREAS, the Secretary of Health and Human Services has issued regulations requiring a contract between Covered Entity and Business Associate in order to protect against the unauthorized use and disclosure of protected health information by Business Associate, and, in turn, requiring a contract between Business Associate and General Agent to the extent that General Agent is a Subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate;
WHEREAS, this Agreement is intended to ensure that General Agent will establish and implement appropriate safeguards for PHI that General Agent may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that are performed;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained in this Agreement and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
a. Unless the context clearly indicates otherwise, the following terms in this Agreement shall have the same meaning as those terms in 45 C.F.R. Part 160 or 164: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, Individual, Minimum Necessary, Required By Law, Secretary, Security Incident, and Use.
b. Specific definitions:
- “Business Associate” shall mean you (the Agent) or the Agency that you represent.
- “Covered Entity” shall mean the employer/covered entity to which the Business Associate has sold insurance products and for which the Business Associate has used General Agent for services.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as amended from time to time.
- “Privacy Rule” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164, subparts A and E.
- “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. 160.103, limited to the information created or received by General Agent from or on behalf of Covered Entity.
- “Security Rule” shall mean the Security Standards and Implementation Specifications in 45 C.F.R. Part 160 and Part 164, Subpart C.
- “Subcontractor” shall mean General Agent, to the extent that General Agent is a Subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate.
- “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. 164.402.
c. This Agreement also reflects federal breach notification requirements imposed on Business Associate when Unsecured PHI is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
II. OBLIGATIONS AND ACTIVITIES OF GENERAL AGENT
General Agent agrees to:
a. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;
b. Use reasonable safeguards to prevent use or disclosure of protected health information other than as provided for by the Agreement or as required by law.
c. Implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that receive protected health information from General Agent agree to the same restrictions, conditions, and requirements that apply to General Agent with respect to such information;
e. Provide access, at the request of Business Associate or Covered Entity, and in the time and manner designated by Business Associate or Covered Entity, to Protected Health Information in the original Designated Record Set to Covered Entity or, if directed by Covered Entity, to an Individual to meet the requirements under 45 C.F.R. 164.524, but only to the extent General Agent maintains the Designated Record Set;
f. Maintain and make available the information required to provide an accounting of disclosures to Business Associate as necessary to satisfy Business Associate’s or Covered Entity’s obligations under 45 CFR 164.528;
g. Comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s), but only to the extent General Agent is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164; and
h. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the Privacy Rule, unless otherwise protected from discovery or disclosure by law or unless otherwise prohibited from discovery or disclosure by law.
i. Be familiar and comply with any applicable state privacy laws which are more stringent than the Privacy Rule, including but not limited to the Insurance Information and Privacy Protection Act, Cal. Ins. Code §§ 791-791.27 and the accompanying regulations promulgated by the California Department of Insurance, Cal. Admin. Code, title 10, §§ 2698.1689.24, the Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56-56.37.
j. Mitigate, to the extent practicable, any harmful effect that is known to General Agent as a result of a use or disclosure of PHI in violation of this Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
k. Report to Covered Entity any use or disclosure of the Protected Health Information and/or any Security Incident not permitted by this Agreement or by law. General Agent agrees to report to Business Associate and/or Covered Entity any Breach of Unsecured PHI not provided for by the Agreement of which it becomes aware within 60 calendar days of discovery thereof as determined according to the discussion set out in 45 C.F.R. 164.410. To the extent commercially reasonable, such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by General Agent to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, General Agent shall provide any additional information reasonably requested by Business Associate and/or Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.
III. PERMITTED USES AND DISCLOSURES BY GENERAL AGENT
a. General Agent may only use or disclose protected health information as necessary to perform the services set forth in its service agreement with Business Associate, or to the extent required to perform the services for which it has been retained by Business Associate. These services may include:
- Coordination with Business Associate, carriers and other business associates, as directed
- Provide quoting services, proposal generation, applications, enrollment support, supplies, and materials for the carriers and plans selected by the Agent and the Covered Entity.
- Customer service support to Business Associate and his/her employer clients/covered entities.
b. General Agent may use PHI to de-identify the information consistent with 45 CFR 164.514(a)-(c).
c. General Agent may use or disclose protected health information as required by law.
d. General Agent may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).
e. General Agent may use Protected Health Information to report violations of law to federal and state authorities consistent with 45 C.F.R. 164.502(j)(1).
f. General Agent may disclose protected health information for the proper management and administration of General Agent or to carry out the legal responsibilities of General Agent, provided the disclosures are required by law, or General Agent obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies General Agent of any instances of which it is aware in which the confidentiality of the information has been breached.
IV. OBLIGATIONS OF BUSINESS ASSOCIATE
a. Business Associate shall notify General Agent of any limitation(s) in Covered Entity’s notice of privacy practices under 45 CFR 164.520, to the extent that such limitation may affect General Agent’s use or disclosure of PHI.
b. Business Associate shall notify General Agent of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect General Agent’s use or disclosure of PHI.
c. Business Associate shall notify General Agent of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect General Agent’s use or disclosure of PHI.
d. Business Associate must execute a separate Business Associate Agreement with its employer clients/covered entities referenced in this Agreement.
V. PERMISSIBLE REQUESTS BY BUSINESS ASSOCIATE
Business Associate, acting on its own or on behalf of its employer client/Covered Entity, shall not request General Agent to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as otherwise permitted by this Agreement.
VI. TERM AND TERMINATION
a. Term. The Term of this Agreement shall be effective as of the effective date of this Agreement, and shall terminate on the date the services agreement between the parties ends, the date General Agent is no longer retained to perform services for Business Associate, or the date Business Associate terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
b. Termination for Cause. The Parties authorize immediate termination of this Agreement if either party determines the other party has violated a material term of the Agreement, and that the other party has not cured the breach or ended the violation within sixty days (60 days) of the notice of the breach, or the time specified by Covered Entity. Termination is also permissible on any ground, and on the terms, set forth in the services agreement between the parties.
c. Obligations of General Agent Upon Termination. Upon termination of this Agreement for any reason, General Agent, with respect to protected health information received from Business Associate, or created, maintained, or received by General Agent on behalf of Business Associate, shall:
- Retain only that protected health information which is necessary for General Agent to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Business Associate the remaining protected health information that General Agent still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as General Agent retains the protected health information;
- Not use or disclose the protected health information retained by General Agent other than for the purposes for which such protected health information was retained; and
- Return to Business Associate the protected health information retained by General Agent when it is no longer needed by General Agent for its proper management and administration or to carry out its legal responsibilities.
d. Business Associate has the option of requesting, in writing, that General Agent return the protected health information to another business associate of Covered Entity.
d. Survival. The obligations of General Agent under this Section shall survive the termination of this Agreement.
a. Regulatory References. A reference in this Agreement to a section of applicable law means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of HIPAA and any other applicable law, including state laws, as applicable. No amendment of this Agreement shall be effective unless made in writing by the waiving party.
c. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the Privacy Rule.
d. Counterparts. This Agreement may be executed in counterparts which, taken together, shall constitute the whole of this Agreement between the parties.
e. Assignment. This Agreement shall be binding upon and shall inure to the benefit of the parties and their respective successors, heirs, and assigns.
f. Conferring Rights or Remedies. Except as may be expressly set forth herein, the parties do not intend to confer any rights or remedies upon any person other than the parties to this Agreement.
g. Counsel. Each party to this Agreement has had the opportunity to consult with counsel of its choice as to the form and content of this Agreement and the advisability of executing it. The normal rule of construction to the effect that any ambiguities are to be resolved against the drafting party will not be employed in any interpretation of this Agreement.
h. Attorneys’ Fees and Costs. Except as otherwise specifically provided by law, all legal and other costs and expenses incurred in connection with this Agreement and the transactions contemplated hereby, including without limitation legal and accounting fees, shall be paid by the party incurring such expenses. In the event of any litigation or arbitration between the parties respecting or arising out of this Agreement, the prevailing party shall be entitled to recover reasonable attorneys’ fees and costs, whether or not any litigation proceeds to final judgment or determination.
i. Authorized Signature. Each party has authorized its undersigned representative whose signature appears below to execute this Agreement on that party’s behalf.
j. Arbitration. The parties recognize and confirm that this is an Agreement between honorable business organizations. This Agreement is to be construed consistent with its spirit as well as the letter of the Agreement. It is anticipated that any disagreements that may arise will be resolved between the parties by good faith negotiations. Should that not be possible, all disputes between the parties arising out of or relating to provisions of this Agreement, or concerning its interpretation or validity, whether before or after termination of this Agreement, shall be submitted to final and binding arbitration in accordance with, and under, the rules of practice and procedure for arbitration hearings of the Judicial Arbitration and Mediation Services, Inc. Arbitration shall be the parties’ exclusive remedy.
k. Choice of Law and Venue. This Agreement shall be construed and interpreted in accordance with the laws of the State of California in addition to any governing federal law. Any arbitration or other legal action between the parties respecting or arising out of this Agreement shall be held or filed in either the state or federal courts in the State of California, County of Los Angeles.
l. Notices. Any notice, demand, or request given in accordance with this Agreement shall be given by personal delivery; by messenger delivery; by facsimile transmission; by placing said notice in the United States mail, registered or first-class, postage prepaid; or by sending such notice via an overnight courier service. Notice shall be deemed given when delivered to a party, when the facsimile transmission occurs, or on the date when said notice is deposited in the United States mail, postage prepaid.
m. Notice shall be given to General Agent as follows: Warner Pacific Insurance Services, Inc., 32110 Agoura Road, Westlake Village, CA 91361, Phone: 800-801-2300; Attention: Human Resources Director.
n. Notice shall be given to Business Associate with the information provided and on file as follows: Agent Name and Agent Address or Fax; or, if Agent is employed by Agency, Agency Name and Agency Address or Fax.
m. Controlling Agreement. In the event any provision of this Agreement conflicts with the services agreement between the parties, this Agreement controls.
n. Severability. Whenever possible, each provision of this Agreement shall be interpreted in such a manner as to be effective and valid under applicable law, but if any provision of this Agreement shall be prohibited or invalid under such law, such provision shall be ineffective to the extent of such prohibition or invalidity without invalidating the remainder of such provision or the remaining provisions of this Agreement, each of which shall continue to be valid and binding upon the parties.
o. Waiver. A waiver by any party of any of the terms and conditions of this Agreement in any one instance shall not be deemed or construed to be a waiver of such term or condition for the future, or of any subsequent breach thereof, nor shall it be deemed a waiver of performance of any other obligation hereunder. No waiver shall be effective unless it is made in writing by the waiving party.