R-2015-055 EAP Agreement New Directions
RESOLUTION NO. R-2015-055
A RESOLUTION APPROVING AND RATIFYING AN AGREEMENT WITH NEW
DIRECTIONS EMPLOYEE ASSISTANCE PROGRAM FOR THE CITY OF
RIVERSIDE, MISSOURI
BE IT RESOLVED BY THE BOARD OF ALDERMEN OF THE CITY OF
RIVERSIDE, MISSOURI AS FOLLOWS:
THAT the Board of Aldermen hereby approves the Business Associate
Agreement (a copy of which is attached hereto in its substantial form) with New
Directions Behavioral Health, L.L.C., and further authorizes the Mayor or the City
Administrator to sign the Agreement on behalf of the City; and
FURTHER THAT the Mayor, the City Administrator, the Finance Director, and
other appropriate City officials are hereby authorized to take any and all actions as may
be deemed necessary or convenient to carry out and comply with the intent of this
Resolution and to execute and deliver for and on behalf of the City all certificates,
instruments, agreements and other documents, as may be necessary or convenient to
perform all matters herein authorized.
PASSED AND ADOPTED by the Board of Aldermen of the City of Riverside,
Missouri, the day of 2015.
or Kathleen L. R se
ATTEST:
Robin Kincai , City Clerk
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into as of 7/1/2015 ("Effective Date") by and
between City of Riverside ("Covered Entity") and New Directions Behavioral Health, L.L.C. ("Business
Associate") (each "Party" and collectively the "Parties").
WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA"), the Health Information Technology and Clinical Health Act of 2009 ("HITECH"), all
regulations promulgated thereunder, including but not limited to Title 45, Parts 160 and 164 and any future
regulations promulgated under either HIPAA or HITECH;
WHEREAS, the Business Associate will provide services to the Covered Entity that may involve the creation,
receipt, use, transmission, maintenance, or disclosure of Protected Health Information (PHI); and
WHEREAS, the Parties enter into this Agreement to protect the privacy and security of PHI disclosed to the
Business Associate and to establish the terms and conditions for the use and disclosure of such PHI.
RECITALS
In consideration of the mutual promises set forth in this Agreement and other good and valuable consideration,
the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Terms used but not otherwise defined in this Agreement will have the same meaning as the meaning
ascribed to those terms in HIPAA, HITECH and their corresponding regulations.
a. "Breach" shall have the meaning as set forth in 45 CFR 164.402.
b. "Electronic Health Record" and "EHR" shall have the meaning as in §13400(5) of
HITECH, and any corresponding regulations, limited to records created or received by the
Business Associate from or on behalf of the Covered Entity.
c. "Electronic Protected Health Information" or "EPHI" shall have the meaning as
set forth in 45 CFR 160.103, limited to the information created or received by the Business
Associate from or on behalf of the Covered Entity.
d. "Individual" shall have the meaning set forth in 45 CFR 164.501 and shall include
a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
e. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health
Information found at 45 CFR Parts 160 and 164, Subparts A and E.
f. "Protected Health Information" or "PHI" shall have the meaning as set forth in 45
CFR 160.103, limited to the information created or received by Business Associate from or on
behalf of Covered Entity.
g. "Security Incident" shall have the meaning as set forth in 45 CFR 164.304.
h. "Secretary" shall mean the Secretary of the federal Department of Health and
Human Services.
i. "Security Rule" means the Security Standards and Implementation Specifications
found at 45 CFR Parts 160 and 164, Subpart C.
j. "Standards for Electronic Transactions Rule" means the final regulations issued
by the Department of Health and Human Services concerning standard transactions and code
sets under the Administration Simplification provisions found at 45 CFR Parts 160 and 162.
k. "Unsecured Protected Health Information" shall have the meaning as set forth in
45 CFR 164.402 and the guidance issued under §13402(h)(2) of Public Law 111-5.
2. Obligations of Business Associate.
a. Business Associate shall directly comply with the requirements found at 45 CFR 64.504 of the
Privacy Rule and the privacy provisions of HITECH.
b. Business Associate shall directly comply with the administrative, technical and physical
safeguards, documentation requirements and policies and procedures in accordance with the
Security Rule.
c. Permitted Uses and Disclosures. Business Associate may not use or disclose PHI received
from or created on behalf of Covered Entity except as permitted by this Agreement or as
required by law. Business Associate will limit all uses and disclosures of PHI to the minimum
amount necessary to accomplish the intended purpose of the use or disclosure. Business
Associate may:
i. Use or disclose PHI to perform services as specified under an effective Services
Agreement duly executed by both Parties, provided that any use or disclosure would not
violate the Privacy or Security Rule if disclosed by the Covered Entity.
ii. Use PHI to provide data aggregation services related to the health care
operations of the Covered Entity, as provided in 45 CFR § 164.504(2)(i)(B).
d. Safeguards. Business Associate shall use appropriate safeguards, including but not limited to,
policies, procedures, training and documentation requirements to prevent the unauthorized use
or disclosure of Covered Entity's PHI as required by the Security Rule and § 13401 of HITECH.
Business Associate shall maintain a comprehensive information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Business Associate's operations and the nature and scope of its activities.
Business Associates shall provide a copy of and evidence of such safeguards to Covered
Entity upon request.
e. If Business Associate electronically transmits or receives PHI on behalf of the Covered Entity,
Business Associate shall comply with the Standards for Electronic Transactions Rule to the
extent required by law. Business Associate will require any employee, agent, subagent,
contractor, or subcontractor that assists Business Associate in electronically transmitting or
receiving PHI to agree in writing to comply with the Standards for Electronic Transactions Rule
to the extent required by law.
f. Business Associate's Agents. Business Associate shall require any employee, agent, subagent,
contractor, subcontractor, or any other person who may have access to Covered Entity's PHI to
agree in writing to the same terms and conditions that apply to Business Associate with respect
to Covered Entity's PHI. If Business Associate becomes aware of a pattern of activity or
practice by an employee, agent, sub-agent, or contractor that violates this Agreement,
Business Associate agrees to take steps to cure the breach or end the violation. If Business
Associate is unable to cure the breach or end the violation within a reasonable time, Business
Associate is required to terminate its arrangement with that employee, agent, sub-agent, or
contractor. Nothing in this paragraph removes Business Associate's responsibility to report the
breach to Covered Entity as found in this Section.
g. Business Associate shall provide Covered Entity, within a reasonable time, all information to
enable Covered Entity to respond to, provide access to, provide a copy of and account for
disclosures of PHI in accordance with 45 CFR § 164.528. Upon request by Covered Entity,
Business Associate shall produce an accounting of disclosures to an Individual consistent with
HIPAA.
h. Business Associate shall provide Covered Entity, within a reasonable time, all information to
enable Covered Entity to respond to a request for access to PHI as provided in 45 CFR §164.524
or to amend PHI in accordance with 45 CFR §164.528.
i. Business Associate shall notify Covered Entity of any request or demand by the Secretary or
information related to the Covered Entity. Business Associate shall provide the Covered Entity
with a copy of all information related to the Covered Entity that the Business Associate provides
to the Secretary.
j. If Business Associate receives a subpoena or similar request or notice from any
judicial, administrative, or other regulatory body in connection with this Agreement, Business
Associate will immediately notify Covered Entity and forward a copy of such subpoena, request,
or notice to Covered Entity to enable Covered Entity to seek appropriate protections and
exercise any rights it may have under law.
k. Notification of Breach. Business Associate shall provide written notice to Covered Entity within a
reasonable time after Business Associate discovers any unauthorized acquisition, access, use,
or disclosure of PHI, or any successful Security Incident. The Business Associate shall be
considered to have discovered an unauthorized acquisition, access, use, or disclosure of PHI,
or successful Security Incident on the first day on which such Breach is known to Business
Associate, or by exercising reasonable diligence would have been known to Business
Associate. Business Associate shall include in the written notice the following:
i. The date the unauthorized act occurred;
ii. The date the unauthorized act was discovered by Business Associate;
iii. The nature of the unauthorized acquisition, access, use, or disclosure, including to
whom Covered Entity's PHI was disclosed;
iv. The type of PHI involved;
v. Who made the unauthorized use or disclosure and/or who received the unauthorized
disclosure;
vi. The steps Business Associate has taken or will take to mitigate harm from the
unauthorized acquisition, use or disclosure; and
vii. The corrective actions that Business Associate has taken or will take to prevent further
unauthorized acts.
l. Covered Entity shall be responsible for determining the need for and directing the
implementation of any notifications of the unauthorized acquisition, use or disclosure of PHI.
Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional
investigation or assessment necessary related to the unauthorized acquisition, use, or
disclosure of PHI.
m. Notification of Security Incident. Business Associate shall report in writing to
Covered Entity any successful Security Incident within a reasonable time after Business
Associate becomes aware of such Security Incident, and shall submit any requested follow-up
documentation to Covered Entity upon request. Business Associate shall include in the written
notice:
i. The date the Security Incident occurred;
ii. The date the Security Incident was discovered by Business Associate;
iii. The nature of the Security Incident;
iv. The type of PHI involved;
v. The steps Business Associate has taken or will take to mitigate harm from the Security
Incident; and
vi. The corrective actions that Business Associate has taken or will take to prevent further
Security Incidents.
n. Covered Entity shall be responsible for determining the need for and directing the
implementation of any notifications of the unauthorized acquisition, use or disclosure of PHI.
Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional
investigation or assessment necessary related to the unauthorized acquisition, use, or
disclosure of PHI.
o. Business Associate shall include in the written notice required under this Section, to the extent
known by Business Associate:
i. The identity of the individuals whose PHI was involved in the unauthorized act or
Security Incident;
ii. Any information necessary to enable the Covered Entity to assess the risk of harm to
those individuals; and
iii. Any information necessary to enable the Covered Entity to determine whether the
unauthorized act or Security Incident qualifies as a Breach under HITECH.
p. Business Associate agrees to supplement the notice required under this Section with any new
information that becomes available. Upon request, Covered Entity may have access to any
additional information to enable Covered Entity to meet its obligations with respect to an
unauthorized acquisition, use, or disclosure of PHI or Security Incident.
q. Business Associate shall exercise due diligence to become aware of any unauthorized access,
use, or disclosure of PHI and/or Security Incidents.
r. Business Associate agrees to attempt to mitigate any harmful effect that is known or reasonably
anticipated by Business Associate resulting from any unauthorized acquisition, access, use, or
disclosure of PHI or Security Incident.
3. Obligations of Covered Entity
a. The Covered Entity will notify Business Associate of any facts or circumstances which affect
Business Associate's access to, use, or disclosure of PHI, including:
i. Any change in Covered Entity's notice of privacy practices;
ii. Any change in, or withdrawal of, an authorization provided to Covered Entity pursuant to
45 CFR §164.522; and
iii. Any restriction to Business Associate's use or disclosure of PHI in accordance with 45
CFR §164.522.
b. From time to time upon reasonable notice, Covered Entity (or its agent) may inspect the
facilities, systems, books and records of Business Associate to monitor compliance with this
Agreement.
c. Business Associate shall promptly remedy any violation of any term of this Agreement and shall
certify the same to Covered Entity in writing.
d. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business
Associate's facilities, systems, and procedures does not relieve Business Associate of its
responsibility to comply with this Agreement, nor does Covered Entity's (i) failure to detect or (ii)
upon detection, but failure to notify Business Associate or require Business Associate's
remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of
Covered Entity's enforcement rights under this Agreement.
4. Effective Date and Termination
a. This Agreement is effective on the Effective Date, replaces and supersedes any prior Business
Associate Agreement executed by the Parties. This Agreement supersedes any provision in any
other Agreement executed by the Parties related to Business Associate's obligations concerning
PHI with respect to the Privacy and Security Rule.
b. This Agreement terminates on the date the Business Associate ceases to be obligated to
perform the functions, activities, or services contemplated by this Agreement.
5. Termination
a. This Agreement shall remain in full force and effect until termination of the
business relationship of the parties contemplated by this Agreement. Any terms of this
Agreement, which by their nature extend beyond the termination of the business relationship,
shall remain in effect until fulfilled.
b. A breach by Business Associate of any provision of this Agreement, as
determined by Covered Entity, shall constitute a material breach of the Agreement and shall
provide grounds for immediate termination of the Agreement. If termination of the Agreement is
not feasible, the Covered Entity will report the breach to the Secretary to the extent required by
law.
c. Either Party may terminate the Agreement, effective immediately, if (i) the other
Party is named as a defendant in a criminal proceeding for a violation of the Privacy Rule, the
Security Rule, or HITECH; or (ii) a finding or stipulation that the other Party has violated the
Privacy Rule, the Security Rule, or HITECH by any administrative or regulatory body, or civil
proceeding.
d. Upon termination of the Agreement, Business Associate shall return or destroy
all Covered Entity's PHI in accordance with 45 CFR § 164.504(e)(2)(ii)(1). If Business Associate is
required by law to retain a copy of such information, Business Associate will maintain the PHI for
the requisite period required by law, after which Business Associate shall return or destroy
Covered Entity's PHI. This provision extends to all PHI that may be in the possession of Business
Associate's employees, agents, sub-agents, or contractors.
6. Integration
a. This Agreement shall be interpreted as broadly as necessary to implement and
comply with HIPAA, the Privacy Rule, the Security Rule, HITECH and the regulations
promulgated thereunder.
b. The Parties agree that any ambiguity in this Agreement shall be resolved in favor
of a meaning that complies and is consistent with HIPAA, the Privacy Rule, the Security Rule,
HITECH and the regulations promulgated thereunder.
c. A reference in this Agreement to a specific section in HIPAA, the Privacy Rule, the Security
Rule, HITECH, or the regulations promulgated thereunder means that section as amended from
time to time. Should future amendments referenced in this Agreement change the section
designation, or transfer a substantive regulatory provision to a different section, the section
references herein will be deemed to be amended accordingly.
d. The provisions of this Agreement are severable and if any provision is held or declared to be
illegal, invalid, or unenforceable, the remainder of the provisions in this Agreement will continue in
full force and effect.
7. Assignment and Amendment
a. This Agreement shall be binding on the Parties, their legal representatives, successors, heirs
and assigns, provided however, that unless otherwise expressly stated in this Agreement,
neither Party may assign any of its respective rights or delegate any of its respective obligations
under this Agreement without the prior written consent of the other Party to this Agreement.
b. Neither this Agreement, nor any provisions thereof, may be modified, amended, supplemented,
or altered except by the written consent of the Parties.
8. Insurance Coverage
a. During the term of this Agreement, Business Associate shall maintain liability insurance covering
claims based on a violation of HIPAA and claims based on its obligations pursuant to this
Agreement in an amount of not less than $1,000,000 per claim.
9. Governing Law
a. The Parties agree and acknowledge that this Agreement, and the rights, remedies and obligations
of the parties hereunder, will be governed and construed in accordance with the laws of the State
of Missouri.
IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement as of the date set forth above.
Covered Entity
By:
Printed Name:
Title:
Dated:
New Directions Behavioral Health, LLC
By:
Printed Name: Noreen Vemara
Title: VP, General Counsel
Dated: 6/17/2015
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement("Agreement") is entered into as of 7/1/2015 ("Effective Date") by and
between City of Riverside ("Covered Entity") and New Directions Behavioral Health, L.L.C. ('Business
Associate') (each "Party" and collectively the "Parties').
WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA"), the Health Information Technology and Clinical Health Act of 2009 ("HITECH"), all
regulations promulgated thereunder, including but not limited to Title 45, Parts 160 and 164 and any future
regulations promulgated under either HIPAA or HITECH;
WHEREAS, the Business Associate will provide services to the Covered Entity that may involve the creation,
receipt, use, transmission, maintenance, or disclosure of Protected Health Information (PHI); and
WHEREAS, the Parties enter into this Agreement to protect the privacy and security of PHI disclosed to the
Business Associate and to establish the terms and conditions for the use and disclosure of such PHI.
RECITALS
In consideration of the mutual promises set forth in this Agreement and other good and valuable consideration,
the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Terms used but not otherwise defined in this Agreement will have the same meaning as the meaning
ascribed to those terms in HIPAA, HITECH and their corresponding regulations.
a. 'Breach" shall have the meaning as set forth in 45 CFR 164.402.
b. "Electronic Health Record" and "EHR"shall have the meaning as in §13400(5) of
HITECH, and any corresponding regulations, limited to records created or received by the
Business Associate from or on behalf of the Covered Entity.
C. "Electronic Protected Health Information" or"EPHI" shall have the meaning as
set forth in 45 CFR 160.103, limited to the information created of received by the Business
Associate from or on behalf of the Covered Entity.
d. "Individual' shall have the meaning set forth in 45 CFR 164.501 and shall include
a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
e. 'Privacy Rule" means the Standards for Privacy of Individually Identifiable Health
Information found at 45 CFR Parts 160 and 164, Subparts A and E.
f. 'Protected Health Information" or"PHI" shall have the meaning as set forth in 45
CFR 160.103, limited to the information created or received by Business Associate from or on
behalf of Covered Entity.
g. "Security Incident' shall have the meaning as set forth in 45 CFR 164.304.
h. "Secretary" shall mean the Secretary of the federal Department of Health and
Human Services.
i. "Security Rule" means the Security Standards and Implementation Specifications
found at 45 CFR Parts 160 and 164, Subpart C.
j. "Standards for Electronic Transactions Rule" means the final regulations issued
by the Department of Health and Human Services concerning standard transactions and code
sets under the Administration Simplification provisions found at 45 CFR Parts 160 and 162.
k. "Unsecured Protected Health Information" shall have the meaning as set forth in
45 CFR 164.402 and the guidance issued under§13402(h)(2) of Public Law 111-5.
2. Obligations of Business Associate.
a. Business Associate shall directly comply with the requirements found at 45 CFR 64.504 of the
Privacy Rule and the privacy provisions of HITECH.
b. Business Associate shall directly comply with the administrative, technical and physical
safeguards, documentation requirements and policies and procedures in accordance with the
Security Rule.
C. Permitted Uses and Disclosures. Business Associate may not use or disclose PHI received
from or created on behalf of Covered Entity except as permitted by this Agreement or as
required by law. Business Associate will limit all uses and disclosures of PHI to the minimum
amount necessary to accomplish the intended purpose of the use or disclosure. Business
Associate may:
i. Use or disclose PHI to perform services as specified under an effective Services
Agreement duly executed by both Parties, provided that any use or disclosure would not
violate the Privacy or Security Rule if disclosed by the Covered Entity.
ii. Use PHI to provide data aggregation services related to the health care
operations of the Covered Entity, as provided in 45 CFR § 164.504(2)(i)(B).
d. Safeguards. Business Associate shall use appropriate safeguards, including but not limited to,
policies, procedures, training and documentation requirements to prevent the unauthorized use
or disclosure of Covered Entity's PHI as required by the Security Rule and § 13401 of HITECH.
Business Associate shall maintain a comprehensive information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Business Associate's operations and the nature and scope of its activities.
Business Associates shall provide a copy of and evidence of such safeguards to Covered
Entity upon request.
e. If Business Associate electronically transmits or receives PHI on behalf of the Covered Entity,
Business Associate shall comply with the Standards for Electronic Transactions Rule to the
extent required by law. Business Associate will require any employee, agent, subagent,
contractor, or subcontractor that assists Business Associate in electronically transmitting or
receiving PHI to agree in writing to comply with the Standards for Electronic Transactions Rule
to the extent required by law.
f. Business Associate's Agents. Business Associate shall require any employee, agent, subagent,
contractor, subcontractor, or any other person who may have access to Covered Entity's PHI to
agree in writing to the same terms and conditions that apply to Business Associate with respect
to Covered Entity's PHI. If Business Associate becomes aware of a pattern of activity or
practice by an employee, agent, sub-agent, or contractor that violates this Agreement,
Business Associate agrees to take steps to cure the breach or end the violation. If Business
Associate is unable to cure the breach or end the violation within a reasonable time, Business
Associate is required to terminate its arrangement with that employee, agent, sub-agent, or
contractor. Nothing in this paragraph removes Business Associate's responsibility to report the
breach to Covered Entity as found in this Section.
g. Business Associate shall provide Covered Entity, within a reasonable time, all information to
enable Covered Entity to respond to, provide access to, provide a copy of and account for
disclosures of PHI in accordance with 45 CFR § 164.528. Upon requested by Covered Entity,
Business Associate shall produce an accounting of disclosures to an Individual consistent with
HIPAA.
h. Business Associate shall provide Covered Entity, within a reasonable time, all information to
enable Covered Entity respond to a request for access to PHI as provided in 45 CFR §164.524
or to amend PHI in accordance with 45 CFR §164.528.
i. Business Associate shall notify Covered Entity of any request or demand by the Secretary or
information related to the Covered Entity. Business Associate shall provide the Covered Entity
with a copy of all information related to the Covered Entity that the Business Associate provides
to the Secretary.
j. If Business Associate receives a subpoena or similar request or notice from any
judicial, administrative, or other regulatory body in connection with this Agreement, Business
Associate will immediately notify Covered Entity and forward a copy of such subpoena, request,
or notice to Covered Entity to enable Covered Entity to seek appropriate protections and
exercise any rights it may have under law.
k. Notification of Breach. Business Associate shall provide written notice to Covered Entity within a
reasonable time after Business Associate discovers any unauthorized acquisition, access, use,
or disclosure of PHI, or any successful Security Incident. The Business Associate shall be
considered to have discovered an unauthorized acquisition, access, use, or disclosure of PHI,
or successful Security Incident on the first day on which such Breach is known to Business
Associate, or by exercising reasonable diligence would have been known to Business
Associate. Business Associate shall include in the written notice the following:
i. The date the unauthorized act occurred;
ii. The date the unauthorized act was discovered by Business Associate;
iii. The nature of the unauthorized acquisition, access, use, or disclosure, including to
whom Covered Entity's PHI was disclosed;
iv. The type of PHI involved;
V. Who made the unauthorized use or disclosure and/or who received the unauthorized
disclosure;
vi. The steps Business Associate has taken or will take to mitigate harm from the
unauthorized acquisition, use or disclosure; and
vii. The corrective actions that Business Associate has taken or will take to prevent further
unauthorized acts.
I. Covered Entity shall be responsible for determining the need for and directing the
implementation of any notifications of the unauthorized acquisition, use or disclosure of PHI.
Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional
investigation or assessment necessary related to the unauthorized acquisition, use, or
disclosure of PHI.
M. Notification of Security Incident. Business Associate shall report in writing to
Covered Entity any successful Security Incident within a reasonable time after Business
Associate becomes aware of such Security Incident, and shall submit any requested follow-up
documentation to Covered Entity upon request. Business Associate shall include in the written
notice:
i. The date the Security Incident occurred;
ii. The date the Security Incident was discovered by Business Associate;
iii. The nature of the Security Incident;
iv. The type of PHI involved;
V. The steps Business Associate has taken or will take to mitigate harm from the Security
Incident; and
vi. The corrective actions that Business Associate has taken or will take to prevent further
Security Incidents.
n. Covered Entity shall be responsible for determining the need for and directing the
implementation of any notifications of the unauthorized acquisition, use or disclosure of PHI.
Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional
investigation or assessment necessary related to the unauthorized acquisition, use, or
disclosure of PHI.
o. Business Associate shall include in the written notice required under this Section, to the extent
known by Business Associate:
i. The identity of the individuals whose PHI was involved in the unauthorized act or
Security Incident;
ii. Any information necessary to enable the Covered Entity to assess the risk of harm to
those individuals; and
iii. Any information necessary to enable the Covered Entity to determine whether the
unauthorized act or Security Incident qualifies as a Breach under HITECH.
P. Business Associate agrees to supplement the notice required under this Section with any new
information that becomes available. Upon request, Covered Entity may have access to any
additional information to enable Covered Entity to meet its obligations with respect to an
unauthorized acquisition, use, or disclosure of PHI or Security Incident.
q. Business Associate shall exercise due diligence to become aware of any unauthorized access,
use, or disclosure of PHI and/or Security Incidents.
r. Business Associate agrees to attempt to mitigate any harmful effect that is known or reasonably
anticipated by Business Associate resulting from any unauthorized acquisition, access, use, or
disclosure of PHI or Security Incident.
3. Obligations of Covered Entity
a. The Covered Entity will notify Business Associate of any facts or circumstances which affect
Business Associate's access to, use, or disclosure of PHI is including:
i. Any change in Covered Entity's notice of privacy practices;
ii. Any change in, or withdrawal of, an authorization provided to Covered Entity pursuant to
45 CFR §164.522; and
iii. Any restriction to Business Associate's use or disclosure of PHI in accordance with 45
CFR §164.522.
b. From time to time upon reasonable notice, Covered Entity (or its agent) may inspect the
facilities, systems, books and records of Business Associate to monitor compliance with this
Agreement.
C. Business Associate shall promptly remedy any violation of any term of this Agreement and shall
certify the same to Covered Entity in writing.
d. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business
Associate's facilities, systems, and procedures does not relieve Business Associate of its
responsibility to comply with this Agreement, nor does Covered Entity's (i) failure to detect or(ii)
upon detection, but failure to notify Business Associate or require Business Associate's
remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of
Covered Entity's enforcement rights under this Agreement.
4. Effective Date and Termination
a. This Agreement is effective on the Effective Date, replaces and supersedes any prior Business
Associate Agreement executed by the Parties. This Agreement supersedes any provision in any
other Agreement executed by the Parties related to Business Associate's obligations concerning
PHI with respect to the Privacy and Security Rule.
b. This Agreement terminates on the date the Business Associate ceases to be obligated to
perform the functions, activities, or services contemplated by this Agreement.
5. Termination
a. This Agreement shall remain in full force and effect until termination of the
business relationship of the parties contemplated by this Agreement. Any terms of this
Agreement, which by their nature extend beyond the termination of the business relationship,
shall remain in effect until fulfilled.
b. A breach by Business Associate of any provision of this Agreement, as
determined by Covered Entity, shall constitute a material breach of the Agreement and shall
provide grounds for immediate termination of the Agreement. If termination of the Agreement is
not feasible, the Covered Entity will report the breach to the Secretary to the extent required by
law.
c. Either Party may terminate the Agreement, effective immediately, if (i) the other
Party is named as a defendant in a criminal proceeding for a violation of the Privacy Rule, the
Security Rule, or HITECH; or (ii) a finding or stipulation that the other Party has violated the
Privacy Rule, the Security Rule, or HITECH by any administrative or regulatory body, or civil
proceeding.
d. Upon termination of the Agreement, Business Associate shall return or destroy
all Covered Entity's PHI in accordance with 45 CFR § 164.504(e)(2)(ii)(1). If Business Associate is
required by law to retain a copy of such information, Business Associate will maintain the PHI for
the requisite period required by law, after which Business Associate shall return or destroy
Covered Entity's PHI. This provision extends to all PHI that may be in the possession of Business
Associate's employees, agents, sub-agents, or contractors.
6. Integration
a. This Agreement shall be interpreted as broadly as necessary to implement and
comply with HIPAA, the Privacy Rule, the Security Rule, HITECH and the regulations
promulgated thereunder.
b. The Parties agree that any ambiguity in this Agreement shall be resolved in favor
of a meaning that complies and is consistent with HIPAA, the Privacy Rule, the Security Rule,
HITECH and the regulations promulgated thereunder.
c. A reference in this Agreement to a specific section in HIPAA, the Privacy Rule, the Security
Rule, HITECH, or the regulations promulgated thereunder means that section as amended from
time to time. Should future amendments referenced in this Agreement change the section
designation, or transfer a substantive regulatory provision to a different section, the section
references herein will be deemed to be amended accordingly.
d. The provisions of this Agreement are severable and if any provision is held or declared to be
illegal, invalid, or unenforceable, the remainder of the provisions in this Agreement will continue in
full force and effect.
7. Assignment and Amendment
a. This Agreement shall be binding on the Parties, their legal representatives, successors, heirs
and assigns, provided however, that unless otherwise expressly stated in this Agreement,
neither Party may assign any of its respective rights or delegate any of its respective obligations
under this Agreement without the prior written consent of the other Party to this Agreement.
b. Neither this Agreement, nor any provisions thereof, may be modified, amended, supplemented,
or altered except by the written consent of the Parties.
8. Insurance Coverage
a. During the term of this Agreement, Business Associate shall maintain liability insurance covering
claims based on a violation of HIPAA and claims based on its obligations pursuant to this
Agreement in an amount of not less than $1,000,000 per claim.
9. Governing Law
a. The Parties agree and acknowledge that this Agreement, and the rights, remedies and obligations
of the parties hereunder, will be governed and construed in accordance with the laws of the State
of Missouri.
IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement as of the date set forth above.
Covered Entity New Directions Behavioral Health, LLC
By: By:
Printed Name: [illegible] Printed Name: Noreen Veraara
Title: [illegible] Title: VP, General Counsel
Dated: [illegible] Dated: 6/17/2015
NEW DIRECTIONS
June 17, 2015
City of Riverside
Stacey Rasco
Dear Stacey,
Thank you for renewing your New Directions Employee Assistance Program (EAP) benefits. We are pleased to announce
that your current fee structure of $26.51 PEPY, based on 78 reported employees, will continue during your 2015/2016
contract period. As part of your confirmed renewal, please return the attached Business Associate Agreement within
30 days to Cathy Titus at ctitus@ndbh.com. This ensures the confidentiality and protection of information exchanged
between New Directions and your organization.
Happy, Healthy Employees Mean Better Business
As a current partner with New Directions, you are familiar with how the EAP can assist your employees by offering helpful
resources for any stage of life. The services you're used to, including counseling, management consultation, support for
financial, relationship and legal issues all still exist and are constantly being refined to meet our customers' needs. All of
these services are combined to help your business become more productive, with long-term, satisfied employees focused
on goals and outcomes.
What You've Had Before—Plus More
Through utilization reports, you have seen where your employees benefit from our EAP. We now offer more beneficial
services including:
• Custom education and training
• Team building
• Mediation services
• Managing company transitions
• Conflict resolution
• Fitness for Duty evaluations
Talk with your account manager on how some of these discounted services can help your company achieve an even
higher ROI with the EAP.
Log On—And Encourage Your Employees to Do So Too
In this year of renewed benefits and employees establishing goals, it's a good time to think through what's available and
how to promote the EAP to your staff. Log on to www.ndbh.com with your access code Riverside and discover the wealth
of information to help you and your employees achieve whole health. And don't forget, now your employees can use the
Online Intake Tool to request an EAP session quickly and confidentially.
For further information about EAP services or to address any other questions or concerns you may have, please contact
your account manager, Kathy McNamee at (816) 994-1425. New Directions is looking forward to working with City of
Riverside during the upcoming year.
With appreciation,
Betsy Klein, Vice President EAP