Amendment No. 16 to Contract 0654 by and between the Georgia Department of Community Health and WellCare of Georgia, Inc

Exhibit 10.1

AMENDMENT #16
TO CONTRACT #0654 BETWEEN
THE GEORGIA DEPARTMENT OF COMMUNITY HEALTH
AND
WELLCARE OF GEORGIA, INC.

This Amendment is between the Georgia Department of Community Health (hereinafter referred to as “DCH” or the “Department”) and WellCare of Georgia, Inc. (hereinafter referred to as “Contractor”) and is made effective on the date DCH receives approval from the Centers for Medicare and Medicaid Services (hereinafter referred to as “CMS”) and the Georgia Department of Administrative Services (“DOAS”), whichever last occurs, as further described herein. Unless expressly modified, deleted, or added in this Amendment #16, the terms and conditions of the original Contract, as previously amended, are expressly incorporated into this Amendment #16 as if completely restated herein.

WHEREAS, DCH and Contractor executed a Contract with an effective date of July 18, 2005, for the provision of services to members of the Georgia Families program;
    
WHEREAS, DCH and Contractor desire to amend the Contract, pursuant to Section 32.0 Amendment in Writing, to add additional renewal options as further described herein; and

WHEREAS, DCH requests permission from CMS and DOAS to add such additional renewal options;

NOW THEREFORE, for and in consideration of the mutual promises of the parties, the terms, provisions and conditions of this Amendment and other good and valuable consideration, the sufficiency of which is hereby acknowledged, DCH and Contractor hereby agree as follows:
    
I.
To delete the language in Section 6.0, Term of Contract, in its entirety and replace it with the following language:

This Contract shall begin on the Effective Date and shall continue until June 30, 2006 unless terminated earlier pursuant to Section 22, Termination of Contract. The parties agree that DCH has ten (10) options to renew this Contract for additional terms up to one (1) State fiscal year, which shall begin on July 1, and end at midnight on June 30 of the following year as follows:
Initial Term: July 18, 2005 – June 30, 2006
Renewal Option 1: July 1, 2006 – June 30, 2007
Renewal Option 2: July 1, 2007 – June 30, 2008
Renewal Option 3: July 1, 2008 – June 30, 2009
Renewal Option 4: July 1, 2009 – June 30, 2010
Renewal Option 5: July 1, 2010 – June 30, 2011
Renewal Option 6: July 1, 2011 – June 30, 2012
Renewal Option 7: July 1, 2012 – June 30, 2013
Renewal Option 8: July 1, 2013 – June 30, 2014
Renewal Option 9: July 1, 2014 – June 30, 2015
Renewal Option 10: July 1, 2015 – June 30, 2016



    
Amendment #16
 
Page 1 of 15
Contract #0654
 
 
WELLCARE OF GEORGIA, INC.
 
 


Pursuant to O.C.G.A. § 50-5-64(a)(2), all renewal options shall be exercisable solely and exclusively by DCH. The terms, conditions and pricing in effect at the time of renewal shall apply for each renewal option term. DCH will send Contractor written notice of its intent to exercise a renewal option under this Contract. As to each term, the Contract shall be terminated absolutely at the close of the then current state fiscal year without further obligation by DCH. Notwithstanding any language to the contrary, DCH reserves the right to terminate this Contract prior to the close of the fiscal year pursuant to Section 22, Termination of Contract.

II.
To replace Attachment E, Business Associate Agreement, with the revised version of that agreement that is contained at Exhibit 1 to this Amendment.

III.
This Amendment is contingent upon receiving approval from both CMS and DOAS and shall be effective once written notices of such approvals are received by DCH.  DCH shall notify Contractor in writing upon receipt of responses from CMS and DOAS.  In the event approval is denied by either CMS or DOAS, this Amendment shall be null and void and have no effect upon the Contract.

IV.
DCH and Contractor agree that they have assumed an obligation to perform the covenants, agreements, duties, and obligations of the Contract, as modified and amended herein, and agree to abide by all the provisions, terms and conditions contained in the Contract as modified and amended.

V.
This Amendment shall be binding and inure to the benefit of the Parties hereto, their heirs, representatives, successors, and assigns. In the event of a conflict between the provisions of this Amendment and the Contract or any previous amendments, the provisions of this Amendment shall control and govern. Additionally, in the event of a conflict between this Amendment and any exhibit or attachment incorporated into this Amendment, the provisions of this Amendment shall control and govern.

VI.
It is understood by the Parties hereto that, if any part, term, or provision of this Amendment or this Amendment in its entirety is held to be illegal or in conflict with any law of this State, then DCH, at its sole option, may enforce the remaining unaffected portions or provisions of this Amendment or of the Contract and the rights and obligations of the Parties shall be construed and enforced as if the Contract or Amendment did not contain the particular part, term or provision held to be invalid.

VII.
This Amendment shall be construed in accordance with the laws of the State of Georgia.

VIII.
All other terms and conditions contained in the Contract and any amendment thereto, not amended by this Amendment, shall remain in full force and effect.

IX.
Each Party has had the opportunity to be represented by counsel of its choice in negotiating this Amendment. This Amendment shall therefore be deemed to have been negotiated and prepared at the joint request, direction, and consideration of the Parties, at arms’ length, with the advice and participation of counsel, and will be interpreted in accordance with its terms without favor to any Party.


    
 
 


X.
This amendment may be signed in any number of counterparts, each of which shall be an original, with the same effect as if the signatures thereto were upon the same instrument. Any signature below that is transmitted by facsimile or other electronic means shall be binding and effective as the original.

Signatures on the following page

    
 
 


SIGNATURE PAGE


IN WITNESS WHEREOF, DCH and Contractor, through their authorized officers and agents, have caused this Amendment to be executed on their behalf as of the date indicated.


GEORGIA DEPARTMENT OF COMMUNITY HEALTH


/s/ Clyde L. Reese, III
Clyde L. Reese III, Esq., Commissioner
Date: March 5, 2014

/s/ Jerry L. Dubberly
Jerry Dubberly, Chief
Division of Medical Assistance Plans
Date: 3/4/14

 
 


WELLCARE OF GEORGIA, INC.



BY: /s/ Roman T. Kulich (*SIGNATURE)
Date: 2/27/14
Roman T. Kulich (Please Print/Type Name Here)
TITLE: President
 
 
 
 
 
 




* Must be President, Vice President, CEO or Other Officer Authorized by Corporate Resolution to Execute on Behalf of and Bind the Entity to a Contract


    
 
 



EXHIBIT 1

ATTACHMENT E

BUSINESS ASSOCIATE AGREEMENT (REVISED)

This Business Associate Agreement (hereinafter referred to as “Agreement”), effective this 8th day of April, 2014 (hereinafter the “Effective Date”) is made and entered into by and between the Georgia Department of Community Health (hereinafter referred to as “DCH”) and WellCare of Georgia, Inc. (hereinafter referred to as “Contractor”) as Attachment E to Contract No. 0654 between DCH and Contractor dated July 18, 2005 (hereinafter referred to as the “Contract”).

WHEREAS, DCH is a hybrid entity, as defined in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and is required by HIPAA to enter into a Business Associate Agreement with certain entities that provide functions, activities, or services on behalf of or in support of health care components of DCH, which functions, activities or services involve the use of Protected Health Information as defined by HIPAA (“PHI”);

WHEREAS, Contractor, under the Contract provides functions, activities, or services involving the use of PHI;

NOW, THEREFORE, for and in consideration of the mutual promises, covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, DCH and Contractor (each individually a “Party” and collectively the “Parties”) hereby agree as follows:

1.
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms have in HIPAA and in Title XIII of the American Recovery and Reinvestment Act of 2009 (the Health Information Technology for Economic and Clinical Health Act, or “HITECH”), and in the implementing regulations of HIPAA and HITECH. Implementing regulations are published as the Standards for Privacy and Security of Individually Identifiable Health Information in 45 C.F.R. Parts 160 and 164. Together, HIPAA, HITECH, and their implementing regulations are referred to in this Agreement as the “Privacy Rule and Security Rule.” If the meaning of any defined term is changed by law or regulation, then this Agreement will be automatically modified to conform to such change. The term “NIST Baseline Controls” means the baseline controls set forth in National Institute of Standards and Technology (NIST) SP 800-53 established for “moderate impact” information.

2.
Except as limited in this Agreement, Contractor may use or disclose PHI only to the extent necessary to meet its responsibilities as set forth in the Contract provided that such use or disclosure would not violate the Privacy Rule or the Security Rule, if done by DCH. Furthermore, except as otherwise limited in this Agreement, Contractor may:
A.
Use PHI for internal quality control and auditing purposes.
B.
Use or disclose PHI as Required by Law.
C.
After providing written notification to DCH’s Office of Inspector General, use PHI to make a report to a health oversight agency authorized by law to investigate DCH (or otherwise oversee the conduct or conditions of the DCH) about any DCH conduct that Contractor in good faith believes to be unlawful as permitted by 45 C.F.R. 164.502(j)(1). Notwithstanding the foregoing, Contractor shall not be required to provide prior written notice to DCH’s Office of Inspector General if Contractor is provided written instruction otherwise by the health oversight agency authorized by law to investigate DCH.
D.
Use and disclose PHI to consult with an attorney for purposes of determining Contractor’s legal options with regard to reporting conduct by DCH that Contractor in good faith believes to be unlawful, as permitted by 45 C.F.R. 164.502(j)(1).
3.
Contractor represents and warrants that only individuals designated by title or name on Attachments E-1 and E-2 will request PHI from DCH or access DCH PHI in order to perform the services of the Contract, and these individuals will only request the minimum necessary amount of information necessary in order to perform the services.

4.
Contractor represents and warrants that the individuals listed by title on Attachment E-1 require access to PHI in order to perform services under the Contract. Contractor agrees to send updates to Attachment E-1 whenever necessary. Uses or disclosures of PHI by individuals not described on Attachment E-1 are impermissible.

5.
Contractor represents and warrants that the individuals listed by name on Attachment E-2 require access to a DCH information system in order to perform services under the Contract. Contractor agrees to notify the Project Leader and the Access Control Coordinator named on Attachment E-2 immediately, but at least within 24 hours, of any change in the need for DCH information system access by any individual listed on Attachment E-2. Any failure to report a change within the 24 hour time period will be considered a security incident and may be reported to Contractor’s Privacy and Security Officer, Information Security Officer and the Georgia Technology Authority for proper handling and sanctions.

6.
Contractor agrees that it is a Business Associate to DCH as a result of the Contract, and represents and warrants to DCH that it complies with the Privacy Rule and Security Rule requirements that apply to Business Associates and will continue to comply with these requirements. Contractor further represents and warrants to DCH that it maintains and follows written policies and procedures to achieve and maintain compliance with the HIPAA Privacy and Security Rules that apply to Business Associates, including, but not limited to policies and procedures addressing HIPAA’s requirements that Business Associates use, request and disclose only the minimum amount of PHI necessary to perform their services, and updates such policies and procedures as necessary in order to comply with the HIPAA Privacy and Security Rules that apply to Business Associates and will continue to maintain and update such policies and procedures. These policies and procedures, and evidence of their implementation, shall be provided to DCH upon request. 

7.
The Parties agree that a copy of all communications related to compliance with this Agreement will be forwarded to the following Privacy and Security Contacts:


    
 
 


A.
At DCH:
Kori Woodward-Dickens
HIPAA Privacy and Security Specialist, Office of General Counsel
***@***
***@***
404 ###-###-####

Sherman Harris
Agency Information Security Officer
***@***
404 ###-###-####

At Contractor:
Michael Yount
Chief Privacy/Security Officer
***@***
813 ###-###-####
 
 
 
 
 
 
 
Contractor further agrees that it will:

A.
Not request, create, receive, use or disclose PHI other than as permitted or required by this Agreement, the Contract, or as required by law.
B.
Establish, maintain and use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement or the Contract. Such safeguards must include an Information Security Program which consists of internal policies, standards and procedures built on the HIPAA Security Rules and the CMS HIPAA Security Series, unless DCH has agreed in writing that the control is not appropriate or applicable.
C.
Implement and use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of DCH. Such safeguards must include an Information Security Program which consists of internal policies, standards and procedures built on the HIPAA Security Rules and the CMS HIPAA Security Series, unless DCH has agreed in writing that the control is not appropriate or applicable.
D.
Implement the HITRUST Common Security Framework (CSF) by first quarter 2015;
E.
In addition to the safeguards described above, Contractor shall include access controls that restrict access to PHI to the individuals listed on E-1 and E-2, as amended from time to time, shall implement encryption of all electronic PHI during transmission and will use the following safeguards to protect PHI at rest:
(1)
Perimeter and multi-layer DMZ firewalls;
(2)
Intrusion Prevention Systems (IPS);
(3)
Data Loss Prevention (DLS) tools for Network and End-Point;

    
 
 


(4)
End-Point Protection (this includes host firewall, host IPS, Anti-virus and Malware protection, and full disk encryption for laptops)
(5)
Network Access Controls (NAC)
(6)
Web and Spam Filtering
(7)
Anti-virus/Malware Protection (email)
(8)
Database encryption
(9)
Centralized Logging and Monitoring Solution
(10)
Access Control Lists (this includes the following levels (1) File, Folder Share Level, (2) Database Level, and (3) Application Level)
F.
Upon DCH’s reasonable request, but no more frequently than annually, obtain an independent assessment of Contractor’s implementation of the HITRUST Common Security Framework (CSF) and the additional safeguards required by this Agreement with respect to DCH PHI, provide the results of such assessments to DCH, and ensure that corrective actions identified during the independent assessment are implemented.
G.
Mitigate, to the extent practicable, any harmful effect that may be known to Contractor from a use or disclosure of PHI by Contractor in violation of the requirements of this Agreement, the Contract or applicable regulations. Contractor shall bear the costs of mitigation, which shall include the reasonable costs of credit monitoring and may include credit restoration, if applicable, when the use or disclosure results in exposure of information commonly used in identity theft.
H.
Maintain a business associate agreement with its agents or subcontractors to whom it provides PHI, in accordance with which such agents or subcontractors are contractually obligated to comply with at least the same obligations that apply to Contractor under this Agreement, and ensure that its agents or subcontractors comply with the conditions, restrictions, prohibitions and other limitations regarding the request for, creation, receipt, use or disclosure of PHI, that are applicable to Contractor under this Agreement and the Contract.
I.
Report to DCH any use or disclosure of PHI that is not provided for by this Agreement or the Contract of which it becomes aware.
J.
Make an initial report to the DCH in writing in such form as DCH may require within three (3) business days after Contractor (or any subcontractor) becomes aware of the unauthorized use or disclosure. This report will require Contractor to identify the following:
i.
The nature of the impermissible use or disclosure (the “incident”), which will include a brief description of what happened, including the date it occurred and the date Contractor discovered the incident;
ii.
The Protected Health Information involved in the impermissible use or disclosure (such as whether the full name, social security number, date of birth, home address, account number or other information were involved);

    
 
 


iii.
Who (by title, access permission level and employer) made the impermissible use or disclosure and who received the Protected Health Information as a result;
iv.
What corrective or investigational action Contractor took or will take to prevent further impermissible uses or disclosures, to mitigate harmful effects, and to prevent against any further incidents;
v.
What steps individuals who may have been harmed by the incident might take to protect themselves; and
vi.
Whether Contractor believes that the impermissible use or disclosure constitutes a Breach of Unsecured Protected Health Information.
Upon request by the DCH HIPAA Privacy and Security Officer or the DCH Information Security Officer, Contractor agrees to make a complete report to the DCH in writing within two weeks of the initial report that includes a root cause analysis and a proposed corrective action plan. Upon approval of a corrective action plan by the DCH, Contractor agrees to implement the corrective action plan and provide proof of implementation to the DCH within ten (10) business days of DCH’s request for proof of implementation.
K.
Report to the DCH HIPAA Privacy and Security Officer and the DCH Agency Information Security Officer any successful unauthorized access, modification, or destruction of PHI or interference with system operations in Contractor’s information systems as soon as practicable but in no event later than three (3) business days of discovery. If such a security incident resulted in a use or disclosure of PHI not permitted by this Agreement, Contractor shall also make a report of the impermissible use or disclosure as described above. Contractor agrees to make a complete report to the DCH in writing within two weeks of the initial report that includes a root cause analysis and, if appropriate, a proposed corrective action plan designed to protect PHI from similar security incidents in the future. Upon DCH’s approval of Contractor’s corrective action plan, Contractor agrees to implement the corrective action plan and provide proof of implementation to the DCH.
L.
Upon DCH’s reasonable request and not more frequently than once per quarter, report to the DCH Agency Information Security Officer any (A) attempted (but unsuccessful) unauthorized access, use, disclosure, modification, or destruction of PHI or (B) attempted (but unsuccessful) interference with system operations in Contractor’s information systems. Contractor does not need to report trivial incidents that occur on a daily basis, such as scans, “pings,” or other routine attempts that do not penetrate computer networks or servers or result in interference with system operations.
M.
Cooperate with DCH and provide assistance necessary for DCH to determine whether a Breach of Unsecured Protected Health Information has occurred, and whether notification of the Breach is legally required or otherwise appropriate. Contractor agrees to assist DCH in its efforts to comply with the HIPAA Privacy and Security Rules, as amended from time to time. To that end, the Contractor will abide by any requirements mandated by the HIPAA Privacy and Security Rules or any other applicable laws in the course of this Contract. Contractor warrants that it will cooperate with DCH, including cooperation with DCH privacy officials and other compliance officers required by the HIPAA Privacy and Security Rules and all implementing regulations, in the course of performance of this Contract so that both parties will be in compliance with HIPAA.
N.
If DCH determines that a Breach of Unsecured Protected Health Information has occurred as a result of Contractor’s impermissible use or disclosure of PHI or failure to comply with obligations set forth in this Agreement or in the Privacy or Security Rules, provide all notifications to Individuals, HHS and/or the media, on behalf of DCH, after the notifications are approved by the DCH. Contractor shall provide these notifications in accordance with the security breach notification requirements set forth in 42 U.S.C. §17932 and 45 C.F.R. Parts 160 & 164 subparts A, D & E as of their respective Compliance Dates, and shall pay for the reasonable and actual costs associated with such notifications.
In the event that DCH determines a Breach has occurred, without unreasonable delay, and in any event no later than thirty (30) calendar days after Discovery, Contractor shall provide the DCH HIPAA Privacy and Security Officer a list of Individuals and a copy of the template notification letter to be sent to Individuals. Contractor shall begin the notification process only after obtaining DCH’s approval of the template notification letter. Within ten (10) business days of receipt of the template notification letter, DCH shall either: send notice of approval to Contractor or send notice of modifications that must be made to the template notification letter.
O.
Make any amendment(s) to PHI in a Designated Record Set that DCH directs or agrees to pursuant to 45 CFR 164.526 within five (5) business days after request of DCH. Contractor also agrees to provide DCH with written confirmation of the amendment in such format and within such time as DCH may require.
P.
In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, Contractor shall, within five (5) business days following DCH’s request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the DCH, provide DCH access to the PHI in an individual’s Designated Record Set. However, if requested by DCH, Contractor shall provide access to the PHI in a Designated Record Set directly to the individual to whom such information relates.
Q.
Give the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) or the Secretary’s designees access to Contractor’s books and records and policies, practices or procedures relating to the use and disclosure of PHI for or on behalf of DCH within five (5) business days after the Secretary or the Secretary’s designees request such access or otherwise as the Secretary or the Secretary’s designees may require. Contractor also agrees to make such information available for review, inspection and copying by the Secretary or the Secretary’s designees during normal business hours at the location or locations where such information is maintained or to otherwise provide such information to the Secretary or the Secretary’s designees in such form, format or manner as the Secretary or the Secretary’s designees may require.
R.
Document all disclosures of PHI and information related to such disclosures as would be required for DCH to respond to a request by an Individual or by the Secretary for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. By no later than five (5) business days of receipt of a written request from DCH, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the DCH HIPAA Privacy and Security Officer, Contractor shall provide an accounting of disclosures of PHI regarding an Individual to DCH. If requested by DCH, Contractor shall provide an accounting of disclosures directly to the individual. Contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the DCH upon request.
S.
In addition to any indemnification provisions in the Contract, indemnify the DCH from any liability resulting from any violation of the HIPAA Privacy and Security Rules or Breach that arises from the conduct or omission of Contractor or its employee(s), agent(s) or subcontractor(s). Such liability will include, but not be limited to, all actual and direct costs and/or losses, civil penalties and reasonable attorneys’ fees imposed on DCH.
T.
For any requirements in this Agreement that include deadlines, pay performance guarantee payments of $300.00 per calendar day, starting with the day after the deadline and continuing until Contractor complies with the requirement. Contractor shall ensure that its agreements with subcontractors enable Contractor to meet these deadlines.
8.
DCH agrees that it will:
A.
Notify Contractor of any new limitation in the applicable Notice of Privacy Practices in accordance with the provisions of the Privacy Rule if, and to the extent that, DCH determines in the exercise of its sole discretion that such limitation will affect Contractor’s use or disclosure of PHI.
B.
Notify Contractor of any change in, or revocation of, authorization by an Individual for DCH to use or disclose PHI to the extent that DCH determines in the exercise of its sole discretion that such change or revocation will affect Contractor’s use or disclosure of PHI.
C.
Notify Contractor of any restriction regarding its use or disclosure of PHI that DCH has agreed to in accordance with the Privacy Rule if, and to the extent that, DCH determines in the exercise of its sole discretion that such restriction will affect Contractor’s use or disclosure of PHI.
D.
Prior to agreeing to any changes in or revocation of permission by an Individual, or any restriction, to use or disclose PHI, DCH agrees to contact Contractor to determine feasibility of compliance. DCH agrees to assume all costs incurred by Contractor in compliance with such special requests.
9.
The Term of this Agreement shall be effective on the Effective Date and shall terminate when all of the PHI provided by DCH to Contractor, or created or received by Contractor on behalf of DCH, is destroyed or returned to DCH, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this section.
A.
Termination for Cause. Upon DCH’s knowledge of a material breach of this Agreement by Contractor, DCH shall either:
i.
Provide an opportunity for Contractor to cure the breach of Agreement within a reasonable period of time, which shall be within thirty (30) calendar days after receiving written notification of the breach by DCH;

    
 
 


ii.
If Contractor fails to cure the breach of Agreement, terminate the Contract upon thirty (30) calendar days notice; or
iii.
If neither termination nor cure is feasible, DCH shall report the breach of Agreement to the Secretary of the Department of Health and Human Services.
B.
Effect of Termination.
i.
Upon termination of this Agreement, for any reason, DCH and Contractor shall determine whether return of PHI is feasible. If return of the PHI is not feasible, Contractor agrees to continue to extend the protections of this Agreement to the PHI for so long as the Contractor maintains the PHI and shall limit the use and disclosure of the PHI to those purposes that made return or destruction of the PHI infeasible. If at any time it becomes feasible to return or destroy any such PHI maintained pursuant to this paragraph, Contractor must notify DCH and obtain instructions from DCH for either the return or destruction of the PHI.
ii.
Contractor agrees that it will limit its further use or disclosure of PHI only to those purposes DCH may, in the exercise of its sole discretion, deem to be in the public interest or necessary for the protection of such PHI, and will take such additional actions as DCH may require for the protection of patient privacy and the safeguarding, security and protection of such PHI.
iii.
This Effect of Termination section survives the termination of the Agreement.
10.
Interpretation. Any ambiguity in this Agreement shall be resolved to permit DCH and Contractor to comply with applicable laws, rules and regulations, the HIPAA Privacy Rule, the HIPAA Security Rule and any rules, regulations, requirements, rulings, interpretations, procedures or other actions related thereto that are promulgated, issued or taken by or on behalf of the Secretary; provided that applicable laws, rules and regulations and the laws of the State of Georgia shall supersede the Privacy Rule if, and to the extent that, they impose additional requirements, have requirements that are more stringent than or have been interpreted to provide greater protection of patient privacy or the security or safeguarding of PHI than those of the HIPAA Privacy Rule.
11.
No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations or liabilities whatsoever.
12.
All other terms and conditions contained in the Contract and any amendment thereto, not amended by this Agreement, shall remain in full force and effect.


(Signatures on following page)

    
 
 


IN WITNESS WHEREOF, Contractor, through its authorized officer and agent, has caused this Agreement to be executed on its behalf as of the date indicated.

WELLCARE OF GEORGIA, INC.


BY: /s/ Roman T. Kulich
SIGNATURE

Date: 2/27/14

Roman T. Kulich

President
TITLE*

* Must be President, Vice President, CEO or Other Officer Authorized to Execute on Behalf of and Bind the Entity to a Contract


    


ATTACHMENT E-1


List of Individuals Permitted to Receive, Use and Disclose DCH PHI


The following Position Titles, as employees and/or representatives of Contractor, need access to DCH Protected Health Information in order for Contractor to perform the services described in the Contract:

Annette Zerbe – Regulatory Affairs
Joshua Luft – Reporting & Analytics
James Johnson – IT & Operations
Franklin Moultrie – Project Analysis
Avis Boswell – Project Administration

Transfers of PHI must comply with DCH Policy and Procedure 419: Appropriate Use of Information Technology Resources.

Approved methods of secure delivery of PHI between Contractor and DCH:
Secure FTP file transfer (preferred)
Encrypted email or email sent through “secure tunnel” approved by DCH Information Security Officer
Email of encrypted document (password must be sent by telephone only)
Encrypted portable media device and tracked delivery method

Contractor must update this list as needed and provide the updated form to DCH. Use of DCH Protected Health Information by individuals who are not described on this Attachment E-1, as amended from time to time, is impermissible and a violation of the Agreement. Contractor must update this Attachment E-1 as needed and provide the updated form to DCH.

DCH Project Leader Contact Information:
Lynnette R. Rhodes
Deputy Director, Medicaid Operations
Georgia Department of Community Health
2 Peachtree St., NW – 36th Floor
Atlanta, Georgia 30303
(404) 656-7513


    


ATTACHMENT E-2

Part 1:
Please initial beside the correct option. Please select only one option.

_________ Contractor DOES NOT need any user accounts to access DCH Information Systems. Do not complete Part 2 of this form.

____X____ Contractor DOES need user accounts to access DCH Information Systems. Please complete Part 2 of this form.

Part 2:
Please complete the table below if you indicated that Contractor DOES need any user accounts to access DCH Information Systems. Please attach additional pages if needed.

List of Individuals Authorized to Access a DCH Information System Containing PHI

The following individuals, as employees and/or representatives of Contractor, need access to DCH Information Systems containing DCH Protected Health Information in order for Contractor to perform the services described in the Contract:

| Full Name | Employer | DCH Information System | Type of Access (Read only? Write?) |
|---|---|---|---|
| Separate Attachment | | | |

The DCH Project Leader must submit a completed DCH Network Access Request Form for each individual listed above. Access will be granted and changed in accordance with DCH Policy and Procedure 435: Managing Authorization, Access and Control of Information Systems.

Contractor must notify the Project Leader identified in the Contract and the DCH Access Control Coordinator (***@*** and ***@***) immediately, but at least within 24 hours, after any individual on this list no longer needs the level of access described. Failure to provide this notification on time is a violation of the Agreement and will be reported as a security incident.

Contractor must update this Attachment E-2 as needed and provide the updated form to DCH.
DCH Project Leader Contact Information:
Lynnette R. Rhodes
Deputy Director, Medicaid Operations
Georgia Department of Community Health
2 Peachtree St., NW – 36th Floor
Atlanta, Georgia 30303
(404) 656-7513

    