Common Census, BenefitsUSA, and Common Benefits HIPAA & GLBA
The Data Management Agreement (the “Agreement”) between Common Census Inc. (CC) and the User is amended to include the following (i) Health Insurance Portability and Accountability Act (“HIPAA”) provisions, as required by 45 C.F.R. Parts 160-164 (the “Privacy and Security Rules”), (ii) Gramm-Leach-Bliley ACT (“GLBA”) provisions, as required by regulations promulgated by state departments of insurance (the “GLBA Rules”) and (iii) disclosure of compensation provisions:
A. HIPAA
1. Definitions. The following terms shall have the meaning set forth below:
- C.F.R. “C.F.R” means the Code of Federal Regulations.
- Designated Record Set. “Designated Record Set: has the meaning assigned to such term in 45 C.F.R. 164.501.
- Electronic Protected Health Information. “Electronic Protected Health Information” or “ePHI” means information that comes within paragraphs 1 (i) or 1 (ii) of the definition of “Protected Health Information”, as defined in 45 C.F.R. 160.103.
- Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 164.501 and shall include a person who qualifies as personal representative in accordance with 45 C.F.R. 164.502 (g).
- Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information”, as defined by C.F.R. 160.103, limited to the information created or received by User from or on behalf of CC.
- Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.501.
- Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
- Secretary Incident. “Secretary Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. 164.304.
- User. “User” means any individual who is accessing CC, Common Benefits, ND Enroller, or related technology.
2. Obligations of User:
- User agrees to not use or disclose PHI other than is permitted or required by the Agreement or as Required By Law. User shall also comply with any further limitations on uses and disclosures agreed to by CC in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to User according with Section 4.1(c) of this Agreement.
- User agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
- User agrees to mitigate, to the extent practicable, any harmful effect that is known to User of a use or disclosure of PHI by User in violation of the requirements of this Agreement.
- User agrees to report to CC any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware.
- User agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by User on behalf of CC agrees to the same restrictions and conditions that apply through this Agreement to User with respect to such information. In no event shall User, without CC prior written approval, provide PHI received from, or created or received by User on behalf of CC, to any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, process or otherwise has access to the PHI outside of the United States. Subcontractor(s) who work for CC are subject to the same terms and conditions as CC.
- User agrees to provide access to CC, at the request of CC and in the time and manner designated by CC, to PHI in a Designated Record Set or, as directed by CC, to an Individual in order to meet the requirements under 45 C.F.R. 164.524. CC’s determination of what constitutes “Protected Health Information” or a “Designated Record Set” shall be final and conclusive. If User provides copies or summaries of PHI to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4).
- User agrees to make any amendment(s) to PHI in a Designated Record Set that CC directs or agrees to pursuant to 45 C.F.R. 164.526 at the request of CC or an Individual, and in the time and manner designated by CC. User shall not charge any fee for fulfilling requests for amendment. CC’s determination of what PHI is subject to amendment pursuant to 45 C.F.R. 164.526 shall be final and conclusive.
- User agrees to make (i) internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by User on behalf of CC, and (ii) policies, procedures and documentation relating to the safeguarding of ePHI available to the CC, or at the request of the CC to the Secretary, in a time and manner designated by the CC or the Secretary, for purposes of the Secretary determining CC’s compliance with the Privacy and Security Rules.
- User agrees to document such disclosures of PHI as would be required for CC to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
- User agrees to provide to CC, in the time and manner designated by CC, the information collected in accordance with Section 2(i) of this Agreement, to permit CC to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
- User acknowledges that it shall request from CC and so disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
- With respect to ePHI, User shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of CC, as required by 45 C.F.R. Part 164, Subpart C.
- With respect to ePHI, User shall ensure that any agent, including a subcontractor, to whom it provides ePHI, agrees to implement reasonable and appropriate safeguards to protect it.
- User shall report to CC any Security Incident of which it becomes aware.
3. Permitted Uses and Disclosures by User
3.1 General Use and Disclosure
Except as otherwise limited in this Agreement, User may use or disclose PHI to perform its obligations under this Agreement, provided that such use or disclosure would not violate the Privacy and Security Rules if done by CC or the minimum necessary policies and procedures of CC.
3.2 Specific Use and Disclosure Provisions
- Except as otherwise limited in this Agreement, User may use PHI for the proper management and administration of the User or to carry out the legal responsibilities of the User.
- Except as otherwise limited in this Agreement, User may disclose PHI for the proper management and administration of the User, provided that disclosures are Required By Law, or User obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the User of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, User may use PHI to provide Data Aggregation services to CC as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).
- User may use PHI to report violation of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
4. Obligations of CC
4.1 Provisions for CC to Inform User of Privacy Practices and Restrictions
- CC shall notify User of any limitation(s) in CC’s notice of privacy practices that CC produces in accordance with 45 C.F.R. 164.520 (as well as any changes to that notice), to the extent that such limitation(s) may affect User’s use or disclosure of PHI.
- CC shall provide User with any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes affect User’s use and disclosure of PHI.
- CC shall notify User of any restriction to the use or disclosure of PHI that CC has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect User’s use or disclosure of PHI.
5. Miscellaneous
- Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect or as amended.
- Amendment. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, the safeguarding of ePHI or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit CC to comply with the Privacy and Security Rules.
B. GLBA
In the event User maintains, processes, or otherwise is permitted access to customer information, as defined below, in the course of performing duties under this Agreement, User shall be subject to the following terms and conditions:
6. Definitions
- Customer Information. “Customer Information” means nonpublic personal financial and health information about a customer, whether in paper, electronic or other form. Customer Information includes any such information provided by the customer as part of a request for information about, or an application for, a CC insurance product or service. Even if no such insurance product or service is subsequently provided to the customer.
7. Obligations of User:
- User agrees to implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of Customer Information that are appropriate to User’s size, complexity, nature and scope of activities, and that is designed to:
(i) ensure the integrity and confidentiality of Customer Information;
(ii) protect against any anticipated threats or hazards to the security or integrity of Customer Information; and
(iii) protect against unauthorized access to, or use of, Customer Information that could result in substantial harm or inconvenience to any customer. - User agrees to ensure that any agent, including a subcontractor, to whom it provides Customer Information received from, or created or received by User on behalf of CC, agrees to the same restrictions and conditions that apply through this Agreement to User with respect to such Customer Information.
- In no event shall User, without CC’s prior written approval, provide Customer Information (received from, or created or received by User on behalf of CC) to any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, processes, or otherwise has access to the Customer Information outside of the United States. Any foreign worker(s) that is allowed access to PHI is subject to the same terms and conditions as the CC staff.
- User agrees to make policies, procedures, and documentation relating to the safeguarding of Customer Information available to CC, or at the request of CC to the applicable department of insurance, in a time and manner designated by CC or such department of insurance, for the purposes of the department determining CC’s compliance with GLBA.
- User agrees to affirm in writing, upon request from CC from time to time, User’s continued compliance with its obligations under this Agreement.
8. Miscellaneous:
- Amendment. Upon the enactment of any law or regulation affecting the safeguarding of Customer Information, or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit CC to comply with GLBA state regulations.