ADDENDUM A:
BUSINESS ASSOCIATE AGREEMENT
1. Effective Date. This Addendum shall be effective on December 23, 2024.
2. HIPAA Privacy Rule Compliance. The parties acknowledge that for purposes of fulfilling the
obligations of Healthcare Management Administrators, Inc. (HMA) to Grant County (Plan Sponsor)
and its Group Health Plan (GHP) under this Addendum, HMA is the Business Associate of GHP. The
parties therefore desire to bring the Administrative Services Agreement between HMA and Plan
Sponsor (Agreement) into compliance with (i) the Health Insurance Portability and Accountability Act
of 1996, its implementing Administrative Simplification regulations (45 C.F.R. Parts 160-164,
Subparts A and E), including the HIPAA Privacy Rule to Support Reproductive Health Care Privacy
and (ii) the requirements of the Health Information Technology for Economic and Clinical Health
("HITECH") Act, as incorporated in the American Recovery and Reinvestment Act of 2009, along
with any guidance and/or regulations issued by the U.S. Department of Health and Human Services
("DHHS"), as well as any other state or federal privacy laws applicable to the relationship among
Plan Sponsor, GHP, and HMA. The Implementing Regulations, the HITECH Act, and the Final
Regulations are collectively referred to in this Addendum as "the HIPAA Requirements." GHP, Plan
Sponsor and Business Associate agree to incorporate into this Addendum any regulations issued by
DHHS with respect to the HITECH Act that relate to the obligations of business associates and that
are required to be (or should be) reflected in the business associate agreement.
3. Definitions. Terms used, but not otherwise defined, in this Addendum shall have the same meaning
as those terms in 45 CFR §§ 160.103 and 164.501, and 42 CFR § 2.11.
3.1 Breach. Breach shall mean, as defined in 45 C.F.R. § 164.402, the acquisition, access, use
or disclosure of Unsecured Protected Health Information in a manner not permitted by the
HIPAA Requirements that compromises the security or privacy of that Protected Health
Information.
3.2 Business Associate. Business Associate has the meaning set forth in 45 C.F.R. § 160.103.
3.3 Business Associate Subcontractor. Business Associate Subcontractor shall mean, as defined
in 45 C.F.R. § 160.103, any entity (including an agent) that creates, receives, maintains or
transmits Protected Health Information on behalf of HMA.
3.4 Electronic PHI. Electronic PHI shall mean, as defined in 45 C.F.R. § 160.103, protected
health information that is transmitted or maintained in any electronic media.
3.5 Group Health Plan. Group Health Plan means the Grant County.
3.6 Individual. Individual shall have the same meaning as the term "individual" in 45 CFR §
160.103 and shall include a person who qualifies as a personal representative in accordance
with 45 CFR § 164.502(g).
3.7 Limited Data Set. Limited Data Set shall mean, as defined in 45 C.F.R. § 164.514(e),
Protected Health Information that excludes the following direct identifiers of the individual or
of relatives, employers, or household members of the individual: Names; postal address
information other than town or city, State, and zip code; telephone numbers; fax numbers;
electronic mail addresses; social security numbers; medical record numbers; health plan
beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and
serial numbers, including license plate numbers; device identifiers and serial numbers; web
universal resource locators (URLs); internet protocol (IP) address numbers; biometric
Business Associate Agreement — HITECH 111317
#5693383 v1 / 43027-003
identifiers, including finger and voice prints; and full face photographic images and any
comparable images.
3.8 Patient Identifying Information. Information, such as the name, address, social security
number, or fingerprints, by which the identity of an individual having been diagnosed,
treated, or referred for treatment for Substance Use Disorder, can be determined with
reasonable accuracy either directly or by reference to the information (42 CFR § 2.11).
3.9 Protected Health Information. Protected Health Information means individually
identifiable health information, including "reproductive healthcare information", created or
received by HMA in the performance of its obligations under the Agreement on behalf of
GHP from which the identity of an individual can reasonably be determined, including all
information within the statutory meaning of Protected Health Information (45 CFR
§ 160.103). The term "Protected Health Information" or "PHI" in this Addendum shall mean
both Electronic PHI and non-electric PHI, unless another meaning is clearly specified.
3.10 Plan Sponsor. Plan Sponsor means Grant County.
3.11 Privacy Rule. Privacy Rule means the standards for privacy set forth in 45 CFR Part 160
and Part 164, Subparts A and E.
3.12 Reproductive Healthcare Rule. Uses and disclosures, including those for which an
attestation is required, under HIPAA Rule 45 CFR 164.502(a)(5)(iii)(A) and 45 CFR
164.509.
3.13 Regulatory References. A reference in this Addendum to a section in the Privacy Rule or
the HITECH act means the section as in effect or as amended, and for which compliance is
required.
3.14 Secretary. Secretary means the Secretary of the Department of Health and Human Services
or his designee.
3.15 Security Incident. Security incident shall mean, as defined in 45 C.F.R. § 164.304, the
attempted or successful unauthorized access, use, disclosure, modification, or destruction of
information or interference with system operations in an information system.
3.16 Substance Use Disorder ("SUD") Counseling Notes. SUD Counseling Notes shall have the
same meaning as 42 CFR §2.11. SUD Counseling Notes include notes recorded in any
medium by a Part 2 Program provider who is a substance use disorder or mental health
professional documenting or analyzing the contents of conversation during a private SUD
counseling session or a group, joint, or family counseling session.
3.17 Summary Health Information. Summary Health Information shall mean information,
which may be Protected Health Information that: 1) summarizes claims history, claims
expenses, or types of claims for whom Employer has provided health care benefits under the
GHP; and 2) from which the identifiers specified in 45 CFR § 164.514(b)(2)(i) have been
deleted (except that zip codes can be aggregated to the level of a 5-digit zip code).
3.18 Unsecured Protected Health Information. Unsecured Protected Health Information shall
mean, as defined in 45 C.F.R. § 164.402, Protected Health Information that is not rendered
unusable, unreadable, or indecipherable to unauthorized persons through the use of a
technology or methodology specified by DHHS.
3.19 All other terms used in this Addendum shall have the meanings set forth in the applicable
definitions under the HIPAA Requirements.
4. General Terms
4.1 In the event of an inconsistency between the provisions of this Addendum and a mandatory
term of the HIPAA Requirements (as these terms may be expressly amended from time to
time by the DHHS or as a result of interpretations by DHHS, a court, or another regulatory
agency with authority over the Parties), the interpretation of DHHS, such court or regulatory
agency shall prevail. In the event of a conflict among the interpretations of these entities, the
conflict shall be resolved in accordance with the rules of precedence.
4.2 Where provisions of this Addendum are different than those mandated by the HIPAA
Requirements, but are nonetheless permitted by the HIPAA Requirements, the provisions of
this Addendum shall control.
4.3 Except as expressly provided in the HIPAA Requirements, or this Addendum, this Addendum
does not create any rights in third parties.
5. HMA Obligations and Application Of The Standards For Electronic Transactions.
5.1 Permitted Uses and Disclosures. HMA shall not use or further disclose Protected Health
Information other than as: 1) permitted in writing by GHP; 2) authorized by an individual; 3)
Required by Law; or 4) as permitted in this section as follows:
5.1.1 HMA agrees to create, receive, use, disclose, maintain, or transmit PHI in order to
perform functions, activities, or services for, or on behalf of, GHP as specified in the
Agreement or this Addendum, provided that such use or disclosure would not violate
the HIPAA Requirements.
5.1.2 For the proper management and administration of HMA, or to carry out the legal
responsibilities of HMA, provided that disclosures are required by law, or HMA
obtains reasonable assurances from the person to whom the information is disclosed
that it will remain confidential and used or further disclosed only as required by law
or for the purpose for which it was disclosed to the person, and the person notifies
HMA of any instances of which it is aware in which the confidentiality of the
information has been breached. Notwithstanding the foregoing, HMA may not use or
disclose PHI for any of the Prohibited Purposes identified in 45 C.F.R.
§ 164.502(a)(5)(iii)(A). In the event of a third party request for reproductive health
care information, HMA shall notify GHP, who shall determine whether one or more
of the conditions set forth under 45 C.F.R. § 164.502(a)(5)(iii)(B) apply to render
such a request a Prohibited Purpose and HMA shall rely on GHP's determination.
5.1.3 In the event of a third party request for reproductive health care information that is
not for a Prohibited Purpose as determined by GHP, HMA may disclose the
information upon receipt of a valid attestation, as defined under 45 C.F.R. § 164.509.
The validity of the attestation shall be determined by GHP and HMA shall rely on
GHP's determination.
5.1.4 To provide Data Aggregation services to GHP as permitted by 45 CFR §
164.504(e)(2)(i)(B).
5.2 Protected Health Information to Plan Sponsor. GHP specifically authorizes HMA to
make disclosures of Protected Health Information to Plan Sponsor made in accordance with
Section 7 of this Addendum.
5.3 Protected Health Information to Business Associates of GHP or Employer. GHP and
Plan Sponsor specifically authorize HMA to disclose Protected Health Information to those
Business Associates of GHP or Plan Sponsor identified in Exhibit 1 ("Designated Business
Associates"). GHP or Plan Sponsor may revise Exhibit 1 upon advance written notice to
HMA. GHP and Plan Sponsor are solely responsible for ensuring that Designated Business
Associates comply with the applicable requirements of the Privacy Rule. HMA shall not be
liable for any damages arising from HMA's disclosure of Protected Health Information to a
Designated Business Associate.
5.4 Minimum Necessary. HMA will make reasonable efforts to use, disclose, or request only
the minimum necessary Protected Health Information to accomplish the intended purpose.
HMA agrees to utilize a Limited Data Set if practicable.
5.5 Safeguards. HMA shall implement appropriate safeguards, and comply with the Security
Standards (Subpart C of 45 C.F.R. Part 164) with respect to Electronic PHI, as necessary to
prevent use or disclosure of the Protected Health Information in violation of this Addendum.
HMA shall report to GHP any breach of the use or disclosure of PHI under this Addendum,
including reporting Breaches of Unsecured Protected Health Information as required by 45
C.F.R. § 164.410 and as required by Section 8 below.
5.6 Flow-Down Obligations of Business Associate Subcontractors. HMA agrees that as
required by the HIPAA Requirements, HMA will enter into a written agreement with all
Business Associate Subcontractors that: (i) requires them to comply with Privacy and
Security provisions of this Agreement in the same manner as required of HMA, and (ii)
notifies such Subcontractors that they will incur liability under the HIPAA Requirements for
non-compliance with such provisions. Accordingly, HMA shall ensure that all Subcontractors
agree in writing to the same privacy and security restrictions, conditions and requirements
that apply to HMA with respect to PHI.
5.7 Standard Transactions. HMA will not enter into any trading partner agreement in
connection with the conduct of Standard Transactions (as defined in 45 CFR, Part 162) for or
on behalf of GHP that: (i) changes the definition, data condition, or use of a data element or
segment in a Standard Transaction; (ii) adds any data elements or segments to the maximum
defined data set; (iii) uses any code or data element that is not permitted in a Standard
Transaction; or, (iv) changes the meaning or intent of a Standard Transaction or its
implementation specification. Additionally, HMA will require any Business Associate
Subcontractor involved with the conduct of such Standard Transactions to comply with each
applicable requirement of 45 C.F.R. Part 162.
5.8 Inspection of Books and Records. So GHP may meet its access obligations to the Secretary
under 45 CFR § 160.310, HMA shall make internal practices, books, and records relating to
the use and disclosure of Protected Health Information created or received by HMA on behalf
of GHP available to the Secretary, in a reasonable time and manner, for purposes of the
Secretary determining compliance with the Privacy Rule by GHP.
5.9 Access. So GHP may meet its access obligations to Individuals under 45 CFR § 164.524,
HMA shall provide access at the request of GHP, and in a reasonable time and manner, to an
Individual to his or her Protected Health Information.
5.10 Amendment. So GHP may meet its amendment obligations under 45 CFR § 164.526, HMA
shall make any amendment(s) to Protected Health Information as directed by GHP, or as
requested by an Individual, in a reasonable time and manner, in accordance with the law.
5.11 Accountings. So GHP may meet its amendment obligations under 45 CFR § 164.528, HMA
shall document disclosures of Protected Health Information and information related to
disclosures that would be required for GHP to respond to a request by an Individual for an
accounting of disclosures of Protected Health Information. HMA will make available
disclosure accountings for a period of 6 years prior to the date of request, but such
accountings will not include disclosures prior to April 14, 2003.
For repetitive disclosure of Protected Health Information for a single purpose to the same
recipient, HMA may record the first disclosure along with the frequency and duration of
subsequent disclosures.
This accounting requirement does not apply to disclosures: (i) permitted or required by this
Addendum for purposes of GHP payment or health care operations; (ii) to the individual who
is the subject of the Protected Health Information disclosed or to that individual's personal
representative; (iii) to persons involved in that individual's payment or treatment of health
care; (iv) for notification for disaster relief purposes, (v) for national security or intelligence
purposes; or (vi) to law enforcement officials or correctional institutions regarding inmates;
(vii) pursuant to an authorization; (viii) for disclosures of certain PHI made as part of a
limited data set; (ix) and for certain incidental disclosures that may occur where reasonable
safeguards have been implemented.
5.12 Privacy Notice. So GHP may meet its amendment obligations under 45 CFR § 164.520,
HMA will, upon the written request of Plan Sponsor or GHP, assist GHP in preparing Notices
of Privacy Practices, including a statement of whether GHP discloses or authorizes HMA to
disclose Protected Health Information to Plan Sponsor. GHP will be solely responsible for
review and approval of the content, and distribution of the Notices, including that their
content accurately reflects GHP's privacy policies, procedures and practices and complies
with all requirements of 45 CFR § 164.520. HMA may charge Plan Sponsor a fee for this
service and shall make the fee known to Plan Sponsor at the time of the written request.
5.13 Standards For Electronic Transactions. In connection with the services to be provided to
Grant County (Plan Sponsor) and its Group Health Plan as identified in this agreement, HMA
agrees that if it (or Business Associate Subcontractor) conducts an electronic transmission for
which the Secretary of the Department of Health and Human Services has established a
"standard transaction," HMA (or Business Associate Subcontractor) shall comply with the
requirements of the Standards for Electronic Transactions (45 C.F.R. parts 160 and 162).
5.14 Transmissions of Standard Transactions. HMA agrees that, in connection with the
transmission of standard transactions, it will not (and will not permit any Business Associate
Subcontractor with which it might contract to):
5.14.1 Change the definition, data condition, or use of a data element or segment in a
standard transaction;
5.14.2 Add any data elements or segments to the maximum defined data set;
5.14.3 Use any code or data elements that are either marked "not used" in the standard's
implementation specification or are not in the standard's implementation
specification; or
5.14.4 Change the meaning or intent of the standard's implementation specification(s).
5.15 Modifications to Standard Transactions by DHHS. HMA understands and agrees that
from time-to-time the Department of Health and Human Services might modify the standard
transactions now identified in 45 C.F.R. §§ 162.1101 through 162.1802. HMA (and any
Business Associate Subcontractor) agrees to abide by any changes to such standard
transactions that might be applicable to the services to be supplied in connection with the
Agreement.
5.16 Security Incidents. HMA shall report any Security Incident of which it becomes aware to
GHP if that incident relates to electronic Protected Health Information subject to the
following:
5.16.1 For security incidents that do not result in unauthorized access, use, disclosure,
modification, or destruction of PHI (including, for purposes of example and not for
purposes of limitation, pings on HMA's firewall, port scans, attempts to log onto a
system or enter a database with an invalid password or username, denial-of-service
attacks that do not result in the system being taken off-line, or malware such as
worms or viruses) (hereinafter "Unsuccessful Security Incidents"), HMA shall
aggregate the data and, upon the GHP's written request, report to the GHP in
accordance with the reporting requirements identified in Section 8.
5.16.2 HMA will take all commercially reasonable steps to mitigate, to the extent
practicable, any harmful effect that is known to HMA resulting from a Security
Incident;
5.16.3 HMA will permit termination of this Addendum if the GHP determines that HMA
has violated a material term of this Addendum with respect to HMA's security
obligations and HMA is unable to cure the violation; and
5.16.4 Upon GHP's request, HMA will provide GHP with access to and copies of
documentation regarding HMA's safeguards for PHI and Electronic PHI.
5.17 Security of Electronic Protected Health Information. HMA will implement
administrative, physical, and technical safeguards that reasonably and appropriately protect
the confidentiality, integrity, and availability of the electronic Protected Health Information
that it creates, receives, maintains, or transmits on behalf of GHP, as required under 45 CFR
Part 164, Subpart C. Additionally, HMA will implement policies and procedures that meet
the Security Standards documentation per HIPAA Requirements. As also provided for in
Section 5.6 above, HMA ensures any Business Associate Subcontractor agrees to implement
reasonable and appropriate safeguards to protect Electronic PHI.
6. GHP and Plan Sponsor Obligations.
6.1 Privacy Notice. GHP shall provide HMA with a copy of the notice of privacy practices that
GHP produces in accordance with 45 CFR § 164.520, as amended, as well as any changes to
such notice.
6.2 Changes to, or Revocations of, Protected Health Information. GHP shall provide HMA
with any changes to, or revocation of, permission by Individual to use or disclose Protected
Health Information, if such changes affect HMA's permitted or required uses and disclosures.
6.3 Restrictions to Protected Health Information. GHP shall notify HMA of any restriction to
the use or disclosure of Protected Health Information that GHP has agreed to in accordance
with 45 CFR § 164.522.
6.4 Prohibited Purposes and Attestation Regarding Reproductive Healthcare Information. Upon
notice from HMA of a third party request for reproductive health care information, GHP shall
determine whether one or more of the conditions set forth under 45 C.F.R.
§ 164.502(a)(5)(iii)(A) apply to prohibit disclosure and for disclosures which are not so
prohibited, GHP will determine the validity of the required attestation, pursuant to
45 C.F.R. §164.509.
6.5 Permissible Requests. GHP shall not request HMA to use or disclose Protected Health
Information in any manner that would not be permissible under the Privacy Rule.
6.6 Plan Sponsor Obligations. Plan Sponsor retains full and final authority and responsibility
for GHP and its operation. HMA is empowered to act on behalf of GHP only as stated in the
Agreement or this Addendum.
7. Disclosure to Plan Sponsor
7.1 Receipt of De-Identified Information. HMA may disclose De-identified Information, as
defined in 45 C.F.R. § 164.514, to Plan Sponsor without Plan Sponsor's certification of
compliance with the Privacy Rule.
7.2 Receipt of Summary Health Information. Upon Plan Sponsor's written request, HMA may
disclose Summary Health Information to Plan Sponsor without Plan Sponsor's certification of
compliance with the Privacy Rule. Plan Sponsor may use Summary Health Information only
to: 1) obtain premium bids for GHP; or 2) amend, modify, or terminate GHP.
7.3 Receipt of Protected Health Information. Plan Sponsor's access to, or receipt of, Protected
Health Information creates Plan Sponsor obligations under the Privacy Rule and HMA may
only provide such information to Plan Sponsor upon receiving Plan Sponsor's signed
certification of compliance with the Privacy Rule. Under this agreement, the Plan Sponsor
hereby certifies that it will, in compliance with the requirements of 45 Code of Federal
Regulations § 164.504(f)(2), appropriately safeguard and limit the use and disclosure of
enrollees' Protected Health Information which Employer may receive from HMA.
8. Substance Use Disorder Counseling Notes
8.1 Disclosure of Information. SUD Counseling Notes, and any other information subject to the
Part 2 Rule, may be exchanged under the terms of this agreement or any underlying
agreement between the parties. To the extent information subject to the Part 2 Rule is
exchanged, this section addresses the parties' obligations with respect to such information.
8.2 Receiving Party Obligations. The party receiving information subject to the Part 2 Rule
shall:
(A) Comply with the requirements of the Part 2 Rule with respect to all SUD Counseling
Notes it receives;
(B) Implement appropriate safeguards to prevent unauthorized uses and disclosures of
SUD Counseling Notes, such safeguards will comply with the Part 2 Rule;
(C) Promptly report any unauthorized use, disclosure, or breach of SUD Counseling
Notes and exercise reasonable efforts to assist the disclosing party with retrieving
any confidential information that was used or disclosed by a party or its
representative(s) without the specific prior written authorization of the disclosing
party and to mitigate the harm caused by the unauthorized use or disclosure;
(D) Refrain from redisclosing SUD Counseling Notes to any person or entity other than
the Lawful Holder as defined under the Part 2 Rule, unless such redisclosure is
permitted by an applicable provision of the Part 2 Rule, or guidance provided by the
Substance Abuse and Mental Health Services Administration (SAMHSA), U.S.
Department of Health and Human Services; and
(E) Use SUD Counseling Notes for the payment and health care operations activities the
receiving party performs under the terms of this agreement and for no other purpose,
unless such use is permitted by an applicable provision of the Part 2 Rule.
8.3 Disclosing Party Obligations. The party disclosing the information subject to the Part 2 Rule
shall:
(A) Make commercially reasonable efforts to require Part 2 Programs (as that term is
defined in the Part 2 Rule) to notify the receiving party of any SUD Counseling
Notes the Part 2 Program discloses directly to the receiving party in accordance with
the terms of this agreement; and
(B) Notify the receiving party of any SUD Counseling Notes the disclosing party
discloses to receiving party; and
(C) Disclose to the receiving party only the minimum Patient Identifying Information
necessary, including SUD Counseling Notes, for the receiving party to perform its
duties under their agreement or any underlying agreement between the parties.
9. Breach of Privacy or Security Reporting Obligations.
9.1 Report. HMA will report to GHP (in the manner and within the timeframes described below)
any breaches of unsecured PHI and any breach or acquisition, access, use or disclosure of PHI
as defined by 45 C.F.R. § 164.402. Where a breach is presumed under the regulations for
acquisition, access, use or disclosure in a manner that is not permitted by Privacy and
Security Rules, such breaches will not be disclosed if, following a risk assessment by HMA
as set forth in regulation, there is a low probability that PHI has been compromised.
9.2 Notice of Breach. HMA will notify GHP following discovery and without unreasonable
delay but in no event later than ten (10) calendar days following discovery, any "breach" of
"unsecured Protected Health Information," as set forth in 8.1 above. Breaches by a Business
Associate Subcontractor will be reported within ten days following report to HMA. HMA
shall cooperate with GHP in investigating the Breach and in meeting the GHP's obligations
under the HITECH Act and any other security breach notification laws. HMA shall follow its
notification to the GHP with a report that meets the requirements outlined immediately below.
(A) For Successful Security Incidents and Breaches, HMA — without reasonable delay
and in no event later than thirty (30) calendar days after HMA learns of such
non-permitted use or disclosure (whether at HMA or at Business Associate
Subcontractor) — shall provide GHP a report that will:
(i) Identify (if known) each individual whose Unsecured Protected Health
Information has been, or is reasonably believed to have been accessed,
acquired, or disclosed;
(ii) Identify the nature of the non-permitted access, use, or disclosure including
the date of the incident and the date of discovery;
(iii) Identify the PHI accessed, used, or disclosed (e.g., name; social security
number; date of birth);
(v) Identify what corrective action HMA took or will take to prevent further
non-permitted accesses, uses, or disclosures;
(vi) Identify what HMA did or will do to mitigate any deleterious effect of the
non-permitted access, use, or disclosure; and
(vii) Provide other such information, including a written report, as GHP may
reasonably request.
(B) For Unsuccessful Security Incidents of which we are aware, HMA shall provide
GHP, upon its written request, a report that: (i) identifies the categories of
Unsuccessful Security Incidents as described in Section 5.16.1; (ii) indicates whether
HMA believes its current defensive security measures are adequate to address all
Unsuccessful Security Incidents, given the scope and nature of such incidents; and
(iii) if the security measures are not adequate, the measures HMA will implement to
address the security inadequacies.
10. Term and Termination.
10.1 Term. The term of this Addendum shall be the same as the Agreement. Upon termination of
the Agreement, the terms of this Addendum shall remain in effect until all of the Protected
Health Information provided by GHP to HMA or created or received by HMA on behalf of
GHP, is destroyed or returned to GHP, or, if HMA claims it is infeasible to return or destroy
Protected Health Information, protections are extended to such information, in accordance
with the termination provisions in this Section.
10.2 Termination for Breach. In addition to the termination rights set forth in the Agreement,
upon Plan Sponsor's or GHP's knowledge of a material breach of this Addendum by HMA,
Plan Sponsor shall either: 1) provide HMA with written notice and an opportunity for HMA
to cure the breach or end the violation and terminate the Agreement if HMA does not cure the
breach or end the violation within the time specified in writing by GHP; or 2) immediately
terminate the Agreement if HMA has breached a material term of this Addendum and cure is
not possible. GHP agrees that HMA shall have the right to terminate this Addendum or seek
other remedies if GHP commits a material breach of this Addendum.
10.3 Effect of Termination. Upon termination of the Agreement, for any reason, HMA shall
return or destroy all Protected Health Information received from GHP, or created or received
by HMA on behalf of GHP. HMA shall retain no copies of the Protected Health Information
EXCEPT in the event HMA determines that returning or destroying the Protected Health
Information is infeasible, HMA shall extend the protections of this Addendum and the
HIPAA Requirements to such Protected Health Information and limit further uses and
disclosures of such Protected Health Information to those purposes that make the return or
destruction infeasible, for so long as HMA maintains such Protected Health Information.
11. Amendment. The Parties shall take such action as is necessary to amend the Agreement or this
Addendum as necessary to comply with the requirements of the Privacy and Security Rules and the
Health Insurance Portability and Accountability Act, Public Law 104-191 and accompanying
regulations, as amended.
12. Continuing Privacy and Security Obligations. HMA and GHP's obligations to protect the privacy
and security of PHI it created, received, maintained, or transmitted in connection with services to be
provided under the Agreement or this Addendum, will be continuous and survive termination of this
Addendum or the Agreement.
13. Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits
GHP to comply with the Privacy and Security Rules.
14. Counterparts. This Addendum may be executed in counterparts, each of which will be deemed an
original, but all of which together will constitute one and the same instrument.
SIGNATURE PAGE FOLLOWS
Grant County (Plan)
Signature
Name
Title
Date
HMA
Signature
Aadam Hussain
Name
President & CEO
Title
Date
Grant County
Signature
Name
Title
Date
* NOTE: EMPLOYER MUST ALSO COMPLETE, SIGN, AND RETURN AN EXHIBIT 1 *