					                                The University of Kansas Hospital
                                    Corporate Policy Manual
                                  Volume: 7-Fiscal Management
                                      Section: Contracting
                             POLICY: Sales and Service Representatives

Signature ________________________________________________________________
              Scott Glasrud / Executive Vice President and Chief Financial Officer

Formulation    _01/23/2008 Revised_______________             Reviewed _______________
Date                       Date                               Date

Position Responsible for Policy Updates ______________________________________
                          Scott Helt / Vice President, Health System Contracting & Procurement


        The University of Kansas Hospital Authority (“Hospital”) recognizes that Sales and Service
Representatives (collectively referred to herein as “Representatives”), and the Sales and Service
Organizations that such Representatives represent (collectively referred to herein as “Organizations”),
play an important role in providing information and services to the Hospital. Nevertheless,
Representatives are guests of the Hospital and as such, should provide information and services in a
manner consistent with the accepted rules of conduct of the Hospital. The following policy (“Policy”)
has been developed by the Health System Contracting and Procurement Department of the Hospital in
order to advance the safety and security of the Hospital and its patients and to promote good working
relationships between and among Representatives, Hospital staff members, clinicians and physicians.

In addition to Representatives and Organizations that conduct (or propose to conduct) business with
the Hospital, this Policy applies to all Hospital Departments, employees and programs and is intended
to function in conjunction with any existing departmental procedures relating to Representatives. In
the event that a disparity exists between a departmental policy and/or a departmental procedure, this
Policy shall take precedence. Members of the Hospital Medical Staff shall be made aware of the
Policy and its requirements for employees and Representatives.

All Representatives are required to follow all of the campus rules and regulations, including, but not
limited to, smoke-free campus, patient, employee and visitor designated parking, as well as The
Hospital Code of Conduct, including, but not limited to, the “Business Courtesies” section thereof.
The Hospital Health System Contracting and Procurement Department will make copies of any such
Hospital Policies and Procedures available to Representatives or employees upon request.

The term “Service Representatives” does not include service technicians who have been engaged by
the Hospital to perform maintenance or service on Hospital equipment. Activities of such service
technicians are governed by the Hospital Maintenance Service Agreement Policy.

I.     REGISTRATION PROCEDURE

For security purposes, it is necessary for the Hospital to restrict unauthorized and inappropriate access
by third parties to the Hospital’s facilities, patients, and employees. Consistent with this objective, each
and every time a Representative visits the Hospital, such Representative will be required to
immediately register in the Vendor Registration area located near the main entrance of the Hospital.
The Representative will be provided with additional instructions and procedures at that time.
Representatives electing to park in the multilevel parking garage must pay the appropriate parking rate
and may not present their parking ticket for inpatient validation. Vendors are also required to follow
all parking rules and regulations as delineated by all signage.

             In addition, certain Representatives will be required to undergo further registration procedures:

      (i)       Representatives representing pharmaceutical manufacturers or suppliers (“Pharmaceutical
                Representatives”) will be required to register in the Department of Pharmacy located in the
                basement of the Hospital in Room B400.

      (ii)      Representatives representing service vendors (“Service Representatives”) will be required
                to register, both in and out, in the Department of BioMed Technologies located in the
                basement of the Hospital in Room B212, leaving a copy of the Field Service Report.

At the time of registration, each Representative shall be required to provide two forms of picture
identification, one of which must be an identification badge issued by the Organization such
Representative represents.

Representatives visiting Hospital Departments that are not physically located at the 3901 Rainbow
Boulevard location are required to register with the Hospital Department Director of that area.

Process: Prior to a Representative’s visit to a clinical program or Hospital Department, the Vendor
Registration staff will contact the applicable Hospital Department to verify the Representative’s
appointment. If approved by the Hospital Department, Vendor Registration will register the
Representative and issue the Representative a Hospital identification badge or sticker (“Hospital
Identification Badge”) before directing the Representative to the applicable Hospital Department.
Representatives are required to register with Vendor Registration at the beginning of every visit, even
when such visit is pursuant to a pre-scheduled appointment or a request from professional or clinical
staff member. Representatives’ patience and courtesy to the Registration Administrator are required.

Pre-scheduled after-hours appointments may be made with professional staff members in keeping with
the clinical limitations and/or the business needs of the Hospital, and at the request of a Hospital
Department Director, Executive Director, or Vice President. Vendor Registration shall be staffed 24-
hours per day, seven days per week. Representatives are required to register with Vendor Registration
regardless of the time of the applicable appointment.



A Representative’s failure to register for any reason shall be considered a violation of this Policy and
may result in the actions described in the “Enforcement” section of this Policy.



II.          IDENTIFICATION

When on Hospital premises, Representatives shall at all times wear the following two forms of
identification in a prominent location above the waist: (i) the Hospital Identification Badge issued by
Vendor Registration, and (ii) a photo identification badge issued by the Representative’s Organization.
Terms governing the use of the Hospital Identification Badges are set forth at Exhibit A. In the event a
Representative visits a Hospital Department prior to registering with Vendor Registration and
obtaining a Hospital Identification Badge, the Hospital Department will be required, under this Policy,
to re-direct the Representative to Vendor Registration.

III.           PRODUCT SAMPLES; AUTHORIZED AREAS FOR PRODUCT SAMPLES AND
               DEMONSTRATIONS

All product samples submitted for use within the Hospital must first be delivered to the:

       (i)       Manager of Clinical Support, if the product sample is a non-pharmaceutical product sample.

       (ii)      Pharmacy Department, if the product sample is a pharmaceutical product sample.
                 Pharmaceutical samples must comply with the Hospital’s Pharmaceutical Sample
                 Medications policy outlined in the Corporate Policy and Procedure regarding Patient
                 Care/Medication Management.

All product sample demonstrations and other business-related matters are to be carried out in non-
patient care areas. Representatives are not permitted in patient care areas, or in areas where the
processing, dispensing, or storage of Hospital assets occur, except by invitation from a member of the
professional staff with the approval of a Hospital Department Director, Executive Director, or Vice
President.

Product fairs, in-services, and demonstrations must be coordinated and authorized by the:

       (i) Hospital Health System Contracting and Procurement Department’s Manager of Clinical
               Support for non-pharmaceutical demonstrations.
       (ii) Hospital Pharmacy Department, for pharmaceutical demonstrations.

IV.            DEMONSTRATION AND LOANING OF EQUIPMENT

A Representative may place demonstration equipment, loaner equipment and/or medical-surgical
supplies into service at the Hospital at the request of a Department Director, Executive Director or
Vice President, and after the acceptance by the following:

       (i)       Bio-Medical Technologies Department (with respect to electronic devices or powered
                 equipment);

       (ii)      Information Technology Services (with respect to equipment added to the network);

       (iii)     Manager of Clinical Support (with respect to medical-surgical supplies); or

       (iv)      Pharmacy Department (with respect to pharmaceuticals or pharmaceutical devices).

All demonstration and/or loaner equipment shall be removed by the Organization loaning the
equipment immediately following the termination of the applicable loan, evaluation or demonstration
period, or sooner at the request of the applicable Department Director, Executive Director or Vice
President. Such removal shall be undertaken at the sole expense of the applicable Organization. In the
event that the placement is extended, a Department Director, Executive Director or Vice President
must authorize such extension through the written execution of a new equipment loan authorization
form, and any Agreement/Amendment/Attachment for such extension must be reviewed and approved
according to the Hospital Contract Policy. In the event demonstration and/or loaner equipment is put
into operation at the Hospital following the demonstration period, all institutional policies relating to
equipment acquisition and usage shall apply with respect to such equipment.

Unless otherwise specified in a written agreement signed by both the Hospital and the applicable
Organization, all product liability and patient liability for loaner equipment and equipment
demonstrations shall be retained by the Organization, and such Organization shall indemnify and hold
the Hospital, its directors, officers, employees and clinicians harmless from any and all claims arising
out of the use of such loaner or demonstration equipment.

V.          CONFIDENTIALITY

Business Processes and Business Arrangements: Representatives are prohibited from disclosing or
discussing the terms of current, future or pending contracts or business arrangements, including but not
limited to terms relating to pricing, purchase or duration, with members of the Hospital Medical Staff,
or other clinical or professional staff members, unless specifically authorized to do so, in advance and
in writing, by a Hospital Department Director, Executive Director, or Vice President. All discussion
related to the terms of current, future or pending contracts or business arrangements must include a
Hospital Department Director, Executive Director, Vice President or a member of the Health System
Contracting and Procurement Department, and may, if necessary, include members of the Hospital
Medical Staff, or other clinical or professional staff members. This Policy is not intended to prohibit
or restrict Representatives from discussing clinical issues related to product use or efficacy with
members of the Hospital Medical Staff or other clinical or professional staff members.

Specific questions regarding products that are being evaluated and/or considered by the Hospital for
contract award shall be directed to either one of the following individuals:

     (i)      The Assistant Director of Purchasing in the Health System Contracting and Procurement
              Department, when the product under evaluation is a non-pharmaceutical product, or

     (ii)     The Pharmacy Department Director, when the product under evaluation is a pharmaceutical
              product.



Information relating to the terms of current, future or pending contracts or business arrangements
involving the Hospital, including but not limited to Hospital contract pricing and group purchasing
contract pricing, is considered proprietary and confidential information of the Hospital. Failure on the
part of a Representative to adhere to the confidentiality provisions of this Policy will be considered a
violation of the procurement process and may result in the removal of the company or product from
consideration by the Hospital.

Clinical and/or Patient Information: Representatives are encouraged to execute, on their own behalf
and on behalf of the applicable Organization, a UNIVERSITY OF KANSAS HOSPITAL AUTHORITY
HIPAA BUSINESS ASSOCIATE ADDENDUM (“HIPAA BAA”) in substantially the same form as
attached hereto as Attachment A. Following execution of a HIPAA BAA, the Hospital Health System
Contracting and Procurement Department shall retain a copy of such HIPAA BAA on file and the
Representative will not be required to execute an additional HIPAA BAA.

In the event that a Representative’s Organization refuses to execute a HIPAA BAA, the Representative
will be required to sign a Vendor Privacy Form, in substantially the same form as attached hereto as
Attachment B, as part of the Representative’s registration process at the beginning of each visit to the
Hospital. In order to ensure that the Representative’s access to patient information is sufficiently
restricted, the Hospital shall have the discretion to restrict the Representative’s physical access within
the Hospital’s facilities to the Hospital Health System Contracting and Procurement Department.
Individuals authorized to exercise such discretion shall include any Department Director, Executive
Director or Vice President.

In no event will a Representative be allowed access to a Hospital Department, patient care department
or other department of the Hospital unless either a HIPAA BAA and/or a Vendor Privacy Form is
executed on behalf of that Representative and/or the applicable Organization.

VI.    AUTHORITY TO COMMIT HOSPITAL FUNDS

Authorization of Purchases: The Hospital Health System Contracting and Procurement Department
has been delegated the authority and responsibility for the acquisition of all material, equipment,
supplies, and services necessary to support the facility within the constraints of the Hospital budget.
Purchases are confirmed and binding only upon completion of a purchase order authorized and issued
by the Hospital Purchasing Department. In the event of an urgent need during non-business hours,
authorization may be issued by a Hospital Department Director, Executive Director or Vice President
subject to the limitations in existence in other Hospital policies governing payment approval. All
Representatives are hereby notified that physicians, surgeons, and other clinical staff are not authorized
to confirm the award of a contract, to obligate the Hospital for a contract, or to purchase any goods or
services on behalf of the Hospital at any time.

Failure to obtain an authorized purchase order shall result in non-payment of the product or service and
the product or service shall be considered a non-returnable gift to the Hospital. In addition, failure to
obtain an authorized purchase order through the Hospital Purchasing Department will be documented
as an instance of non-compliance with this Policy and may result in the actions described in the
“Enforcement” section of this Policy. If filled by an Organization, any order placements made by a
physician, surgeon or other clinical staff member shall be considered null and void and shall not be
eligible for payment by the Hospital and shall result in the product or service being considered a non-
returnable gift to the Hospital.

Certain situations necessitate the need for “Bill Only” consignment purchases. In the event that a
vendor representative delivers a product for a specific case, it is required that the representative
provide an interim invoice on the date that the product is provided. “Bill Only” products provided
without an interim invoice will be considered a non-returnable gift to the Hospital.

Payment for Goods or Services: Payment for goods or services shall be made according to the
Hospital Policies and Procedures governing such processes. Invoices shall be submitted to the
Hospital by Representatives or by the applicable Organizations, according to the terms and limitations
listed on the Hospital purchase order and in the Hospital Policies and Procedures governing payment
activities. The Hospital-issued purchase order number must appear on all shipping labels and invoices
in order to be eligible for payment.

VII.   AUTHORITY TO NEGOTIATE BUSINESS, FINANCIAL AND CONTRACT TERMS

All business, financial and contract terms of all contracts must be negotiated and approved according
to the processes and approval requirements detailed in the Hospital Contracting Policy and Procedure
as administered through the Hospital Health System Contracting and Procurement Department. In
order to avoid and prevent misunderstandings and miscommunications between Representatives and
the Hospital, Representatives are required to refrain from non-clinical business communications
relating to the Hospital with physicians, surgeons, clinical staff, and other Hospital personnel other
than Department Directors, Executive Directors, Vice Presidents, and individuals in the Health System
Contracting and Procurement Department.

In the event that a physician, surgeon, clinical staff member, or other non-authorized Hospital
employee attempts to engage a Representative in non-clinical business communications relating to the
Hospital, the Representative is required to request that one of the authorized individuals indicated
above (i.e., a Department Director, Executive Director or Vice President) be included in the
communication.

In the event that a Representative is found to have engaged in non-clinical business communications
relating to the Hospital with an unauthorized party, including communications initiated by an
unauthorized party, such communications shall be considered a violation of this Policy and may result
in the actions described in the “Enforcement” section of this Policy.

VIII. PRODUCT RECALLS / PRODUCT ALERTS / PRODUCT NOTICES

All information related to product recalls, product alerts, and product notices must be sent via certified
mail to the following address:

       The University of Kansas Hospital Authority
       Director, Risk Management
       3901 Rainbow Boulevard, Hospital Executive Office
       Kansas City, Kansas 66160

With a copy to (for Pharmaceuticals):

       The University of Kansas Hospital Authority
       Director, Pharmacy
       3901 Rainbow Boulevard, B400 KUH
       Kansas City, Kansas 66160

With a copy to (for Medical and Surgical Supplies):

       The University of Kansas Hospital Authority
       Manager of Clinical Support
       3901 Rainbow Boulevard, B810 KUH
       Kansas City, Kansas 66160

With a copy to (for equipment to Bio-Med):

       The University of Kansas Hospital Authority
       Director, Bio-Med
       3901 Rainbow Boulevard, B212
       Kansas City, Kansas 66160


Failure to provide timely notice as directed above shall be considered a violation of this Policy and
may result in the actions described in the “Enforcement” section of this Policy.


IX.    ENFORCEMENT

This Policy is in support of the Hospital mission and its Five Star Goals of Quality, Cost, People,
Growth and Service, which Goals require strict adherence to this Policy.

All Representatives will be required to execute a copy of the form attached hereto as Exhibit B:
“External Party Acceptance of The University of Kansas Hospital Authority Sales and Service
Representative Policy” indicating knowledge, and acceptance of, the requirements of this Policy on the
part of the Representative and the Organization that such Representative represents.

Any violation of this Policy on the part of a Representative or applicable Organization may result in
the immediate removal of the Representative from the premises of the Hospital, as well as the loss, on
the part of the Representative and/or applicable Organization, of the ability to conduct business with,
or on the premises of, the Hospital. The Hospital shall determine in its sole discretion whether and when such
violations have taken place and all resulting penalties, including the loss of the ability to conduct
business with, or on the premises of, the Hospital.

The Hospital may take disciplinary action against employees who violate this Policy, which may
include any disciplinary action that the Hospital is authorized to take, up to and including termination
of employment.

Questions, comments, or concerns regarding this Policy and its requirements should be submitted in
writing to the address listed below:

       Vice President, Health System Contracting and Procurement
       The University of Kansas Hospital Authority—Westwood Campus
       2330 Shawnee Mission Parkway, Suite 310
       Westwood, KS 66205

X.     VENDOR RIGHTS AND OBLIGATIONS / DEFICIT REDUCTION ACT

As part of the Deficit Reduction Act of 2005, the Hospital Authority is required to inform its
contractors and agents about federal and state false claims laws. Federal and state false claims laws
make it a crime for any person or organization to knowingly make a false record or file a false claim
with the government for payment. “Knowing” can include deliberate or reckless ignorance of facts
that make the claim false. An example of a possible false claim includes someone knowingly billing a
payer, such as Medicare or Medicaid, for services that were not provided. Violation of the false claims
laws can result in penalties of up to three times the value of the false claim, fines of $5,000 to $11,000
per claim as well as exclusion from participation in federal and/or state health care programs. A
person who knows a false claim was filed for payment can file a lawsuit and, in some cases, receive a
reward for bringing original information about a violation to the government’s attention.

It is the policy of the Hospital Authority to comply with all state and federal laws that prohibit the
filing of false claims with any governmental health care program. The Hospital Authority has
implemented an “Employee Awareness and Understanding of False Claims Prohibitions Policy” to
educate employees, contractors and other agents about these laws and the procedures implemented by
the Hospital Authority for ensuring ongoing compliance with these requirements. Contractors or
agents are encouraged to review this policy for further guidance on this topic. Furthermore,
contractors and agents have an obligation to report suspected false claims or violations of other
applicable laws to the Hospital Authority's Chief Compliance Officer, the Compliance Hotline (913-
588-5434) or management.


                                          Exhibit A:
                                Hospital Identification Badges




A Hospital Identification Badge containing the words “BUSINESS REPRESENTATIVE” in red print
shall be provided to any Representative who represents an Organization that has not executed a
Business Associate Agreement with the University of Kansas Hospital Authority (“Hospital”).
Representatives wearing red print Hospital Identification Badges are prohibited from having access or
direct exposure to patients of the Hospital or to PHI (as defined below), except in those situations in
which the patient(s) at issue signs an authorization form permitting such access. Representatives with
Hospital Identification Badges printed in red are not allowed in patient rooms, operating rooms,
resident rooms or nurses’ stations, and are prohibited from participating in patient rounds.

A Hospital Identification Badge containing the words “BUSINESS REPRESENTATIVE” in green
print shall be provided to any Representative who represents an Organization that has executed a
Business Associate Agreement with the Hospital. Representatives wearing green print Hospital
Identification Badges are not required to obtain a patient authorization form as a condition of
accessing PHI. Pursuant to the applicable Hospital HIPAA Privacy policies and procedures,
Hospital employees are authorized to release PHI to Representatives wearing green print Hospital
Identification Badges on a need-to-know basis only and in the minimum amount necessary to
accomplish the patient or organizational goals of the disclosure.

Pharmaceutical Representatives shall be prohibited from accessing PHI and shall be eligible for red
print Hospital Identification Badges only.

All Hospital Identification Badges will automatically expire after 24 hours by means of the
development of red hash marks through the printed information on the Hospital Identification Badge.
If a Hospital employee observes a Representative wearing an expired Hospital Identification Badge,
such employee is required to direct the Representative to VENDOR REGISTRATION to acquire a new
temporary Hospital Identification Badge. Hospital employees who have questions about this
procedure, or who encounter non-compliant Representatives, should contact the Hospital HIPAA
Commitment Office at 913-945-5490.

For the purposes of this Exhibit A, the term Protected Health Information, or PHI, shall be defined as
follows: Any information, whether oral or recorded in any form or medium, that:

     •  Is created or received by a health care provider, health plan, public health authority,
        employer, life insurer, school or university, or health care clearinghouse; and,

     •  Relates to the past, present, or future physical or mental health or condition of an
        individual; the provision of health care to an individual; or the past, present, or future
        payment for the provision of health care to an individual.

                                          Exhibit B:
                                 External Party Acceptance of

                        The University of Kansas Hospital Authority
                          Sales and Service Representative Policy

The signature below indicates and confirms the recognition and acceptance of The University of
Kansas Hospital Authority Sales and Service Representative Policy by the undersigned vendor
representative (“Representative”) on his or her own behalf and on behalf of the organization listed
below (“Organization”).

The undersigned Representative hereby acknowledges and agrees that any violation of this Policy on
the part of the Representative or the Representative’s Organization may result in the loss of the ability,
on behalf of the Representative and/or Organization, to conduct business with, or on the premises of,
The University of Kansas Hospital Authority (“Hospital”). The Hospital shall determine in its sole
discretion whether and when such violations have taken place and all resulting penalties, including the
loss of any privileges to conduct business with, or on the premises of, the Hospital.

The undersigned Representative further represents and warrants that he or she is authorized to execute
this External Party Acceptance form on behalf of the Organization listed below. In the event the
Representative does not have such authority, the Representative shall be denied access to the
Hospital’s facilities until such time as this External Party Acceptance form is signed by an authorized
individual.


Signature:            ___________________________________________________

Date:                 ___________________________________________________

Printed Name:         ___________________________________________________

Organization:         ___________________________________________________

Address:              ___________________________________________________

City, State, Zip:     ___________________________________________________
                                            Attachment A:

                     UNIVERSITY OF KANSAS HOSPITAL AUTHORITY
                        HIPAA BUSINESS ASSOCIATE ADDENDUM

This HIPAA Business Associate Addendum (“Addendum”) is entered into by and between the
University of Kansas Hospital Authority, a public body corporate and independent instrumentality of
the State of Kansas, on behalf of itself and its subsidiaries, located at 3901 Rainbow Boulevard,
Kansas City, Kansas 66160 (hereinafter referred to as “the Hospital Authority”), and
_______________, on behalf of itself and its affiliates, located at
___________________________________________________________ (hereinafter referred to as
“Business Associate”) (each a “Party”, and collectively, the “Parties”), and is effective as of
____________, 2004 (the “Addendum Effective Date”).

RECITALS

WHEREAS, the Hospital Authority is a Covered Entity pursuant to the Health Insurance Portability
and Accountability Act of 1996, (“HIPAA”) and the implementation regulations codified at 45 C.F.R.
parts 160 and 164 ("Privacy Rule");

WHEREAS, this Addendum is attached to, supplements and is made a part of any agreement which the
Parties have entered into that requires Business Associate to be provided with, to have access to, and/or
to create Protected Health Information (“PHI”) (collectively, the “Underlying Agreement”);

WHEREAS, the Hospital Authority wishes to disclose certain information to Business Associate, or,
if applicable, to allow Business Associate to create or receive information on behalf of the Hospital
Authority (collectively “Information”) pursuant to the terms of the Underlying Agreement and this
Addendum, some of which may constitute PHI;

WHEREAS, the Hospital Authority and Business Associate intend to protect the privacy and provide
for the security of PHI disclosed to Business Associate pursuant to the Underlying Agreement in
compliance with HIPAA and the Privacy Rule, and other applicable laws; and

WHEREAS, the purpose of this Addendum is to satisfy certain standards and requirements of HIPAA
and the Privacy Rule, as the same may be amended from time to time.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of
Information pursuant to this Addendum, the parties agree as follows:

   1. Background and Purpose. This Addendum shall govern Business Associate’s receipt, use,
      disclosure and creation of PHI under the Underlying Agreement. It supplements and/or amends
      the Underlying Agreement as required to allow the Hospital Authority to comply with the
      Privacy Rule, as defined below. Except as so supplemented and/or amended, the terms of the
      Underlying Agreement shall continue unchanged and shall apply with full force and effect to
      govern the matters addressed in this Addendum and in the Underlying Agreement.

   2. Definitions. Unless otherwise defined in this Addendum, all capitalized terms used in this
      Addendum shall have the meanings ascribed in the Privacy Rule; provided, however, that PHI
      shall have the meaning ascribed in 45 C.F.R. § 164.501, limited to the Information Business
      Associate receives from or creates or receives on behalf of the Hospital Authority as the
      Hospital Authority’s business associate.

   3. Obligations of Business Associate.

      a. Permitted Uses and Disclosures. Business Associate may use and/or disclose PHI
         received by Business Associate from the Hospital Authority, or, if applicable, created or
         received by Business Associate on behalf of the Hospital Authority, pursuant to this
         Addendum (hereinafter collectively referred to as “the Hospital Authority’s PHI”) in
         order to perform its obligations in the Underlying Agreement and in accordance with
         the permitted and required uses and disclosures, including the purpose, reasons and
         types of persons to whom the Business Associate may disclose the Hospital Authority’s
         PHI, as set forth in the Underlying Agreement. Additionally, Business Associate may:
              i. use the PHI in its possession for its proper management and administration and
                 to carry out the legal responsibilities of the Business Associate;
             ii. disclose the PHI in its possession to a third party for the purpose of Business
                 Associate's proper management and administration or to carry out the legal
                 responsibilities of Business Associate, provided that the disclosures are (a)
                 required by law or (b) Business Associate obtains reasonable assurances from
                 the third party that such PHI will be held confidentially and used or further
                 disclosed only as required by law or for the purpose for which it was disclosed
                 to the third party and the third party notifies the Business Associate of any
                 instances of which it is aware in which the confidentiality of the Information has
                 been breached; and
            iii. de-identify any and all PHI obtained by the Business Associate under this
                 Addendum at any location with the Hospital Authority’s prior written consent,
                 and use such de-identified data, in accordance with all of the de-identification
                 requirements of the Privacy Rule.

          Notwithstanding any other provision herein to the contrary, Business Associate agrees
          to make reasonable efforts to use or disclose the “Minimum Necessary” amount of
          information, as such term is defined in the Privacy Rule, required to conduct the
          authorized activities herein. The Hospital Authority agrees that it will make reasonable
          efforts to limit disclosures to Business Associate of the PHI necessary to perform its
          services under the Underlying Agreement.

      b. Uses and Disclosures Restricted. Business Associate shall not use or further disclose
         the Hospital Authority’s PHI other than as permitted or required by this Addendum or
         as permitted or required by law.

      c. Safeguards. Business Associate shall use appropriate safeguards to prevent use or
         disclosure of the Hospital Authority’s PHI other than as provided for by this
         Addendum.

      d. Reporting of Disclosures. Business Associate shall promptly report to the Hospital
         Authority any use or disclosure of the Hospital Authority’s PHI other than as provided
         for by this Addendum of which Business Associate becomes aware.

      e. Business Associate’s Agents. Business Associate shall ensure that any agents,
         including subcontractors, to whom it provides PHI received by Business Associate from
         the Hospital Authority, or, if applicable, created or received by Business Associate on
         behalf of the Hospital Authority, agree in writing to the same restrictions and conditions
         that apply to Business Associate in this Addendum with respect to such PHI.

      f. Availability of Information to the Hospital Authority. Within twenty (20) days of
         receiving a written request from the Hospital Authority, Business Associate shall make
         available to the Hospital Authority the Hospital Authority’s PHI contained in a Designated
         Record Set as the Hospital Authority may require to fulfill the Hospital Authority’s
         obligations to provide access to individuals with respect to PHI pursuant to HIPAA and
         the Privacy Rule.

      g. Amendment of PHI. Within thirty (30) days of receiving a written request from the
         Hospital Authority, Business Associate shall make the Hospital Authority’s PHI
         contained in a Designated Record Set available to the Hospital Authority to fulfill the
         Hospital Authority’s obligations to amend PHI pursuant to HIPAA and the Privacy
         Rule, and Business Associate shall, as directed by the Hospital Authority, incorporate
         any amendments to PHI provided to Business Associate by the Hospital Authority into
         copies of such PHI maintained by Business Associate.

      h. Internal Practices. Business Associate shall make its internal practices, books and
         records relating to the use and disclosure of PHI received by Business Associate from
         the Hospital Authority, or, if applicable, created or received by Business Associate on
         behalf of the Hospital Authority, available to the Secretary of the U.S. Department of
         Health and Human Services, or his or her designee, for purposes of determining the
         Hospital Authority’s compliance with HIPAA and the Privacy Rule.

      i. Accountings. Business Associate agrees to document disclosures of PHI and
         information related to such disclosures as would be required for the Hospital Authority
         to promptly respond to a request by an individual for an accounting of disclosures of
         such individual’s PHI by Business Associate in compliance with HIPAA and the
         Privacy Rule. Within thirty (30) days of receiving a written request from the Hospital
         Authority, Business Associate agrees to provide to the Hospital Authority information
         collected in accordance with the requirements of this Section 2.i to permit the Hospital
         Authority to make a timely and prompt response to a request by an individual for such
         accounting.

      j. Notification of Breach. During the term of this Addendum, Business Associate shall
         notify the Hospital Authority in writing within forty-eight (48) hours of any
         unauthorized use or disclosure of PHI in violation of this Addendum. Business
         Associate shall mitigate, to the extent practicable, any harmful effect that is known to
         Business Associate of a use or disclosure of PHI by Business Associate in violation of
         the requirements of this Addendum.

4. Security Rule. Business Associate agrees to use appropriate safeguards to prevent use or
   disclosure of the PHI other than as provided for by the Underlying Agreement. Without
   limiting the generality of the foregoing sentence, and effective on the date on which the
   Security Rule requires compliance by the Hospital Authority, Business Associate shall:

      a. Implement administrative, physical, and technical safeguards that reasonably and
         appropriately protect the confidentiality, integrity, and availability of Electronic
         Protected Health Information as required by the Security Rule;

      b. Ensure that any agent, including a subcontractor, to whom Business Associate provides
         Electronic Protected Health Information agrees to implement reasonable and
         appropriate safeguards to protect Electronic Protected Health Information; and

      c. Report to the Hospital Authority any security incident (as defined by the Security Rule)
         of which Business Associate becomes aware.

5. Termination.

       a. Material Breach. Should the Hospital Authority become aware of a breach of a
          material term of this Addendum by Business Associate, the Hospital Authority shall
          provide Business Associate with written notice of such breach in sufficient detail to
          enable Business Associate to understand the specific nature of the breach. The Hospital
          Authority shall be entitled to terminate the Underlying Agreement associated with such
          breach if, after the Hospital Authority provides the notice to Business Associate,
          Business Associate fails to cure the breach within a reasonable time period specified by
          the Hospital Authority in such notice; provided, however, that such time period
          specified by the Hospital Authority shall be a reasonable time period based on the
          nature of the breach involved as determined by the Hospital Authority.

       b. Reasonable Steps to Cure Breach. Business Associate agrees to cooperate with the
          Hospital Authority as necessary to mitigate, to the extent practicable, any harmful effect
          that results from a use or disclosure of PHI by Business Associate in violation of the
          requirements of this Addendum or the Privacy Rule. If Business Associate’s efforts to
          cure such breach or end such violation are unsuccessful, or cure is not possible, the
          Hospital Authority may either: (i) terminate the Underlying Agreement associated with
          the breach, if feasible; (ii) if termination of the Underlying Agreement is not feasible,
          report Business Associate’s breach or violation to the Secretary of the Department of
          Health and Human Services; or (iii) take such legal or equitable actions available in or
          pursuant to the Underlying Agreement attached hereto.

       c. Effect of Termination. Upon termination of the Underlying Agreement for any reason,
          Business Associate shall return or destroy all PHI received by Business Associate from
          the Hospital Authority, or, if applicable, created or received by Business Associate on
          behalf of the Hospital Authority, that Business Associate still maintains in any form,
          and shall retain no copies of such PHI, if feasible. If return or destruction is not feasible,
          this Addendum shall continue to apply to such information and, without limitation to
          the foregoing, Business Associate shall extend the protections of this Addendum to such
          information and limit further use and disclosure of such PHI to those purposes that
          make the return or destruction of such PHI infeasible for so long as the Business
          Associate maintains such PHI.

       d. Judicial or Administrative Proceedings. Notwithstanding any other provision herein,
          the Hospital Authority may terminate the applicable Underlying Agreement, effective
          immediately, upon a finding or stipulation that Business Associate violated any
          applicable standard or requirement of HIPAA, the Privacy Rule or any other applicable
          laws relating to the security or privacy of PHI, relating to the Underlying Agreement, in
          any criminal, administrative or civil proceeding in which the Business Associate is a
          named party.

6. Amendment. The parties acknowledge that state and federal laws relating to electronic data
   security and privacy are rapidly evolving and that amendment of this Addendum may be
   required to provide for procedures to ensure compliance with such developments. To the extent
   that any relevant provision of the Privacy Rule is materially amended in a manner that changes
   the obligations of Business Associate or the Hospital Authority that are embodied in the terms
   of this Addendum, the parties specifically agree to enter into good faith negotiations to
   implement the standards and requirements of HIPAA, the Privacy Rule and any other
   applicable laws relating to the security or privacy of PHI. If the parties cannot agree to an
   amendment within thirty (30) days after negotiations begin, then either party may terminate this
   Addendum upon ninety (90) days written notice to the other.

   7. No Third Party Beneficiaries. Nothing expressed or implied in this Addendum is intended to
      confer, nor shall anything herein confer, upon any person other than the Hospital Authority,
      Business Associate and their respective successors or assigns, any rights, remedies, obligations
      or liabilities whatsoever.

   8. Effect on Underlying Agreement. In the event of any inconsistencies between this Addendum
      and the Underlying Agreement, the terms of this Addendum shall prevail to the extent
      necessary to allow the Hospital Authority to comply with the Privacy Rule. All other terms of
      the Underlying Agreement shall remain in full force and effect.

   9. Interpretation. This Addendum and the Underlying Agreement shall be interpreted so as to
      implement and comply with the Privacy Rule. The parties agree that any ambiguity in this
      Addendum shall be resolved in favor of a meaning that complies and is consistent with the
      HIPAA Privacy Rule.

   10. Notices. All notices to the Hospital Authority or Business Associate required under this
       Addendum shall be sufficient if provided by certified mail, return receipt, or by fax, followed
       by certified mail, return receipt to the addresses above in the opening paragraph. If to the
       Hospital Authority, with a copy to:

                     Polsinelli Shalton Welte & Suelthaus
                     c/o Mr. Frank J. Ross, Jr., Esq.
                     700 W. 47th Street, Suite 1000
                     Kansas City, Missouri 64112

IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum as of the
Addendum Effective Date.


University of Kansas Hospital Authority            BUSINESS ASSOCIATE

By: ______________________________                 By: ______________________________

Print Name: _______________________                Print Name: _______________________

Title: ____________________________                Title: ____________________________

Date: ____________________________                 Date: ____________________________

                                                 Attachment B:

                        UNIVERSITY OF KANSAS HOSPITAL AUTHORITY
                                    Vendor Privacy Form


I, the undersigned vendor representative (“Representative”), hereby attest and affirm that should I encounter
any Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of
1996 and the regulations promulgated thereunder) during the course of my business dealings with The
University of Kansas Hospital Authority (“Hospital Authority”), I shall maintain such information under
strict confidentiality, and I agree not to use or disclose such PHI unless expressly authorized in writing to do
so by the Hospital Authority.

I understand that failure to so comply may result in my being barred from the Hospital Authority
premises with respect to all future business dealings. Such a breach of confidentiality may further
subject me and/or the organization listed below (“Organization”) to legal action on the part of the
Hospital Authority as may be required or permitted under federal and/or state law.

I further acknowledge and agree that any violation of this Vendor Privacy Form, by myself or the
Organization listed below, may result in the loss of privileges to conduct business with the Hospital
Authority. The Hospital Authority shall determine in its sole discretion whether and when such
violations have taken place and all resulting penalties, including the loss of any privileges to
conduct business with, or on the premises of, the Hospital Authority.

The undersigned Representative further represents and warrants that he or she is authorized to
execute this Vendor Privacy Form on behalf of the Organization listed below. In the event the
Representative does not have such authority, the Representative shall be denied access to the
Hospital’s facilities until such time as this Vendor Privacy Form is signed by an authorized
individual.



___________________________________________
Signature                     Date
                                                                            [Business Card Stapled Here]
___________________________________________
Printed Name

___________________________________________
Title

___________________________________________
Organization Name

___________________________________________
Address

___________________________________________
Phone                         Fax

___________________________________________
Email

				