FBFS HIPAA Agreement
HIPAA Notification

This notification is being sent by OCI Insurance and Financial Services INC. in order to comply with HIPAA regulations. This will allow us to continue to send you personal information we receive from or about your clients.

Please accept the terms of this agreement at the bottom of the page.

BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”), entered into and effective this day in February, 2010, is by and between you, the broker, (“Business Associate”) and OCI Insurance and Financial Services INC. (“OCI”); and shall be collectively known herein as the “Parties”.

WHEREAS, OCI wishes to commence a business relationship with “Business Associate” as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) including all pertinent regulations, issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009; and

WHEREAS, the nature of the prospective contractual relationship between OCI and Business Associate may involve the exchange of Protected Health Information (“PHI”) as defined under HIPAA; and

For good and lawful consideration OCI and Business Associate enter into this agreement for the purpose of ensuring compliance with the requirements of HIPAA, its implementing regulations, and the HITECH Act.

In consideration of the premises and promises contained herein, it is mutually agreed by and between OCI and its Business Associates as follows:

I. DEFINITIONS

A. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
B. Breach. “Breach” shall have the same meaning as the term “breach” in 13400 of the HITECH Act and shall include the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information.
C. Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR 164.501.
D. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information in 45 CFR Part 160 and Part 164, Subparts A and B, as amended by the HITECH Act and as may otherwise be amended from time to time.
E. Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of OCI.
F. Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501.
G. Secretary. “Secretary” shall mean the “Secretary of the U.S. Department of Health and Human Services” or his designee.
H. Unsecured Protected Health Information. “Unsecured Protected Health Information” or “Unsecured PHI” shall mean PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in the 13402(h) of the HITECH Act.

II. USE OR DISCLOSURE OF PHI BY BUSINESS ASSOCIATE

A. Except as otherwise limited in this Agreement, Business Associates may use or disclose PHI to perform functions, activities, or services for, or on behalf of OCI, provided that each use or disclosure would not violate the Privacy Rule.
B. Business Associate shall only use and disclose PHI if such use or disclosure complies with each applicable requirement of 45 CFR 164.504(e).
C. Business Associate shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent as OCI.

III. DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI

A. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
B. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of OCI.
C. Business Associate shall immediately notify OCI of any use or disclosure of PHI in violation of this Agreement.
D. Business Associates shall orally notify OCI of a Breach of Unsecured PHI within 24 hours of Business Associate’s (or Business Associate’s employee, officer, or agent) discovery of such Breach, followed by a report in writing, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Business Associate’s written notification to OCI hereunder shall:
   1. Be made to OCI within 48 hours of the initial oral report,
   2. Include the individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach, and
   3. Be in substantially the same form as EXHIBIT A hereto.
E. In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured PHI, Business Associate shall mitigate to the extent practicable any harmful effects of said disclosure that are known to it.
F. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI, received from, or created or received by Business Associate on behalf of OCI, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
G. To the extent applicable, Business Associate shall provide access to PHI in a Designated Record Set at reasonable times, at the request of OCI or, as directed by OCI to an Individual in order to meet the requirements under 45 CFR 164.524.
H. To the extent applicable, Business Associate shall make any amendment(s) to PHI in a Designated Record Set that OCI directs or agrees to pursuant to 45 CFR 164.526 at the request of OCI or an Individual.
I. Business Associate shall, upon request with reasonable notice, provide OCI access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI.
J. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for OCI to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Should an Individual make a request to OCI for an accounting of disclosures of his or her PHI pursuant to 45 CFR 164.528, Business Associate agrees to promptly provide OCI with information in a format and manner sufficient to respond to the individual’s request.
K. Business Associate shall upon request with reasonable notice, provide OCI with an accounting of uses and disclosures of PHI provided to it by OCI.
L. Business Associate shall make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from OCI available to the Secretary for the purpose of determining compliance with the Privacy Rule. The aforementioned information shall be made available to the Secretary in the manner and place as designated by the Secretary or the Secretary’s duly appointed delegate. Under this Agreement, Business Associate shall comply and cooperate with any request for documents or other information from the Secretary directed to OCI that seeks documents or other information held by Business Associate.
M. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 42 CFR 164.502(j)(I).
N. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

IV. TERM AND TERMINATION

A. Term. The Term of this Agreement shall be effective as of the date first above written and shall terminate when all of the PHI provided by OCI to Business Associate, or created or received by Business Associate on behalf of OCI, is destroyed or returned to OCI, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section IV.
B. Termination for Cause. Upon OCI’s knowledge of a material breach by Business Associate, OCI shall:
   1. Provide an opportunity for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the time specified by OCI, terminate this Agreement;
   2. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
   3. If neither termination nor cure is feasible, report the violation to the Secretary.
C. Effect of Termination.
   1. Except as provided in paragraph C(2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from OCI, or created or received by Business Associate on behalf of OCI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall not retain any copies of the PHI.
   2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to OCI written notification of the conditions that make return or destruction infeasible. After written notification that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
   3. Should Business Associate make a disclosure of PHI in violation of this Agreement, OCI shall have the right to immediately terminate any contract other than this Agreement, then in force between the Parties.

V. CONSIDERATION

Business Associate recognizes that the promises it has made in this Agreement shall, henceforth, be detrimentally relied upon by OCI in choosing to continue or commence a business relationship with Business Associate.

VI. REMEDIES IN EVENT OF BREACH

Business Associate hereby recognizes that irreparable harm will result to OCI, and to the business of OCI, in the event of breach by Business Associate of any of the covenants and assurances contained in this Agreement. As such, in the event of breach of any of the covenants and assurances contained in Section II or III above, OCI shall be entitled to restrain Business Associate from any continued violation of Sections II or III. Furthermore, in the event of breach of Sections II or III by Business Associate, OCI is entitled to reimbursement and indemnification from Business Associate for OCI’s reasonable attorneys’ fees and expenses and costs that were reasonably incurred as a proximate result of Business Associate’s breach. The remedies contained in this Section VI shall be in addition to (and not supersede) any action for damages and/or any other remedy OCI may have for breach of any part of this Agreement.

VII. MODIFICATION

This Agreement may only be modified through a written document signed by the Parties and, thus, no oral modification hereof shall be permitted. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for OCI to comply with the requirements of the Privacy Rule and HIPAA.

VIII. INTERPRETATION OF THIS CONTRACT IN RELATION TO OTHER CONTRACTS BETWEEN THE PARTIES

Should there be any conflict between the language of this contract and any other contract entered into between the Parties (either previous or subsequent to the date of this Agreement), the language and provisions of this Agreement shall control and prevail unless the Parties specifically refer in a subsequent written agreement to this Agreement by its title and date and specifically state that the provisions of the later written agreement shall control over this Agreement.

IX. COMPLIANCE WITH STATE LAW

The Business Associate acknowledges that by accepting the PHI from OCI, it becomes a holder of health records information and is subject to the provisions of Arizona law. If the HIPAA Privacy or Security Rules and the laws of Nebraska conflict regarding the degree of protection provided for PHI, Business Associate shall comply with the more restrictive protection requirement.

X. MISCELLANEOUS

A. Ambiguity. Any ambiguity in this Agreement shall be resolved to permit OCI to comply with the Privacy Rule.
B. Regulatory Reference. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
C. Notice to OCI. Any notice required under this Agreement to be given to OCI shall be made in writing to:
   4221 N 203rd Street
   Suite 200
   Elkhorn, NE 68022
   Attention: Privacy Officer
   402-330-8700
D. Notice to Business Associate. Any notice required under this Agreement to Business Associate shall be made in writing to Business Associate’s address on file with OCI at the time said Notice is required.

IN WITNESS WHEREOF and acknowledging acceptance and agreement of the foregoing, the Parties affix their signatures hereto.
Signed by Charles Olson
Signed On: 9th March 2020