16 minute read
SCHEDULE B COMPENSATION SCHEDULE
Health Benefits Program Management (medical and prescription drug)
$8.25* ** Per enrolled employee per month
*This fee is subject to a 3% increase annually
** Fee is subject to change if enrollment shifts more than +/- 10%
Ancillary Benefits Program Management
HORAN will accept standard commission from your administrator or insurer for the following benefits programs.
• Dental
• Vision
• Short term disability
• Long term disability
• Group life insurance
• Voluntary and supplemental life insurance
• Worksite benefits (critical illness, long term care, supplemental hospital indemnity, or any other similar lines of coverage)
• Other lines of coverage implemented after the effective date of this agreement
Insurer Bonus and Override Payments
Our compensation may vary based on the type of program you have and the vendors you select. In addition to the professional fees referenced above and in accordance with industry custom, HORAN may receive additional monetary and non-monetary compensation from insurers, insurance intermediaries, or other vendors which may be contingent upon volume, profitability or other factors. HORAN will disclose any such arrangements as reported by the insurer on Form 5500 Schedule A (if applicable). To further assist you in evaluating any potential conflicts of interest and to provide pricing transparency, HORAN will disclose any amounts not otherwise reported upon your request.
Travel
Horan expects travel expenses annually including airfare, transportation, and lodging. We will bill for travel or allow you to provide for travel expenses through your preferred partners. If HORAN provides travel, we will provide a detailed record of the actual expenses (without any markup) and bill on a quarterly basis.
Subcontracted Services
This compensation schedule does not include services provided through a third-party vendor (where applicable) where the contract is held by Client or HORAN
HORAN Associates, Inc.
Messer Construction Company
By: By: Title: Title: Name: Name: Date: Date:
Schedule C
Business Associate Agreement
WHEREAS, pursuant to the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 2024 (Aug. 21, 1996) (“HIPAA”), the Office of the Secretary of the Department of Health and Human Services has issued: (1) regulations providing Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Subparts A and E of Part 164 (“Privacy Rule”); (2) regulations providing Security Standards for the Protection of Electronic Protected Health Information at 45CFRPart 160andSubpart CofPart164(the“SecurityRule”);and(3)regulationsmodifyingthePrivacy Rule, Security Rule, Enforcement and Breach Notification Rules; and
WHEREAS, the privacy and security provisions of HIPAA have been amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act of 2009, and any and all references in this Agreement to the “HIPAA Rules” shall be deemed to include the Privacy Rule, the Security Rule, HITECH, the Enforcement and Breach Notification Rules, and all existing and future implementing regulations, as they become effective; and
WHEREAS, the HIPAA Rules provide, among other things, that a Covered Entity is permitted to disclose Protected Health Information (“PHI”) to a Business Associate and allow the Business Associate to obtain, receive, and create PHI on the Covered Entity’s behalf, only if the Covered Entity obtains satisfactory assurances in the form of a written contract, that the Business Associate will appropriately safeguard the PHI; and
WHEREAS, Messer Construction Company (the “Plan Sponsor”) maintains one or more Health Plans (“Plans”) and has engaged HORAN Associates, Inc. (“Business Associate”) to perform services, which may be described in a separate contract (the “Services Arrangement”) and Business Associate may receive PHI, or create and receive such information in the performance of services on behalf of such Plans. Plan Sponsor and Business Associate desire to determine the terms under which they shall comply with the HIPAA Rules;
NOW THEREFORE, the Plans, Plan Sponsor, and Business Associate agree as follows:
1. GENERAL HIPAA COMPLIANCE PROVISIONS
1.1. HIPAA Definitions. Except as otherwise provided in this Agreement, all capitalized terms contained in this Agreement shall have the meanings set forth in the HIPAA Rules.
1.2. HIPAA Readiness. Business Associate agrees that it will be fully compliant with the requirements of the HIPAA Rules that apply to Business Associates by the compliance dates established under such rules to the extent necessary to enable the Plans to comply with their obligations under the HIPAA Rules.
1.3. Changes in Law. Business Associate agrees that it will comply with any changes in the HIPAA Rules by the compliance date established for any such changes. If, due to such a change, either or all oftheparties are nolonger requiredtotreat PHIinthemannerprovidedfor inthis Agreement,theparties shall renegotiate this Agreement, subject to the requirements of Section 5. Any such renegotiation shall occur as soon as practicable following the occurrence of the change.
1.4. Nature of Relationship. The parties acknowledge that:
1.4.1. Each Plan is a Group Health Plan and a Covered Entity;
1.4.2. Business Associate is a Business Associate of one of more of the Plans; and
1.4.3. Messer ConstructionCompany isthePlanSponsor(asdefinedinsection3(16)(b) of Employee Retirement Income Security Act of 1974 29 USC § 1001 et seq., as amended (“ERISA”)) of each Plan,is not a CoveredEntity, and actsin the capacity of a plan sponsor as defined inthe HIPAA Rules.
1.4.4. Whenever reference is made in this Agreement to actions or undertakings of a Plan, to reports or information provided by the Business Associate to a Plan, or to instructions to the Business Associate from a Plan, the reference to the Plan shall be to the person or entity designated in such Plan’s documents as having responsibility for Plan administration or, if no designation is made therein, the Plan Sponsor.
1.4.5. The relationship of the Business Associate to any Plan (or the Plan Sponsor) is solely a contractual relationship and nothing in the Services Arrangement or this Agreement shall be interpreted as creating an agency relationship with the Business Associate under Federal common law.
2. TREATMENT OF PHI
2.1. Permitted Uses and Disclosures of PHI.
2.1.1. Uses and Disclosures on Behalf of the Plan. The Business Associate shall be permitted to use and disclose PHI for the services Business Associate is providing to the Plan or Plan SponsorpursuanttotheServicesArrangement,whichmayincludebutnotbelimitedtoTreatment,Payment activities and/or Health Care Operations, and as otherwise required to perform its obligations under this Agreement and the Services Arrangement.
2.1.2. Other Permitted Uses and Disclosures. In addition to the uses and disclosures set forth in Section 2.1.1, Business Associate may use or disclose PHI received from, or created or received on behalf of, the Plan under the following circumstances:
2.1.2.1. Disclosures to the Plan Sponsor. Business Associate may provide: i. Summary Health Information to the Plan Sponsor upon Plan Sponsor’s written request which specifies that the purpose of the request is either: (a) to obtain premium bids for providing health insurance coverage to a Plan; and/or (b) to modify, amend or terminate a Plan; ii. Information to the Plan Sponsor on whether an individual is participating in a Plan or is enrolled or has disenrolled from any insurance coverage offered by the Plan; and iii. PHI to the Plan Sponsor for purposes of Plan Administration Functions,providedthatthePlanSponsorhasprovidedtoBusinessAssociate: (a)acopyof PlanSponsor’s certification to the applicable Plan under 45 CFR 164.504(f)(2) relating to the required amendment of such Plan’s plan documents (the “Certification”), and (b) a list of employees of or descriptions of positions with Plan Sponsor who are authorized in accordance with the applicable plan documents to receive PHI from the Business Associate in connection with Plan Administration Functions of such Plan.
2.1.2.2. Use of PHI for Management, Administration, and Legal Responsibilities. Business Associate is permitted to use PHI if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities.
2.1.2.3. Disclosure of PHI For Management, Administration, and Legal Responsibilities. Business Associate is permitted to disclose PHI if necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that the disclosureisrequiredbylaw,or BusinessAssociate obtainsreasonableassurancesfrom thepersontowhom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, the person will use appropriate safeguards to prevent use or disclosure of the information, and the person will notify Business Associate immediately of any instance of which it is aware in which the confidentiality of the PHI has been breached.
2.1.2.4. Data Aggregation Services. Business Associate is permitted to use or disclose PHI to provide data aggregation services, as that term is defined by 45 CFR §164.501, relating to the health care operations of a Plan.
2.1.2.5. De-identification. Business Associate is permitted to use PHI to de-identify the information in accordance with 45 CFR §164.514. Once de-identified, the information is no longer PHI or subject to the terms of this Agreement and may be used or disclosed by the Business Associate as long as the information does not include a key or other mechanism that would enable the information to be identified.
2.1.3. Further Uses Prohibited. Except as provided in Sections 2.1.1 and Section 2.1.2, Business Associate is prohibited from further using or disclosing any information received from the Plan, or from anyother Business Associateofthe Plan,for any commercial purposes of Business Associate. Business Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA Rules.
2.2. Minimum Necessary. Business Associate shall only request, use, and disclose the minimum amount of PHI necessary to accomplish the purposes of the request, use, or disclosure. Business Associate and Plan Sponsor acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with the HIPAA Rules.
2.3. Prohibited,Unlawful,orUnauthorized Use and Disclosure of PHI. BusinessAssociate shall not use or further disclose any PHI received from, or created or received on behalf of, a Plan, in a manner that would violate the requirements of the Privacy Rule if done by the Plan.
2.4. Required Safeguards. Business Associate will develop, implement, maintain, and use appropriate safeguards to prevent use or disclosure of PHI received from, or created or received on behalf of, a Plan or other than as provided for in this Agreement or as required by law, including adopting policies and procedures regarding the safeguarding of PHI; and providing training to relevant employees on such policies and procedures to prevent the improper use or disclosure of PHI. To the extent Business Associate will carry out one or more of Plan Sponsor’s obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rules that apply to the Plan Sponsor in the performance of such obligations.
2.5. Mitigation of Improper Uses or Disclosures. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
2.6. Reporting of Unauthorized Uses and Disclosures. Business Associate shall promptly report in writing to the applicable Plan any use or disclosure of PHI not provided for under this Agreement, of which Business Associate becomes aware.
2.7. Security Rule.
2.7.1. Security Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards set forth in the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of any Plan or Plan Sponsor.
2.7.2. Security Incidents. Business Associate agrees to report to the Plans and Plan Sponsor any unauthorized access, use, disclosure, modification, or destruction of information or interference with information system operations which affect Electronic PHI created, received, maintained, or transmitted on behalf of any Plan of which Business Associate becomes aware. Business Associate agrees to also report to the Plan and Plan Sponsor any attempted unauthorized access affecting Electronic PHI created, received, maintained, or transmitted on behalf of any Plan of which Business Associate becomes aware; provided that Business Associate determines that the attempted access was material and credible.
2.8. Breach Notifications. Business Associate agrees to notify the applicable Plan and the Plan Sponsor of any Breach of Unsecured PHI within 10 days from the date of discovery.
2.8.1. Information About Breach. Business Associate shall provide a report to the Plan within 15 days of discovery of a Breach except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to the Plan the required information as soon as possible and without unreasonable delay, but in no event later than 30 calendar days from the date of discovery of a Breach. A Breach will be treated as discovered in accordance with 45 CFR §164.410. The Business Associate’s report shall include: (i) the date of the Breach; (ii) the dateofdiscoveryoftheBreach;(iii)alist ofeachindividualwhoseUnsecuredPHIhasbeenorisreasonably believed to have been used, accessed, acquired, or disclosed during the Breach; (iv) a description of the type of Unsecured PHI involved; (v) the identity of who made the non-permitted use or disclosure and who received the non-permitted disclosure (if known); and (vi) any other details necessary to complete an assessment of whether the PHI has been compromised.
2.8.2. Notification to Individual and Others. Unless otherwise agreed between the Plan Sponsor and Business Associate, the Plan shall be responsible to provide notification to individuals whose Unsecured PHI has been disclosed, as well as the Secretary of Health and Human Services and the media, as required by the HIPAA Rules.
2.8.3. Investigation and New Procedures. Business Associateagreestoinvestigate the Breachandto establishprocedures to mitigatelosses and protect against futureBreaches, and to provide a description of these procedures and the specific findings of the investigation to the Plan in the time and manner reasonably requested by the Plan.
2.9. Plan Participant Requests. The Plans, Plan Sponsor and Business Associate acknowledge that Plan participants have certain rights under the Privacy Rule to access, amend and receive an accounting of certain disclosures of their PHI. Business Associate further understands that the Plans have developed specific policies and procedures to be followed for Plan participants who make such requests as an exercise of their rights under the Privacy Rule. A request by a Plan participant or such participant’s personal representative made in accordance with such policies and procedures to access, amend or receive an accounting of disclosures of the participant’s PHI is referred to herein as a “Formal HIPAA Request.”
2.9.1. Access to PHI. Within 30 days of a Plan’s request on behalf of an individual, Business Associate agrees to make available to the Plan any relevant PHI in a Designated Record Set received from, or created orreceived on behalf of the Plan in accordance with the Privacy Rule. If Business Associate receives, directly or indirectly, a request from an individual requesting PHI, Business Associate shall notify the Plan in writing promptly of such request no later than 10 business days of receiving such request.IfaPlanrequestsanelectroniccopyofPHIthat ismaintainedelectronicallyinaDesignatedRecord Set in the Business Associate’s custody or control, Business Associate will provide an electronic copy in the form and format specified by the Plan if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with the Plan to determine an alternative form and format that enables the Plan to meet its electronic access obligations under 45 CFR §164.524.
2.9.2. Amendment of PHI. Within 30 days of a Plan’s request, Business Associate agrees to make available to the Plan any relevant PHI in a Designated Record Set received from, or created or received on behalf of, the Plan so the Plan may fulfill its obligations to amend such PHI pursuant to the Privacy Rule. Business Associate shall incorporate any amendments to PHI into any and all PHI Business Associate maintains. If Business Associate receives, directly or indirectly, a request from an individual for an amendment to PHI, Business Associate shall notify the Plan in writing promptly of such request no later than 10 business days of receiving such request. Each Plan shall have full discretion to determine whether the requested amendment shall occur.
2.9.3. Accounting of Disclosures. Business Associate shall maintain, beginning as of the date Business Associate first receives PHI from a Plan or the Plan Sponsor, an accounting of those disclosures of PHI it receives from, or creates or receives on behalf of the Plans which are not excepted from disclosure accounting under the Privacy Rule. Within 30 days of a Plan’s request, Business Associate shall make available to such Plan, the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. If Business Associate receives, directly or indirectly, a request from an individual requesting an accounting of disclosures of PHI, Business Associate shall notify the applicable Planinwritingpromptlyofsuchrequestnolaterthan10businessdaysofreceivingsucharequest. Business Associate shall provide such an accounting based on an individual’s Formal HIPAA Request to the Plan and the Plan shall have full discretion to determine whether the requested accounting shall be provided to the requesting individual. Business Associate will maintain the disclosure information for at least 6 years following the date of the accountable disclosure to which the disclosure information relates.
2.10. Restrictions and Confidential Communications. Business Associate shall, uponnotice from a Plan in accordance with Section 3.3, accommodate any restriction to the use or disclosure of PHI and any request for confidential communications to which such Plan has agreed in accordance with the Privacy Rule.
2.11. Subcontractors. Business Associate will require each of its agents, including any subcontractor (if permitted under the applicable Services Arrangement), to whom it provides PHI received from, or created or received on behalf of, a Plan to agree, in a written agreement with Business Associate, to comply with the Security Rule, and to agree to all of the same restrictions and conditions contained in this Agreement or the HIPAA Rules that apply to Business Associate with respect to such information.
2.12. Audit. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, the Plans available to the Secretary of Health and Human Services upon request for purposes of determining compliance by the Plans with the HIPAA Rules.
2.13. Enforcement. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules.
3. OBLIGATIONS OF COVERED ENTITY
3.1. Notice of Privacy Practices. The Plans shall notify Business Associate of any limitations in its notice of privacy practices, to the extent such limitations may affect the Business Associate’s use or disclosure of PHI in accordance with 45 CFR 164.520, as well as any changes to such notice.
3.2. Revocation of Permission. Each Plan shall provide Business Associate with any changes in, or revocation of, permission by any individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures with respect to such Plan.
3.3. Notice of Restrictions and Confidential Communications. Each Plan shall notify Business Associate of any restriction on the use or disclosure of PHI that such Plan has agreed to in accordance with 45 CFR § 164.522. The applicable Plan shall notify Business Associate of any restriction on the use or disclosure of PHI and any request for confidential communications to which, in accordance with the Privacy Rule, such Plan has agreed.
3.4. Permissible Requests By the Plan. Except as provided in Section 2.1, the Plans shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity.
4. AMENDMENT AND TERMINATION
4.1. Term and Termination. The Term of this Agreement shall be effective as of the date this Agreement is signed, and shall terminate when all of the PHI provided by the Plan to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 4.3.
4.2. TerminationforViolationof Agreement. Withoutlimiting therightsof the parties under the Services Arrangement, the applicable Plan(s) will have the right to terminate this Agreement and the ServicesArrangement ifBusiness Associatehasengagedinanactivityorpracticethat constitutesamaterial breach or violation of Business Associate’s obligations regarding PHI under this Agreement and, on notice of such material breach or violation from such Plan(s) or Plan Sponsor, fails to take reasonable and diligent steps to cure the breach or end the violation. The applicable Plan(s) will follow the notice of termination procedures (if any) applicable to the Services Arrangement. Notwithstanding the termination of this Agreement, Business Associate shall continue to comply with Section 4.3 hereof after termination of this Agreement.
4.3. ReturnofPHI. At terminationofthis Agreement or the ServicesArrangement,whichever shall be first to occur, Business Associate shall return to the Plans all PHI received from, or created or received on behalf of, such Plans that Business Associate maintains in any form and shall retain no copies of such information. This provision shall also apply to PHI that is in the possession of any Subcontractor of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information. If such return is not feasible, Business Associate shall notify the applicable Plan(s) thereof and Business Associate shall destroy such
PHI and/or extend the protections of this Agreement to such PHI retained by Business Associate and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
5. MISCELLANEOUS PROVISIONS
5.1. Third-Party Beneficiary. No individual or entity is intended to be a third-party beneficiary to this Agreement.
5.2. Severability. If any provisions of this Agreement shall be held by a court of competent jurisdiction to be no longer required by the HIPAA Rules, the parties shall exercise their best efforts to determine whether such provision shall be retained, replaced, or modified.
5.3. Procedures. Thepartiesshallcomplywithproceduresmutuallyagreeduponbytheparties to facilitate the Plans’ compliance with the HIPAA Rules, including procedures for employee sanctions and procedures designed to mitigate the harmful effects of any improper use or disclosure of the PHI of any Plans.
5.4. Choice of Law. This Agreement shall be governed by, and construed in accordance with, the laws of the state of Ohio, except to the extent federal law applies.
5.5. Headings. The headings and subheadings of the Agreement have been inserted for convenience of reference only and shall not affect the construction of the provisions of the Agreement.
5.6. Cooperation. Thepartiesshall agreetocooperateandtocomplywithproceduresmutually agreed upon to facilitate compliance by the Plans with the HIPAA Rules, including procedures designed to mitigate the harmful effects of any improper use or disclosure of the Plans’ PHI.
5.7. Notice. All notices, requests, demands, approvals, and other communications required or permitted by this Agreement shall be in writing and sent by certified mail or by personal delivery. Such notice shall be deemed given on any date of delivery by the United States Postal Service. Any notice shall be sent to the following address (or such subsequent address provided by the applicable party):
5.7.1. If to a Plan or the Plan Sponsor:
5.7.2. If to Business Associate:
HORAN Associates, Inc. Privacy Officer
8044 Montgomery Road, Suite 640 Cincinnati OH 45236
5.8. Conflict. In the event of any conflict between the provisions of the Services Arrangement and this Agreement, the terms of this Agreement shall govern to the extent necessary to assure the Plans’ compliance with the HIPAA Rules.
IN WITNESS WHEREOF, the undersigned, having full authority to bind their respective principals, have executed this Agreement as of this day of , 2022
Messer Construction Co. Health Care Plan and Messer Construction Co. Health and Welfare Plan
Messer Construction Company
By: By: Title: Title:
Name: Name:
Date: Date:
HORAN Associates, Inc.
By: Title:
Name:
Date:
