Resolution No. 19-144
RESOLUTION AUTHORIZING EXECUTION OF SERVICE AGREEMENTS WITH P&A ADMINISTRATIVE SERVICES, INC. FOR FLEXIBLE SPENDING, DEPENDENT CARE AND HEALTH RETIREMENT ACCOUNT PROGRAMS
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF ELGIN, ILLINOIS, that Richard G. Kozal, City Manager, and Kimberly A. Dewis, City Clerk, be and are hereby authorized and directed to execute Service Agreements on behalf of the City of Elgin with P&A Administrative Services, Inc., for flexible spending dependent care and health retirement account programs, a copy of which is attached hereto and made a part hereof by reference.
s/David J. Kaptain
David J. Kaptain, Mayor
Presented: October 23, 2019
Adopted: October 23, 2019
Omnibus Vote: Yeas: 9 Nays: 0
Attest:
s/ Kimberly Dewis
Kimberly Dewis, City Clerk

BUSINESS ASSOCIATE AGREEMENT (HRA)
This Agreement is hereby entered into and made effective as of January 1, 2020, (the "Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (as the "City"), and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("Business Associate").

1. Definitions.
a. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402.
b. Breach Notification Rule. "Breach Notification Rule" shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 CFR Parts 160 and 164, subparts A and D.
c. Business Associate. "Business Associate" shall mean P&A Administrative Services, Inc.
d. Covered Entity. "Covered Entity" shall mean the City of Elgin Health Reimbursement Account Plan for Retired Employees.
e. Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103.
f. Electronic Transactions Rule. "Electronic Transactions Rule" shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162.
g. Enforcement Rule. "Enforcement Rule" shall mean the Enforcement Provisions set forth in 45 CFR Part 160.
h. Genetic Information. "Genetic Information" shall have the same meaning as the term "genetic information" in 45 CFR § 160.103.
i. HHS. "HHS" shall mean the Department of Health and Human Services.
j. HIPAA Rules. "HIPAA Rules" shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
k. HITECH Act. "HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
l. Privacy Rule. "Privacy Rule" shall mean the Privacy Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and E.
m. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of City pursuant to this Agreement.
n. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
o. Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR § 164.304.
p. Security Rule. "Security Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and C.
q. Services Agreement. "Services Agreement" shall mean the "Section 105(h)/Health Reimbursement Account Services Agreement" of even date herewith between the City of Elgin and the Business Associate including any subsequent amendments or restatements thereto.
r. Subcontractor. "Subcontractor" shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103.
s. Transaction. "Transaction" shall have the meaning given the term "transaction" in 45 CFR § 160.103.
t. Unsecured Protected Health Information. "Unsecured Protected Health Information" shall have the meaning given the term "unsecured protected health information" in 45 CFR § 164.402.

2. Privacy and Security of Protected Health Information.
a. Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information only as set forth below:
(i) Functions and Activities on City's Behalf. Business Associate shall provide the services described in a certain administrative services agreement of even date herewith (the "Services Agreement"). The Business Associate hereby is authorized to de-identify Protected Health Information whenever, in its best judgment, it is necessary to do so to comply with the HIPAA Rules.
(ii) Business Associate's Operations. Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out Business Associate's legal responsibilities, provided that—
(A) The disclosure is Required by Law; or
(B) Business Associate obtains reasonable assurance from any person or entity to which Business Associate will disclose Protected Health Information that the person or entity will
(1) Hold the Protected Health Information in confidence and use or further disclose the Protected Health Information only for the purpose for which Business Associate disclosed Protected Health Information to the person or entity or as Required by Law; and
(2) Promptly notify Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of Protected Health Information was breached.
(iii) Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation if neither Business Associate nor City is required to limit its use, disclosure, or request to the minimum necessary under the HIPAA Rules. Business Associate and City acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act and the HIPAA Rules.
b. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information, except as permitted or required by this Agreement or in writing by City or as Required by Law.
This Agreement does not authorize Business Associate to use or disclose City's Protected Health Information in a manner that would violate the HIPAA Rules if done by City, except as permitted for Business Associate's proper management and administration, as described above.
c. Information Safeguards.
(i) Privacy of Protected Health Information. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. The safeguards must reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement. To the extent the parties agree that the Business Associate will carry out directly one or more of City's obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rule that apply to the City in the performance of such obligations.
(ii) Security of City's Electronic Protected Health Information. Business Associate will comply with the Security Rule and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on City's behalf.
(iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the United States without the prior written consent of the City. In this context, a "transfer" outside the United States occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States are able to access, use, or disclose Protected Health Information.
d. Subcontractors. Business Associate will require each of its Subcontractors to agree, in a written agreement with Business Associate, to comply with the provisions of the Security Rule; to appropriately safeguard Protected Health Information created, received, maintained, or transmitted on behalf of the Business Associate; and to apply the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information.
e. Prohibition on Sale of Protected Health Information. Effective immediately, Business Associate shall not engage in any sale (as defined in the HIPAA rules) of Protected Health Information.
f. Prohibition on Use or Disclosure of Genetic Information. Effective immediately, Business Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA rules.
g. Penalties for Noncompliance. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules, to the extent provided by the HITECH Act and the HIPAA Rules.

3. Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of City for which HHS has established standards, Business Associate will comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule and of any operating rules adopted by HHS with respect to Transactions.

4. Individual Rights.
a. Access. Business Associate will, within twenty-nine calendar days following City's request, make available to City (or, at City's written direction, to an individual or the individual's designee) for inspection and copying Protected Health Information about the individual that is in a Designated Record Set in Business Associate's custody or control, so that City may meet its access obligations under 45 CFR § 164.524.
If City requests an electronic copy of Protected Health Information that is maintained electronically in a Designated Record Set in the Business Associate's custody or control, Business Associate will provide an electronic copy in the form and format specified by the City if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with City to determine an alternative form and format that will enable City to meet its electronic access obligations under 45 CFR § 164.524.
b. Amendment. Business Associate will, upon receipt of written notice from City, promptly amend or permit City access to amend any portion of an individual's Protected Health Information that is in a Designated Record Set in the custody or control of the Business Associate, so that City may meet its amendment obligations under 45 CFR § 164.526.
c. Disclosure Accounting. To allow City to meet its obligations to account for disclosures of Protected Health Information under 45 CFR § 164.528:
(i) Disclosures Subject to Accounting. Business Associate will record the information specified below ("Disclosure Information") for each disclosure of Protected Health Information, not excepted from disclosure accounting as specified below, that Business Associate makes to City or to a third party.
(ii) Disclosures Not Subject to Accounting. Business Associate will not be obligated to record Disclosure Information or otherwise account for disclosures of Protected Health Information if City need not account for such disclosures under the HIPAA Rules.
(iii) Disclosure Information. With respect to any disclosure by Business Associate of Protected Health Information that is not excepted from disclosure accounting under the HIPAA Rules, Business Associate will record the following Disclosure Information as applicable to the type of accountable disclosure made:
(A) Disclosure Information Generally. Except for repetitive disclosures of Protected Health Information as specified below, the Disclosure Information that Business Associate must record for each accountable disclosure is (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure.
(B) Disclosure Information for Repetitive Disclosures. For repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity (including City), the Disclosure Information that Business Associate must record is either the Disclosure Information specified above for each accountable disclosure, or (i) the Disclosure Information specified above for the first of the repetitive accountable disclosures; (ii) the frequency, periodicity, or number of the repetitive accountable disclosures; and (iii) the date of the last of the repetitive accountable disclosures.
(iv) Availability of Disclosure Information. Business Associate will maintain the Disclosure Information for at least six years following the date of the accountable disclosure to which the Disclosure Information relates. Business Associate will make the Disclosure Information available to City fifty-nine calendar days following City's request for such Disclosure Information to comply with an individual's request for disclosure accounting.
d. Restriction Agreements and Confidential Communications. City shall notify Business Associate of any limitations in the notice of privacy practices of City under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
Business Associate will comply with any notice from City to (1) restrict use or disclosure of Protected Health Information pursuant to 45 CFR § 164.522(a), or (2) provide for confidential communications of Protected Health Information pursuant to 45 CFR § 164.522(b), provided that City notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow. City will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and, with respect to termination of any such restriction, instruct Business Associate whether any of the Protected Health Information will remain subject to the terms of the restriction agreement.

5. Breaches and Security Incidents.
a. Reporting.
(i) Impermissible Use or Disclosure. Business Associate will report to City any use or disclosure of Protected Health Information not permitted by this Agreement not more than fifty-nine calendar days after Business Associate discovers such non-permitted use or disclosure.
(ii) Breach of Unsecured Protected Health Information. Business Associate will report to City any potential Breach of Unsecured Protected Health Information not more than fifty-nine calendar days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to City's Privacy Officer. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying City for the applicable time period. Business Associate's report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report:
(A) Identify the nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach;
(B) Identify the types of Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information were involved);
(C) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure;
(D) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches;
(E) Identify what steps the individuals who were subject to a Breach should take to protect themselves;
(F) Provide such other information, including a written report and risk assessment under 45 CFR § 164.402, as City may reasonably request.
(iii) Security Incidents. Business Associate will report to City any Security Incident of which Business Associate becomes aware. Business Associate will make this report once per month, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured Protected Health Information, Business Associate will make the report in accordance with the provisions set forth above.
b. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure in violation of this Agreement.

6. Term and Termination.
a. Term. This Agreement shall be effective as the Effective Date, and shall remain in effect until the Service Agreement terminates.
b. Right to Terminate for Cause. Notwithstanding "a" above, City may terminate this Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Agreement, and after written notice to Business Associate of the breach, Business Associate has failed to cure the breach within thirty calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in City's notice of termination.
c. Treatment of Protected Health Information on Termination.
(i) Return or Destruction of City's Protected Health Information Is Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return to City or destroy all Protected Health Information in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of the Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of any Subcontractors of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination of this Agreement.
(ii) Procedure When Return or Destruction Is Not Feasible. Business Associate will identify any Protected Health Information, including any Protected Health Information that Business Associate has disclosed to Subcontractors, that cannot feasibly be returned to City or destroyed and explain why return or destruction is infeasible. Business Associate will limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible.
Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination or other conclusion of Agreement.
(iii) Continuing Privacy and Security Obligation. Business Associate's obligation to protect the privacy and safeguard the security of Protected Health Information as specified in this Agreement will be continuous and survive termination or other conclusion of this Agreement.

7. General Provisions.
a. Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations, and other official government guidance.
b. Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to City and to HHS to determine compliance with the HIPAA Rules.
c. Amendment to Agreement. This Agreement may be amended only by a written instrument signed by the parties. In case of a change in applicable law, the parties agree to negotiate in good faith to adopt such amendments as are necessary to comply with the change in law.
d. No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties.
e. Interpretation. Any ambiguity in the Agreement shall be resolved to permit City and Business Associate to comply with the applicable requirements under the HIPAA Rules.
f. Severability. The invalidity or unenforceability of any provisions of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect.
g. Construction and Interpretation. The section headings contained in this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement. This Agreement has been negotiated by the parties at arm's-length and each of them has had an opportunity to modify the language of the Agreement. Accordingly, the Agreement shall be treated as having been drafted equally by the parties, and the language shall be construed as a whole and according to its fair meaning. Any presumption or principle that the language is to be construed against any party shall not apply. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.
h. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing.
i. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter.
j. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois.
P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 150, Buffalo, New York, 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury.
k. No Modification. There shall be no modification of this agreement, except in writing and executed with the same formalities as the original.
l. Interest. P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement.
m. Compliance with law. Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees. Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States.
P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit.
n. Execution. This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense.
o. Conflict. In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this purchase agreement shall control.
p. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement.
In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. • to Q IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective'Date. Print Name CITY O IN Ad /•?` 361 .. Sig Richard G.K+zal,City Manager /11 Attes,_//, Title City T rk Dated: October 23, 2019 11 BUSINESS ASSOCIATE AGREEMENT (FSA) This Agreement is hereby entered into and made effective as of January 1, 2020 (the"Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (as the "City") , and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("Business Associate"). 1. Definitions. a. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402. b. Breach Notification Rule. "Breach Notification Rule"shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 CFR Parts 160 and 164, subparts A and D. c. Business Associate. "Business Associate" shall mean P&A Administrative Services, Inc. d. Covered Entity. "Covered Entity"shall mean the Medical Expense Reimbursement Account Option under the City of Elgin Flexible Benefits Plan. e. Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103. f. Electronic Transactions Rule."Electronic Transactions Rule"shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162. g. Enforcement Rule. "Enforcement Rule"shall mean the Enforcement Provisions set forth in 45 CFR Part 160. h. Genetic Information. "Genetic Information" shall have the same meaning as the term "genetic information" in 45 CFR§ 160.103. i. HHS. 
"HHS" shall mean the Department of Health and Human Services. j. HIPAA Rules. "HIPAA Rules" shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. k. HITECH Act."HITECH Act"shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. I. Privacy Rule. "Privacy Rule" shall mean the Privacy Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and E. m. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of City pursuant to this Agreement. • n. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR§ 164.103. . o. Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR § 164.304. p. Security Rule. "Security, Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and C. q. Services Agreement. "Services Agreement" shall mean the "Flexible Benefits Plan Services Agreement" of even date herewith between the City of Elgin and the Business Associate including any subsequent amendments or restatements thereof. r. Subcontractor. "Subcontractor"shall have the same meaning as the term"subcontractor"in 45 CFR § 160.103. s. Transaction. "Transaction" shall have the meaning given the term "transaction" in 45 CFR § 160.103. t. Unsecured Protected Health Information. "Unsecured Protected Health Information"shall have the meaning given the term "unsecured protected health information"in 45 CFR§ 164.402. 2. Privacy and Security of Protected Health Information. a. Permitted Uses and Disclosures. 
Business Associate is permitted to use and disclose Protected Health Information only as set forth below: (i) Functions and Activities on City's Behalf. Business Associate shall provide the services described in a. certain administrative services agreement of even date herewith (the "Services Agreement"). The Business Associate hereby is authorized to de-identify Protected Health Information whenever, in its best judgment, it is necessary to do so to comply with the HIPAA Rules. (ii) Business Associate's Operations. Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out Business Associate's legal responsibilities, provided that— (A) The disclosure is Required by Law; or (B) Business Associate obtains reasonable assurance from any person or entity to which Business Associate will disclose Protected Health Information that the person or entity will— •2 (1) Hold the Protected Health Information in confidence and use or further disclose the Protected Health Information only for the purpose for which Business Associate disclosed Protected Health Information to the person or entity or as Required by Law; and (2) Promptly notify Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of Protected Health Information was breached. (iii) Minimum Necessary. 
Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation if neither Business Associate nor City is required to limit its use, disclosure, or request to the minimum necessary under the HIPAA Rules. Business Associate and City acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act and the HIPAA Rules. b. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information, except as permitted or required by this Agreement or in writing by City or as Required by Law. This Agreement does not authorize Business Associate to use or disclose City's Protected Health Information in a manner that would violate the HIPAA Rules if done by City, except as permitted for Business Associate's proper management and administration, as described above. c. Information Safeguards. (i) Privacy of Protected Health Information. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. The safeguards must reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement.
To the extent the parties agree that the Business Associate will carry out directly one or more of City's obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rule that apply to the City in the performance of such obligations. (ii) Security of City's Electronic Protected Health Information. Business Associate will comply with the Security Rule and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on City's behalf. (iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the United States without the prior written consent of the City. In this context, a "transfer" outside the United States occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States are able to access, use, or disclose Protected Health Information. d. Subcontractors. Business Associate will require each of its Subcontractors to agree, in a written agreement with Business Associate, to comply with the provisions of the Security Rule; to appropriately safeguard Protected Health Information created, received, maintained, or transmitted on behalf of the Business Associate; and to apply the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information. e. Prohibition on Sale of Protected Health Information. Effective immediately, Business Associate shall not engage in any sale (as defined in the HIPAA rules) of Protected Health Information. f. Prohibition on Use or Disclosure of Genetic Information. Effective immediately, Business Associate shall not use or disclose Genetic information for underwriting purposes in violation of the HIPAA rules. g.
Penalties for Noncompliance. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules, to the extent provided by the HITECH Act and the HIPAA Rules. 3. Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of City for which HHS has established standards, Business Associate will comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule and of any operating rules adopted by HHS with respect to Transactions. 4. Individual Rights. a. Access. Business Associate will, within twenty-nine calendar days following City's request, make available to City (or, at City's written direction, to an individual or the individual's designee) for inspection and copying Protected Health Information about the individual that is in a Designated Record Set in Business Associate's custody or control, so that City may meet its access obligations under 45 CFR § 164.524. If City requests an electronic copy of Protected Health Information that is maintained electronically in a Designated Record Set in the Business Associate's custody or control, Business Associate will provide an electronic copy in the form and format specified by the City if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with City to determine an alternative form and format that will enable City to meet its electronic access obligations under 45 CFR § 164.524. b. Amendment. Business Associate will, upon receipt of written notice from City, promptly amend or permit City access to amend any portion of an individual's Protected Health Information that is in a Designated Record Set in the custody or control of the Business Associate, so that City may meet its amendment obligations under 45 CFR § 164.526. c.
Disclosure Accounting. To allow City to meet its obligations to account for disclosures of Protected Health Information under 45 CFR § 164.528: (i) Disclosures Subject to Accounting. Business Associate will record the information specified below ("Disclosure Information") for each disclosure of Protected Health Information, not excepted from disclosure accounting as specified below, that Business Associate makes to City or to a third party. (ii) Disclosures Not Subject to Accounting. Business Associate will not be obligated to record Disclosure Information or otherwise account for disclosures of Protected Health Information if City need not account for such disclosures under the HIPAA Rules. (iii) Disclosure Information. With respect to any disclosure by Business Associate of Protected Health Information that is not excepted from disclosure accounting under the HIPAA Rules, Business Associate will record the following Disclosure Information as applicable to the type of accountable disclosure made: (A) Disclosure Information Generally. Except for repetitive disclosures of Protected Health Information as specified below, the Disclosure Information that Business Associate must record for each accountable disclosure is (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure. (B) Disclosure Information for Repetitive Disclosures.
For repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity (including City), the Disclosure Information that Business Associate must record is either the Disclosure Information specified above for each accountable disclosure, or (i) the Disclosure Information specified above for the first of the repetitive accountable disclosures; (ii) the frequency, periodicity, or number of the repetitive accountable disclosures; and (iii) the date of the last of the repetitive accountable disclosures. (iv) Availability of Disclosure Information. Business Associate will maintain the Disclosure Information for at least six years following the date of the accountable disclosure to which the Disclosure Information relates. Business Associate will make the Disclosure Information available to City fifty-nine calendar days following City's request for such Disclosure Information to comply with an individual's request for disclosure accounting. d. Restriction Agreements and Confidential Communications. City shall notify Business Associate of any limitations in the notice of privacy practices of City under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information. Business Associate will comply with any notice from City to (1) restrict use or disclosure of Protected Health Information pursuant to 45 CFR § 164.522(a), or (2) provide for confidential communications of Protected Health Information pursuant to 45 CFR § 164.522(b), provided that City notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow.
City will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and, with respect to termination of any such restriction, instruct Business Associate whether any of the Protected Health Information will remain subject to the terms of the restriction agreement. 5. Breaches and Security Incidents. a. Reporting. (i) Impermissible Use or Disclosure. Business Associate will report to City any use or disclosure of Protected Health Information not permitted by this Agreement not more than fifty-nine calendar days after Business Associate discovers such non-permitted use or disclosure. (ii) Breach of Unsecured Protected Health Information. Business Associate will report to City any potential Breach of Unsecured Protected Health Information not more than fifty-nine calendar days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to City's Privacy Officer. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying City for the applicable time period.
Business Associate's report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report: (A) Identify the nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach; (B) Identify the types of Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information were involved); (C) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure; (D) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; (F) Provide such other information, including a written report and risk assessment under 45 CFR § 164.402, as City may reasonably request. (iii) Security Incidents. Business Associate will report to City any Security Incident of which Business Associate becomes aware. Business Associate will make this report once per month, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured Protected Health Information, Business Associate will make the report in accordance with the provisions set forth above. b. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure in violation of this Agreement. 6. Term and Termination. a. Term. This Agreement shall be effective as the Effective Date, and shall remain in effect until the Service Agreement terminates. b. Right to Terminate for Cause.
Notwithstanding "a" above, City may terminate this Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Agreement, and after written notice to Business Associate of the breach, Business Associate has failed to cure the breach within thirty calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in City's notice of termination. c. Treatment of Protected Health Information on Termination. (i) Return or Destruction of City's Protected Health Information Is Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return to City or destroy all Protected Health Information in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of the 7 Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of any Subcontractors of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination of this Agreement. (ii) Procedure When Return or Destruction Is Not Feasible.Business Associate will identify any Protected Health Information, including any Protected Health Information that Business Associate has disclosed to Subcontractors, that cannot feasibly be returned to City or destroyed and explain why return or destruction is infeasible. Business Associate will limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible. 
Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination or other conclusion of Agreement. (iii) Continuing Privacy and Security Obligation. Business Associate's obligation to protect the privacy and safeguard the security of Protected Health Information as specified in this Agreement will be continuous and survive termination or other conclusion of this Agreement. 7. General Provisions. a. Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations, and other official government guidance. b. Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to City and to HHS to determine compliance with the HIPAA Rules. c. Amendment to Agreement. This Agreement may be amended only by a written instrument signed by the parties. In case of a change in applicable law, the parties agree to negotiate in good faith to adopt such amendments as are necessary to comply with the change in law. d. No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties. e. Interpretation. Any ambiguity in the Agreement shall be resolved to permit City and Business Associate to comply with the applicable requirements under the HIPAA Rules. f. Construction and Interpretation. The section headings contained in this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement. This Agreement has been negotiated by the parties at arm's-length and each of them has had an opportunity to modify the language of the Agreement.
Accordingly, the Agreement shall be treated as having been drafted equally by the parties, and the language shall be construed as a whole and according to its fair meaning. Any presumption or principle that the language is to be construed against any party shall not apply. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. g. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing. h. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter. i. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois. P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 500, Buffalo, NY 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury. j. No Modification.
There shall be no modification of this agreement, except in writing and executed with the same formalities as the original. k. Interest. P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement. l. Compliance with law. Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees. Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States. P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit. m. Execution.
This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense. n. Conflict. In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this purchase agreement shall control. o. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement. In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective Date. CITY: Richard G. Kozal, City Manager. Attest: City Clerk. Dated: October 23, 2019
SECTION 105(h)/HEALTH REIMBURSEMENT ACCOUNT SERVICES AGREEMENT This Agreement is hereby entered into and made effective as of January 1, 2020 (the "Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (the "Employer"), and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("P&A"). WITNESSETH: WHEREAS, the Employer desires to establish as of the Effective Date a "health reimbursement arrangement" (as described at IRS Notice 2002-45, 2002-28 I.R.B. 93) for the benefit of certain retired employees (the "Plan"); and WHEREAS, the Employer desires to retain P&A to provide technical and administrative services with respect to the Plan, and P&A desires to provide such services upon certain terms and conditions; NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and for other good and valuable consideration, sufficiency of which is hereby mutually acknowledged, the parties hereto, with the intention of being legally bound hereby, covenant and agree as follows: 1. Services. P&A shall provide the following services with respect to the Plan: a. prepare such Plan documents as shall be necessary to properly establish the Plan as of the Effective Date, including but not limited to a formal Plan document and a summary of the material provisions of the Plan for distribution to the retired employees eligible to participate in the Plan ("Participants"). At the time provided to the Employer, such documents shall comply with all applicable legal requirements; b. provide each Participant with an electronic payment card that may be used to pay expenses that are eligible for reimbursement, and such additional cards for use by family members of the Participant as he or she reasonably shall request; c.
substantiate the eligibility of expenses paid by use of an electronic payment card to the extent required by applicable law; d. make available a form to be used in the submission of benefit claims; e. receive, review and, when authorized by the Plan and by applicable law, approve claims; f. from time to time, notify the Employer of the aggregate amount of funds needed from the Employer to pay pending approved claims and receive said funds as transmitted by the Employer; g. pay approved benefit claims from funds made available by the Employer for that purpose. Claims shall be paid by check or, where authorized by a Participant, by direct electronic deposit to a bank account of the Participant; and h. perform such benefits discrimination testing as P&A shall reasonably deem necessary to assure the Plan's continuing compliance under 26 U.S. Code Section 105(h). 2. Compensation. As compensation for the services rendered hereunder, the Employer shall pay P&A such fees as are set forth in Schedule A attached hereto and made a part hereof as Attachment A. P&A may modify this fee schedule as of the beginning of any Plan Year commencing after the Effective Date. P&A shall notify the Employer in writing of any modification to the fee schedule not less than ninety (90) days before the beginning of the Plan Year in which the modification is to become effective. Should the Employer be unwilling to accept any such modification, it may exercise its right to terminate the Agreement in accordance with Section 5 below. 3. Employer Responsibilities. a. The Employer shall notify P&A in writing of any event or occurrence that affects the group of employees who are eligible to participate in the Plan. b. The Employer shall provide P&A on a timely basis with such other information as P&A deems necessary or appropriate for the discharge of its responsibilities hereunder, including any information that must be obtained from the Employer to prepare annual reports for the plan. 4.
Responsibilities of the Parties and Indemnification. The responsibilities and liabilities of P&A are only those set forth herein, and no others shall be implied. P&A shall have no duty or authority to make, or to compel the Employer to make payment of any benefit under the Plan. Except for its own misconduct or negligence, P&A shall not indemnify the Employer or any other provider of benefits under the Plan, with respect to its liability to pay benefits to Participants. Except for its own misconduct or negligence, neither P&A nor any of its officers, directors, or employees, nor any agent of or counsel for any of the foregoing, shall be liable to anyone at any time interested in the Plan, for any act or omission in providing services hereunder. P&A shall indemnify and hold harmless the Employer from any claim, liability, obligation or charge arising out of P&A's misconduct, negligence or other wrongdoing in connection with activities or responsibilities arising out of or relating to this Agreement. The Employer shall indemnify and hold harmless P&A from any claim, liability, obligation or charge arising out of the Employer's misconduct, negligence or other wrongdoing in connection with activities or responsibilities arising out of or relating to this Agreement. 5. Termination. The initial term of this Agreement shall commence on the Effective Date and shall end on the last day of the first twelve-month Plan Year commencing on or after that date. Thereafter, this Agreement automatically shall be renewed for each additional Plan Year unless one of the parties hereto gives the other party notice in writing of its desire to terminate the Agreement as of the end of a specified Plan Year not less than sixty (60) days prior to the end of that Plan Year.
Notwithstanding the foregoing, this Agreement shall terminate (a) automatically if either party is adjudicated a bankrupt or suffers appointment of a temporary or permanent receiver, trustee or custodian for all or a substantial part of their assets, which shall not be discharged within thirty (30) days of appointment, or makes an assignment for the benefit of creditors, or (b) after written notice by one party of the other party's material breach of, or material failure to perform, its obligations hereunder unless such breach or failure is cured within ten (10) days of said notice. Any notice of breach must provide all such details as are known to the non-breaching party regarding the nature of the other party's alleged breach, the specific obligation hereunder to which the alleged material breach relates, the approximate date on which the alleged breach occurred and the identity of any personnel of the other party that were involved. Failure to provide such detail shall render said notice ineffective, and null and void for purposes of this Agreement. Should the Employer cause this Agreement to be terminated other than in accordance with the preceding paragraph, the Employer immediately shall become obligated to pay P&A as liquidated damages an amount equal to seventy-five percent of the fees that would have been due had the Agreement remained in effect for the period (i) commencing on the date next following the date on which the Agreement prematurely was or will become terminated, and (ii) ending on the earliest date as of which the Employer properly could have terminated the Agreement by giving the advance notice prescribed hereunder on the date the Employer first notified P&A in writing of the Employer's intention to terminate the Agreement.
For purposes of calculating this liquidated damages amount, the fees due to P&A hereunder for services it provided in the month preceding the month within which P&A first was notified of the premature termination of the Agreement shall be the fees due for each month during the period described in the preceding sentence. 6. Confidentiality. All books and records, including the data therein, pertaining to each party which may come into the hands of the other are to be treated as confidential and private records, and the other party shall not disclose information from such records unless it is required by law or authorized by the initial party in writing prior to such disclosure. Employer's good faith compliance with the requirements of the Illinois Freedom of Information Act (5 ILCS 140/1, et seq.) shall not be construed as, and shall not constitute a breach of this agreement. Both parties reserve the right to control the use of any of their symbols, trademarks, computer programs and service marks currently existing or hereafter established. Both parties agree that they will not use the computer programs work, symbols, trademarks, service marks, or other devices of the other in advertising, promotional material, or otherwise and will not advertise or display such devices without the prior written consent of the other party. In addition, both parties further agree that any such work, symbols, trademarks, service marks, or other devices furnished by one party to the other shall remain the property of the initial party and shall be returned by the other party upon demand of the initial party upon termination of this Agreement. 7. HIPAA Compliance. The parties hereto acknowledge that they have entered into a separate Business Associate Agreement of even date herewith, a copy of which is appended hereto and made a part hereof as Attachment B. 8. Binding Effect.
This Agreement shall inure to the benefit of and be binding upon the parties, their legal representatives, contractors, agents, successors and assigns. 9. Integration. By their making of this Agreement, the parties hereto hereby acknowledge that this Agreement supersedes any previous understandings between them with respect to all matters contained herein and contains the entire understanding and agreement between them with respect to all matters contained herein and cannot be amended, modified or supplemented except by a subsequent written agreement entered into by both parties. 10. Subcontracting. P&A shall not subcontract any portion of this Agreement without the prior written approval of the Employer. 11. Non-Exclusive Arrangement. Nothing contained herein shall be construed to prevent either party from independently operating or participating in any other agreement concerning plan administration services independent and unrelated to the services and obligations of the parties pursuant to this Agreement. 12. Waiver of Breach. The waiver by either party of a breach or violation of any provision of this Agreement shall not operate as or be construed as a waiver of a breach or violation of any other provision of this Agreement or of any subsequent breach or violation thereof. 13. Severability. In the event any provision of this Agreement is rendered invalid or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. 14. Enforcement. If any action at law or in equity (including arbitration) is necessary to enforce or interpret any one or more of the terms of this Agreement, the prevailing party shall be entitled to reasonable attorneys' fees, costs and necessary disbursements in addition to any other relief to which such party may be entitled. 15. Notice. Any notice hereunder by either party shall be deemed to have been duly given three (3) business days after mailing by First Class U.S.
mail, addressed to the party to whom or which notice is intended to be given at such party's address as stated above or to such other address as each party shall specify in writing to the other, unless otherwise specifically provided for herein. 16. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois. P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 500, Buffalo, New York, 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury. 17. Interest. P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement. 18. Compliance with law. Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees.
Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States. P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit. 19. Execution. This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense. 20. Conflict.
In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this service agreement shall control. 21. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement. In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective Date. P&A ADMINISTRATIVE SERVICES, INC. CITY OF ELGIN Richard G. Kozal, City Manager Attest: Title City Clerk Dated: October 23, 2019 ATTACHMENT A The Employer shall pay to P&A: 1. INSTALLATION FEE. N/A 2. MONTHLY ADMINISTRATION FEES. Administration fees for each calendar month commencing while this Agreement remains in effect. As of the first day of each Plan Year, P&A shall determine if an Annual Minimum Fee of $1,250.00 is due with respect to that Plan Year. This Annual Minimum Fee shall be due only if the following total is less than $1,250.00: The number of individuals who are eligible to receive benefits under the Plan as of the first day of the Plan Year multiplied by $3.15 (the per Participant monthly fees described below) then multiplied again by 12 months. If it is determined, with respect to a particular Plan Year, that the Annual Minimum Fee provision above does not apply, then beginning in the second month of that Plan Year, the Employer shall be provided with invoices for services performed during the preceding month.
The fees for a given month shall equal $3.15 for each individual who was eligible for the reimbursement of expenses under the Plan as of the first day of that month, including (i) any individual who, on that date, would have been eligible for reimbursement but for the fact that he or she already had been reimbursed for the full amount of benefits available to him or her under the terms of the Plan; (ii) any individual whose eligibility for the Plan had terminated prior to that date but who, on that date, remained eligible to submit post-termination run-out claims under the terms of the Plan or whose family members remained eligible to submit such claims; and (iii) any individual who had elected COBRA coverage prior to that date and whose COBRA coverage remained in effect on that date. If it is determined to apply, the Annual Minimum Fee shall be due and payable within thirty (30) days after P&A provides the Employer with an invoice with respect to same. Once paid, this Annual Minimum Fee shall be credited against the Employer's obligation for monthly fees as determined in accordance with the preceding paragraph, and P&A shall not begin to send monthly invoices for fees until the total of all such fees accrued to date exceeds the amount of the Annual Minimum Fee. Any invoice for monthly fees shall be due and payable within thirty (30) days after receipt by the Employer. 3. REQUESTED ADDITIONAL SERVICES AND MATERIALS. For such services and materials requested by the Employer that are in addition to the services and materials described in Section 1 of this Agreement, P&A shall be entitled to such additional compensation from the requesting party as is mutually agreed upon by the requesting party and P&A. 4. MAILING EXPENSES. The cost of any mailing required under the Agreement the rate for which exceeds the first class rate charged by the U.S. Post Office. 5. RECOUPMENT OF PENALTIES AND FEES.
The amount of any penalty or like fee that is imposed on P&A as a result of any action or inaction by the Employer or by the employees or other agents of the Employer with respect to the administration of the Plan, including but not limited to returned check charges or ACH rejection fees. P&A shall be entitled to immediately recoup any such penalty or fee from the Employer after giving the Employer written notice that P&A has paid such amount. Note: Should the Employer elect to change the terms of the Plan or should changes in applicable laws necessitate changes to the Plan documents, P&A will provide the Employer with a quote as to the cost of having P&A make the document changes. ATTACHMENT B BUSINESS ASSOCIATE AGREEMENT (HRA) This Agreement is hereby entered into and made effective as of January 1, 2020, (the "Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (as the "City"), and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("Business Associate"). 1. Definitions. a. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402. b. Breach Notification Rule. "Breach Notification Rule" shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 CFR Parts 160 and 164, subparts A and D. c. Business Associate. "Business Associate" shall mean P&A Administrative Services, Inc. d. Covered Entity. "Covered Entity" shall mean the City of Elgin Health Reimbursement Account Plan for Retired Employees. e. Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103. f. Electronic Transactions Rule.
"Electronic Transactions Rule" shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162. g. Enforcement Rule. "Enforcement Rule" shall mean the Enforcement Provisions set forth in 45 CFR Part 160. h. Genetic Information. "Genetic Information" shall have the same meaning as the term "genetic information" in 45 CFR § 160.103. i. HHS. "HHS" shall mean the Department of Health and Human Services. j. HIPAA Rules. "HIPAA Rules" shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. k. HITECH Act. "HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. l. Privacy Rule. "Privacy Rule" shall mean the Privacy Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and E. m. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of City pursuant to this Agreement. n. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103. o. Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR § 164.304. p. Security Rule. "Security Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and C. q. Services Agreement. "Services Agreement" shall mean the "Section 105(h)/Health Reimbursement Account Services Agreement" of even date herewith between the City of Elgin and the Business Associate including any subsequent amendments or restatements thereto. r. Subcontractor. "Subcontractor" shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103. s. Transaction.
"Transaction" shall have the meaning given the term "transaction" in 45 CFR § 160.103. t. Unsecured Protected Health Information. "Unsecured Protected Health Information" shall have the meaning given the term "unsecured protected health information" in 45 CFR § 164.402. 2. Privacy and Security of Protected Health Information. a. Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information only as set forth below: (i) Functions and Activities on City's Behalf. Business Associate shall provide the services described in a certain administrative services agreement of even date herewith (the "Services Agreement"). The Business Associate hereby is authorized to de-identify Protected Health Information whenever, in its best judgment, it is necessary to do so to comply with the HIPAA Rules. (ii) Business Associate's Operations. Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out Business Associate's legal responsibilities, provided that— (A) The disclosure is Required by Law; or (B) Business Associate obtains reasonable assurance from any person or entity to which Business Associate will disclose Protected Health Information that the person or entity will--- (1) Hold the Protected Health Information in confidence and use or further disclose the Protected Health Information only for the purpose for which Business Associate disclosed Protected Health Information to the person or entity or as Required by Law; and (2) Promptly notify Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of Protected Health Information was breached. (iii) Minimum Necessary.
Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation if neither Business Associate nor City is required to limit its use, disclosure, or request to the minimum necessary under the HIPAA Rules. Business Associate and City acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act and the HIPAA Rules. b. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information, except as permitted or required by this Agreement or in writing by City or as Required by Law. This Agreement does not authorize Business Associate to use or disclose City's Protected Health Information in a manner that would violate the HIPAA Rules if done by City, except as permitted for Business Associate's proper management and administration, as described above. c. Information Safeguards. (i) Privacy of Protected Health Information. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. The safeguards must reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement.
To the extent the parties agree that the Business Associate will carry out directly one or more of City's obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rule that apply to the City in the performance of such obligations. (ii) Security of City's Electronic Protected Health Information. Business Associate will comply with the Security Rule and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on City's behalf. (iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the United States without the prior written consent of the City. In this context, a "transfer" outside the United States occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States are able to access, use, or disclose Protected Health Information. d. Subcontractors. Business Associate will require each of its Subcontractors to agree, in a written agreement with Business Associate, to comply with the provisions of the Security Rule; to appropriately safeguard Protected Health Information created, received, maintained, or transmitted on behalf of the Business Associate; and to apply the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information. e. Prohibition on Sale of Protected Health Information. Effective immediately, Business Associate shall not engage in any sale (as defined in the HIPAA rules) of Protected Health Information. f. Prohibition on Use or Disclosure of Genetic Information. Effective immediately, Business Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA rules. g.
Penalties for Noncompliance. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules, to the extent provided by the HITECH Act and the HIPAA Rules. 3. Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of City for which HHS has established standards, Business Associate will comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule and of any operating rules adopted by HHS with respect to Transactions. 4. Individual Rights. a. Access. Business Associate will, within twenty-nine calendar days following City's request, make available to City (or, at City's written direction, to an individual or the individual's designee) for inspection and copying Protected Health Information about the individual that is in a Designated Record Set in Business Associate's custody or control, so that City may meet its access obligations under 45 CFR § 164.524. If City requests an electronic copy of Protected Health Information that is maintained electronically in a Designated Record Set in the Business Associate's custody or control, Business Associate will provide an electronic copy in the form and format specified by the City if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with City to determine an alternative form and format that will enable City to meet its electronic access obligations under 45 CFR § 164.524. b. Amendment. Business Associate will, upon receipt of written notice from City, promptly amend or permit City access to amend any portion of an individual's Protected Health Information that is in a Designated Record Set in the custody or control of the Business Associate, so that City may meet its amendment obligations under 45 CFR § 164.526.
c. Disclosure Accounting. To allow City to meet its obligations to account for disclosures of Protected Health Information under 45 CFR § 164.528: (i) Disclosures Subject to Accounting. Business Associate will record the information specified below ("Disclosure Information") for each disclosure of Protected Health Information, not excepted from disclosure accounting as specified below, that Business Associate makes to City or to a third party. (ii) Disclosures Not Subject to Accounting. Business Associate will not be obligated to record Disclosure Information or otherwise account for disclosures of Protected Health Information if City need not account for such disclosures under the HIPAA Rules. (iii) Disclosure Information. With respect to any disclosure by Business Associate of Protected Health Information that is not excepted from disclosure accounting under the HIPAA Rules, Business Associate will record the following Disclosure Information as applicable to the type of accountable disclosure made: (A) Disclosure Information Generally. Except for repetitive disclosures of Protected Health Information as specified below, the Disclosure Information that Business Associate must record for each accountable disclosure is (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure. (B) Disclosure Information for Repetitive Disclosures. For repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or
entity (including City), the Disclosure Information that Business Associate must record is either the Disclosure Information specified above for each accountable disclosure, or (i) the Disclosure Information specified above for the first of the repetitive accountable disclosures; (ii) the frequency, periodicity, or number of the repetitive accountable disclosures; and (iii) the date of the last of the repetitive accountable disclosures. (iv) Availability of Disclosure Information. Business Associate will maintain the Disclosure Information for at least six years following the date of the accountable disclosure to which the Disclosure Information relates. Business Associate will make the Disclosure Information available to City fifty-nine calendar days following City's request for such Disclosure Information to comply with an individual's request for disclosure accounting. d. Restriction Agreements and Confidential Communications. City shall notify Business Associate of any limitations in the notice of privacy practices of City under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information. Business Associate will comply with any notice from City to (1) restrict use or disclosure of Protected Health Information pursuant to 45 CFR § 164.522(a), or (2) provide for confidential communications of Protected Health Information pursuant to 45 CFR § 164.522(b), provided that City notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow. City will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and, with respect to termination of any such restriction, instruct Business Associate whether any of the Protected Health Information will remain subject to the terms of the restriction agreement. 5. Breaches and Security Incidents. a. Reporting.
(i) Impermissible Use or Disclosure. Business Associate will report to City any use or disclosure of Protected Health Information not permitted by this Agreement not more than fifty-nine calendar days after Business Associate discovers such non-permitted use or disclosure. (ii) Breach of Unsecured Protected Health Information. Business Associate will report to City any potential Breach of Unsecured Protected Health Information not more than fifty-nine calendar days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to City's Privacy Officer. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying City for the applicable time period. Business Associate's report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report: (A) Identify the nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach; (B) Identify the types of Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information were involved); (C) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure; (D) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; (F) Provide such other information, including a written report and risk assessment under 45 CFR § 164.402, as City may reasonably request.
(iii) Security Incidents. Business Associate will report to City any Security Incident of which Business Associate becomes aware. Business Associate will make this report once per month, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured Protected Health Information, Business Associate will make the report in accordance with the provisions set forth above. b. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure in violation of this Agreement. 6. Term and Termination. a. Term. This Agreement shall be effective as the Effective Date, and shall remain in effect until the Service Agreement terminates. b. Right to Terminate for Cause. Notwithstanding "a" above, City may terminate this Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Agreement, and after written notice to Business Associate of the breach, Business Associate has failed to cure the breach within thirty calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in City's notice of termination. c. Treatment of Protected Health Information on Termination. (i) Return or Destruction of City's Protected Health Information Is Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return to City or destroy all Protected Health Information in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of the Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of any Subcontractors of Business Associate.
Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination of this Agreement. (ii) Procedure When Return or Destruction Is Not Feasible. Business Associate will identify any Protected Health Information, including any Protected Health Information that Business Associate has disclosed to Subcontractors, that cannot feasibly be returned to City or destroyed and explain why return or destruction is infeasible. Business Associate will limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible. Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination or other conclusion of Agreement. (iii) Continuing Privacy and Security Obligation. Business Associate's obligation to protect the privacy and safeguard the security of Protected Health Information as specified in this Agreement will be continuous and survive termination or other conclusion of this Agreement. 7. General Provisions. a. Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations, and other official government guidance. b. Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to City and to HHS to determine compliance with the HIPAA Rules. c. Amendment to Agreement. This Agreement may be amended only by a written instrument signed by the parties.
In case of a change in applicable law, the parties agree to negotiate in good faith to adopt such amendments as are necessary to comply with the change in law. d. No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties. e. Interpretation. Any ambiguity in the Agreement shall be resolved to permit City and Business Associate to comply with the applicable requirements under the HIPAA Rules. f. Severability. The invalidity or unenforceability of any provisions of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect. g. Construction and Interpretation. The section headings contained in this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement. This Agreement has been negotiated by the parties at arm's-length and each of them has had an opportunity to modify the language of the Agreement. Accordingly, the Agreement shall be treated as having been drafted equally by the parties, and the language shall be construed as a whole and according to its fair meaning. Any presumption or principle that the language is to be construed against any party shall not apply. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. h. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing. i. Entire Agreement.
This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter. j. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois. P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 150, Buffalo, New York, 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury. k. No Modification. There shall be no modification of this agreement, except in writing and executed with the same formalities as the original. l. Interest. P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement. m. Compliance with law.
Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees. Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States. P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit. n. Execution. This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. 
At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense. o. Conflict. In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this purchase agreement shall control. p. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement. In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective Date. Print Name CITY Signature Richard G. Kozal, City Manager Attest Title City Clerk Dated: October 23, 2019 FLEXIBLE BENEFITS ADMINISTRATION SERVICES AGREEMENT This Agreement is hereby entered into and made effective as of January 1, 2020 (the "Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (the "Employer"), and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("P&A"). WITNESSETH: WHEREAS, the Employer desires to establish a cafeteria plan as defined in Section 125 of the Internal Revenue Code for eligible employees (the "Plan"); and WHEREAS, the Employer desires to retain P&A to provide administrative services with respect to the Plan, and P&A desires to provide such services upon certain terms and conditions; NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and for other good and valuable consideration, sufficiency of which is hereby mutually acknowledged, the parties hereto, with the intention of being legally bound hereby, covenant and agree as follows: 1. Services. 
P&A shall provide the following services with respect to the Plan: a. prepare such Plan documents as shall be necessary to properly establish the Plan as of the Effective Date, including a formal Plan document, a summary of the material provisions of the Plan for distribution to employees eligible to participate in the Plan ("Participants"), and a form for use in enrolling eligible employees. At the time provided to the Employer, all such documents shall conform in all respects with all applicable laws, regulations and formal governmental guidance; b. with the assistance of the Employer, enroll Participants in the Plan; c. provide to each Participant who elects benefits under the Plan's Medical Expense Reimbursement Account benefit option or Dependent Care Assistance Account benefit option an electronic payment card that may be used to pay expenses that are eligible for reimbursement under that benefit option, and such additional cards for use by family members of the Participant as he or she reasonably shall request; d. substantiate the eligibility of expenses paid by use of an electronic payment card to the extent required by applicable law; e. provide Participants who have elected flexible spending account benefits under the Plan with a form to use in submitting flexible spending account claims; f. receive, review and, when authorized by the Plan and by applicable law, approve flexible spending account claims; g. from time to time, notify the Employer of the aggregate amount of funds needed from the Employer to pay pending approved claims and receive said funds as transmitted by the Employer; h. pay approved flexible spending account claims from funds made available by the Employer for that purpose. Claims shall be paid by check or, where authorized by a claimant, by direct electronic deposit to a bank account of the claimant; i. 
provide with each flexible spending account claim paid by check a statement of the Participant's remaining account balance under the flexible spending account from which the payment has been made; j. before the end of each Plan Year of the Plan as described in the Plan document (the "Plan Year"), provide to each Participant who elected any flexible spending account benefits for that Plan Year a statement setting forth each of his or her flexible spending account balances and advise of the potential forfeiture of any balances not used to reimburse the Participant for eligible expenses incurred prior to the end of that Plan Year; and k. perform such benefits discrimination testing as P&A shall reasonably deem necessary to assure the Plan's continuing compliance under 26 U.S. Code Section 125. 2. Compensation. As compensation for the services rendered hereunder, the Employer shall pay P&A such fees as are set forth in Schedule A attached hereto and made a part hereof as Attachment A. P&A may modify this fee schedule as of the beginning of any Plan Year commencing after the initial term of the Agreement (as described in Section 5 hereof). P&A shall notify the Employer in writing of any modification to the fee schedule not less than ninety (90) days before the beginning of the Plan Year in which the modification is to become effective. Should the Employer be unwilling to accept any such modification, it may exercise its right to terminate the Agreement in accordance with Section 5. 3. Employer Responsibilities. a. The Employer shall notify P&A in writing of any event or occurrence that affects the group of employees who are eligible for reimbursement of expenses under the Plan (e.g., hiring of a new employee, termination of an employee, change in hours-worked) as soon as is reasonably practicable. b. 
The Employer shall provide P&A on a timely basis with such other information as P&A reasonably shall request in furtherance of its responsibilities hereunder as soon as is reasonably practicable. c. The Employer shall provide P&A with the funds necessary to pay all claims that qualify for reimbursement under the Plan. P&A shall not be obligated to advance funds to the Employer for this purpose. d. The Employer shall be responsible for assuring that withholding from its payroll is consistent in all respects with salary reduction elections made under the Plan and for preparing Forms W-2 that reflect benefits that were received by Participants during the reporting year to the extent required by law. 4. Responsibilities of the Parties and Indemnification. The responsibilities and liabilities of P&A are only those set forth herein, and no others shall be implied. P&A shall have no duty or authority to make, or to compel the Employer to make payment of any benefit under the Plan. Except for its own misconduct or negligence, P&A shall not indemnify the Employer or any other provider of benefits under the Plan, with respect to its liability to pay benefits to Participants. Except for its own misconduct or negligence, neither P&A nor any of its officers, directors, or employees, nor any agent of or counsel for any of the foregoing, shall be liable to anyone at any time interested in the Plan, for any act or omission in providing services hereunder. P&A shall indemnify and hold harmless the Employer from any claim, liability, obligation or charge arising out of P&A's misconduct, negligence or other wrongdoing in connection with activities or responsibilities arising out of or relating to this Agreement. The Employer shall indemnify and hold harmless P&A from any claim, liability, obligation or charge arising out of the Employer's misconduct, negligence or other wrongdoing in connection with activities or responsibilities arising out of or relating to this Agreement. 5. 
Term; Termination. The initial term of this Agreement shall commence on the Effective Date and shall end on the last day of the first twelve-month Plan Year commencing on or after that date. Thereafter, this Agreement automatically shall be renewed for each additional Plan Year unless one of the parties hereto gives the other party notice in writing of its desire to terminate the Agreement as of the end of a specified Plan Year not less than sixty (60) days prior to the end of that Plan Year. Notwithstanding the foregoing, this Agreement shall terminate (a) automatically if either party is adjudicated a bankrupt or suffers appointment of a temporary or permanent receiver, trustee or custodian for all or a substantial part of their assets, which shall not be discharged within thirty (30) days of appointment, or makes an assignment for the benefit of creditors, or (b) after written notice by one party of the other party's material breach of, or material failure to perform, its obligations hereunder unless such breach or failure is cured within ten (10) days of said notice. Any notice of breach must provide all such details as are known to the non-breaching party regarding the nature of the other party's alleged breach, the specific obligation hereunder to which the alleged material breach relates, the approximate date on which the alleged breach occurred and the identity of any personnel of the other party that were involved. Failure to provide such detail shall render said notice ineffective, and null and void for purposes of this Agreement. 
Should the Employer cause this Agreement to be terminated other than in accordance with the preceding paragraph, the Employer immediately shall become obligated to pay P&A as liquidated damages an amount equal to seventy-five percent of the fees that would have been due had the Agreement remained in effect for the period (i) commencing on the date next following the date on which the Agreement prematurely was or will become terminated, and (ii) ending on the earliest date as of which the Employer properly could have terminated the Agreement by giving the advance notice prescribed hereunder on the date the Employer first notified P&A in writing of the Employer's intention to terminate the Agreement. For purposes of calculating this liquidated damages amount, the fees due to P&A hereunder for services it provided in the month preceding the month within which P&A first was notified of the premature termination of the Agreement shall be the fees due for each month during the period described in the preceding sentence. 6. Confidentiality. All books and records, including the data therein, pertaining to each party which may come into the hands of the other are to be treated as confidential and private records, and the other party shall not disclose information from such records unless it is required by law or authorized by the initial party in writing prior to such disclosure. Employer's good faith compliance with the requirements of the Illinois Freedom of Information Act (5 ILCS 140/1, et seq.) shall not be construed as, and shall not constitute a breach of this agreement. Both parties reserve the right to control the use of any of their symbols, trademarks, computer programs and service marks currently existing or hereafter established. 
Both parties agree that they will not use the computer programs work, symbols, trademarks, service marks, or other devices of the other in advertising, promotional material, or otherwise and will not advertise or display such devices without the prior written consent of the other party. In addition, both parties further agree that any such work, symbols, trademarks, service marks, or other devices furnished by one party to the other shall remain the property of the initial party and shall be returned by the other party upon demand of the initial party upon termination of this Agreement. 7. HIPAA Compliance. The parties hereto acknowledge that they have entered into a separate Business Associate Agreement of even date herewith (the Employer doing so on behalf of the Plan), a copy of which is appended hereto and made a part hereof as Attachment B. 8. Binding Effect. This Agreement shall inure to the benefit of and be binding upon the parties, their legal representatives, contractors, agents, successors and assigns. 9. Integration. By their making of this Agreement, the parties hereto hereby acknowledge that this Agreement supersedes any previous understandings between them with respect to all matters contained herein and contains the entire understanding and agreement between them with respect to all matters contained herein and cannot be amended, modified or supplemented except by a subsequent written agreement entered into by both parties. 10. Subcontracting. P&A shall not subcontract any portion of this Agreement without the prior written approval of the Employer. 11. Non-Exclusive Arrangement. Nothing contained herein shall be construed to prevent either party from independently operating or participating in any other agreement concerning plan administration services independent and unrelated to the services and obligations of the parties pursuant to this Agreement. 12. Waiver of Breach. 
The waiver by either party of a breach or violation of any provision of this Agreement shall not operate as or be construed as a waiver of a breach or violation of any other provision of this Agreement or of any subsequent breach or violation thereof. 13. Severability. In the event any provision of this Agreement is rendered invalid or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. 14. Enforcement. If any action at law or in equity (including arbitration) is necessary to enforce or interpret any one or more of the terms of this Agreement, the prevailing party shall be entitled to reasonable attorneys' fees, costs and necessary disbursements in addition to any other relief to which such party may be entitled. 15. Notice. Any notice hereunder by either party shall be deemed to have been duly given three (3) business days after mailing by First Class U.S. mail, addressed to the party to whom or which notice is intended to be given at such party's address as stated above or to such other address as each party shall specify in writing to the other, unless otherwise specifically provided for herein. 16. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois. P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 500, Buffalo, New York, 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury. 17. Interest. 
P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement. 18. Compliance with law. Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees. Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States. P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit. 19. Execution. This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. 
For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense. 20. Conflict. In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this purchase agreement shall control. 21. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement. In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective Date. P&A ADMINISTRATIVE SERVICES, INC. CITY OF ELGIN Signature Richard G. Kozal, City Manager Attest Title City Clerk Date: October 23, 2019 F:1Legal DeptlAgreement\Agr-PBA-Flexible Benefits Admin-Redlined 10-1-19.docx ATTACHMENT A The Employer will pay to P&A: 1. INSTALLATION FEE. N/A 2. ADMINISTRATION FEES. Administration fees for each calendar month commencing while this Agreement remains in effect. After open enrollment of Plan Participants has been completed for each Plan Year, P&A shall determine if an Annual Minimum Fee in the amount of $1,250.00 is due with respect to that Plan Year. 
This Annual Minimum Fee shall be due only if the following total is less than $1,250.00: The number of Plan Participants who enrolled in the Plan's Flexible Spending Account option during open enrollment multiplied by $3.30 (the per Participant monthly fees described below) then multiplied again by 12 months. If, in accordance with the preceding paragraph, it is determined that an Annual Minimum Fee is not due with respect to a particular Plan Year, then starting in the second month of that Plan Year, monthly invoices shall be sent to the Employer for administrative services provided during the preceding month. The fees for services provided during a particular month shall equal $3.30 for each individual who was eligible for the reimbursement of expenses under any of the Plan's Flexible Spending Account options as of the first day of that month on account of a salary reduction agreement in effect on that date or otherwise, including (i) any individual who, on that date, would have been eligible for reimbursement under any of the Plan's Flexible Spending Account options but for the fact that he or she previously was reimbursed for the full amount of his or her benefit election for the Plan Year; (ii) any individual whose eligibility to make additional salary reduction contributions to the Plan had terminated prior to that date but who, on that date, remained eligible to submit post-termination run-out claims under the terms of the Plan; and (iii) any individual who had elected COBRA coverage prior to that date and whose COBRA coverage remained in effect on that date. 
If it is determined to apply with respect to a particular Plan Year, the Annual Minimum Fee shall be due and payable within thirty (30) days after P&A provides the Employer with an invoice with respect to same. Once paid, this Annual Minimum Fee shall be credited against the Employer's obligation for monthly fees as determined in accordance with the preceding paragraph, and P&A shall not send the Employer an invoice for any monthly fees until the total of all such fees accrued to date exceeds the amount of the Annual Minimum Fee. Monthly fees shall be due and payable within thirty (30) days after P&A provides the Employer with an invoice with respect to same. 3. REQUESTED ADDITIONAL SERVICES AND MATERIALS. For such services and materials requested by the Employer that are in addition to the services and materials described in Section 1 of this Agreement, P&A shall be entitled to such additional compensation from the requesting party as is mutually agreed upon by the requesting party and P&A. 4. MAILING EXPENSES. The cost of any mailing required under the Agreement the rate for which exceeds the first class rate charged by the U.S. Post Office. 5. RECOUPMENT OF PENALTIES AND FEES. The amount of any penalty or like fee that is imposed on P&A as a result of any action or inaction by the Employer or by the employees or other agents of the Employer with respect to the administration of the Plan, including but not limited to returned check charges or ACH rejection fees. P&A shall be entitled to immediately recoup any such penalty or fee from the Employer after giving the Employer written notice that P&A has paid such amount. Note: Should the Employer elect to change the terms of the Plan or should changes in applicable laws necessitate changes to the Plan documents, P&A will provide the Employer with a quote as to the cost of having P&A make the document changes. 
ATTACHMENT B BUSINESS ASSOCIATE AGREEMENT (FSA) This Agreement is hereby entered into and made effective as of January 1, 2020 (the "Effective Date"), by and between the CITY OF ELGIN, Illinois, a municipal corporation, 150 Dexter Court, Elgin, IL 60120 (as the "City"), and P&A ADMINISTRATIVE SERVICES, INC., a New York corporation, 17 Court Street, Suite 500, Buffalo, NY 14202-3294 ("Business Associate"). 1. Definitions. a. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402. b. Breach Notification Rule. "Breach Notification Rule" shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 CFR Parts 160 and 164, subparts A and D. c. Business Associate. "Business Associate" shall mean P&A Administrative Services, Inc. d. Covered Entity. "Covered Entity" shall mean the Medical Expense Reimbursement Account Option under the City of Elgin Flexible Benefits Plan. e. Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103. f. Electronic Transactions Rule. "Electronic Transactions Rule" shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162. g. Enforcement Rule. "Enforcement Rule" shall mean the Enforcement Provisions set forth in 45 CFR Part 160. h. Genetic Information. "Genetic Information" shall have the same meaning as the term "genetic information" in 45 CFR § 160.103. i. HHS. "HHS" shall mean the Department of Health and Human Services. j. HIPAA Rules. "HIPAA Rules" shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. k. HITECH Act. 
"HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. l. Privacy Rule. "Privacy Rule" shall mean the Privacy Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and E. m. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of City pursuant to this Agreement. n. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103. o. Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR § 164.304. p. Security Rule. "Security Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and C. q. Services Agreement. "Services Agreement" shall mean the "Flexible Benefits Plan Services Agreement" of even date herewith between the City of Elgin and the Business Associate including any subsequent amendments or restatements thereof. r. Subcontractor. "Subcontractor" shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103. s. Transaction. "Transaction" shall have the meaning given the term "transaction" in 45 CFR § 160.103. t. Unsecured Protected Health Information. "Unsecured Protected Health Information" shall have the meaning given the term "unsecured protected health information" in 45 CFR § 164.402. 2. Privacy and Security of Protected Health Information. a. Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information only as set forth below: (i) Functions and Activities on City's Behalf. 
Business Associate shall provide the services described in a certain administrative services agreement of even date herewith (the "Services Agreement"). The Business Associate hereby is authorized to de-identify Protected Health Information whenever, in its best judgment, it is necessary to do so to comply with the HIPAA Rules. (ii) Business Associate's Operations. Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out Business Associate's legal responsibilities, provided that— (A) The disclosure is Required by Law; or (B) Business Associate obtains reasonable assurance from any person or entity to which Business Associate will disclose Protected Health Information that the person or entity will-- (1) Hold the Protected Health Information in confidence and use or further disclose the Protected Health Information only for the purpose for which Business Associate disclosed Protected Health Information to the person or entity or as Required by Law; and (2) Promptly notify Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of Protected Health Information was breached. (iii) Minimum Necessary. 
Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation if neither Business Associate nor City is required to limit its use, disclosure, or request to the minimum necessary under the HIPAA Rules. Business Associate and City acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act and the HIPAA Rules. b. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information, except as permitted or required by this Agreement or in writing by City or as Required by Law. This Agreement does not authorize Business Associate to use or disclose City's Protected Health Information in a manner that would violate the HIPAA Rules if done by City, except as permitted for Business Associate's proper management and administration, as described above. c. Information Safeguards. (i) Privacy of Protected Health Information. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. The safeguards must reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement. 
To the extent the parties agree that the Business Associate will carry out directly one or more of City's obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rule that apply to the City in the performance of such obligations. (ii) Security of City's Electronic Protected Health Information. Business Associate will comply with the Security Rule and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on City's behalf. (iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the United States without the prior written consent of the City. In this context, a "transfer" outside the United States occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States are able to access, use, or disclose Protected Health Information. d. Subcontractors. Business Associate will require each of its Subcontractors to agree, in a written agreement with Business Associate, to comply with the provisions of the Security Rule; to appropriately safeguard Protected Health Information created, received, maintained, or transmitted on behalf of the Business Associate; and to apply the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information. e. Prohibition on Sale of Protected Health Information. Effective immediately, Business Associate shall not engage in any sale (as defined in the HIPAA rules) of Protected Health Information. f. Prohibition on Use or Disclosure of Genetic Information. Effective immediately, Business Associate shall not use or disclose Genetic Information for underwriting purposes in violation of the HIPAA rules. g. 
Penalties for Noncompliance. Business Associate acknowledges that it is subject to civil and criminal enforcement for failure to comply with the HIPAA Rules, to the extent provided by the HITECH Act and the HIPAA Rules. 3. Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of City for which HHS has established standards, Business Associate will comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule and of any operating rules adopted by HHS with respect to Transactions. 4. Individual Rights. a. Access. Business Associate will, within twenty-nine calendar days following City's request, make available to City (or, at City's written direction, to an individual or the individual's designee) for inspection and copying Protected Health Information about the individual that is in a Designated Record Set in Business Associate's custody or control, so that City may meet its access obligations under 45 CFR § 164.524. If City requests an electronic copy of Protected Health Information that is maintained electronically in a Designated Record Set in the Business Associate's custody or control, Business Associate will provide an electronic copy in the form and format specified by the City if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with City to determine an alternative form and format that will enable City to meet its electronic access obligations under 45 CFR § 164.524. b. Amendment. Business Associate will, upon receipt of written notice from City, promptly amend or permit City access to amend any portion of an individual's Protected Health Information that is in a Designated Record Set in the custody or control of the Business Associate, so that City may meet its amendment obligations under 45 CFR § 164.526. c.
Disclosure Accounting. To allow City to meet its obligations to account for disclosures of Protected Health Information under 45 CFR § 164.528: (i) Disclosures Subject to Accounting. Business Associate will record the information specified below ("Disclosure Information") for each disclosure of Protected Health Information, not excepted from disclosure accounting as specified below, that Business Associate makes to City or to a third party. (ii) Disclosures Not Subject to Accounting. Business Associate will not be obligated to record Disclosure Information or otherwise account for disclosures of Protected Health Information if City need not account for such disclosures under the HIPAA Rules. (iii) Disclosure Information. With respect to any disclosure by Business Associate of Protected Health Information that is not excepted from disclosure accounting under the HIPAA Rules, Business Associate will record the following Disclosure Information as applicable to the type of accountable disclosure made: (A) Disclosure Information Generally. Except for repetitive disclosures of Protected Health Information as specified below, the Disclosure Information that Business Associate must record for each accountable disclosure is (i) the disclosure date, (ii) the name and (if known) address of the entity to which Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure. (B) Disclosure Information for Repetitive Disclosures.
For repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity (including City), the Disclosure Information that Business Associate must record is either the Disclosure Information specified above for each accountable disclosure, or (i) the Disclosure Information specified above for the first of the repetitive accountable disclosures; (ii) the frequency, periodicity, or number of the repetitive accountable disclosures; and (iii) the date of the last of the repetitive accountable disclosures. (iv) Availability of Disclosure Information. Business Associate will maintain the Disclosure Information for at least six years following the date of the accountable disclosure to which the Disclosure Information relates. Business Associate will make the Disclosure Information available to City fifty-nine calendar days following City's request for such Disclosure Information to comply with an individual's request for disclosure accounting. d. Restriction Agreements and Confidential Communications. City shall notify Business Associate of any limitations in the notice of privacy practices of City under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information. Business Associate will comply with any notice from City to (1) restrict use or disclosure of Protected Health Information pursuant to 45 CFR § 164.522(a), or (2) provide for confidential communications of Protected Health Information pursuant to 45 CFR § 164.522(b), provided that City notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow.
City will promptly notify Business Associate in writing of the termination of any such restriction or confidential communications requirement and, with respect to termination of any such restriction, instruct Business Associate whether any of the Protected Health Information will remain subject to the terms of the restriction agreement. 5. Breaches and Security Incidents. a. Reporting. (i) Impermissible Use or Disclosure. Business Associate will report to City any use or disclosure of Protected Health Information not permitted by this Agreement not more than fifty-nine calendar days after Business Associate discovers such non-permitted use or disclosure. (ii) Breach of Unsecured Protected Health Information. Business Associate will report to City any potential Breach of Unsecured Protected Health Information not more than fifty-nine calendar days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to City's Privacy Officer. If a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying City for the applicable time period.
Business Associate's report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report: (A) Identify the nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach; (B) Identify the types of Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, or other information were involved); (C) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure; (D) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; (F) Provide such other information, including a written report and risk assessment under 45 CFR § 164.402, as City may reasonably request. (iii) Security Incidents. Business Associate will report to City any Security Incident of which Business Associate becomes aware. Business Associate will make this report once per month, except if any such Security Incident resulted in a disclosure not permitted by this Agreement or Breach of Unsecured Protected Health Information, Business Associate will make the report in accordance with the provisions set forth above. b. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure in violation of this Agreement. 6. Term and Termination. a. Term. This Agreement shall be effective as the Effective Date, and shall remain in effect until the Service Agreement terminates. b. Right to Terminate for Cause.
Notwithstanding "a" above, City may terminate this Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Agreement, and after written notice to Business Associate of the breach, Business Associate has failed to cure the breach within thirty calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in City's notice of termination. c. Treatment of Protected Health Information on Termination. (i) Return or Destruction of City's Protected Health Information Is Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return to City or destroy all Protected Health Information in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of the Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of any Subcontractors of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination of this Agreement. (ii) Procedure When Return or Destruction Is Not Feasible. Business Associate will identify any Protected Health Information, including any Protected Health Information that Business Associate has disclosed to Subcontractors, that cannot feasibly be returned to City or destroyed and explain why return or destruction is infeasible. Business Associate will limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible.
Business Associate will complete these obligations as promptly as possible, but not later than thirty calendar days following the effective date of the termination or other conclusion of Agreement. (iii) Continuing Privacy and Security Obligation. Business Associate's obligation to protect the privacy and safeguard the security of Protected Health Information as specified in this Agreement will be continuous and survive termination or other conclusion of this Agreement. 7. General Provisions. a. Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations, and other official government guidance. b. Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to City and to HHS to determine compliance with the HIPAA Rules. c. Amendment to Agreement. This Agreement may be amended only by a written instrument signed by the parties. In case of a change in applicable law, the parties agree to negotiate in good faith to adopt such amendments as are necessary to comply with the change in law. d. No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties. e. Interpretation. Any ambiguity in the Agreement shall be resolved to permit City and Business Associate to comply with the applicable requirements under the HIPAA Rules. f. Construction and Interpretation. The section headings contained in this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement. This Agreement has been negotiated by the parties at arm's-length and each of them has had an opportunity to modify the language of the Agreement.
Accordingly, the Agreement shall be treated as having been drafted equally by the parties, and the language shall be construed as a whole and according to its fair meaning. Any presumption or principle that the language is to be construed against any party shall not apply. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. g. Notices. All notices and communications required by this Agreement shall be in writing. Such notices and communications shall be given in one of the following forms: (i) by delivery in person, (ii) by a nationally-recognized, next-day courier service, (iii) by first-class, registered or certified mail, postage prepaid; or (iv) by electronic mail to the address that each party specifies in writing. h. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the parties, written or oral, with regard to this same subject matter. i. Law/Venue. This agreement is subject to and governed by the laws of the State of Illinois. Venue for the resolution of any disputes or the enforcement of any rights arising out of or in connection with this agreement shall be the Circuit Court of Kane County, Illinois. P&A hereby irrevocably consents to the jurisdiction of the Circuit Court of Kane County, Illinois for the enforcement of any rights, the resolution of any disputes and/or for the purposes of any lawsuit brought pursuant to this agreement or the subject matter hereof; and P&A agrees that service by first class U.S. mail to P&A Administrative Services, Inc., 17 Court Street, Suite 500, Buffalo, NY 14202-3294 shall constitute effective service. Both parties hereto waive any rights to a jury. j. No Modification.
There shall be no modification of this agreement, except in writing and executed with the same formalities as the original. k. Interest. P&A hereby waives any and all claims or rights to interest on money claimed to be due pursuant to this agreement, and waives any and all such rights to interest to which it may otherwise be entitled pursuant to law, including, but not limited to, pursuant to the Local Government Prompt Payment Act (50 ILCS 505/1, et seq.), as amended, or the Illinois Interest Act (815 ILCS 205/1, et seq.), as amended. The provisions of this paragraph shall survive any expiration, completion and/or termination of this agreement. l. Compliance with law. Notwithstanding any other provision of this agreement, it is expressly agreed and understood that in connection with the performance of this agreement, P&A shall comply with all applicable federal, state, city and other requirements of law, including, but not limited to, any applicable requirements regarding prevailing wages, minimum wage, workplace safety and legal status of employees. Without limiting the foregoing, P&A hereby certifies, represents and warrants to the City that all of P&A's employees and/or agents who will be providing products and/or services with respect to this agreement shall be legally authorized to work in the United States. P&A shall also, at its expense, secure all permits and licenses, pay all charges and fees, and give all notices necessary and incident to the due and lawful prosecution of the work, and/or the products and/or services to be provided for in this agreement. The City shall have the right to audit any records in the possession or control of P&A to determine P&A's compliance with the provisions of this section. In the event the City proceeds with such an audit, P&A shall make available to the City P&A's relevant records at no cost to the City. City shall pay any and all costs associated with any such audit. m. Execution.
This agreement may be executed in counterparts, each of which shall be an original and all of which shall constitute one and the same agreement. For the purposes of executing this agreement, any signed copy of this agreement transmitted by fax machine or e-mail shall be treated in all manners and respects as an original document. The signature of any party on a copy of this agreement transmitted by fax machine or e-mail shall be considered for these purposes as an original signature and shall have the same legal effect as an original signature. Any such faxed or e-mailed copy of this agreement shall be considered to have the same binding legal effect as an original document. At the request of either party any fax or e-mail copy of this agreement shall be re-executed by the parties in an original form. No party to this agreement shall raise the use of fax machine or e-mail as a defense to this agreement and shall forever waive such defense. n. Conflict. In the event of any conflict between the terms and provisions of this purchase agreement and Attachment A hereto, the terms and provisions of this purchase agreement shall control. o. Limitation of Damages. In no event shall City be liable for any monetary damages in excess of the purchase price contemplated by this agreement. In no event shall City be liable for any consequential, special or punitive damages, or any damages resulting from loss of profit. IN WITNESS WHEREOF, the parties have entered into this Agreement as of the Effective Date. Richard G. Kozal, City Manager Attest: City Clerk Dated: October 23, 2019