PROVIDER TRADING PARTNER AGREEMENT FOR DIRECT DATA ENTRY SERVICES
This Trading Partner Agreement For Direct Data Entry Services (hereinafter "Agreement") is made by and between United Concordia Companies, Inc. ("UCCI"), and "Provider," a licensed health care provider further identified on the form found at Appendix A attached.
WHEREAS, UCCI performs certain claims processing and administrative services; and,
WHEREAS, Provider renders certain professional health care services ("Services") to members of employer groups and individuals, and submits documentation of those Services to UCCI; and,
WHEREAS, Provider desires to transmit and UCCI desires to receive certain electronic communications (further defined below under the definition for Direct Data Entry), containing certain claims and billing information that may include identifiable financial and/or protected health information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 Code of Federal Regulations Parts 160-164, and applicable regulations that implement Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq. (the "GLB Regulations") now or as later amended; and,
WHEREAS, UCCI agrees to safeguard any and all PHI or other Data received from Provider, and Provider agrees to safeguard any and all PHI or other Data transmitted to UCCI in accordance with any applicable HIPAA and the GLB Regulations; and,
WHEREAS, UCCI and Provider (the "Parties") desire to set forth in writing their understanding with respect to these communications and the covenant of confidentiality and non-disclosure of PHI or other Data.
NOW THEREFORE, in consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the receipt of which is hereby acknowledged, the Parties hereto agree as follows:
I. DEFINITIONS
Data. Any information provided and/or made available by either of the Parties to the other, and includes, but is not limited to enrollment and eligibility data, claims data, and PHI.
Direct Data Entry. Data that is input by the Provider into UCCI's computer systems without passing through any other party by means of a direct internet interface into those systems.
Health and Human Services ("HHS") Privacy Standard Regulation. 45 Code of Federal Regulations ("CFR") at Title 45, Parts 160 through 164.
HHS Transaction Standard Regulation. 45 CFR Parts 160 and 162.
Individual. The person who is the subject of the Data, as defined by 45 CFR § 164.501.
Proprietary Data. That information used in UCCI's business or business practices to which Provider would not otherwise have access but for its contractual relationship with UCCI, including but not limited to information systems technologies and practices, and operational processes.
II. INTRODUCTION
This Agreement authorizes the Provider to electronically submit or access previously submitted Data, including PHI, through a public or private telecommunications network in an efficient and cost-effective manner without limiting the obligations of each party as set forth in this Agreement or imposed by applicable law, solely for the purposes set forth herein, in accordance with the terms "Standard" and "Transactions" as defined at 45 CFR § 160.103 (hereinafter aggregated and referred to as "Standard Transactions"), and the privacy standards described and referenced below. Any Data, Proprietary Data or PHI exchanged under this Agreement is to be used and exchanged solely as authorized by HIPAA, and is further subject to the terms and conditions set forth in this Agreement.
III. TERM, TERMINATION and SUSPENSION
The term of this Agreement shall commence upon its execution. Provider agrees that its ability to electronically transmit or access Data will cease if Provider or UCCI terminates this Agreement.
Either party may terminate this Agreement without cause upon sixty- (60) days written notice or immediately by either party for cause. Cause shall include, but not be limited to, breach of any material term(s) of this Agreement, fraud, abuse, and/or failure to protect PHI. The terminating party may rescind notice of termination if the other party successfully cures the breach complained of to the terminating party's satisfaction. Each party may also temporarily suspend electronic communications under this Agreement to protect computer or data systems in cases of emergencies, or to perform maintenance. Each party agrees to minimize the frequency and duration of these temporary suspensions.
IV. UCCI OBLIGATIONS
A. ID(s) and Password(s). Upon execution of this Agreement, Provider will select logon ID(s) and password(s) to use to authenticate its identity when transmitting or accessing data electronically. UCCI shall retain title to all logon ID(s) and password(s), and reserves the right to change, withdraw or suspend any logon ID or password at any time, for any reason, or if required to do so by law, regulation, or court order. UCCI further retains, in its sole discretion, the right to approve, disapprove or withdraw Provider access to its system(s) or to certain or all of the Data contained within the system(s).
B. Data. The kinds or format of Data Provider may submit and UCCI may receive pursuant to this Agreement may change as a result of changes in law or regulation, or actions taken by an employer group in accordance with the terms and conditions of certain health care benefits contracts, or changes made to those contracts. UCCI does not warrant the accuracy of the Data Provider accesses. No electronic communication will give rise to any obligation until it is accessible by UCCI in UCCI's systems. In addition, acceptance by UCCI of the Data Provider sends to UCCI electronically does not constitute guarantee of reimbursement.
V. PROVIDER OBLIGATIONS and AUTHORIZATIONS
A. Provision of/Access to Data. Provider may provide UCCI with Data electronically, including minimum necessary PHI (see 45 CFR § 164.502(b)), in accordance with the terms of this Agreement. Provider is solely responsible to ensure that the Data it provides UCCI is correct. Provider may access only the Data it inputs into UCCI's systems.
B. Logon ID and Password. Provider agrees to protect logon ID(s) and password(s) from compromise, release or discovery by any unauthorized person, and shall not disclose logon ID(s) and password(s) to any third party in any manner. If a breach of this provision occurs, Provider must notify UCCI immediately by calling Dental Electronic Services at (800) 633-5430. Provider acknowledges and agrees that only Provider personnel it designates shall be permitted to use the logon ID(s) and password(s). Provider's use of logon ID(s) and password(s) constitutes an Electronic Signature that confirms Provider's willingness to: remain bound by these terms and conditions and ratify any transaction conducted electronically by UCCI.
C. Provider's Costs. Provider shall assume all its internal costs to transmit and access Data electronically including, but not limited to, the costs of computers, terminals, connections, modems, and browsers that, if necessary to comply with law or regulation, have the capability to use HIPAA-mandated code-set Standard Transactions; and the costs of providing sufficient security measures to safeguard receipt and transmission of PHI in electronic transactions that involve using the internet in accordance with 42 USC § 1320d-2(d), 45 CFR § 164.530 and the implementing regulations issued by HHS to preserve the integrity and confidentiality of, and to prevent non-permitted use or violations of disclosure of PHI. Provider acknowledges that any changes made to Data may impact any reimbursement it may receive.
D. Authorization to Use Data. Provider's use of a UCCI system or process under this Agreement constitutes authorization and direction to UCCI to use PHI or other Data to adjudicate and process health care claims UCCI receives from Provider. Provider may access and transmit only that Data related to services it provides for its patients. Provider acknowledges that UCCI may disclose the PHI it makes available to UCCI concerning Individuals who are members of a plan to the plan sponsor consistent with HIPAA's requirements and the language set forth herein.
VI. INDEMNIFICATION
Each party shall release, defend, indemnify and hold harmless the other party, its corporate subsidiaries, affiliates officers, directors, employees, agents, persons, firms, divisions, successors and assigns, against any and all: liability, losses or damages, whether direct or indirect, to person or property; claims; judgments; costs and reasonable attorney's fees; legal action or potential for the same which may result from that first party's improper use or unauthorized disclosure or use of Data or PHI in violation of this Agreement. Each party assumes all liability for any damage, whether direct or indirect, to the Data or the other party's information systems caused by the unauthorized use of such Data or information systems by the first party, its employees or agents or any third party who gains access to the systems through their acts or omissions. Neither party shall be liable to the other party for damages caused by circumstance beyond its control, including, without limitation: "hackers" who gain access to the system or Data in spite of a party's compliant security measures, a major disaster, epidemic, the complete or partial destruction of its facilities, riot, civil insurrection, war or similar causes. Neither party shall be liable to the other party for any special, incidental, exemplary or consequential damages.
VII. COMPLIANCE WITH PRIVACY STANDARDS
Each party will develop, implement, maintain and use appropriate administrative, technical and physical Data safeguards, in compliance with 42 U.S.C. § 1320d-2(d), 45 CFR § 164.530(c) and patient confidentiality provisions of applicable state statutes or regulations, and shall comply with any applicable GLB Regulations, or any amendments to any of these statutes or regulations.
Each party shall execute trading partner, and/or business associate agreements with subcontractors or agents that provide services involving maintenance, use or disclosure of PHI, ensuring that any subcontractors or agents to whom it provides PHI agree in writing to those restrictions that, with respect to such PHI, apply to that individual subcontractor or agent. Each party agrees that it will not maintain, use, make available or further disclose PHI other than as permitted or equired by this Agreement or as required by law.
If any activity under this Agreement would cause any Party to be considered a "Business Associate" of any other Party under 45 CFR. § 160.103, the following restrictions will apply to all uses and disclosures of PHI. The Business Associate will: (i) Not use or further disclose PHI other than as permitted or required by this Agreement, or to comply with judicial process or any applicable statute or regulation; (ii) Notify the other Party in advance of any disclosure of PHI that the Business Associate is required to make under any judicial or regulatory directive; (iii) Use appropriate safeguards to prevent use or disclosure of PHI other than for the purposes required in this Agreement; (iv) Report to the other parties any use or disclosure of PHI not provided for in this Agreement of which the Business Associate becomes aware; (v) Ensure that any agents or subcontractors to whom the Business Associate discloses PHI received from another party, or created on behalf of another party, agrees to the same restrictions and conditions that apply to the protection of information under this Agreement; (vi) Make PHI available to individuals as required by 45 CFR § 164.524; (vii) Make PHI available for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526; (viii) Make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528; (ix) Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or collected by the Business Associate on behalf of another Party, available to the Secretary of HHS when called upon for purposes of determining the other Party's compliance with federal privacy standards; and (x) At termination of this Agreement, if feasible, return or destroy all PHI received from another Party, or created or collected by the Business Associate on behalf of the other Party, that the Business Associate still maintains in any form and retain no copies of such PHI or, if such return or destruction is not feasible, or if the PHI is still used to perform business functions, continue to treat all such PHI in accordance with the limits provided in this Agreement, and applicable law and regulation.
VIII. SYSTEMS AND PERSONNEL SECURITY/UNAUTHORIZED DISCLOSURES.
The Parties shall comply with the final version of the data security standard promulgated by HHS (proposed version found at 45 CFR Part 142, published August 12, 1998, 63 Federal Register, Pages 43241-43280, the "Security Standard"). On or before the required compliance date of the final Security Standard, the Parties will adopt any necessary modifications to their practices for maintaining PHI or transmitting PHI electronically, and shall provide any written assurances required under the final Security Standard to prevent unauthorized access to Data. If an unauthorized disclosure of PHI, or the discovery of unauthorized access to and/or tampering with the Data or UCCI's Proprietary Data is discovered, the disclosing party will immediately report to the other party, using the most expeditious medium available, no later than twenty-four (24) hours after such discovery/disclosure is made, the following information: (i) the nature of the disclosure, (ii) PHI used or disclosed, (iii) the individual(s) who made and received the disclosure, (iv) any corrective action taken to prevent further disclosure(s) and mitigate the effect of the current disclosure(s), and (v) any such other information reasonably requested by the non-disclosing party. The Parties will cooperate in the event of any litigation concerning unauthorized use, transfer or disclosure of such Data.
IX. COMPLIANCE WITH STANDARD TRANSACTIONS
If required, the Parties shall comply with each applicable regulation if performing "Standard Transactions" including but not limited to the requirements and prohibitions found at 45 CFR § 162.915.
X. NOTICES
Any notice relating to this Agreement shall be in writing and transmitted by Provider to either (i) U.S. Mail, first class, postage prepaid to Dental Electronic Services, 4401 Deer Path Road, P.O. Box 69408, Harrisburg, Pa 17106, or to such other address as is later supplied by UCCI; or (ii) facsimile transmission to (717) 260-7131, or to such other number as is later supplied by UCCI; and by UCCI to the address and number found at Appendix A. Notices or communications shall be deemed given (a) in the case of transmittal by U.S. mail, on the date of receipt by the addressee and (b) in the case of or facsimile transmission, on the date the facsimile is sent.
XI. RECORDS AND AUDIT
The Parties shall maintain, in accordance with their document retention policies and applicable law and regulation, and for a minimum of seven (7) years, true and correct copies of any source documents from which they reproduce Data. UCCI reserves the right to audit those records and security methods of Provider necessary to ensure compliance with this Agreement or to ensure that adequate security precautions have been made to prevent unauthorized disclosure of any Data.
XII. SURVIVAL OF PROVISIONS
Any provision of this Agreement that requires or reasonably contemplates the performance or existence of obligations by either party after the termination of the Agreement shall survive such termination.
XIII. ASSIGNMENT
No right or interest in this Agreement shall be assigned by either party without the prior written permission of the other party.
XIV. GOVERNING LAW
The construction, interpretation and performance of this Agreement and all transactions under it shall be governed by the laws of the Commonwealth of Pennsylvania, except to the extent federal law preempts them.
XV. WAIVER OF RIGHTS
No course of dealing or failure of either party to strictly enforce any term, right or condition of the Agreement shall be construed as a waiver of such term, right or condition.
XVI. SEVERABILITY
If any provisions of this Agreement shall be deemed invalid or unenforceable, such invalidity or unenforceability shall not invalidate or render unenforceable the entire Agreement, but rather the entire Agreement shall be construed as if not containing those invalid or unenforceable provision(s), and the rights and obligations of each party shall be construed and enforced accordingly.
XVII. ENTIRE AGREEMENT
This Agreement and any Exhibits and Attachments thereto shall constitute the entire Agreement between the Parties with respect to the subject matter of this Agreement and shall not be altered, varied, revised or amended except in writing signed by both Parties. The provisions of this Agreement supersede all prior oral or written quotations, communications, agreements and understandings of the Parties with respect to the subject matter of this Agreement.
BY CLICKING ON THE "I Agree" BUTTON FOUND BELOW, the individual with authority to bind Provider is representing that he/she has read the foregoing Agreement and agrees on behalf of the party it represents to be bound by it. For purposes of this Agreement, an electronic signature shall have the full force and legal effect of an original signature.