Services Agreement [Amendment No. 4] - Exult Inc. and Prudential Insurance Co. of America
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
This HIPAA Business Associate Amendment (the "AMENDMENT"), shall be effective as
of April 14, 2003 (the "EFFECTIVE DATE"), shall amend that certain Services
Agreement by and between Prudential and Company dated as of January 11, 2002, as
amended (the "SERVICES AGREEMENT"), and is entered into by and between The
Prudential Insurance Company of America ("PLAN SPONSOR"), with offices at 751
Broad Street, Newark, NJ 07102 and the Administrative Committee on behalf of The
Prudential Welfare Benefits Plan, The Prudential Flexible Benefits Plan, the
Prudential Medical Access Plan and the Prudential Executive Medical Access Plan
("PLAN ADMINISTRATOR") (together "PRUDENTIAL") and Exult, Inc. ("COMPANY").
Prudential and Company agree that the terms and conditions of this Amendment
shall supplement and govern uses and disclosures of Protected Health Information
("PHI") as defined in the federal health Privacy Rules (as defined below), and
shall be effective and apply notwithstanding any conflicting provisions of the
Services Agreement.
Company and Prudential acknowledge the provisions herein are set forth pursuant
to the requirements promulgated by the Secretary ("SECRETARY") of the Department
of Health & Human Services pursuant to the Health Insurance Portability and
Accountability Act of 1996 (Pub. L. 104-191), and promulgated in the Standards
for Privacy of Individually Identifiable Health Information at 45 CFR part 160
and part 164, subparts A and E (the "PRIVACY RULES").
Company and Prudential further acknowledge that (i) Company is, or may be deemed
to be, a "Business Associate" of Prudential, as the term is defined under the
Privacy Rules, and (ii) The Prudential Welfare Benefits Plan, The Prudential
Flexible Benefits Plan, the Prudential Medical Access Plan and the Prudential
Executive Medical Access Plan are "Covered Entities" as that term is defined
under the Privacy Rules. The terms used in this Amendment, but not otherwise
defined, shall have the same meanings as those terms in 45 CFR 160.103 and
164.501 or in the Services Agreement, as applicable. References to the Privacy
Rules shall mean as enacted and shall include any later amendments, deletions or
revisions.
A. OBLIGATIONS OF COMPANY
1. Company shall only use or disclose PHI as set forth in and in accordance
with this Amendment or as required by law. Company shall not use or
disclose PHI in any manner, for any other purpose, or disclose it to any
third party, other than as authorized by this Amendment or as required by
law. The term "REQUIRED BY LAW" shall have the same meaning as the term
"required by law" in 45 CFR Section 164.501. "PHI" shall have the same
meaning as it has in 45 CFR Section 164.501 of the Privacy Rules, limited
to the information created or received by Company from or
<PAGE>
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
on behalf of Prudential. The PHI subject to this Amendment shall be that
pertaining to any "INDIVIDUAL" (as that term is defined in 45 CFR Section
164.501 of the Privacy Rules, and shall include a person who qualifies as a
personal representative in accordance with 45 CFR 164.502(g)) who has made
application to be or is covered under: the Medical, Global Medical, Dental,
Global Dental, Vision, or Long Term Care Benefits provided under the Prudential
Welfare Benefits Plan; the Health Care Reimbursement Benefits provided under the
Prudential Flexible Benefits Plan; the Prudential Medical Access Plan; or the
Prudential Executive Medical Access Plan and whose PHI is subject to the Privacy
Rules. Company hereby represents that it will make reasonable efforts to limit
any PHI it shall require from Prudential to the minimum necessary, as defined in
45 CFR Section 164.502(b), for the Company's stated purposes under the Services
Agreement and acknowledges that Prudential shall rely upon such representation
with respect to any request for PHI from Company. Company shall not use or
disclose PHI in a manner that would violate the requirements of the Privacy
Rules if such use or disclosure were made by Prudential. In addition:
(a) Company may use or disclose PHI for the proper management and
administration of Company, and to carry out the legal
responsibilities of Company; provided that:
(i) the disclosure is required by law; or
(ii) Company obtains reasonable assurance from a third
person to whom the PHI is disclosed that such PHI
will remain confidential, be used or further
disclosed only as required by law or for the
reasons it was disclosed to the third person, and
the third person notifies Company of any instances
of which it is aware in which the confidentiality
of the PHI has been breached;
(b) Company may use or disclose PHI to provide data aggregation services
relating to the "HEALTH CARE OPERATIONS," (as defined in the Privacy
Rules) of Prudential if such services are provided for in the
applicable arrangements or agreements between Prudential and
Company.
2. Company shall not use or further disclose PHI other than as permitted or
required by this Amendment or as required by law.
3. Company shall use appropriate safeguards to prevent use or disclosure of
PHI other than as provided for by this Amendment or as required by law.
4. Company shall report to Prudential any use or disclosure of PHI, not
provided for by this Amendment or as required by law, of which Company
becomes aware.
5. Company shall ensure that any agents, including any subcontractors, to
whom it provides PHI received from, or created or received by the Company
on behalf of Prudential agrees to substantially the same restrictions and
conditions that apply to it through this Amendment with respect to such
PHI.
6. Company shall, at the reasonable request of Prudential make available PHI
to Prudential in accordance with Section 164.524 of the Privacy Rules.
<PAGE>
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
7. Company shall make available, at the reasonable request of Prudential, PHI
for amendment by Prudential and shall incorporate any amendments to PHI in
Company's designated record sets in accordance with Section 164.526 of the
Privacy Rules. For all requested amendments under this Section 7, Company
shall be entitled to rely entirely on such requests for all matters
relating to the accuracy and completeness of such PHI.
8. Company will reasonably assist Prudential in responding to any disclosure
request made by a subject of PHI. Accordingly, Company will keep an
accounting of all disclosures ("Disclosures") of PHI (the "DISCLOSURE
ACCOUNTING") on an ongoing basis and maintain the Disclosure Accounting
for a period of at least six (6) years from the date of each Disclosure.
For the purposes of this Amendment, Disclosures shall not include any
disclosure of PHI by Company (i) to carry out treatment, payment and
health care operations solely as set forth in 45 CFR Section 164.506; (ii)
pursuant to an instruction from Prudential as approved by an authorization
received from a subject of PHI; (iii) directly to the subject of the PHI;
or (iv) that occurred prior to the April 14, 2003. At a minimum, the
Disclosure Accounting shall contain (w) the date of the Disclosure; (x)
the name of the entity or person who received the PHI and, if known, the
address of such entity or person; (y) a brief description of the PHI
disclosed; and (z) a brief statement of the purpose of the Disclosure that
reasonably informs the subject of the PHI of the basis for the Disclosure;
or in lieu of such statement a copy of the subject's written authorization
or request for Disclosure pursuant to the Privacy Rules. Company will
provide the Disclosure Accounting to Prudential within forty-five (45)
days after receipt of a written request from Prudential.
9. Subject to Company's security requirements, confidentiality obligations
and the audit rights set forth in the Services Agreement, Company shall
make its internal practices, books, and records relating to the use and
disclosure of PHI received from, or created or received by the Company on
behalf of, Prudential available to Prudential or, at the request of
Prudential, to the Secretary for purposes of the Secretary determining
Prudential's compliance with the Privacy Rules.
10. Company agrees to use commercially reasonable efforts to mitigate, to the
extent practicable, any harmful effect that is known to Company of a use
or disclosure of PHI in violation of the requirements of this Amendment.
11. Company's obligations under this Amendment exist and occur solely to the
extent required by the Privacy Rules.
B. OBLIGATIONS OF PRUDENTIAL
1. Prudential shall provide Company with a copy of the Notice of Privacy
Practices Prudential produces in accordance with the Privacy Rules, as
well as any changes to such Notice of Privacy Practices.
2. Prudential shall provide Company with any changes in, or revocation of,
permission by Individuals to use or disclose PHI, if such changes affect
Company's permitted uses or disclosures.
<PAGE>
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
3. Prudential shall notify Company of any restriction to the use or
disclosure of PHI Prudential agrees to in accordance with the Privacy
Rules.
4. Prudential shall not request Company to use or disclose PHI in any manner
that would not be permissible under the Privacy Rules if done by
Prudential.
5. Company's obligations under this Amendment are conditioned upon
Prudential's satisfactory performance of its obligations hereunder. Any
failure of Prudential to perform its obligations hereunder shall excuse
Company from performing its obligations hereunder to the extent such
performance is hindered or prevented by such failure to perform by
Prudential. Prudential and Company agree to discuss in good faith any
modifications or changes to the Services provided pursuant to the Services
Agreement and the fees paid thereunder that result from any changes in the
use or disclosure of PHI.
C. TERM AND TERMINATION
1. Term. The term of this Amendment shall be effective as of the Effective
Date of this Amendment and shall terminate upon the earlier of: (i) the
Privacy Rules are repealed or no longer in effect; (ii) the termination of
expiration of the Services Agreement pursuant to its terms; or (ii) all of
the PHI provided by Prudential to Company, or created or received by
Company on behalf of Prudential, is destroyed or returned to Prudential,
or, if it is infeasible to return or destroy PHI, protections are extended
to such information, in accordance with this Amendment.
2. Termination for Cause. Upon Prudential's knowledge of a material breach of
this Amendment by Company, Prudential shall either:
(a) terminate this Amendment if Company fails to cure such breach within
thirty (30) days after receipt of written notice thereof; or
(b) immediately terminate this Amendment if Company has breached a
material term of this Amendment and cure is not reasonably possible;
or
(c) if neither termination nor cure is feasible, Prudential shall report
the violation to the Secretary.
3. Effect of Termination. (a) Upon termination of this Amendment for any
reason, Company shall return or destroy all PHI received from Prudential,
or created or received by Company on behalf of Prudential. This provision
shall apply to PHI that is in the possession of subcontractors or agents
of Company. Company shall retain no copies of the PHI; (b) in the event
that Company determines that returning or destroying the PHI is
infeasible, Company shall provide to Prudential notification of the
conditions that make return or destruction infeasible. Company shall
extend the protections of this Agreement to such PHI and limit further
uses and disclosures of such PHI to those purposes that make return or
destruction infeasible, for so long as Company maintains such PHI.
<PAGE>
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
D. MISCELLANEOUS.
1. Regulatory References. A reference in this Amendment to a section in the
Privacy Rules means the section as in effect or amended.
2. Amendment. The Parties agree to take such reasonable action as is
necessary to amend this Amendment from time to time as is necessary for
Prudential to comply with the requirements of the Privacy Rules and the
Health Insurance Portability and Accountability Act of 1996, Public Law
104-191.
3. Survival. The respective rights and obligations of Company under Section C
(3) of this Amendment shall survive the termination of this Agreement
and/or the other agreements or arrangements.
4. Interpretation. Any ambiguity in this Amendment shall be resolved in favor
of a meaning that permits Prudential to comply with the Privacy Rules.
5. Limitation of Liability. IN NO EVENT SHALL COMPANY'S TOTAL AGGREGATE
LIABILITY TO PRUDENTIAL ARISING FROM OR RELATING TO THIS AMENDMENT EXCEED
[***]*, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR
OTHERWISE; AND COMPANY SHALL NOT BE LIABLE TO PRUDENTIAL FOR ANY INDIRECT,
INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR SPECIAL DAMAGES,
INCLUDING WITHOUT LIMITATION LOST PROFITS OR REVENUE, EVEN IF COMPANY HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6. No Warranties. COMPANY SPECIFICALLY DISCLAIMS ANY AND ALL WARRANTIES OF
ANY KIND WITH REGARD TO ANY SUBJECT MATTER OF THIS AMENDMENT, INCLUDING
WITHOUT LIMITATION ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
FUNCTIONALITY OR MERCHANTABILITY, WHETHER EXPRESS OR IMPLIED.
7. Effect on Services Agreement. Prudential and Company agree that any
failure of Company to achieve any Service Levels under the Services
Agreement or performance of any other obligations under the Services
Agreement shall be excused to the extent such failures are caused by
Company's performance of its obligations under this Amendment.
8. No Third Party Beneficiaries. Nothing in this Amendment is intended to
confer any rights, benefits, remedies, obligations or liabilities on any
third party (including without limitation any employees or agents of
either party) other than the parties or their respective successors and
assigns.
<PAGE>
AMENDMENT NO. 4 TO SERVICES AGREEMENT
HIPAA BUSINESS ASSOCIATE AMENDMENT
Except as amended herein, all terms and conditions of the Services Agreement
between the Parties shall remain in full force and effect in accordance with
such agreement.
Agreed to and Accepted by:
NAME DATE
----------------------------------------------------
The Prudential Insurance Company of America
NAME DATE
----------------------------------------------------
The Administrative Committee on behalf of The Prudential Welfare Benefits Plan,
The Prudential Flexible Benefits Plan, the Prudential Medical Access Plan and
the Prudential Executive Medical Access Plan
NAME DATE
----------------------------------------------------
Exult, Inc