Services Agreement [Amendment No. 4] - Exult Inc. and Prudential Insurance Co. of America
AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT This HIPAA Business Associate Amendment (the "AMENDMENT"), shall be effective as of April 14, 2003 (the "EFFECTIVE DATE"), shall amend that certain Services Agreement by and between Prudential and Company dated as of January 11, 2002, as amended (the "SERVICES AGREEMENT"), and is entered into by and between The Prudential Insurance Company of America ("PLAN SPONSOR"), with offices at 751 Broad Street, Newark, NJ 07102 and the Administrative Committee on behalf of The Prudential Welfare Benefits Plan, The Prudential Flexible Benefits Plan, the Prudential Medical Access Plan and the Prudential Executive Medical Access Plan ("PLAN ADMINISTRATOR") (together "PRUDENTIAL") and Exult, Inc. ("COMPANY"). Prudential and Company agree that the terms and conditions of this Amendment shall supplement and govern uses and disclosures of Protected Health Information ("PHI") as defined in the federal health Privacy Rules (as defined below), and shall be effective and apply notwithstanding any conflicting provisions of the Services Agreement. Company and Prudential acknowledge the provisions herein are set forth pursuant to the requirements promulgated by the Secretary ("SECRETARY") of the Department of Health & Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191), and promulgated in the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E (the "PRIVACY RULES"). Company and Prudential further acknowledge that (i) Company is, or may be deemed to be, a "Business Associate" of Prudential, as the term is defined under the Privacy Rules, and (ii) The Prudential Welfare Benefits Plan, The Prudential Flexible Benefits Plan, the Prudential Medical Access Plan and the Prudential Executive Medical Access Plan are "Covered Entities" as that term is defined under the Privacy Rules. The terms used in this Amendment, but not otherwise defined, shall have the same meanings as those terms in 45 CFR 160.103 and 164.501 or in the Services Agreement, as applicable. References to the Privacy Rules shall mean as enacted and shall include any later amendments, deletions or revisions. A. OBLIGATIONS OF COMPANY 1. Company shall only use or disclose PHI as set forth in and in accordance with this Amendment or as required by law. Company shall not use or disclose PHI in any manner, for any other purpose, or disclose it to any third party, other than as authorized by this Amendment or as required by law. The term "REQUIRED BY LAW" shall have the same meaning as the term "required by law" in 45 CFR Section 164.501. "PHI" shall have the same meaning as it has in 45 CFR Section 164.501 of the Privacy Rules, limited to the information created or received by Company from or <PAGE> AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT on behalf of Prudential. The PHI subject to this Amendment shall be that pertaining to any "INDIVIDUAL" (as that term is defined in 45 CFR Section 164.501 of the Privacy Rules, and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g)) who has made application to be or is covered under: the Medical, Global Medical, Dental, Global Dental, Vision, or Long Term Care Benefits provided under the Prudential Welfare Benefits Plan; the Health Care Reimbursement Benefits provided under the Prudential Flexible Benefits Plan; the Prudential Medical Access Plan; or the Prudential Executive Medical Access Plan and whose PHI is subject to the Privacy Rules. Company hereby represents that it will make reasonable efforts to limit any PHI it shall require from Prudential to the minimum necessary, as defined in 45 CFR Section 164.502(b), for the Company's stated purposes under the Services Agreement and acknowledges that Prudential shall rely upon such representation with respect to any request for PHI from Company. Company shall not use or disclose PHI in a manner that would violate the requirements of the Privacy Rules if such use or disclosure were made by Prudential. In addition: (a) Company may use or disclose PHI for the proper management and administration of Company, and to carry out the legal responsibilities of Company; provided that: (i) the disclosure is required by law; or (ii) Company obtains reasonable assurance from a third person to whom the PHI is disclosed that such PHI will remain confidential, be used or further disclosed only as required by law or for the reasons it was disclosed to the third person, and the third person notifies Company of any instances of which it is aware in which the confidentiality of the PHI has been breached; (b) Company may use or disclose PHI to provide data aggregation services relating to the "HEALTH CARE OPERATIONS," (as defined in the Privacy Rules) of Prudential if such services are provided for in the applicable arrangements or agreements between Prudential and Company. 2. Company shall not use or further disclose PHI other than as permitted or required by this Amendment or as required by law. 3. Company shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Amendment or as required by law. 4. Company shall report to Prudential any use or disclosure of PHI, not provided for by this Amendment or as required by law, of which Company becomes aware. 5. Company shall ensure that any agents, including any subcontractors, to whom it provides PHI received from, or created or received by the Company on behalf of Prudential agrees to substantially the same restrictions and conditions that apply to it through this Amendment with respect to such PHI. 6. Company shall, at the reasonable request of Prudential make available PHI to Prudential in accordance with Section 164.524 of the Privacy Rules. <PAGE> AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT 7. Company shall make available, at the reasonable request of Prudential, PHI for amendment by Prudential and shall incorporate any amendments to PHI in Company's designated record sets in accordance with Section 164.526 of the Privacy Rules. For all requested amendments under this Section 7, Company shall be entitled to rely entirely on such requests for all matters relating to the accuracy and completeness of such PHI. 8. Company will reasonably assist Prudential in responding to any disclosure request made by a subject of PHI. Accordingly, Company will keep an accounting of all disclosures ("Disclosures") of PHI (the "DISCLOSURE ACCOUNTING") on an ongoing basis and maintain the Disclosure Accounting for a period of at least six (6) years from the date of each Disclosure. For the purposes of this Amendment, Disclosures shall not include any disclosure of PHI by Company (i) to carry out treatment, payment and health care operations solely as set forth in 45 CFR Section 164.506; (ii) pursuant to an instruction from Prudential as approved by an authorization received from a subject of PHI; (iii) directly to the subject of the PHI; or (iv) that occurred prior to the April 14, 2003. At a minimum, the Disclosure Accounting shall contain (w) the date of the Disclosure; (x) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (y) a brief description of the PHI disclosed; and (z) a brief statement of the purpose of the Disclosure that reasonably informs the subject of the PHI of the basis for the Disclosure; or in lieu of such statement a copy of the subject's written authorization or request for Disclosure pursuant to the Privacy Rules. Company will provide the Disclosure Accounting to Prudential within forty-five (45) days after receipt of a written request from Prudential. 9. Subject to Company's security requirements, confidentiality obligations and the audit rights set forth in the Services Agreement, Company shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Company on behalf of, Prudential available to Prudential or, at the request of Prudential, to the Secretary for purposes of the Secretary determining Prudential's compliance with the Privacy Rules. 10. Company agrees to use commercially reasonable efforts to mitigate, to the extent practicable, any harmful effect that is known to Company of a use or disclosure of PHI in violation of the requirements of this Amendment. 11. Company's obligations under this Amendment exist and occur solely to the extent required by the Privacy Rules. B. OBLIGATIONS OF PRUDENTIAL 1. Prudential shall provide Company with a copy of the Notice of Privacy Practices Prudential produces in accordance with the Privacy Rules, as well as any changes to such Notice of Privacy Practices. 2. Prudential shall provide Company with any changes in, or revocation of, permission by Individuals to use or disclose PHI, if such changes affect Company's permitted uses or disclosures. <PAGE> AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT 3. Prudential shall notify Company of any restriction to the use or disclosure of PHI Prudential agrees to in accordance with the Privacy Rules. 4. Prudential shall not request Company to use or disclose PHI in any manner that would not be permissible under the Privacy Rules if done by Prudential. 5. Company's obligations under this Amendment are conditioned upon Prudential's satisfactory performance of its obligations hereunder. Any failure of Prudential to perform its obligations hereunder shall excuse Company from performing its obligations hereunder to the extent such performance is hindered or prevented by such failure to perform by Prudential. Prudential and Company agree to discuss in good faith any modifications or changes to the Services provided pursuant to the Services Agreement and the fees paid thereunder that result from any changes in the use or disclosure of PHI. C. TERM AND TERMINATION 1. Term. The term of this Amendment shall be effective as of the Effective Date of this Amendment and shall terminate upon the earlier of: (i) the Privacy Rules are repealed or no longer in effect; (ii) the termination of expiration of the Services Agreement pursuant to its terms; or (ii) all of the PHI provided by Prudential to Company, or created or received by Company on behalf of Prudential, is destroyed or returned to Prudential, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with this Amendment. 2. Termination for Cause. Upon Prudential's knowledge of a material breach of this Amendment by Company, Prudential shall either: (a) terminate this Amendment if Company fails to cure such breach within thirty (30) days after receipt of written notice thereof; or (b) immediately terminate this Amendment if Company has breached a material term of this Amendment and cure is not reasonably possible; or (c) if neither termination nor cure is feasible, Prudential shall report the violation to the Secretary. 3. Effect of Termination. (a) Upon termination of this Amendment for any reason, Company shall return or destroy all PHI received from Prudential, or created or received by Company on behalf of Prudential. This provision shall apply to PHI that is in the possession of subcontractors or agents of Company. Company shall retain no copies of the PHI; (b) in the event that Company determines that returning or destroying the PHI is infeasible, Company shall provide to Prudential notification of the conditions that make return or destruction infeasible. Company shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Company maintains such PHI. <PAGE> AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT D. MISCELLANEOUS. 1. Regulatory References. A reference in this Amendment to a section in the Privacy Rules means the section as in effect or amended. 2. Amendment. The Parties agree to take such reasonable action as is necessary to amend this Amendment from time to time as is necessary for Prudential to comply with the requirements of the Privacy Rules and the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. 3. Survival. The respective rights and obligations of Company under Section C (3) of this Amendment shall survive the termination of this Agreement and/or the other agreements or arrangements. 4. Interpretation. Any ambiguity in this Amendment shall be resolved in favor of a meaning that permits Prudential to comply with the Privacy Rules. 5. Limitation of Liability. IN NO EVENT SHALL COMPANY'S TOTAL AGGREGATE LIABILITY TO PRUDENTIAL ARISING FROM OR RELATING TO THIS AMENDMENT EXCEED [***]*, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR OTHERWISE; AND COMPANY SHALL NOT BE LIABLE TO PRUDENTIAL FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY OR SPECIAL DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS OR REVENUE, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. No Warranties. COMPANY SPECIFICALLY DISCLAIMS ANY AND ALL WARRANTIES OF ANY KIND WITH REGARD TO ANY SUBJECT MATTER OF THIS AMENDMENT, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, FUNCTIONALITY OR MERCHANTABILITY, WHETHER EXPRESS OR IMPLIED. 7. Effect on Services Agreement. Prudential and Company agree that any failure of Company to achieve any Service Levels under the Services Agreement or performance of any other obligations under the Services Agreement shall be excused to the extent such failures are caused by Company's performance of its obligations under this Amendment. 8. No Third Party Beneficiaries. Nothing in this Amendment is intended to confer any rights, benefits, remedies, obligations or liabilities on any third party (including without limitation any employees or agents of either party) other than the parties or their respective successors and assigns. <PAGE> AMENDMENT NO. 4 TO SERVICES AGREEMENT HIPAA BUSINESS ASSOCIATE AMENDMENT Except as amended herein, all terms and conditions of the Services Agreement between the Parties shall remain in full force and effect in accordance with such agreement. Agreed to and Accepted by: NAME DATE ---------------------------------------------------- The Prudential Insurance Company of America NAME DATE ---------------------------------------------------- The Administrative Committee on behalf of The Prudential Welfare Benefits Plan, The Prudential Flexible Benefits Plan, the Prudential Medical Access Plan and the Prudential Executive Medical Access Plan NAME DATE ---------------------------------------------------- Exult, Inc