This Electronic Trading Partner Agreement (“Agreement”) is made as of the day of , 200 (“Effective Date”), by and between Blue Cross & Blue Shield of Rhode Island (“Company”), and
(“Trading Partner”) (each, a “Party” and, collectively, the “Parties”).
WHEREAS, both Parties are entering into this Agreement to facilitate, through transmission via electronic formats consistent with or otherwise compliant with the HIPAA Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162, as may be amended or modified from time to time (the “HIPAA Transactions Regulations”), the submission and receipt of electronic transactions specified in the HIPAA Transactions Regulations,
NOW, THEREFORE, in consideration for the mutual promises herein, the Parties agree as follows:
I. TERM AND TERMINATION
1.1 Term of Agreement. This Agreement shall remain in effect for an initial period of one (1) year from the Effective Date, and shall automatically renew for successive periods of one (1) year unless terminated pursuant to Section 1.2 (“Voluntary Termination”) or Section 1.3 (“Termination for Cause”).
1.2 Voluntary Termination. Either Party may terminate this Agreement on thirty-one (31) days prior written notice to the other Party.
1.3 Termination for Cause. Either Party may terminate this Agreement upon thirty-one (31) days prior written notice to the other Party upon the default by the other Party of any material obligation of this Agreement, provided that the written notice sets forth the default with reasonable specificity and the default is incurable or, being capable of cure, has not been cured within the thirty-one (31) day period after receipt of the written notice.
II. OBLIGATIONS OF THE PARTIES
2.1 Mutual Obligations. The mutual obligations of Company and Trading Partner shall include the following:
(a) EDI Data Transmission Accuracy. The Parties shall take reasonable care to ensure that Data Transmissions are timely, complete, accurate and secure. Each Party shall take reasonable precautions to prevent unauthorized access to the other Party’s Operating System, Data Transmissions or the contents of an Envelope (defined as “a control structure in a format mutually agreeable to Company and Trading Partner for the electronic interchange of one or more encoded Data Transmissions between Company and Trading Partner”) transmitted to or from either Party.
(b) Testing and Certification. Prior to the initial Data Transmission, each Party shall test, at its own expense, and cooperate with the other Party in testing each Party’s Data Transmission process to ensure the accuracy, timeliness, completeness and security (confidentiality and integrity) of the Data Transmission process. Upon completion of such testing, each Party shall provide the other Party with evidence that such Party has successfully tested compliance of the Data Transmission process with the HIPAA Transactions Regulations.
(c) Data and Data Transmission Security. Company and Trading Partner shall maintain security mechanisms reasonably sufficient to protect their own Operating Systems, including any Data maintained on such systems and any Data Transmissions between them, as more fully set forth in Section 3.1 (“Security”) below.
(d) Security Access Codes. The Security Access Codes that Company issues to Trading Partner shall, when affixed to Data Transmissions, be sufficient to verify the identity of the transmitter and to authenticate the
Data Transmission, thereby establishing the Data Transmission’s validity. Data Transmissions having a Security Access Code affixed to them shall be deemed to have been “written” or “signed” by the sender. Computer printouts of the information contained in such Data Transmissions and documents that have been electronically or magnetically recorded and kept in the normal course of the sender’s or receiver’s business shall be considered original business records admissible in any judicial, arbitration, mediation or administrative proceeding to the same extent and under the same conditions as other business records originated and maintained in documentary form.
(e) System Operations. Each Party, at its own expense, shall provide and maintain the software, equipment, communication lines, services, and testing necessary to meet minimum system requirements, to effectively and reliably conduct Data Transmissions, and to effectively use the Data received from the other Party. In the event that either Party implements a change in system environment, each Party shall (i) give the other Party at least ninety (90) days notice of any such change that will effect the ability to conduct Data Transmissions, and (ii) cooperate to conduct such further testing as may be reasonably necessary, and subsequent to such further testing, each Party shall communicate its approval to re-commence the Data Transmissions.
(f) Compliance with HIPAA Transaction Regulations. Each Party shall, and shall cause its applicable subcontractors and agents to, comply with the applicable requirements of the HIPAA Transactions Regulations. With respect to each Data Transmission, each Party agrees that, in accordance with 45 C.F.R. § 162.915, it shall not (i) change the definition, data condition, or use of a data element or segment in a standard adopted by the HIPAA Transactions Regulations; (ii) add any data elements or segments to the maximum defined data set as proscribed in the HIPAA Transactions Regulations; (iii) use any code or data elements that are either marked “not used” or are not in a standard’s implementation specification pursuant to the HIPAA Transactions Regulations; or (iv) change the meaning or intent of any of the HIPAA Transactions Regulations’ implementation specifications.
(g) Compliance with HIPAA Implementation Guides. The American National Standards Institute has developed implementation specifications for each of the electronic transactions contemplated under the HIPAA Transactions Regulations (the “HIPAA Implementation Guides”), which specify certain standards for data exchanged between parties using electronic media. Both Parties shall conduct the Data Transmissions in accordance with the specifications set forth in the applicable HIPAA Implementation Guides. [NOTE: To the extent that BCBSRI has created any companion guides to serve as supplements to the HIPAA Implementation Guides, this provision should be extended to require compliance with the companion guides as well, providing that such guides do not require any action that would violate the HIPAA Transactions Regulations.]
2.2 Trading Partner Obligations. Trading Partner shall:
(a) Make commercially reasonable efforts to protect and maintain the confidentiality of Security Access Codes issued to Trading Partner by Company.
(b) Limit disclosure of Security Access Codes to authorized personnel on a need-to-know basis.
(c) (i) If Trading Partner is a health care provider: Each 270(Membership Eligibility)/276(Claims Status)/278 (Preauthorization) submitted to the BCBSRI system by Trading Partner shall be limited to requests for BCBSRI beneficiary data with respect to a patient currently being treated or served by the Trading Partner, or who has contacted the submitter about treatment or service, or for whom Trading Partner has received a referral from a health care provider that has treated or served that patient.
(ii) If a Trading Partner is a health care clearinghouse:
(A) Trading Partner shall not submit a 270/276/278 to the BCBSRI system except as an authorized agent of the health plan or health care provider identified in the 270/276/278 and pursuant to a business associate contract, as required by 45 C.F.R. §§ 164.314(a) and 164.504(e), with the health plan or health care provider.
(B) If Trading Partner submits a 270 to the BCBSRI system which has been prepared by a provider or health plan utilizing its services, Trading Partner shall ensure the entity provides sufficient security measures, including user ID and password, to be able to associate the 270/276/278 with the specific person/submitter from the entity, as applicable, that submitted the 270/276/278.
(iii) If a Trading Partner is a health plan: Each 270/276/278 submitted to the BCBSRI system by Trading Partner shall be limited to requests for BCBSRI beneficiary data with respect to an individual who is a current or previous enrollee of Trading Partner.
(d) Trading Partner shall send Realtime 270/276/278’s in a single threaded fashion to BCBSRI unless approved by authorized BCBSRI personnel. Those Trading Partners sending in Batch mode do not have this restriction.
2.3 Company’s Obligations. Company shall:
Provide Trading Partner with Security Access Codes that shall allow Trading Partner access to Company’s Operating System. The Parties acknowledge and agree that such Security Access Codes are confidential. Company reserves the right to change Security Access Codes at any time and in such manner as Company, in its sole discretion, deems necessary; provided, however, that Company shall timely notify Trading Partner of any changes made to Security Access Codes and timely inform Trading Partner of the new Security Access Codes (if any).
III. CONFIDENTIALITY AND SECURITY
3.1 Security. Each Party shall maintain commercially reasonable security procedures to prevent unauthorized access to and misuse of Data, Data Transmissions, Security Access Codes, Envelope, backup files, source documents or the Party’s Operating System and to ensure, at a minimum, the same level of protection afforded to its paper equivalents and as required to meet any applicable Federal or State regulatory standard, including, but not limited to, the Security Standards for the Protection of Electronic Health Information set forth at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as such may be amended from time to time. Trading Partner shall immediately notify Company of any unauthorized attempt to obtain access to or otherwise tamper with Company’s Data, Data Transmissions with Company, Company’s Security Access Codes, Envelope (to the extent Company’s security might be adversely affected by such unauthorized attempts to gain access to, or tamper with, Envelope), backup files relating to Company’s Data, Company’s source documents or Company’s Operating System.
3.2 Proprietary Information. Trading Partner shall treat Company’s information agreed by the Parties to be proprietary and requiring confidential handling (“Proprietary Information”) obtained or learned in connection with this Agreement as confidential and shall not use Company’s Proprietary Information for Trading Partner’s own commercial benefit or any other purpose not authorized in this Agreement or by Company; provided, however, that nothing in this Agreement is to be construed as preventing Trading Partner from using Company’s Proprietary Information for the purposes of the submission and transmission of, and other activities relating to, health insurance enrollment and eligibility information and claims and payment for medical services and supplies. Trading Partner shall make commercially reasonable efforts to safeguard Company’s Proprietary Information against unauthorized disclosure and use.
3.3 Confidentiality of Individually Identifiable Health Information. Both Parties agree to comply with the Standards for Privacy of Individually Identifiable Health Information set forth at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as such may be amended from time to time (the “Privacy Rule”). Each Party shall take reasonably necessary steps to protect the privacy and confidentiality of individually identifiable health information received from the other Party and shall comply with the Privacy Rule and with any other applicable State or Federal law or regulation governing the privacy and confidentiality of beneficiary’s individually identifiable health information.
4.1 Notices. Any notice pertaining to this Agreement shall be in writing. Notice shall be deemed given when personally delivered to the Party’s authorized representative listed below, or sent by means of a reputable overnight courier or by certified mail, postage prepaid, return receipt requested. A notice sent by overnight courier or by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows:
If to Company: Blue Cross & Blue Shield of Rhode Island
Attn: Director – Information Assurance 000 Xxxxxxxxxxx Xxxxxx
Xxxxxxxxxx, XX 00000
If to Trading Partner:
4.2 Agents and Subcontractors. To the extent that either Party engages an agent or subcontractor to conduct any Data Transmission on its behalf, such Party shall require such agent or subcontractor to conduct such Data Transmission in accordance with the HIPAA Transactions Regulations.
The Parties shall be bound by all the terms, provisions and conditions of this Agreement upon execution of the Agreement by each Party’s authorized representative.
By: Name: Title: Address: City, State, Zip: Contact: Title: Telephone: _( )
COMPANY (Blue Cross & Blue Shield of Rhode Island)
By Name: Title: Address: City, State, Zip: Contact: Title: Telephone: ( )