Red Hook Watch - Independent Community Resource

Business Associate Agreement — Village of Red Hook and Marshall+Sterling Employee Benefits, Inc.

Working document, 2025-04-29

MARSHALL +STERLING

Village of Red Hook

Business Associate Agreement

This Agreement is made and entered into this 29th day of April 2025, by and between Village of Red Hook (VORH) and Marshall+Sterling Employee Benefits, Inc (“MSEB”) (collectively, the “Parties”).

VORH has entered into an agreement with MSEB for broker, agent and consulting services; and

MSEB acknowledges that it is a “Business Associate” of VORH as those terms are defined by the Health Insurance Portability and Accountability Act and its implementing regulations (45 C.F.R. Parts 160-164) (“HIPAA”).

In Consideration of the mutual covenants and conditions contained in this Agreement, the parties agree as follows:

  1. Definitions. Capitalized terms in this Agreement and not otherwise defined herein shall have the meanings set forth in HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), which definitions are hereby incorporated by reference.

  2. Obligations and Activities of Marshall+Sterling Employee Benefits.

    • 2.1 MSEB agrees to use or disclose Protected Health Information (“PHI”) received from or on behalf of VORH or created for VORH only as permitted or required by this Agreement, as required by law, or for MSEB internal management and compliance purposes.

    • 2.2 MSEB agrees to develop, implement, maintain and use appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI other than as provided for by this Agreement. The safeguards must reasonably protect PHI from any intentional or unintentional use or disclosure in violation of the Security and Privacy Rules and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Agreement.

    • 2.3 MSEB agrees to comply with the Security and Privacy Rules and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that MSEB creates, receives, maintains, or transmits on VORH’s behalf. MSEB will also implement the technologies and methodologies used to render the electronic PHI that it creates, receives, maintains, or transmits on behalf of VORH unusable, unreadable, or indecipherable to unauthorized individuals as required by the HITECH Act and the Department of Health and Human Services (“HHS”).

    • 2.4 MSEB agrees to mitigate, to the extent practicable, any harmful effect that is known to MSEB of a use or disclosure of PHI by MSEB in violation of the requirements of this Agreement.

Rev 3/21


  • 2.5 MSEB agrees to report to VORH, any use or disclosure of PHI not provided for by this Agreement of which it becomes aware not more than thirty (30) calendar days after MSEB discovers such non-permitted use or disclosure.

  • 2.6 MSEB agrees to report to VORH the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify, or destroy electronic PHI or to interfere with system operations in an information system containing electronic PHI, including pings. Such reports will be provided once per month, on or before the 10th calendar day of such month. MSEB will report to VORH any successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI or any successful interference with system operations in an information system containing electronic PHI, in writing, as soon as feasible.

  • 2.7 MSEB agrees to provide notification to VORH of any potential Breach of Unsecured PHI no later than thirty (30) days after the discovery of such potential Breach by Marshall+Sterling Employee Benefits, unless a delay is allowed under applicable law. Breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. MSEB shall treat a potential Breach as being discovered in accordance with 45 CFR §164.410. The notification shall consist of the following: (i) A brief description of the breach, including the date of the breach and the date of discovery; (ii) Identify the types of PHI that were involved in the breach; (iii) Identify who made the non-permitted use or disclosure and who received it; (iv) Identify what corrective action has been taken; and (v) Provide such other information, including a written report and risk assessment under 45 CFR §164.402, as VORH may request.

  • 2.8 MSEB agrees to ensure that any agent, including a subcontractor, to whom it provides PHI, received from, or created or received by MSEB on behalf of VORH, agrees to the same restrictions and conditions that apply through this Agreement to MSEB with respect to such information. Moreover, MSEB shall ensure that any such agency or subcontractor agrees to implement reasonable and appropriate safeguards to protect the member’s PHI.

  • 2.9 MSEB Inc agrees to provide access, at the written request of VORH, and in the time and manner mutually agreed by the parties or designated by the Secretary, to PHI in a Designated Record Set in MSEB’s custody or control, to VORH or, as directed by VORH, to an Individual or the Individual’s designee, in order to meet the requirements under 45 C.F.R. § 164.524. Effective September 23, 2013, if VORH requests an electronic copy of PHI that is maintained electronically in a Designated Record Set in MSEB’s custody or control, MSEB will provide an electronic copy in the form and format specified by VORH if it is readily producible in such format; if it is not readily producible, MSEB will work with VORH to determine an alternative form and format that enable VORH to meet its electronic access obligations under 45 C.F.R. § 164.524.

  • 2.10 MSEB agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 162.526 at the request of VORH or an Individual, and in the time and manner mutually agreed by the parties or designated by the Secretary.

  • 2.11 MSEB agrees not to receive, directly or indirectly, remuneration in exchange for any PHI of an Individual unless VORH received valid authorization from the Individual or unless an exception under HIPAA or the HITECH Act applies.

  • 2.12 MSEB agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by MSEB on behalf of VORH, available to VORH, or to the Secretary, in a time and manner mutually agreed by the parties or designated by the Secretary, for purposes of the Secretary determining VORH’s compliance with the Security and Privacy Rules.

  • 2.13 MSEB agrees to document such disclosures of PHI and information related to such disclosures as would be required for VORH to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R § 164.528.

  • 2.14 MSEB agrees to provide to VORH or an Individual member, in a time and manner mutually acceptable to the parties, information collected in accordance with this Agreement, to permit VORH to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

  • 2.15 In the event that MSEB transmits or receives any Covered Electronic Transactions on behalf of VORH, it shall comply with all applicable provisions of the Standards for Electronic Transactions Rule to the extent required by law, and shall ensure that any agents that assist MSEB in conducting Covered Electronic Transactions on behalf of VORH agree in writing to comply with the Standards for Electronic Transactions Rule to the extent required by law.

  3. Permitted Uses and Disclosures by MSEB. Except as otherwise limited in this Agreement, MSEB may use or disclose PHI to perform functions, activities, or services for, or on behalf of VORH, provided that such use or disclosure would not violate the Security and Privacy Rules if done by VORH including the minimum necessary requirements thereto.

    • 3.1 Except as otherwise limited in this Agreement, MSEB may use PHI for the proper management and administration of MSEB or to carry out the legal responsibilities of MSEB.

    • 3.2 Except as otherwise limited in this Agreement, MSEB may use or disclose PHI to perform functions, activities or securities for, or on behalf of VORH provided that such use or disclosure would not violate the Security and Privacy Rules if done by VORH, or the minimum necessary policies and procedures of the Covered Entity.

    • 3.3 Except as otherwise limited in this Agreement, MSEB may use PHI to provide administrative services to VORH as permitted by 45 C.F.R § 164.504(e)(2)(i)(A).


  • 3.4 Except as otherwise limited in this Agreement, MSEB may disclose PHI for the proper management and administration of MSEB, provided that disclosures are Required by Law, or MSEB obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies MSEB of any instances of which it is aware in which the confidentiality of the information has been breached.

  • 3.5 Except as otherwise limited in this Agreement, MSEB may use PHI to provide Data Aggregation services to VORH as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

  • 3.6 MSEB may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

  4. Obligations of VORH. Upon request, VORH shall provide MSEB with a copy of its Notice of Privacy Practices and Restrictions:

    • 4.1 VORH shall notify MSEB of any limitations in the Notice of Privacy Practices of VORH in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect MSEB’s use or disclosure of PHI.

    • 4.2 VORH shall notify MSEB of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect MSEB’s use or disclosure of PHI.

    • 4.3 VORH shall notify MSEB of any restriction to the use or disclosure of PHI that VORH has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect MSEB use or disclosure of PHI.

  5. Permissible Requests by VORH. Except as otherwise permitted by this Agreement, VORH shall not request MSEB to use or disclose PHI in any manner that would not be permissible under the Security and Privacy Rules if done by VORH, except that MSEB may use or disclose PHI for Data Aggregation, or management and administrative activities of MSEB as further specified herein this Business Associate Agreement.

  6. Terms and Termination.

    • 6.1 Term. The Term of this Agreement shall be effective upon execution of this Agreement by both parties, and shall terminate when all of the PHI provided by VORH to MSEB, or created or received by MSEB on behalf of VORH, is destroyed or returned to VORH or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.


  • 6.2 Termination for Cause. Upon VORH’s knowledge of a material breach of any provision of this Agreement by MSEB, VORH shall either:

    • 6.2.1. Provide an opportunity for MSEB to cure the breach or end the violation and terminate this Agreement if MSEB does not cure the breach or end the violation within the time specified by VORH;

    • 6.2.2. Immediately terminate this Agreement if MSEB has breached a material term of this Agreement and cure is not possible; or

    • 6.2.3. If neither termination nor cure is feasible, VORH shall report the violation to the Secretary.

6.3 Effect of Termination.

  • 6.3.1. Except as provided in the following paragraph, upon termination of this Agreement, for any reason, MSEB shall return or destroy all PHI received from VORH, or created or received by MSEB on behalf of VORH. This provision shall apply to PHI that is in the possession of subcontractors or agents of MSEB. MSEB shall retain no copies of the PHI.

  • 6.3.2. In the event that MSEB determines that returning or destroying the PHI is infeasible, MSEB shall provide to VORH notification of the conditions that make return or destruction infeasible. MSEB shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as MSEB maintains such PHI.

7. Legal Actions.

  • 7.1 Response to Subpoenas. In the event that MSEB receives a subpoena (or similar notice or request) from any judicial, administrative or other party arising out of or in connection with this Agreement, including, but not limited to, any unauthorized use or disclosure of PHI or any failure in MSEB shall promptly forward a copy of such subpoena to VORH and afford VORH the opportunity to be a part of the decision making with regard to the subpoena including but not limited to responding to the subpoena.

7.2 Indemnity.

  • 7.2.1 MSEB will indemnify and hold harmless VORH and any member affiliate, trustee, officer, director, employee, volunteer or agent from and against any claim, cause of action, liability, damage, cost or expense, including attorneys’ fees and court or proceeding costs, arising out of or in connection with any unauthorized use or disclosure of PHI or any failure in security measures affecting PHI or any other breach of the terms of this Agreement by MSEB or any person or entity under MSEB’s control.

  • 7.2.2. VORH will indemnify and hold harmless MSEB and any MSEB affiliate, trustee, officer, director, employee, volunteer or agent from and against any claim, cause of action, liability, damage, cost or expense, including attorneys’ fees and court or proceeding costs, arising out of or in connection with any unauthorized use or disclosure of PHI or any failure in security measures affecting PHI or any other breach of the terms of this Agreement by VORH or any person or entity under VORH’s control.

7.3 Right to Tender or Undertake Defense.

  • 7.3.1 If VORH is named a party in any judicial, administrative or other proceeding arising out of or in connection with any unauthorized use or disclosure of PHI or any failure in MSEB’s security or privacy measures affecting PHI, electronic PHI, or any other breach of the terms of this Agreement by (1) MSEB, (2) any person or entity under MSEB’s control, or (3) its subcontractors or agents, VORH will have the option at any time either (1) to tender their defense to MSEB, in which case MSEB will provide qualified attorneys to represent VORH’s interests at MSEB’s expense, or (2) undertake their own defense, choosing the attorneys, consultants and other appropriate professionals to represent their interests, in which case MSEB will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants and other professionals.

  • 7.3.2 If MSEB is named a party in any judicial, administrative or other proceeding arising out of or in connection with any unauthorized use or disclosure of PHI or any failure in VORH’s security or privacy measures affecting PHI, electronic PHI, or any other breach of the terms of this Agreement by (1) VORH, (2) any person or entity under VORH’s control, or (3) VORH’s subcontractors or agents, MSEB will have the option at any time either (1) to tender its defense to VORH, in which case VORH will provide qualified attorneys to represent MSEB’s interests at VORH’s expense, or (2) undertake its own defense, choosing the attorneys, consultants and other appropriate professionals to represent its interests, in which case VORH will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants and other professionals.

  • 7.4 Right to Control Resolution. VORH will have the sole right and discretion to settle, compromise or otherwise resolve any and all claims, causes of actions, liabilities or damages against them, notwithstanding that VORH may have tendered their defense to MSEB. Any such resolution shall not relieve MSEB of its obligation to indemnify VORH.

8. General Provisions.


  • 8.1 Regulatory References. A reference in this Agreement to a section in the Security and Privacy Rules means the section as in effect or as amended.

  • 8.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for VORH to comply with the requirements of the Security and Privacy, HIPAA and the HITECH Act.

  • 8.3 Survival. The respective rights and obligations of MSEB under this Agreement shall survive the termination of this Agreement.

  • 8.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit VORH to comply with the Security and Privacy Rules.

  • 8.5 No Third-Parties. Nothing express or implied in this Agreement is intended to confer, nor shall anything in this Agreement confer, upon any person or entity other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.

  • 8.6 Conflicts. To the extent that the law of the state in which VORH does business is more stringent than Federal law regarding privacy issues, the law of such state shall control, unless such state law is preempted by the Federal law.

  • 8.7 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which shall constitute one binding agreement.

The Parties hereto execute this Agreement the date indicated above.

Village of Red Hook

By:

Title:

MSEB

By:

Title: President, MSEB