exhibit c test

Exhibit C

Exhibit C to the CSS Health ADVANCED PRACTICE MANAGEMENT AGREEMENT For CareSource Medicare, Marketplace, or Medicaid MTM Requirements

Requirements

Overview

This clinical pharmacy opportunity requires appropriately licensed pharmacists to provide Comprehensive Medication Reviews (CMRs) and Targeted Medication Reviews (TMRs), based on CMS standards for Medicare Part D. The CMR/TMRs will consist of a patient assessment and medication action plan as outlined in the CSS Health MTM system. The CMR/TMR can be conducted in person, by phone or via videoconference. The pharmacist is required to conduct the outreach required to engage the patient in a CMR/TMR, and document all contact attempts in the CSS Health system.

Reimbursement

Pharmacy agrees payment will be made only for CMRs and TMRs as completed within the CSS Health system. CSS Health will pay pharmacies for CMRs and TMRs completed for any CareSource line of business – Medicare, Marketplace, or Medicaid, as assigned and completed in the tool.
Reimbursement:
  • $75 per completed CMR
  • $12 per completed TMR

Participation Fees: None

I would like to opt into this opportunity
MM slash DD slash YYYY

Business Associate Agreement

This Business Associate Agreement ("BAA"), effective the day of . , is entered into by and between STAR MTM, LLC dba CLINICAL SUPPORT SERVICES., a Delaware New York Corporation, as an Affiliated Covered Entity pursuant to 45 CFR § 164.105(b) ("Covered Entity"), and ("Business Associate") (individually "Party"; collectively "Parties")
RECITALS
  • WHEREAS, the Parties have entered into an agreement entitled ADVANCED PRACTICE MANAGEMENT AGREEMENT, effective as of July 10, 2021, pursuant to which Business Associate will provide certain services in exchange for consideration to Covered Entity ("Services Agreement") and, pursuant to such Services Agreement, Business Associate is considered a “business associate” of Covered Entity, as that term is defined by HIPAA;
  • WHEREAS, the Parties desire to protect the privacy and provide for the security of the PHI pursuant to HIPAA and the HITECH Act (including "the HIPAA Rules" as defined below);
  • WHEREAS, HIPAA and the HITECH Act require the Parties to enter into a contract containing specific requirements pertaining to Business Associate's use and disclosure of PHI received from, or created, received, maintained, or transmitted on behalf of, Covered Entity;
  • WHEREAS, the Parties enter into this BAA for the intended purpose of satisfying the requirements of HIPAA and the HITECH Act, including the requirements for business associate agreements, which shall addend and supplement the Services Agreement and shall supersede any conflicting or inconsistent terms and provisions of the Services Agreement subject to HIPAA and the HITECH Act, including any exhibits or other attachments thereto and all documents incorporated therein by reference;
  • NOW THEREFORE, for and in consideration of the recitals above, the Parties’ respective obligations under the Services Agreement, compliance with HIPAA and the HITECH Act, the mutual covenants and conditions below, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties enter into this BAA and agree as follows:

SECTION 1 - DEFINITIONS

Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in HIPAA or the HITECH Act.

  1. Breach Notification Requirements. "Breach Notification Requirements" means the requirements of 42 USC §17932 and the rules issued thereunder, including 45 CFR Part 164, Subpart D.
  2. Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR § 160.103 and, in reference to the Party to this BAA, shall mean and the subcontractors, agents, and person(s) or entity(ies) under Business Associate's control.
  3. Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR § 160.103, and in reference to the Party to this BAA, shall mean STAR MTM LLC DBA CLINICAL SUPPORT SERVICES, INC., operating as an affiliated covered entity for purposes of compliance with HIPAA and the HITECH Act, pursuant to 45 CFR § 164.1 05(b).
  4. Electronic Protected Health Information (E-PHI). "Electronic Protected Health Information" shall mean information that is a subset of "protected health information," as defined in 45 CFR § 160.103, paragraphs 1(i) or 1(ii), limited, for purposes of this BAA, to the information created, received, maintained or transmitted by Business Associate for, or on behalf of, Covered Entity. The term PHI shall include E-PHI unless specifically differentiated herein.
  5. HIPAA. "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as the same may be amended from time to time, and the rules issued thereunder including, but not limited to, the Privacy, Security, Breach Notification, and Enforcement Rules ("the HIPAA Rules") at 45 CFR Parts 160 and 164.
  6. HITECH Act. "HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 “ARRA"), Pub. L. 111-5, as the same may be amended from time to time, and the rules issued thereunder including, but not limited to, the HIPAA Rules.
  7. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
  8. Protected Health Information ("PHI"). "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR §160.103, limited, for purposes of this BAA, to the information created, received, maintained, or transmitted by Business Associate for, or on behalf of, Covered Entity.
  9. Unsecured Protected Health Information ("Unsecured PHI"). "Unsecured Protected Health Information" shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance issued under section 13402(h)(2) of Pub. L. 111-5.

SECTION 2 - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Prohibition on Unauthorized Use or Disclosure. Business Associate will not use or disclose PHI other than as permitted or required by the Services Agreement, this BAA, HIPAA, the HITECH Act, or as required by law.
  2. Safeguards. Business Associate will implement appropriate administrative, technical, and physical safeguards (including written policies and procedures), consistent with the provisions of 45 CFR §164.530(c), to prevent the use or disclosure of PHI other than as provided for by the Services Agreement, including any intentional or unintentional use or disclosure that violates the provisions of HIPAA or the HITECH Act, and that reasonably and appropriately manage the selection, development, implementation, and maintenance of security measures designed to protect the confidentiality, integrity, and availability of the PHI, as required of covered entities by 45 CFR Part 160 and Part 164, Subpart C.
  3. Documentation of Safeguards. Upon request by Covered Entity, Business Associate will provide to Covered Entity documentation (including a copy of written policies and procedures) demonstrating that Business Associate has implemented the safeguards required by Section 2.2.
  4. Duty to Identify, Mitigate, Document, and Report. With respect to (i) a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA, (ii) a discovered breach of Unsecured PHI, or (iii) a suspected or known security incident (excluding inconsequential incidents that occur on a daily basis such as scans or "pings" that are not allowed past Business Associate's firewalls), Business Associate agrees:
    1. Identify. To identify and appropriately respond to any suspected or known occurrences;
    2. Mitigate. Mitigate, to the extent practicable, any harmful effect known to Business Associate related to the occurrence;
    3. Document. Document the occurrence and its outcome;
    4. Report. Report the occurrence to Covered Entity in writing, as required by 45 CFR §164.410, in either a summary or a detailed report, as appropriate considering the circumstances; and
    5. Additional Requirements. Comply with the additional requirements of Section 4.1 with respect to security incidents or breaches of Unsecured PHI.
  5. Subcontractors and Agents. Business Associate agrees to ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI for the Business Associate on behalf of the Covered Entity agree in writing to the same restrictions and condition that apply to the Business Associate with respect to such information and will implement reasonable and appropriate safeguards to protect it. If Business Associate learns of a pattern of activity or practice of a subcontractor that constitutes a breach or violation of the subcontractor's obligation under the contract or other arrangement with Business Associate, Business Associate must take reasonable steps to secure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. In all events, Business Associate will be liable for the acts and omissions of its subcontractors and agents.
  6. Access and Amendment of PHI. With respect to PHI maintained by Business Associate for, or on behalf of, Covered Entity in a designated record set:
    1. Responsibility. Business Associate is responsible to make available and timely respond to requests to access or amend such PHI, by an Individual or the Individual's designee, and to otherwise take any measures necessary to satisfy Covered Entity's obligations under 45 CFR §§ 164.524 and 164.526.
    2. Limited Delegation of Authority. Covered Entity delegates to Business Associate sole authority to determine on behalf of Covered Entity whether to deny a request for access or amendment of such PHI, provided that this delegation is revocable at will by Covered Entity upon notice to Business Associate.
    3. Production to Covered Entity. Upon request, Business Associate will make the PHI available to Covered Entity for inspection and copying as necessary to enable Covered Entity to fulfill its obligations under the Privacy Rule, including without limitation 45 CFR §§ 164.524 and 164.526.
  7. Accounting of Disclosures.
    1. Disclosure Tracking and Accounting. Business Associate agrees to document certain non-routine disclosures of PHI, any required information related to such disclosures, and otherwise maintain and timely provide to Covered Entity or directly to an Individual, upon request, the information required for an accounting of disclosures in the time and manner required by, and as otherwise necessary to satisfy Covered Entity's obligations under, 45 CFR § 164.528.
    2. Accounting of Disclosures of Electronic Health Records. If and to the extent Business Associate uses or maintains an electronic health record, as that term is defined in Section 13400 of the HITECH Act, that includes PHI, Business Associate shall respond to requests from Individuals for an accounting of disclosures as described, and in the time and manner required by § 13405(c) of the HITECH Act. Business Associate acknowledges that Covered Entity will, in response to a request for an accounting by an Individual, provide a list of business associates with contact information as permitted by §13405(c)(3)(B).
    3. Survival of Accounting Obligation. Business Associate agrees to maintain an accounting of disclosures described in subsection,(a)above for a period of six (6) years after termination of this BAA.
  8. Inspection of Books and Records. Business Associate agrees to make internal practices, books, and records relating to its use and disclosure of PHI pursuant to the Services Agreement or this BAA available to Covered Entity or to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of determining compliance with HIPAA and the HITECH Act.
  9. Compliance with HIPAA Rules. Except as otherwise set forth herein, to the extent that Business Associate is obligated by the Services Agreement to carry out one or more of Covered Entity's obligations under Subparts C, D, or E of 45 CFR §164, Business Associate agrees to comply with the requirements of said Subparts, as applicable to Covered Entity, in the performance of such obligations.
  10. Compliance with Standard Transactions and Code Sets. If Business Associate conducts in whole or part a "transaction", as defined in 45 CFR § 160.103, for or on behalf of Covered Entity, Business Associate will comply, and will require any subcontractor or agent involved with the conduct of such transactions to comply, with each applicable standard, implementation specification, or other requirement as set forth in 45 CPR Parts 160 and 162.
  11. Demands for Production of PHI.
    1. Receipt by Business Associate. If Business Associate receives a 'subpoena, civil or administrative demand, or any other demand for production of PHI ("document demand"), other than an Individual right request, Business Associate shall provide a copy of such demand to Covered Entity within five (5) days of receipt. To the extent the PHI that is the subject of the demand is in the possession of Business Associate and a response is warranted according to the standards contained in 45 CPR § 164.512( e), Business Associate shall timely respond to the document demand.
    2. Receipt by Covered Entity. If Covered Entity receives a subpoena, civil or administrative demand, or any other demand for production of PHI ("document demand"), other than an Individual right request, Business Associate shall provide to Covered Entity any PHI responsive to such demand and shall assist and cooperate with Covered Entity in responding to such document demand in a timely manner and in accordance with the standards under 45 CPR § 164.512(e).

SECTION 3 - PERMITTED USES AND DISCLOSURES

  1. Business Associate Services. As a general rule, the Business Associate may only use or disclose PHI as necessary to perform its obligations and services set forth in the Services Agreement or this BAA, provided that such use or disclosure would not violate HIPAA or the HITECH Act if carried out by Covered Entity, or as required by law.
  2. Minimum Necessary Use and Disclosure. Business Associate shall comply with the minimum necessary standard (45 CPR § 164.502(b)) in its uses and disclosures of, and requests for, PHI and, to the extent practicable, will restrict its uses and disclosures to a Limited Data Set (as that term is defined in 45 CPR § 164.514(e)(2)).
  3. Other Permitted Uses. Business Associate may also, but only as permitted or required by the Services Agreement and if necessary, use or disclose PHI as follows: (i) for the proper management and administration, or to carry out the legal responsibilities, of Business Associate, provided any disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and only used or further disclosed as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) if applicable, for the provision of de-identification or data aggregation services to the Covered Entity under the terms of the Services Agreement and as permitted by 45 CFR §§ 164.514 and 164.504(e)(2)(i)(B).
  4. Pursuant to an Authorization. Business Associate may use or disclose PHI pursuant to a valid authorization by an Individual that satisfies the requirements of 45 CPR § 164.508.

SECTION 4 - BREACH IDENTIFICATION AND NOTIFICATION

  1. Monitoring and Reporting Incidents of Unauthorized Use or Disclosure of Unsecured PHI. Business Associate will take reasonable steps to monitor the unauthorized acquisition, access, use, and disclosure (subsequently referred to as use or disclosure) of Unsecured PHI. In particular, individuals who use or disclose PHI on behalf of Business Associate will be required to report all such unauthorized use or disclosure to Business Associate's Privacy Officer or designated individual.
  2. Determination Whether Unauthorized Use or Disclosure Constitutes Breach. Upon receiving a report of unauthorized use or disclosure, Business Associate will undertake a risk assessment to determine whether the unauthorized use or disclosure constitutes a breach of Unsecured PHI. Business Associate will make and retain records of such determinations, including the basis for determinations that unauthorized uses or disclosures are not breaches of Unsecured PHI.
  3. Notice to Affected Individuals of Breach. If the unauthorized use or disclosure constitutes a breach, Business Associate will notify the Individual(s) whose Unsecured PHI was used or disclosed improperly in accordance with the Breach Notification Requirements via written notice, substitute notice, or notice in urgent situations, as appropriate. Such notification will be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. Business Associate will provide Covered Entity with a copy of the notice it determines is required by this paragraph within a sufficient time prior to its required distribution date for review and approval by Covered Entity, which approval will not be unreasonably withheld.
  4. Notice to Media of Breaches Involving More Than 500 Residents of Same State or Jurisdiction. If a breach involves more than 500 residents of the same State or jurisdiction, Business Associate will notify the media in accordance with the Breach Notification Requirements. Such notification will be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. Business Associate will provide Covered Entity with a copy of the notice it determines is required by this paragraph within a sufficient time prior to its required distribution date for review and approval by Covered Entity, which approval will not be unreasonably withheld.
  5. Notice to Covered Entity of Breaches Involving 500 or More Individuals. If a breach involves 500 or more individuals, Business Associate will notify Covered Entity with all the appropriate information so Covered Entity can notify HHS in the manner specified in the Breach Notification Requirements and on the HHS website. Business Associate will provide such notification without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the breach.
  6. Maintenance of Log and Annual Notice to Covered Entity of Breaches Involving Less than 500 Individuals. Business Associate will maintain a log of breaches involving less than 500 Individuals and, not later than thirty (30) days after the end of each calendar year, notify Covered Entity with all the appropriate information so Covered Entity can notify HHS in the manner specified in the Breach Notification Requirements and on the HHS website.
  7. Delayed Notification. Notwithstanding paragraph (c) or (d) above, if a law enforcement official provides Business Associate with a statement that the notification required under paragraph (c) or (d) above would impede a criminal investigation or cause damage to national security, Business Associate may delay the notification for the period of time set forth in the statement. If the law enforcement official provides an oral statement, Business Associate shall document the statement in writing, including the name of the law enforcement official making the statement, and may delay the notification required under paragraph (c) or (d) for no longer than thirty (30) days from the date of the oral statement, unless the law enforcement official provides a written statement during that time that specifies a different time period. Business Associate shall be obligated to maintain evidence to demonstrate that the required notification under this paragraph was made.
  8. Reimbursement by Business Associate. To the extent Covered Entity incurs expenses and costs in determining whether, and to what extent, the notification requirements apply to a breach of Unsecured PHI by Business Associate or one of its subcontractors or agents and whether, and to what extent, the Business Associate's response to a breach of Unsecured PHI complies with its notification obligations, as required by this Section 4.1, in addition to any other remedies that may be available to Covered Entity, Business Associate will reimburse Covered Entity for any expenses and costs incurred (including attorney’s fees and third party forensic analysis costs) in determining the actions required to comply with the notification obligations under HIPAA and the HITECH Act.

SECTION 5 – TERM AND TERMINATION

  1. Term. The Term of this BAA shall be effective as of the effective date of the Services Agreement and shall terminate when all PHI is returned to Covered Entity or, with prior permission of Covered Entity, destroyed or, if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the termination provisions of this Section 5.
  2. Termination for Cause. Notwithstanding any provision in the Services Agreement, Covered Entity may terminate the Services Agreement and this BAA if Covered Entity determines, in its sole discretion, Business Associate has breached any provision of this BAA or otherwise violated HIPAA or the HITECH Act. Covered Entity shall provide written notice to Business Associate and an opportunity for Business Associate to cure the breach or end the violation within ten (10) business days of such written notice, unless cure is not possible. If Business Associate fails to cure the breach or end the violation within the specified time period or cure is not possible, the Services Agreement and this BAA shall automatically and immediately terminate, unless termination is infeasible. Business Associate acknowledges that, if cure is not possible and termination of the Services Agreement and BAA is infeasible, as determined in the sole discretion of the Covered Entity, Covered Entity shall have the right to report the violation to the Secretary.
  3. Termination after Repeated Violations. Notwithstanding any provision in the Services Agreement, Covered Entity may terminate the Services Agreement and this BAA if Covered Entity determines, in its sole discretion, Business Associate has repeatedly breached any provision of this BAA or otherwise violated HIPAA or the HITECH Act, irrespective of whether, or how promptly, Business Associate may remedy such violation after being notified of the same.
  4. Obligations Upon Termination. Business Associate's obligations to protect the privacy and security of PHI shall be continuous and shall survive termination, cancellation, expiration or other conclusion of this BAA or the Services Agreement. Upon termination of the Services Agreement, Business Associate will forward to Covered Entity, or to Covered Entity's designee, the records necessary for continued administration of Covered Entity. After the forwarding of said records, whatever PHI remains with Business Associate will be subject to the following:
    1. Except as provided in paragraph (b) of this Section 5.4, upon termination, cancellation, expiration, or other conclusion of this BAA or the Services Agreement, for any reason, Business Associate shall return or, if Covered Entity gives written permission, destroy PHI in whatever form or medium and retain no copies of such PHI. Business Associate will complete such return or destruction as soon as possible, but in no event later than sixty (60) days from the date of the termination of the Services Agreement or this BAA. Within ten (10) days of the return or destruction of all PHI by Business Associate, Business Associate shall provide written certification to Covered Entity that the return or destruction of PHI has been completed.
    2. In the event that Business' Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA (and of any additional requirements imposed by subsequent changes to HIPAA or the HITECH Act) to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI.

SECTION 6 - INDEMNIFICATION

  1. Indemnification by Business Associate. Business Associate will indemnify and hold harmless Covered Entity and any affiliate, officer, director, employee or agent of Covered Entity from and against any claim, cause of action, liability, damage, civil monetary penalties, cost or expense, including attorneys' fees and Court or proceeding costs, arising out of, or in connection with, any use or disclosure of PHI that violates or is not permitted by this BAA, HIPAA, or the HITECH Act, or other breach of this BAA by Business Associate or any subcontractor, agent, person, or entity under' Business Associate's control.
  2. Right to Tender or Undertake Defense. If Covered Entity is named a party in any judicial, administrative, or other proceeding arising out of, or in connection with, any non-permitted or violating use or disclosure of PHI or other breach of this BAA by Business Associate or any subcontractor, agent, person, or entity under Business Associate's control, Covered Entity will, have the option at any time either to: (i) tender its defense to Business Associate, in which case Business Associate will provide qualified attorneys, consultants, and other appropriate professionals to represent Covered Entity's interests at Business Associate's expense; or (ii) undertake its own defense, choosing the attorneys, consultants, and other appropriate professionals to represent its interests, in which case Business Associate' will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants, and other professionals.
  3. Right to Control Resolution. Covered Entity will have the sole right and discretion to settle, compromise, or otherwise resolve any and all claims, causes of actions, liabilities, or damages against it, notwithstanding that Covered Entity may have tendered its defense to Business Associate. Any such resolution will not relieve Business Associate of its obligation to indemnify Covered Entity under this BAA.
  4. Insurance. Upon request by Covered Entity, Business Associate shall obtain and maintain insurance coverage against improper uses and, disclosures of PHI by Business Associate, naming Covered Entity as an additional insured. Upon request, Business Associate shall provide a certificate evidencing such insurance coverage.
  5. Conflicts. With respect to any breaches or violation of this BAA, the provisions in this Section 6 supersede any inconsistent terms contained in the Services Agreement

SECTION 7 - MISCELLANEOUS

  1. Regulatory References. A reference in this BAA to a section of HIPAA or the HITECH Act means the section as in effect or as amended and for which compliance is required.
  2. Ownership of PHI. Business Associate acknowledges and agrees that all PHI subject to the terms of the Services Agreement or this BAA shall be owned exclusively by Covered Entity.
  3. Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA, the HITECH Act, or any other applicable law.
  4. Assignment. Neither Party may assign its respective rights and obligations under this BAA without the prior written consent of the other Party, except, to a parent or subsidiary company.
  5. Effect on Services Agreement. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Services Agreement shall remain in full force and effect.
  6. Survival. A change, waiver, or discharge of any liability or obligation under this BAA on any one or more occasions shall not constitute or be deemed, a waiver of performance of any continuing or other obligation or prohibit enforcement of any obligation on any other occasion. In the event that any provision of this BAA is determined by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this BAA will remain in full force and effect. The respective rights and obligations of Business Associate under Sections 2.7, 5, and 6 of this BAA shall survive the termination of this BAA.
  7. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA and the HITECH Act. In the event of an inconsistency between the provisions of this BAA and one or more mandatory provisions of HTPAA or the HITECH Act, the HIPAA or HITECH provisions shall control. Where provisions of this BAA are different than those mandated by HIPAA and the HITECH Act, but are nonetheless permitted, the provisions of this BAA shall control.
  8. Third-Party Beneficiaries. This BAA is intended for the benefit of Business Associate and Covered Entity only. Nothing express or implied is intended to confer or create, nor be interpreted to confer or create, any rights, remedies, obligations, or liabilities to or for any third party.
  9. Status of Business Associate as Independent Contractor. The Parties acknowledge that Business Associate is an independent contractor and not an agent of Covered Entity.
  10. Notification. To the extent notice is required to be provided under any provision in this BAA, notice shall be provided to each respective Party as follows:
    1. Covered Entity:
      STAR MTM, LLC dba CLINICAL SUPPORT SERVICES
      701 Seneca Street, Suite 205
      Buffalo, New York 14210
      Attn: James Notaro
      (716) 541-0273
    2. Business Associate:
Business Associate Address(Required)
IN WITNESS WHEREOF, The Parties have each caused this BAA to be executed by an authorized representative, as of the date first written above.

COVERED ENTITY: STAR MTM dba CLINICAL SUPPORT SERVICES
Name: KIMBERLY MILLER
Title: Director of Compliance and Administration
Date: 7/12/2021

BUSINESS ASSOCIATE:
MM slash DD slash YYYY

Compliance Attestation

I hereby attest that (the “Organization), and all of its downstream entities, if any, that are involved in the provision of health or administrative services for Clinical Support Services:

1.Provide effective Fraud, Waste and Abuse Training and compliance training to all Organization and downstream entity board members, officers, employees, temporary employees and volunteers within ninety (90) calendar days of appointment, hire or contracting, as applicable, and at least annually thereafter as a condition of appointment, employment or contracting. The Organization and its downstream entities currently use (Select all that apply):
Fraud, Waste and Abuse Training
2.Administer specialized compliance training to Organization and downstream entity board members, employees, temporary employees and volunteers: (i) based on their job function within the first ninety (90) days of hire and at least annually thereafter as a condition of appointment, employment or contracting; (ii) when requirements change or (iii) when such personal work in an area previously found to be non-compliant with program requirements or implicated in past misconduct.

3.Have established and publicized compliance policies and procedures, standards of conduct and compliance reference material that meet the requirements outlined in 42 CFR §422.503(b)(4)(vi)(A) and 42 CFR §423.504(b)(4)(vi)(A) which information, and any updates thereto, are distributed to all Organization and downstream entity board members, officers, employees, temporary employees and volunteers within ninety (90) days of appointment, hire or contracting, as applicable, and at least annually thereafter. Evidence of receipt of such compliance by such persons is obtained and retained by the Organization.

4.Review all Organization and downstream entity board members, officers, potential and actual employees, temporary employees and volunteers against the (Health and Human Services (HHS, (Office of Inspector General) OIG List of Excluded Individuals & Entities list, (General Services Administration) SAM List and the (Office of Foreign Assets Control) OFAC Sanctions List Search (hereinafter “Lists”) upon appointment, hire or contracting, as applicable, and monthly thereafter. Further, in the event that the Organization or downstream entity becomes aware that any of the foregoing persons or entities are included on these Lists, the Organization will notify Clinical Support Services, within five (5) calendar days, the relationship with the listed person/entity will be terminated as it relates to Clinical Support Services and appropriate correction action will be taken

5.Screen the Organization and its subcontractors’ governing bodies for conflicts of interest as defined in state and federal law upon hire or contracting and annually thereafter.

6.Will report suspected fraud, waste and abuse, as well as all other forms of non-compliance, as it relates to Clinical Support Services.

7.Understand that a violation of any laws, regulations or Clinical Support Services policies and procedures (if applicable) are grounds for disciplinary action, up to and including termination of Organization’s contractual status.

8.Are aware that persons reporting suspected fraud, waste and abuse and other non-compliance are protected from retaliation and/or retribution under the False Claims Act and other applicable laws prohibiting retaliation and/or retribution.

9.Retain documented evidence of compliance with the above, including training and exclusion screening (i.e. sign-in sheets, certificates, attestations, OIG, SAM, OFAC search results, etc.) for at least ten (10) years and provide such documentation to Clinical Support Services upon request.

10.All Pharmacists completing CMRs have a valid state Pharmacist License.

11.Does not conduct any offshore activities in any country that is not one of the fifty United States or one of the United States Territories. The individual signing below is knowledgeable about and authorized to attest to the foregoing matters on behalf of the Organization.
MM slash DD slash YYYY

Employer Identification Number

Accepted file types: jpg, png, pdf, Max. file size: 64 MB.
Close