01/19/2011 Agreement BOCCBUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ( "Agreement ") is entered into between the Board of
County Commissioners, Monroe County Florida and the Board of Governors of Fire and
Ambulance District 1 (collectively, "Covered Entity and Advanced Data Processing Inc. DBA
ADPI- Intermedix Corporation ( "Business Associate "), effective as of December 1, 2010 (the
"Effective Date ").
WHEREAS, Covered Entity and Business Associate have entered into, or plan to enter
into, an agreement or other documented arrangement (the "Underlying Agreement "), pursuant to
which Business Associate may provide services for Covered Entity that require Business
Associate to access, create and use Protected Health Information ( "PHI ") that is confidential
under state and/or federal law; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, or collected
or created by Business Associate pursuant to the Underlying Agreement, in compliance with the
Health Insurance Portability and Accountability Act of 1996, Public Law 104 -191 ( "HIPAA "),
and the regulations promulgated there under, including, without limitation, the regulations
codified at 45 CFR Parts 160 and 164 ( "HIPAA Regulations "); and the Health Information
Technology for Economic and Clinical Health Act, as incorporated in the American Recovery
and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the
Secretary of the Department of Health and Human Services (the "Secretary ") (the "HITECH
Act "), and other applicable state and federal laws, all as amended from time to time; and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI, which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement, the parties agree as follows:
Definitions
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations of Business Associate
a. Permitted Uses and Disclosures Business Associate shall only Use or
Disclose PHI for the purposes of (i) performing Business Associate's obligations under the
Underlying Agreement and as permitted by this Agreement; or (ii) as permitted or required by
law; or (iii) as otherwise permitted by this Agreement. Further, Business Associate shall not Use
or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations or the
HITECH Act if so used by Covered Entity, except that Business Associate may Use PHI (i) for
the proper management and administration of Business Associate; (ii) to carry out the legal
responsibilities of Business Associate. Business Associate may Disclose PHI for the proper
management and administration of Business Associate, to carry out its legal responsibilities or
for payment purposes as specified in 45 CFR § 164.506 (c)(1) and (3), including but not limited
to Disclosure to a business associate on behalf of a covered entity or health care provider for
payment purposes of such covered entity or health care provider, with the expectation that such
parties will provide reciprocal assistance to Covered Entity, provided that with respect to any
such Disclosure either: (i) the Disclosure is Required by Law; or (ii) for permitted Disclosures
when required by law, Business Associate shall obtain a written agreement from the person to
whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not
use and further disclose such PHI except as Required by Law and for the purpose(s) for which it
was Disclosed by Business Associate to such person, and that such person will notify Business
Associate of any instances of which it is aware in which the confidentiality of the PHI has been
breached.
b. Appropriate afeeuards Business Associate shall implement
administrative, physical, and technical safeguards that (i) reasonably and appropriately protect
the confidentially, integrity, and availability of electronic PHI that it creates, receives, maintains
or transmits on behalf of Covered Entity, and (ii) prevent the Use or Disclosure of PHI other than
as contemplated by the Underlying Agreement and this Agreement.
C. Compliance with Security Provisions Business Associate shall: (i)
implement and maintain administrative safeguards as required by 45 CFR § 164.308, physical
safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 CFR
§ 164.312; (ii) implement and document reasonable and appropriate policies and procedures as
required by 45 CFR § 164.316; and (iii) be in compliance with all requirements of the HITECH
Act related to security and applicable as if Business Associate were a "covered entity," as such
term is defined in HIPAA.
d. Compliance with Privacy Provisions Business Associate shall only Use
and Disclose PHI in compliance with each applicable requirement of 45 CFR § 164.504(e).
Business Associate shall comply with all requirements of the HITECH Act related to privacy and
applicable as if Business Associate were a "covered entity," as such term is defined in HIPAA.
e. Duty to Mitigate Business Associate agrees to mitigate, to the extent
practicable and mandated by law, any harmful effect that is known to Business Associate of a
Use or Disclosure of PHI by Business Associate in violation of the requirements of this
Agreement.
f. Encrvption To facilitate Business Associate's compliance with this
Agreement and to assure adequate data security, Covered Entity agrees that all PHI provided or
transmitted to Business Associate pursuant to the Underlying Agreement shall be provided or
transmitted in a manner which renders such PHI Unusable, Unreadable or Indecipherable to
Unauthorized Individuals, through the use of a technology or methodology specified by the
Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act on the HHS Web
site. Covered Entity acknowledges that failure to do so could contribute to or permit a Breach
requiring patient notification under the HITECH Act and further agrees that Business Associate
shall have no liability for any Breach caused by such failure.
3. Re on rtina.
a. Security Incidents and /or Unauthorized Use or Disclosure Business
Associate shall report to Covered Entity a successful Security Incident or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within a reasonable time of becoming aware of such Security Incident and/or unauthorized Use
or Disclosure (but not later than ten (10) days thereafter), in accordance with the notice
provisions set forth herein. Business Associate shall take (i) prompt action to cure any such
deficiencies as reasonably requested by Covered Entity, and (ii) any action pertaining to such
Security Incident and/or unauthorized Use or Disclosure required by applicable federal and state
laws and regulations. If such successful Security Incident or unauthorized Use or Disclosure
results in a Breach as deemed in the HITECH Act, then Covered Entity shall comply with the
requirements of Section 3.b below.
b. Breach of Unsecured PHI The provisions of this Section 3.b are effective
with respect to the Discovery of a Breach of Unsecured PHI occurring on or after September 23,
2009. With respect to any unauthorized acquisition, access, Use or Disclosure of Covered
Entity's PHI by Business Associate, its agents or subcontractors, Business Associate shall (i)
investigate such unauthorized acquisition, access, Use or Disclosure; (ii) determine whether such
unauthorized acquisition, access, Use or Disclosure constitutes a reportable Breach under the
HITECH Act; and (iii) document and retain its findings under clauses (i) and (ii). If the Business
Associate Discovers that a reportable Breach has occurred, Business Associate shall notify
Covered Entity of such reportable Breach in writing within three (30) days of the date Business
Associate Discovers such Breach. Business Associate shall be deemed to have discovered a
Breach as of the first day that the Breach is either known to Business Associate or any of its
employees, officers or agents, other than the person who committed the Breach, or by exercising
reasonable diligence should have been known to Business Associate or any of its employees,
officers or agents, other than the person who committed the Breach. To the extent the
information is available to Business Associate, Business Associate's written notice shall include
the information required by 45 CFR §164.410. Business Associate shall promptly supplement
the written report with additional information regarding the Breach as it obtains such
information. Business Associate shall cooperate with Covered Entity in meeting the Covered
Entity's obligations under the HITECH Act with respect to such Breach.
4. Business Associate's Agents To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement (the "SubcontrActors Agreement ").
Rights of Individuals.
a. Access to PHI Within ten (10) days of receipt of a request by Covered
Entity, Business Associate shall make PHI maintained in a Designated Record Set available to
Covered Entity or, as directed by Covered Entity, to an individual to enable Covered Entity to
fulfill its obligations under 45 CFR § 164.524. Subject to Section 5.b below, (i) in the event that
any individual requests access to PHI directly from Business Associate in connection with a
routine billing inquiry, Business Associate shall directly respond to such request in compliance
with 45 CFR § 164.524; and (ii) in the event such request appears to be for a purpose other than a
routine billing inquiry, Business Associate shall forward a copy of such request to Covered
Entity and shall fully cooperate with Covered Entity in responding to such request. In either
case, a denial of access to requested PHI shall not be made without the prior written consent of
Covered Entity.
b. Access to Electronic Health Records If Business Associate is deemed to
use or maintain an Electronic Health Record on behalf of Covered Entity with respect to PHI,
then, to the extent an individual has the right to request a copy of the PHI maintained in such
Electronic Health Record pursuant to 45 CFR § 164.524 and makes such a request to Business
Associate, Business Associate shall provide such individual with a copy of the information
contained in such Electronic Health Record in an electronic format and, if the individual so
chooses, transmit such copy directly to an entity or person designated by the individual.
Business Associate may charge a fee to the individual for providing a copy of such information,
but such fee may not exceed the Business Associate's labor costs in responding to the request for
the copy. The provisions of 45 CFR § 164.524, including the exceptions to the requirement to
provide a copy of PHI, shall otherwise apply and Business Associate shall comply therewith as if
Business Associate were the "covered entity," as such term is defined in HIPAA. At Covered
Entity's request, Business Associate shall provide Covered Entity with a copy of an individual's
PHI maintained in an Electronic Health Record in an electronic format and in a time and manner
designated by Covered Entity in order for Covered Entity to comply with 45 CFR § 164.524, as
amended by the HITECH Act.
C. Amendment of PHI Business Associate agrees to make any
amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to
pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time
and manner designated by Covered Entity.
d. Accounting Rights This Section 5.d is subject to Section 5.e below.
Business Associate shall make available to Covered Entity, in response to a request from an
individual, information required for an accounting of disclosures of PHI with respect to the
individual, in accordance with 45 CFR §164.528, incorporating exceptions to such accounting
designated under such regulation. Such accounting is limited to disclosures that were made in the
six (6) years prior to the request and shall not include any disclosures that were made prior to the
compliance date of the HIPAA Regulations. Business Associate shall provide such information
as is necessary to provide an accounting within ten (10) days of Covered Entity's request. Such
accounting must be provided without cost to the individual or to Covered Entity if it is the first
accounting requested by an individual within any twelve (12) month period; however, a
reasonable, cost -based fee may be charged for subsequent accountings if Business Associate
informs the Covered Entity and the Covered Entity informs the individual in advance of the fee,
and the individual is afforded an opportunity to withdraw or modify the request. Such accounting
obligations shall survive termination of this Agreement and shall continue as long as Business
Associate maintains PHI.
e. Accounting of Disclosures of Electronic Health Records The provisions
of this Section 5.e shall be effective on the date specified in the HITECH Act. If Business
Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity,
then, in addition to complying with the requirements set forth in Section 5.d above, Business
Associate shall maintain an accounting of any Disclosures made through such Electronic Health
Record for Treatment, Payment and Health Care Operations, as applicable. Such accounting
shall comply with the requirements of the HITECH Act. Upon request by Covered Entity,
Business Associate shall provide such accounting to Covered Entity in the time and manner
specified by Covered Entity and in compliance with the HITECH Act. Alternatively, if Covered
Entity responds to an individual's request for an accounting of Disclosures made through an
Electronic Health Record by providing the requesting individual with a list of all business
associates acting on behalf of Covered Entity, then Business Associate shall provide such
accounting directly to the requesting individual in the time and manner specified by the HITECH
Act.
f. Agreement to Restrict Disclosure If Covered Entity is required to comply
with a restriction on the Disclosure of PHI pursuant to Section 13405 of the HITECH Act, then
Covered Entity shall, to the extent necessary to comply with such restriction, provide written
notice to Business Associate of the name of the individual requesting the restriction and the PHI
affected thereby. Business Associate shall, upon receipt of such notification, not Disclose the
identified PHI to any health plan for the purposes of carrying out Payment or Health Care
Operations, except as otherwise required by law. Covered Entity shall also notify Business
Associate of any other restriction to the Use or Disclosure of PHI that Covered Entity has agreed
to in accordance with 45 CFR § 164.522.
6. Remuneration and Marketing.
a. Limitations on Use of PHI for Marketing P urmoses Business Associate
shall not Use or Disclose PHI for the purpose of making a communication about a product or
service that encourages recipients of the communication to purchase or use the product or
service, unless such communication: (1) complies with the requirements of subparagraph (i), (ii)
or (iii) of paragraph (1) of the definition of marketing contained in 45 CFR § 164.501, and (2)
complies with the requirements of subparagraphs (A), (B) or (C) of Section 13406(a)(2) of the
HITECH Act, and implementing regulations or guidance that may be issued or amended from
time to time. Covered Entity agrees to assist Business Associate in determining if the foregoing
requirements are met with respect to any such marketing communication.
7. Governmental Access to Records Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance with the HIPAA Regulations and the
HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify
Covered Entity of all requests served upon Business Associate for information or documentation
by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of
any PHI that Business Associate provides to the Secretary concurrently with providing such PHI
to the Secretary.
8. Minimum Necessary To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use, Disclosure or request, respectively.
Effective on the date the Secretary issues guidance on what constitutes "minimum necessary" for
purposes of the HIPAA Regulations, Business Associate shall limit its Use, Disclosure or request
of PHI to only the minimum necessary as set forth in such guidance.
9. State Privacv Laws Business Associate shall comply with state laws to extent
that. such state privacy laws are not preempted by HIPAA or the HITECH Act.
10. Termination
a. Breach by Business Associate If Covered Entity knows of a pattern of
activity or practice of Business Associate that constitutes a material breach or violation of
Business Associate's obligations under this Agreement, then Covered Entity shall promptly
notify Business Associate. With respect to such breach or violation, Covered Entity shall (i) take
reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are
either not possible or are unsuccessful, upon written notice to Business Associate, terminate its
relationship with Business Associate; or (iii) if such termination is not feasible, report the
Business Associate's breach or violation to the Secretary.
b. Breach by Covered Entity If Business Associate knows of a pattern of
activity or practice of Covered Entity that constitutes a material breach or violation of Covered
Entity's obligations under this Agreement, then Business Associate shall promptly notify
Covered Entity. With respect to such breach or violation, Business Associate shall (i) take
reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are
either not possible or are unsuccessful, upon written notice to Covered Entity, terminate its
relationship with Covered Entity; or (iii) if such termination is not feasible, report the Covered
Entity's breach or violation to the Secretary.
C. Effect of Termination Upon termination of this Agreement for any
reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity,
that Business Associate or its agents or subcontractors still maintain in any form, and shall retain
no copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI
shall be returned in a mutually agreed upon format and timeframe. If Business Associate
reasonably determines that return or destruction is not feasible, Business Associate shall continue
to extend the protections of this Agreement to such PHI, and limit further uses and disclosures of
such PHI to those purposes that make the return or destruction of such PHI not feasible. If
Business Associate is asked to destroy the PHI, Business Associate shall destroy PHI in a
manner that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals
as specified in the HITECH Act.
11. Amendment The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI. Upon the request of Covered Entity, Business Associate agrees to
promptly enter into negotiation concerning the terms of an amendment to this Agreement
incorporating any such changes.
12. No Third Party Beneficiaries Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than Covered Entity,
Business Associate and their respective successors or assigns, any rights, remedies, obligations,
or liabilities whatsoever.
13. Effect on Underl ing Agreement In the event of any conflict between this
Agreement and the Underlying Agreement, the terms of this Agreement shall control.
14. Survival The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
15. Interpretation This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
16. Governing Law This Agreement shall be construed in accordance with the laws
of the State of Florida.
17. Notices All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time, by written notice to the other. All such notices shall be deemed validly given
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: Monroe County Board of County C ommissioners
Monroe Coun1y Board of Governors
490 63 Street Ocean
Marathon, F133050
Attn: Camille Dubroff
Telephone no: 305- 289 -6010
Facsimile no: 305- 289 -6013
If to Business Associate: Advanced Data Processing Inc,
DBA ADPI- Intermedix Corporation
6451 N. Federal Highway, Suite 1002
Ft. Lauderdale, F133308
Attn: Joe McCloskey, Vice President, Compliance Officer
Telephone no: 954- 308 -8714
Facsimile no: 305 -521 -0785
S WHEREOF, the parties hereto have duly executed this as of the Effective
L. KOLHAGE, CLERK
Clerk
BOARD OF COUNTY COMMISSIONERS
OF
MONROE COUN , FLORIDA
By:
ay r
BOARD OF GOVERNORS OF
FIRE AND AMBULANCE DIST R CT 1,
OF MONRO O
By: _
Mayor /Chairman
MON OE COUNTY AT OR EY
A PI30V AS O O
YNTHIA L. HALL
ASSISTANT COUNTY ATTORNEY
Date_ 12- 91 0-
Advanced Data Processing, Inc.
(DBA PI -Irate ned' c Co ratio
Print Name and Title
Date:
Approved by MONROE COUNTY on Tah� ar , 2011, Item #
x
G 1p
o
a
Y I
CO