Loading...
01/19/2011 Agreement BOG1 BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( "Agreement ") is entered into between the Board of County Commissioners, Monroe County, Florida and the Board of Governors of Fire and Ambulance District 1 (collectively, "Covered Entity ") and Advanced Data Processing Inc. DBA ADPI- Intermedix Corporation ( "Business Associate "), effective as of December 1, 2010 (the "Effective Date "). WHEREAS, Covered Entity and Business Associate have entered into, or plan to enter into, an agreement or other documented arrangement (the "Underlying Agreement "), pursuant to which Business Associate may provide services for Covered Entity that require Business Associate to access, create and use Protected Health Information ( "PHI ") that is confidential under state and/or federal law; and WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed by Covered Entity to Business Associate, or collected or created by Business Associate pursuant to the Underlying Agreement, in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104 -191 ( "HIPAA "), and the regulations promulgated there under, including, without limitation, the regulations codified at 45 CFR Parts 160 and 164 ( "HIPAA Regulations "); and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of the Department of Health and Human Services (the "Secretary ") (the "HITECH Act "), and other applicable state and federal laws, all as amended from time to time; and WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement with Business Associate meeting certain requirements with respect to the Use and Disclosure of PHI, which are met by this Agreement. NOW, THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement, the parties agree as follows: 1. Definitions Capitalized terms used herein without definition shall have the meanings ascribed to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined herein. 2. Obligations of Business Associate a. Permitted Uses and Disclosures Business Associate shall only Use or Disclose PHI for the purposes of (i) performing Business Associate's obligations under the Underlying Agreement and as permitted by this Agreement; or (ii) as permitted or required by law; or (iii) as otherwise permitted by this Agreement. Further, Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations or the HITECH Act if so used by Covered Entity, except that Business Associate may Use PHI (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate. Business Associate may Disclose PHI for the proper management and administration of Business Associate, to carry out its legal responsibilities or for payment purposes as specified in 45 CFR § 164.506 (c)(1) and (3), including but not limited to Disclosure to a business associate on behalf of a covered entity or health care provider for payment purposes of such covered entity or health care provider, with the expectation that such parties will provide reciprocal assistance to Covered Entity, provided that with respect to any such Disclosure either: (i) the Disclosure is Required by Law; or (ii) for permitted Disclosures when required by law, Business Associate shall obtain a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not use and further disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. b. Appropriate safeguards Business Associate shall implement administrative, physical, and technical safeguards that (i) reasonably and appropriately protect the confidentially, integrity, and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity, and (ii) prevent the Use or Disclosure of PHI other than as contemplated by the Underlying Agreement and this Agreement. C. Compliance with Security Provisions Business Associate shall: (i) implement and maintain administrative safeguards as required by 45 CFR § 164.308, physical safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 CFR § 164.312; (ii) implement and document reasonable and appropriate policies and procedures as required by 45 CFR § 164.316; and (iii) be in compliance with all requirements of the HITECH Act related to security and applicable as if Business Associate were a "covered entity," as such term is defined in HIPAA. d. Compliance with Privacy Provisions Business Associate shall only Use and Disclose PHI in compliance with each applicable requirement of 45 CFR § 164.504(e). Business Associate shall comply with all requirements of the HITECH Act related to privacy and applicable as if Business Associate were a "covered entity," as such term is defined in HIPAA. e. Duty to Mitigate Business Associate agrees to mitigate, to the extent practicable and mandated by law, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement. f. nc ion. To facilitate Business Associate's compliance with this Agreement and to assure adequate data security, Covered Entity agrees that all PHI provided or transmitted to Business Associate pursuant to the Underlying Agreement shall be provided or transmitted in a manner which renders such PHI Unusable, Unreadable or Indecipherable to Unauthorized Individuals, through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act on the HHS Web site. Covered Entity acknowledges that failure to do so could contribute to or permit a Breach requiring patient notification under the HITECH Act and further agrees that Business Associate shall have no liability for any Breach caused by such failure. 3. Reporting a. Security Incidents and/or Unauthorized Use or Disclosure Business Associate shall report to Covered Entity a successful Security Incident or any Use and/or Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law within a reasonable time of becoming aware of such Security Incident and/or unauthorized Use or Disclosure (but not later than ten (10) days thereafter), in accordance with the notice provisions set forth herein. Business Associate shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or Disclosure required by applicable federal and state laws and regulations. If such successful Security Incident or unauthorized Use or Disclosure results in a Breach as deemed in the HITECH Act, then Covered Entity shall comply with the requirements of Section 3.b below. b. Breach of Unsecured PHI The provisions of this Section 3.b are effective with respect to the Discovery of a Breach of Unsecured PHI occurring on or after September 23, 2009. With respect to any unauthorized acquisition, access, Use or Disclosure of Covered Entity's PHI by Business Associate, its agents or subcontractors, Business Associate shall (i) investigate such unauthorized acquisition, access, Use or Disclosure; (ii) determine whether such unauthorized acquisition, access, Use or Disclosure constitutes a reportable Breach under the HITECH Act; and (iii) document and retain its findings under clauses (i) and (ii). If the Business Associate Discovers that a reportable Breach has occurred, Business Associate shall notify Covered Entity of such reportable Breach in writing within three (30) days of the date Business Associate Discovers such Breach. Business Associate shall be deemed to have discovered a Breach as of the first day that the Breach is either known to Business Associate or any of its employees, officers or agents, other than the person who committed the Breach, or by exercising reasonable diligence should have been known to Business Associate or any of its employees, officers or agents, other than the person who committed the Breach. To the extent the information is available to Business Associate, Business Associate's written notice shall include the information required by 45 CFR §164.410. Business Associate shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Business Associate shall cooperate with Covered Entity in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach. 4. Business Associate's Age To the extent that Business Associate uses one or more subcontractors or agents to provide services under the Underlying Agreement, and such subcontractors or agents receive or have access to PHI, Business Associate shall sign an agreement with such subcontractors or agents containing substantially the same provisions as this Agreement (the "Subcontractors Agreement"). Rights of Individuals. a. Access to PHI Within ten (10) days of receipt of a request by Covered Entity, Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity or, as directed by Covered Entity, to an individual to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524. Subject to Section 5.b below, (i) in the event that any individual requests access to PHI directly from Business Associate in connection with a routine billing inquiry, Business Associate shall directly respond to such request in compliance with 45 CFR § 164.524; and (ii) in the event such request appears to be for a purpose other than a routine billing inquiry, Business Associate shall forward a copy of such request to Covered Entity and shall fully cooperate with Covered Entity in responding to such request. In either case, a denial of access to requested PHI shall not be made without the prior written consent of Covered Entity. b. Access to Electronic Health Records If Business Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity with respect to PHI, then, to the extent an individual has the right to request a copy of the PHI maintained in such Electronic Health Record pursuant to 45 CFR § 164.524 and makes such a request to Business Associate, Business Associate shall provide such individual with a copy of the information contained in such Electronic Health Record in an electronic format and, if the individual so chooses, transmit such copy directly to an entity or person designated by the individual. Business Associate may charge a fee to the individual for providing a copy of such information, but such fee may not exceed the Business Associate's labor costs in responding to the request for the copy. The provisions of 45 CFR § 164.524, including the exceptions to the requirement to provide a copy of PHI, shall otherwise apply and Business Associate shall comply therewith as if Business Associate were the "covered entity," as such term is defined in HIPAA. At Covered Entity's request, Business Associate shall provide Covered Entity with a copy of an individual's PHI maintained in an Electronic Health Record in an electronic format and in a time and manner designated by Covered Entity in order for Covered Entity to comply with 45 CFR § 164.524, as amended by the HITECH Act. C. Amendment of PHI Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. d. Accounting Rights This Section 5.d is subject to Section 5.e below. Business Associate shall make available to Covered Entity, in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 CFR §164.528, incorporating exceptions to such accounting designated under such regulation. Such accounting is limited to disclosures that were made in the six (6) years prior to the request and shall not include any disclosures that were made prior to the compliance date of the HIPAA Regulations. Business Associate shall provide such information as is necessary to provide an accounting within ten (10) days of Covered Entity's request. Such accounting must be provided without cost to the individual or to Covered Entity if it is the first accounting requested by an individual within any twelve (12) month period; however, a reasonable, cost -based fee may be charged for subsequent accountings if Business Associate informs the Covered Entity and the Covered Entity informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI. e. Accounting of Disclosures of Electronic Health Records The provisions of this Section 5.e shall be effective on the date specified in the HITECH Act. If Business Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity, then, in addition to complying with the requirements set forth in Section 5.d above, Business Associate shall maintain an accounting of any Disclosures made through such Electronic Health Record for Treatment, Payment and Health Care Operations, as applicable. Such accounting shall comply with the requirements of the HITECH Act. Upon request by Covered Entity, Business Associate shall provide such accounting to Covered Entity in the time and manner specified by Covered Entity and in compliance with the HITECH Act. Alternatively, if Covered Entity responds to an individual's request for an accounting of Disclosures made through an Electronic Health Record by providing the requesting individual with a list of all business associates acting on behalf of Covered Entity, then Business Associate shall provide such accounting directly to the requesting individual in the time and manner specified by the HITECH Act. f. Aereement to Restrict Disclosure If Covered Entity is required to comply with a restriction on the Disclosure of PHI pursuant to Section 13405 of the HITECH Act, then Covered Entity shall, to the extent necessary to comply with such restriction, provide written notice to Business Associate of the name of the individual requesting the restriction and the PHI affected thereby. Business Associate shall, upon receipt of such notification, not Disclose the identified PHI to any health plan for the purposes of carrying out Payment or Health Care Operations, except as otherwise required by law. Covered Entity shall also notify Business Associate of any other restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522. 6. Remuneration and Marketine. a. Limitations on Use of PHI for Marketine Purposes Business Associate shall not Use or Disclose PHI for the purpose of making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless such communication: (1) complies with the requirements of subparagraph (i), (ii) or (iii) of paragraph (1) of the definition of marketing contained in 45 CFR § 164.501, and (2) complies with the requirements of subparagraphs (A), (B) or (C) of Section 13406(a)(2) of the HITECH Act, and implementing regulations or guidance that may be issued or amended from time to time. Covered Entity agrees to assist Business Associate in determining if the foregoing requirements are met with respect to any such marketing communication. 7. Governmental Access to Records Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary. 8. Minimum Necessary To the extent required by the HITECH Act, Business Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed, to the minimum necessary to accomplish the intended Use, Disclosure or request, respectively. Effective on the date the Secretary issues guidance on what constitutes "minimum necessary" for purposes of the HIPAA Regulations, Business Associate shall limit its Use, Disclosure or request of PHI to only the minimum necessary as set forth in such guidance. 9. State Privacy Laws Business Associate shall comply with state laws to extent that. such state privacy laws are not preempted by HIPAA or the HITECH Act. 10. Termination a. Breach by Business Associate If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate's obligations under this Agreement, then Covered Entity shall promptly notify Business Associate. With respect to such breach or violation, Covered Entity shall (i) take reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are either not possible or are unsuccessful, upon written notice to Business Associate, terminate its relationship with Business Associate; or (iii) if such termination is not feasible, report the Business Associate's breach or violation to the Secretary. b. Breach by Covered Entity If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity's obligations under this Agreement, then Business Associate shall promptly notify Covered Entity. With respect to such breach or violation, Business Associate shall (i) take reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are either not possible or are unsuccessful, upon written notice to Covered Entity, terminate its relationship with Covered Entity, or (iii) if such termination is not feasible, report the Covered Entity's breach or violation to the Secretary. C. Effect of Termination Upon termination of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity, that Business Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI shall be returned in a mutually agreed upon format and timeframe. If Business Associate reasonably determines that return or destruction is not feasible, Business Associate shall continue to extend the protections of this Agreement to such PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of such PHI not feasible. If Business Associate is asked to destroy the PHI, Business Associate shall destroy PHI in a manner that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals as specified in the HITECH Act. 11. Amendment The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement any new or modified standards or requirements of HIPAA, the HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or confidentially of PHI. Upon the request of Covered Entity, Business Associate agrees to promptly enter into negotiation concerning the terms of an amendment to this Agreement incorporating any such changes. 12. No Third Party Beneficiaries Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. 13. Effect on Underlying_Agreement In the event of any conflict between this Agreement and the Underlying Agreement, the terms of this Agreement shall control. 14. Survival The provisions of this Agreement shall survive the termination or expiration of the Underlying Agreement. 15. Interpretation This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with such laws. 16. Governing Law This Agreement shall be construed in accordance with the laws of the State of Florida. 17. Notices All notices required or permitted under this Agreement shall be in writing and sent to the other party as directed below or as otherwise directed by either party, from time to time, by written notice to the other. All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or personal or courier delivery: If to Covered Entity: Monroe County Board of Count Commissioners Monroe County Board of Governors 490 63` Street Ocean Marathon, Fl 33050 Attn: Camille Dubroff Telephone no: 305- 289 -6010 Facsimile no: 305- 289 -6013 If to Business Associate: Advanced Data Processing Inc, DBA ADPI- Intermedix Corporation 6451 N. Federal Highway, Suite 1002 Ft. Lauderdale, F133308 Attn: Joe McCloskey, Vice President, Compliance Officer Telephone no: 954- 308 -8714 Facsimile no: 305 -521 -0785 WHEREOF, the parties hereto have duly executed this as of the Effective It i1 ATT ,L. KOLHAGE, CLERK M Clerk BOARD OF COUNTY COMMISSIONERS OF MONROE COUNTY, FLORIDA By: ay r BOARD OF GOVERNORS OF FIRE AND AMBULANCE DISTRICT 1, OF MONRO , ORI B y : Mayor /Chairman MONROE COUNTY ATTORNEY �RV RM: CYNTHIA L. HALL ASST TANT OUNTY /A TTORNEY !date_._ /& R1 R010 Advanced Data Processing, Inc. (DBA I-Inte yanedix Co ratio ) G-; l Si �e Print Name and Title Date: / L /o N --1 © O Approved by MONROE COUNTY on 30,ua q , 2011, Item # r-n C) �' E p O