Item G2B OARD of GOVERNORS
FIRE AND AMBULANCE DISTRICT I
AGENDA ITEM SUMMARY
Meeting Date: January 1 2011 Division: Emergency Services
Bulk Item: Yes X No Department: Fire Rescue
Staff C ontact Person: Camille Dubr
AGENDA ITEM WORDING: ,Approval of Business Associate Agreement with Advanced Data
Processing Inc. DBA ADPI-- Intermedix Corporation consistent with the standards set forth in
regulations and administrative guidance with respect to the Health Insurance Portability and
Accountability Act of 1 996, Public Law 104-1 HIPAA , including as amended by the Health
Information Technology for Economic and Clinical health Act as set forth in Title XII Division A. and
Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (HITECH Act).
ITEM BACKGROUND: Under the Health Information and Portability and Accountability Act
( HIP AA privacy and security standards, business associates must comply with certain minimum
requirements. Business associates include administrative service providers, producers and other third
parties that provide services to health plans.
The Health Information Tec neology for Economic and Clinical Health Act ITC Act) was signed
into law as part of the American Recover and Reinvestment Act ARRA . The Act requires business
associates to notify covered entities of any breach of unsecured protected health information and
requires compliance with new security privacy and security standards that apply to electronic protected
health information under the HIPAA Security Rule.
P REVIOUS R EVANT BOG ACTION: None
CONTRACT/AGREEMENT CHANGES: G S: Nev Business Associate Agreement.
STAFF RECOMMENDATIONS: The Business Associate Agreement confirms that the contracted
party is in compliance with the newly enacted HIT CH Act and it is therefore recommended that the
B OG approve this item.
TOTAL COST: ILIA INDMECT COST: NIA BUDGETED: Yes No
DIFFERENTIAL of LOCAL PREFERENCE NIA
COST To COUNTY: SOURCE of FUNDS:
REVENUE PRODUCING: UCING: Yes No AMOUNT PER MONTH Year
APPROVED Y: County� OMB/Purchasing OMB/Purchasing Risk Management
D OCUMENTATION: Included X Not Required
D ISPOSITION: AGEN A IT 1
Revised 7
MONROE COUNTY BOARD OF GOVERNORS
OF FIRE AND AMBUALNCE DI STIRJCT 1
CONTRACT SUMMARY
Contract 'wi th. Ad vanced D ata Contract #
Processing Inc, DBA
A P1- Intern edix Corp.
Effective Date:
Expiration D ate:
l:AL
Contract Purposeeseription:
New Business Associate Ag reement with Advanced Data Proce sirs Inc. DBA .DPI:
Intearmedix �o
I Contract Manager: Camille Dubroff 6010
(Name)
for BOCC meeting on 1/19/2011
06/01/201
05/31 /2013 -- - - - --
Emergency Services /stop 14
(Department /Stop #)
.Agenda Deadline: 114120
CONTRACT ACT COSTS
Total Dollar Val ue o Contract; rond collcins Current Year Portion:
4 .00% of air collections and
$ 11.00 per Medicaid Account
Account Codes:
Budgeted? Ye E No F Pine and Ambulance Dist 1: 13001-530- Ground
Fine & Forfeiture: . 11001- 5 30-340 Air
County Match:
Estimated Ongoing Costs: —
(Not included in dollar value above
ADDITIONAL COSTS
/ y r For:
g, maintenance, uti lities, janitorial, salaries, etc.)
CONTRACT REVIEW
Changes Date Out
Date In Needed v r
Division Director �a-w/./ Yes[:] No�
Risk Management ��d� Yes[:] Na[D
O.M.B. /P i�rchasing IZ -Z2 - 10 Yes El No El � �ic���'�� /a 83 i e
Count Attorney �a � I� Yes❑ No[�'
Y Y � _24f
Comments:
B Form .devised 2/27/01 MCP
BU SINESS A SSOCIATE GRE MEN '
This Business Associate Agreement ("Agreement"') is entered into between the Board of
Coup t Comrrmissioners Monroe County, Florida and the Board of Governors of Fire and
Amb Distr _1 lectivel� " ntit and Advanced Data rocessin Inc. DBA
.��. �.
ADPI -Inter edi Corporation "Business Associate""), effective as of December 1, 2010 (the
"'Effective Date ".
WHEREAS, Covered Entity and Business Associate have entered into, or plan to eater
into, an agreement or other documented arrangement (the "Underlying ying Agreement'), pursuant to
which Business Associate may provide services for Covered Entity that require Business
Associate to access, create and use Protected Health Infonnat on ("PHI") I" that is confidential
under state and/or federal law; and
AREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Co v e red Entity t o Business Associate, or collected
or created by Business Associate pursuant to the Underlying Agreement, in compliance with the
Health Insurance Portability and Accountability Act of 1 996, Public Law 104 " AA" ,
and the regulations promulgated there under, including, without limitation, the regulations
codified at 45 CFR farts 160 and 1 " IBAA Regulations and the Health Information - Technology for Economic and Clinical Health Act, as incorporated in the American Recovery
and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the
Secretary of the Department of Health and Human Services (the "'Secretary" (th " IT C
Act'), and other applicable state and federal laws, all as amended from time to time; and
wRS, the HIAA Regulations require Covered Entity to eater in to an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure o
III, which are met by this Agreement.
NOS', THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement, the parties agree as follows:
1. Definitions.'
Capitalized terms used herein without definition shall have the meanings ascribed
to there in the HI A..A Regulations or the HITECH Act, as applicable unless otherwise defined
h erein.
2. Obligations of Business Associate
a. Permitted Uses and Disclosures. Business Associate shall only Use or
Disclose PHI for the purposes of i performing Business Associate's obligations under the
Underlying Agreement and as permitted by this Agreement; or (ii) as permitted or required b
law; or (iii) as otherwise permitted by this Agreement. Further, Business Associate shall not Use
or Disclose PHI in any manner that would constitute a violation of the HI A.A Regulations or the
I' BC I Act if so used by Covered Entity, except that Business Associate may Use PHI i for
the prop ma nagement and administra o Business Associate- ( ii) to carry out th e legal
responsibilities of Business Associate. Business Associate may Disclose PHI for the proper
management an a dministration of Business Associate, t o carry out its l egal responsibilities or
for payment purposes a s specified in 45 C � 164.506 (c)(1) and (3), including but not limited
to Disclosure to a business associate on behalf of a covered entity or health care provider for
payment purposes of such covered entity or health care p rovider, with the expectation that such
parties will provide reciprocal assistance to Covered Entity, provided that with respect to an
such Disclosure either: i the Disclosure is Required by Law; or ( ii) for pern tted Disclosures
when required by law, Business Associate shall obtain a Witten agreement from the person to
whom the is to be Disclosed that such person will hold the PHI in confidence and will not
use and further disclose such PHI except as Required by Law and for the doses for which it
was Disclosed by Business Associate to such person, and that such person ' will notify Business
Associate of any instances of which it is aware in which the confidentiality of the PHI has been
breached.
b. Aip aoriate . . LafegLi ards. Business Associate shall -
E mp
lement
administrative, physical, and tc ui l 'saf eguar ds that i reasonably and app protect
the confidentially, integrity, and availability of electronic PHI that it creates, receives, maintains
or transmits on behalf of Covered ,entity, and (ii) the Use or Disclosure of PHI other than
as contemplated by the Underlying Agreement and this Agreement.
C. Comp liance with Securily Provisions, Business .Associate shall: i - _
hn lement and maintain administrative safeguards as required by 45 CFR § 164.3 phy sical
safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 C FR
164.312; (ii) implement and document reasonable and appropriate policies and procedures as
required by 45 CFR § 164.316; and (iii) be in compliance with all requirements of the III" CH
Act related to security and applicable as if Business Associate w ere a "Acovered entity," as such
teen is deed in HIPAA.
d. Cony liance with Privacy Provisions. Business Associate shall only Use
and Disclose PHI in compliance with each applicable requirement of 45 CFA. § 164.504(e).
Business Associate shall comply with all requirements of the HI TECH Act related to privacy and
applicable as if Business Associate were a "covered entity," as such teen is defined in HIPAA.
e. to Miti ate. Business Associate agrees to miti ate to the extent
practicable and mandated by law, any harmful effect that is known to Business .Associate of a
Use or Disclosure ure of PHI by Business Associate - in violation of the requirements of this
Agreement.
f. EncrYntion To facilitate Business Associate's compliance plianc with this
A greement and to assure adequate data security, Covered Entity agrees that all PHI Provided or
transmitted to Business Associate pursuant to the Underlying Agreement shall be provided or
transmitted min a manner which renders such PHI Unusable, Unreadable or Indecipherable to
Unauthorized Individuals, through the use of a technology or methodology specified by the
Secretary in the guidance issued under section 13402(h)(2) of the HIT ECH Act on the HHS web
site. Covered Entity acknowledges that failure to so could contribute to or permit a breach
requiring patient notification under the HITECH Act and further agrees that Business Associate
shall have no liability for any Breach caused by such failure.
3. Eeporting.
a. Securily Incidents and Unauthori Use or Disclosure. Business
Associate shall report to Covered Entity a successful Security Incident or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or petted by applicable law
within a reasonabl time of becoming aware of such Security Incident and/or unauthorized Use
or Disclosure (hut not later than tern 10 days thereafter), in accordance with the notice
provisions set forth herein. sines .ssociate shall to o i) prompt action to cure any such
deficiencies ncies as reasonably requested Covered Entity, and i any action ertainin to such
Secun*ty Incident and/or unauthorized Use or Disclosure required by applicable federal and state
laws and regulations. If such successful Security Incident or unauthorized Use or Disclosure
results in a Breach as defmed in the HITECH Act, then Covered Entity shall comply with the
requirements of Section 3.h below.
h. Breach of Unsecured PHI. The provisions of this Section 3,b are effective
with respect to the Discovery of a Breach of Unsecured PHI occun on or after September 23,
200 9. with respect to any unauthorized acquisition, access, Use or Disclosure of Covered
Entity's PHI by Business Associate, its agents or subcontractors, Business Associate shall i
investigate such unauthorized acquisition, access, Use or Disclosure; (ii) detemu' e whether such
unauthorized acquisition, access, Use or Disclosure constitutes a reportable Breach under the
HITEC Act; and (iii) document and retain its findings under clauses i and ( 11). If the Business
Associate Discovers that a. reportable Breach has occurred,, Business Associate shall notify
Covered Entity of such reportable Breach in writing within three clays of the slate Business
Associate Discovers such Breach. Business Associate shall be deemed to have discovered a
Breach as of the first day that the Breach is either known wn to Business Associate or any of its
employees, officers or agents, other than the person who committed the Breach,, or by exercising
reasonable diligence should have been known to Business Associate or any of its employees,
officers dr agents, other than the person who committed the Breach. To the extent the
information is available to Business ,Associate, Business Associate's written notice shall include
the infonnation required by 45 CFR §164.410. Business Associate shall promptly supplement
the M*tten report with additional ixiforrnation regarding the Breach as it obtains such
inforn.ation, business Associate shall cooperate with Covered Entity in meeting the" Covered
Entity's obligations under the H CH Act with respect - to such Breach.
4. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement (the `'Subcontractors A.gr c enf ).
5 . Rights of Individuals.
a. Access to PHI. Within tern 10 flays of receipt of a request by Covered
Entity, Business Associate shah male PHI maintained M a Designated Record Set available to
Covered Entity or, as directed by Covered Entity, to an individual to enable Covered Entity to
fulf"nll its obligations under 45 CFR § 164.524. Subject to Section 5.b below, i in the event that
any individual requests access to PHI directly from Business Associate in connection with a
routine billing inquiry, Business Associate shall directly respond to such request in compliance
with 45 CFR § 1 64.524; and (ii) in the event such re quest a pp ears to be f or a p ose other than a
routine billing inquiry, Business Associate shall for a copy of such request to Covered
Entity and shall fully cooperate with Covered Entity in responding to such request. In either
case, a de al of access to requested PHI shall not be made without the prior Witten consent of
Covered Entity.
b. Access to lectro.nic . Health Records. If Business Associate is deemed to
use or maintain an Electronic Health Record on behalf of Covered Entity with respect to PHI,
they,, to the extent an individual has the right to request a copy of the PHI maintained �n such
E lectronic Health Record pursuant. to CFR § 164.524 and makes such a request to Business
Associate, Business Associate shall provide such individual with a copy of the information
contained in such Electronic Health Record in an electronic format and, if the individual so
chooses, transmit such copy directly to an entity or person designated by the individual.
Business Associate may charge a fee to the individual for providing a copy of such information,
but such fee .may not exceed the Business Associate's Tabor costs -in responding to the request for
the copy. The provisions of 45 CFR § 164.524, including the exceptions to the requirement to
provide a copy o PHI, shall otherwise apply and Business Associate shall comply therewith as if
Business Associate were the "covered entity," as such term i defined in P A. At Covered
Entity's request, Business Associate shall provide Covered Entity w ith a copy of an individual's
PHI maintained in an Electronic Health Record in an electronic format and in a time and manner
designated by Covered Entity in order for Covered Entity to comply with 45 CFR § 164.524, as
amended by the HITECH Act.
C. A mendment of. PHI. Business Associate agrees to male any
amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to
pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time
and manner designated by Covered Entity.
d. Accounting Ri hts. This Section 5.d is sun ject to Section 5.e below.
Business Associate shall make available to Covered Entity, in response to a request from an
individual, information required for an accounting of disclosures of PHI with respect to the
individual,, in accordance with 45 C R §164.528,, incorporating exceptions to such accounting
designated under such regulation. Such accounting is limited to disclosures that w ere made in the
six years prior to the request and shall not include any disclosures that were made prior to the
compliance date of the HEPAA Regulations. Business Associate shall provide such information
as is necessary to provide an accounting within ten (1 0) days of Covered .entity's request. Such
accounting rust be provided without cost to the individual or to Covered Entity if it is the first
accounting requested by an individual within any twelve 1 month period; however, a
reasonable, cost -based fee may be charged for subsequent accountings if Business Associate
informs the Covered Entity and the Covered Entity informs the individual in advance of'the fee,
and the individual is afforded an opportunity to withdraw or modify the request. Such accounting
obligations shall survive termination of this Agreement and shall' continue as long as Business
Associate maintains PHI.
C . Accounting of Disclosures of Electronic Health Records. The p rovisions
of this Section 5.e shall be effe tive on the date specified in the HITECH Act, If Business
Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity,
then, in addition to complying with the requirements set forth in Section 5 above, Business
Associate shall rnaintaf a n accounting of any Disclosures made through such Electronic Health
Record for Treatment, Payment and Health Care operations, as applicable. Such accounting
shall comply with the requirements of the H ITECH Act. Upon request by Covered Entity,
Business Associate shah provide such accounting to Covered Entity is the time and manner
specified by 'Covered Entity and in compliance with the ITEC Act. Alternatively, if Covered
Entity responds to an individual's request for an accounting of Disclosures made through an
Electronic Health Record by providing the requesting ind ividual with a fist of all business
associates acting o n behalf of Covered Entity, then Business Associate shah provide such
accounting directly to the requesting individual in the time and manner specified by the HITEC
Act.
. Ameement to Restrict is,.,�.. closure If Covered Entity is required to comply
with a restriction on the Disclosure of HI pursuant to Section 13405 o f the HITECH Act, then
Covered Entity shall, to the extent accessary to comply with such restriction, provide written
notice to Business Associate of the name o f the individual req uesting the restriction and the PM - K
affected thereby. Business Associate shah, upon receipt of such notification, not Disclose the
i dentified PHI to any health - Ian for the purposes of carrying out Payment or Health Care
Operations, except as otherwise required by law. Covered Entity shall also notify Business
Associate of any other restriction to the Use or Disclosure of PHI that Covered Entity has agreed
to in accordance with CR § 164.522.
6 . Remuneration and llrlar eti .
a. Limitations on Use of PHI for Marketina Pu Dees. Business Associate
shall not Use or Disclose PHI for the purpose of making a communication about a product or
service that encourages recipients of the communication to purchase or use the product or
service, unless such corn uhication: 1 complies with the requirements of subparagraph i , ii
or (iii*) of paragraph 1 of the definition o marketing contained in 45 CFR § 164.501; and ( 2 )
complies with the requirements of subparagraphs ., or C of Section 13406a of the
HITEC I Act, and implementing regulations or guidance that may be issued or amended from
time to time. C overe d Entity a grees to assist B us mness Associate in deter inning if the foregoing
requirement are met - with respect to any such marketing com umeation.
7 . Govenunental . Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretar
for purposes of determining Covered Entity's compliance with the HIPAA Regulations and the
HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify
Covered Entity of all requests served upon Business Associate for information or documentation
by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of
any PHI that Business Associate provides to the Secretary concurrently with providing such PHI
to the Secretary,
8. Minimum Necessa . To the extent required by the HITECH Act, Business
Associate shall limit its Use,, disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use, Disclosure or request, respectively.
Effective on the date the Secretary issues guidance on what constitutes "minimum ecessar " for
purposes of the HIP AA Regulations, Business Associate shall limit its Use, Disclosure or request
of PHI to only the m i nurn necessary as set forth in such guidance.
State Privacy Laws. Business Associate shall comply with state laws to extent
that-such state privacy laws are not preempted by HIPAA or the HITECH Act.
10. Termination.
a. Breach. by. Business Associate. If Covered Entity knows of a pattern of
activity or practice of Business Associate that constitutes a mate al breach or violation of
Business Asso iate's obligations under this Agreement, then Covered Entity shall promptly
notify Business Associate. With respect to such breach or violation, Covered Entity shall i take
reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are
either not possible or are unsueeessf 1, upon wntten notice to Business Associate, terminate its
relationship with Business Associate; or (iii) if such termination is not feasible, report the
Business Associate's breach or violation to the Secretary.
b. Breach bv Covered. Entity. If Business Associate knows of a Patten of
activity or practice of Covered Entity that constitutes a rnateal breach or violation of .hovered
Entity's obligations under this Agreement, then Business Associate shall promptly notify
Covered E ntity. With respect to such breach or violation, Business Associate shall i take
reasonable steps to cure such breach or end such violation, if possible; or ii if such steps are
either not possible or are unsuccessful, upon - written notice to C overed Entity, terminate its
relationship with Covered Entity; or (iii) if such termination is not feasible, report the Covered
Entity's breach or violation to the Secretary.
G. Effect. of 'Termination. Upon termination of this Ageenient for any
reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity,
that Business Associate or its agents or subcontractors still maintain in any form, and shall retain
no copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI
shall be reed in a mutually agreed upon format and tirneframe. If Business Associate
reasonably determines that return or destruction is not feasible, Business Associate shall continue
to extend the protections of this Agreement to such PHI, and limit further uses and disclosures of
such PHI to those purposes that name the return or destruction of such PHI not feasible. If
Business Associate is asked to destroy the PHI, Business Associate shall destroy PHI in a
manner that renders the PHI unusable, unreadable or indecipherable to unauthorized individual
a s specified Mn the H T CH Act.
11. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment ent of this Agreement may be required
to ensure compliance with such developments. The parti specifically agree to take such action
as is necessary to implement any new or modified standards or re uir men 't s o I AA, the
� A Regulations, the 1TEC Act and other applicable laws relating to the secun*ty or
confidentially of PHI. Upon the request of overed Entity, Business Associate agrees to
promptly enter into negotiation concerning the terns of an amendment to this Agreement
incorporating any such changes.
12. No Third Paqy Beneficiaries. Nothing express or i plicd Mn this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than Co ercd Entity,
usiness Associate and their respective successors or assigns, any rights, remedies, obligations,
or liabilities whatsoever.
1 Effect on Underhing Apreement. In the event of any conflict between this
Agreement and the Und erlying Agreement, the terns of this Agreement shall control.
14. Survival. The provisions of this Agreement shall survive the t nnin tion or
expiration of the Underlying Agreement.
15. mretation This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity Mn this Agreement shall he resolved in favor o a meaning that complies
and is consistent with such laws.
16. Govern,ing . -Law This Agreement shall be construed in accordance with the laws
of the State of 'loda.
17. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either per,
from time to time, by written notice to the other. All such notices shall be deemed validly given
upon receipt o such notice by certified nail, postage prepaid, facshnile transmission, e or
personal or courier delivery:
If to Covered E ntity-, Monroe Countv Board of C un Conn- issioners
Monroe Coup . Board of Governors
490 6 P Street O cean
Marathon F1 330
A Camille D ubroff
Telephone 305 - 289 -6010
Facsimile no: 305-289-601 3
If to Business Associate: Advanced Data Processing Inc,
DBA ADPI -Intennedix Corporation
6451 N. Federal Highway, Suite 1002
`t. Lauderdal F 1
Ate: Joe McCloskey, Vice President, Compliance Officer
Telephone no: 954-308-871
1
Facsiumile no: 305.521- -0785
IN WITNESS 'HEREOF, the pal ` es hereto have duly executed this as of the e ti
Date. ve
(SEAL) .BOARD OF COUNTY COMMISSIONERS
OF
ATTEST: DANNY L. KOLHAGE, CLERK M C FL
By: ..� `
Deputy Clerk
Mayor
BOARD OF GOVERNORS OF
FIRE AND AMBULANCE DISTRICT 1,
F MONROE COUNTY, FLORIDA
B y :
IayrChairlan
Advanced Data Processing, Inc.
(DBA I -Iite
el x Corp rat
S i ture
Print Name and Tit
MO,� COUNTY ATTORNEY
L R,PRLVE-1D1 S P ""�RM : D ate. If - llel
CYNTHIAL. HALL
ASS TNT UN N
D
Approved by M COUNTY o , 20 1 , Item #