2nd Amendment 09/17/2013 � � .
ya/y
. L, , .. itte.
7 fj/� d+",�/e 405 r
,, .'
A
0
�" �� • ;� CLERK OF CIRCUIT COURT-&.-COMPTROLLERS.-[�.
MONROE COUNTY,FLORIDA
%r a
DATE: September 16, 2013
TO: Sheryl Graham, Director
Social Services
FROM: Vitia Fernandez, D.C.
015
At the September 17, 2013, Board of County Commissioner's meeting the .Board granted
approval and authorized execution of the following items:
Item B11 . Amendment #0002 toletifida7Department of Children and Families Standard Grant
Agreement #KPZ06,,Emmergenc-y Solutions Grant (ESG) between the State of Florida, Department,of
Children and Families and Monroe County Board of County Commissioners (Social Services/In Home
Services).
Item B12 . Amendment #0001 to Florida Department of:Children and Families Standard Grant
Agreement #KG069, Community Care for Disabled Adults (CCDA).between the State of Florida,
Department•of Children and Families and Monroe County. Board of County Commissioners (Social
Services/In Home Services).
Enclosed are six (6) duplicate originals executed on behalf of Monroe County,for your handling.
Please be sure to return two fully executed duplicate originals as soon as possible. Should you have any
questions,please feel free to contact me.
cc: County Attorney (w/o documents)
Finance
File I
500 Whitehead Street Suite 101,PO Box 1980,Key West,FL 33040 Phone:305-295-3130 Fax:305-295-3663
3117 Overseas Highway,Marathon,FL 33050 Phone:305-289-6027 Fax:305-289-6025
88820 Overseas Highway,Plantation Key,FL 33070 Phone:852-7145 Fax:305-852-7146
aL9L)(s 0f c�
•
ORIGINAL Grant Agreement KPZ06
Amendment# 0002
THIS AMENDMENT, entered into between the State of Florida, Department of Children and Families,
hereinafter referred to as the "Department," and Monroe County, hereinafter referred to as the
"Recipient," amends Grant Agreement KPZ06.
Amendment#0001, effective June 27, 2013, added funds to the grant agreement.
The purpose of Amendment #0002 is to add a special provision incorporating into Grant Agreement
KPZ06 those provisions required by 45 CFR s.164.504(e) and thus adds Attachment VII to the grant
agreement. As a result, the Grant Agreement is amended, and Attachment VII is therefore added to this
grant agreement.
1. Page 3, Standard Grant Agreement, Section I, paragraph 0, Health Insurance Portability and
Accountability Act, is hereby amended to read:
O. Health Insurance Portability and Accountability Act
In compliance with 45 CFR s.164.504(e), the Recipient shall comply with the provisions of
Attachment VII, to this Grant Agreement, governing the safeguarding, use and disclosure of
Protected Health Information created, received, maintained, or transmitted by the Recipient or its
subcontractors incidental to Recipient's performance of this Grant Agreement. The provisions of
the foregoing Attachment supersede all other provisions of this grant agreement regarding
HIPAA compliance.
2. Page 5, Standard Grant Agreement, Section II, Paragraph F, Modification, Amendment, and
Entirety of the Agreement, is hereby amended to read:
F. Modification, Amendment and Entirety of the Agreement
This agreement may only be modified or amended in writing with such modifications or
amendments duly signed by both parties. This agreement and its attachments, I, II, III, IV, V, VI
and VII, and any referenced exhibits, together with any documents incorporated by reference,
constitute the entirety of the agreement. There are no other terms or conditions other than those
contained herein. This agreement supersedes all previous communication and representations
between the parties or their representatives.
3. Page 5, Standard Grant Agreement, above the signature block, amends the total number of
pages in the contract due to the addition of Attachment VII as follows:
"IN WITNESS THEREOF, the parties have caused this fifty-one (51) page agreement to be executed
below."
4. Pages 47-51, Attachment VII, are hereby inserted and attached hereto.
This amendment shall begin on September 20, 2013 or the date on which the amendment has been
signed by both parties, whichever is later.
All provisions of the grant agreement and any attachments thereto in conflict with this amendment shall
be and are hereby changed to conform to this amendment.
1 KPZ06
Grant Agreement KPZ06
Amendment#0002
All provisions of the grant agreement not in conflict with this amendment are still in effect and are to be
performed at the level specified in the grant agreement.
This amendment is hereby made a part of the contract.
IN WITNESS THEREOF, the parties hereto have caused this seven (7) page amendment to be
executed by their officials'thereunto duly authorized.
PROVIDER: STATE OF FLORIDA
MONROE COUNTY, DEPARTMENT OF CHILDREN AND
FAMILIES
SIGNED SIGNED
BY: )0-e--- BY: /`r
11
NAME: George Neuaent NAME: Gilda P. Ferradaz
TITLE: Mayor TITLE: Interim Regional Managing Director
DATE: O Ci- 1"1-a013 DATE: 9 '(9`l
.��`�, c�etii Number: 59-6000749
1,,
1z � �'
,
_ '� AC 3,i tliUN,CLE'K
r
oi
APPROVED AS TO FORM
ND LEGAL SUFFICIENCY
,..,Th 4)11 V5
Allegal Counsel 1 'Date
in
er — _.
Cr— o— r__• E UNTY S
C7 —.7 't— �0 O D AS fe; •.a -41
III CZ) -J cr_ O J. R CADO
_�' —"' ASSISTANT COUNTY ATT RNE
N 1 Zta
Date —
2 KPZ06
.
ATTACHMENT VII
This Attachment contains the terms and conditions governing the Provider's access to and use
of Protected Health Information and provides the permissible uses and disclosures of protected
health information by the Provider, also called "Business Associate."
Section 1. Definitions
1.1 Catch-all definitions:
The following terms used in this Attachment shall have the same meaning as those
terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set,
Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy
Practices, Protected Health Information, Required by Law, Security Incident,
Subcontractor, Unsecured Protected Health Information, and Use.
1.2 Specific definitions:
1.2.1 "Business Associate" shall generally have the same meaning as the term
"business associate" at 45 CFR 160.103, and for purposes of this Attachment
shall specifically refer to the Provider.
1.2.2 "Covered Entity" shall generally have the same meaning as the term "covered
entity" at 45 CFR 160.103, and for purposes of this Attachment shall refer to
the Department.
1.2.3. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and
Enforcement Rules at 45 CFR Part 160 and Part 164.
1.2.4. "Subcontractor" shall generally have the same meaning as the term
"subcontractor" at 45 CFR § 160.103 and is defined as an individual to whom a
business associate delegates a function , activity, service , other than in the
capacity of a member of the workforce of such business associate.
Section 2. Obligations and Activities of Business Associate
2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or
required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308,
physical safeguards as set forth at 45 CFR § 164.310, and technical
safeguards as set forth at 45 CFR § 164.312; including, policies and
procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR §
164.316 and the provisions of training on such policies and procedures to
applicable employees, independent contractors, and volunteers, that
reasonably and appropriately protect the confidentiality, integrity, and
availability of the PHI and/or ePHI that the Provider creates, receives,
maintains or transmits on behalf of the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures
requirements shall apply to the Business Associate in the same manner that
such requirements apply to the Department, and (b) the Business Associate's
and their Subcontractors are directly liable under the civil and criminal
47 KPZ06
enforcement provisions set forth at Section 13404 of the HITECH Act and
section 45 CFR § 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C.
1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards,
policies and procedures requirements and any guidance issued by the
Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information
not provided for by this Attachment of which it becomes aware, including
breaches of unsecured protected health information as required at 45 CFR
164.410, and any security incident of which it becomes aware;
2.1.5 Notify the Department's Security Officer, Privacy Officer and the Contract
Manager as soon as possible, but no later than five (5) business days following
the determination of any breach or potential breach of personal and confidential
departmental data;
2.1.6 Notify the Privacy Officer and Contract Manager within (24) hours of notification
by the US Department of Health and Human Services of any investigations,
compliance reviews or inquiries by the US Department of Health and Human
Services concerning violations of HIPAA (Privacy, Security Breach).
2.1.7 Provide any additional information requested by the Department for purposes
of investigating and responding to a breach;
2.1.8 Provide at Business Associate's own cost notice to affected parties no later
than 45 days following the determination of any potential breach of personal or
confidential departmental data as provided in section 817.5681, F.S.;
2.1.9 Implement at Business Associate's own cost measures deemed appropriate by
the Department to avoid or mitigate potential injury to any person due to a
breach or potential breach of personal and confidential departmental data;
2.1.10 Take immediate steps to limit or avoid the recurrence of any security breach
and take any other action pertaining to such unauthorized access or disclosure
required by applicable federal and state laws and regulations regardless of any
actions taken by the Department ;
2.1.11 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable,
ensure that any subcontractors that create, receive, maintain, or transmit
protected health information on behalf of the business associate agree to the
same restrictions, conditions, and requirements that apply to the business
associate with respect to such information. Business Associate's must attain
satisfactory assurance in the form of a written contract or other written
agreement with their business associate's or subcontractor's that meets the
applicable requirements of 164.504(e)(2) that the Business Associate or
Subcontractor will appropriately safeguard the information. For prior contracts
or other arrangements, the provider shall provide written certification that its
implementation complies with the terms of 45 CFR 164.532(d);
2.1.12 Make available protected health information in a designated record set to
covered entity as necessary to satisfy covered entity's obligations under 45
CFR 164.524;
2.1.13 Make any amendment(s) to protected health information in a designated record
set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526,
or take other measures as necessary to satisfy covered entity's obligations
under 45 CFR 164.526;
2.1.14 Maintain and make available the information required to provide an accounting
of disclosures to the covered entity as necessary to satisfy covered entity's
obligations under 45 CFR 164.528;
48 KPZ06
2.1.15 To the extent the business associate is to carry out one or more of covered
entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the
requirements of Subpart E that apply to the covered entity in the performance
of such obligation(s); and
2.1.16 Make its internal practices, books, and records available to the Secretary of the
U.S. Department of Health and Human Services for purposes of determining
compliance with the HIPAA Rules.
Section 3. Permitted Uses and Disclosures by Business Associate
3.1 The Business associate may only use or disclose protected health information covered
under this Attachment as listed below:
3.1.1 The Business Associate may use and disclose the Department's PHI and/or
ePHI received or created by Business Associate (or its agents and
subcontractors) in performing its obligations pursuant to this Attachment.
3.1.2 The Business Associate may use the Department's PHI and/or ePHI received
or created by Business Associate (or its agents and subcontractors) for archival
purposes.
3.1.3 The Business Associate may use PHI and/or ePHI created or received in its
capacity as a Business Associate of the Department for the proper
management and administration of the Business Associate, if such use is
necessary (a) for the proper management and administration of Business
Associate or(b) to carry out the legal responsibilities of Business Associate.
3.1.4 The Business Associate may disclose PHI and/or ePHI created or received in
its capacity as a Business Associate of the Department for the proper
management and administration of the Business Associate if(a) the disclosure
is required by law or (b) the Business Associate (1) obtains reasonable
assurances from the person to whom the PHI and/or ePHI is disclosed that it
will be held confidentially and used or further disclosed only as required by law
or for the purpose for which it was disclosed to the person and (2) the person
agrees to notify the Business Associate of any instances of which it becomes
aware in which the confidentiality and security of the PHI and/or ePHI has been
breached.
3.1.5 The Business Associate may aggregate the PHI and/or ePHI created or
received pursuant this Attachment with the PHI and/or ePHI of other covered
entities that Business Associate has in its possession through its capacity as a
Business Associate of such covered entities for the purpose of providing the
Department of Children and Families with data analyses relating to the health
care operations of the Department (as defined in 45 C.F.R. §164.501).
3.1.6 The Business Associate may de-identify any and all PHI and/or ePHI received
or created pursuant to this Attachment, provided that the de-identification
process conforms to the requirements of 45 CFR § 164.514(b).
3.1.7 Follow guidance in the HIPAA Rule regarding marketing, fundraising and
research located at Sections 45 CFR § 164.501, 45 CFR § 164.508 and 45
CFR § 164.514.
49 KPZ06
Section 4. Provisions for Covered Entity to Inform Business Associate of Privacy
Practices and Restrictions
4.1 Covered entity shall notify business associate of any limitation(s) in the notice of privacy
practices of covered entity under 45 CFR 164.520, to the extent that such limitation may
affect business associate's use or disclosure of protected health information.
4.2 Covered entity shall notify business associate of any changes in, or revocation of, the
permission by an individual to use or disclose his or her protected health information, to
the extent that such changes may affect business associate's use or disclosure of
protected health information.
4.3 . Covered entity shall notify business associate of any restriction on the use or disclosure
of protected health information that covered entity has agreed to or is required to abide
by under 45 CFR 164.522, to the extent that such restriction may affect business
associate's use or disclosure of protected health information.
Section 5. Termination
5.1 Termination for Cause
5.1.1 Upon the Department's knowledge of a material breach by the Business
Associate, the Department shall either:
5.1.1.1 Provide an opportunity for the Business Associate to cure the breach
or end the violation and terminate the Agreement or discontinue
access to PHI if the Business Associate does not cure the breach or
end the violation within the time specified by the Department of
Children and Families;
5.1.1.2 Immediately terminate this Agreement or discontinue access to PHI if
the Business Associate has breached a material term of this
Attachment and does not end the violation; or
5.1.1.3 If neither termination nor cure is feasible, the Department shall report
the violation to the Secretary of the Department of Health and Human
Services.
5.2 Obligations of Business Associate Upon Termination
5.2.1 Upon termination of this Attachment for any reason, business associate, with
respect to protected health information received from covered entity, or
created, maintained, or received by business associate on behalf of covered
entity, shall:
5.2.1.1 Retain only that protected health information which is necessary for
Business Associate to continue its proper management and
administration or to carry out its legal responsibilities;
5.2.1.2 Return to covered entity, or other entity as specified by the
Department or, if permission is granted by the Department, destroy
the remaining protected health information that the Business
Associate still maintains in any form;
5.2.1.3 Continue to use appropriate safeguards and comply with Subpart C of
45 CFR Part 164 with respect to electronic protected health
50 KPZ06
.
information to prevent use or disclosure of the protected health
information, other than as provided for in this Section, for as long as
Business Associate retains the protected health information;
5.2.1.4 Not use or disclose the protected health information retained by
Business Associate other than for the purposes for which such
protected health information was retained and subject to the same
conditions set out at paragraphs 3.1.3 and 3.1.4 above under
"Permitted Uses and Disclosures By Business Associate" which
applied prior to termination; and
5.2.1.5 Return to covered entity, or other entity as specified by the
Department or, if permission is granted by the Department, destroy
the protected health information retained by business associate when
it is no longer needed by business associate for its proper
management and administration or to carry out its legal
responsibilities.
5.2.1.6 The obligations of business associate under this Section shall survive
the termination of this Attachment.
Section 6. Miscellaneous
6.1 A regulatory reference in this Attachment to a section in the HIPAA Rules means the
section as in effect or as amended.
6.2 The Parties agree to take such action as is necessary to amend this Attachment from
time to time as is necessary for compliance with the requirements of the HIPAA Rules
and any other applicable law.
6.3 Any ambiguity in this Attachment shall be interpreted to permit compliance with the
HIPAA Rules.
51 KPZ06