The URL can be used to link to this page

1st Amendment 09/17/2013AMY HEAVILIN, CPA CLERK OF CIRCUIT COURT & COMPTROLLER Naxxoe cauxTr, FLORIDA DATE: September 16, 2013 TO: Sheryl Graham, Director Social Services FROM: Vitia Fernandez, D. At the September 17, 2013, Board of County' Commissioner's meeting the Board granted - r approval and authorized execution of the following items: Item B11 Amendment #0002 to Florida Department of Children and Families Standard Grant Agreement #KPZ06, Emergency Solutions Grant (ESG) between the State of Florida, Department of Children and Families.and Monroe County Board of County Commissioners (Social Services /In Home Services). Item B12 Amendment #0001 to Florida Department of Children and Families Standard Grant Agreement #KG069, Community Care for Disabled Adults (CODA) between the State of Florida, Department of Children and Families and Monroe County Board of County Commissioners (Social Services /In Home Services). Enclosed are six (6) duplicate originals executed on behalf of Monroe County, for your handling. Please be sure to return two fully executed duplicate originals as soon as possible. Should you have any questions, please feel free to contact me. cc: County Attorney (wilo documents) Finance File ✓ 500 Whitehead Street Suite 101, PO Box 1980, Key West, FL 33040 Phone: 305 -295 -3130 Fax: 305 -295 -3663 3117 Overseas Highway, Marathon, FL 33050 Phone: 305 -289 -6027 Fax: 305 -289 -6025 88820 Overseas Highway, Plantation ►(ey, FL 33070 Phone: 852 -7145 Fax: 305- 852 -7146 � T TAT T ORIGINAL Contract No. KG069 Amendment # 0001 THIS AMENDMENT, entered into between the State of Florida, Department of Children and Families, hereinafter referred to as the "Department," and Monroe County, hereinafter referred to as the "Provider," amends Contract No. KG069. The purpose of Amendment # 0001 is to add a special provision incorporating into Contract No. KG069 those provisions required by 45 CFR s.164.504(e). 1. Page 1, Standard Contract, Section 4, Contract Document, is hereby amended to read: 4. Contract Document The Provider shall provide services in accordance with the terms and conditions specified in this contract including its attachments I, II & III and Exhibits A, B, C & D , and any exhibits reference in said attachments, together with any documents incorporated by reference, which contain all the terms and conditions agreed upon by the parties. The definitions found in the Standard Contract Definitions, located at http : / /www.dcf.state.fl.us /admin/ contracts / docs /GlossaryofContractTerms.pdf are incorporated into and made a part of this contract. The PUR 1000 Form (10/06 version) is hereby incorporated into and made a part of this contract. Sections 1.d., 2 -4, 6, 8 -13, 20, 23, 27, and 31 of the PUR 1000 Form are not applicable to this contract. In the event of any conflict between the PUR 1000 Form and any other terms or conditions of this contract, such other terms or conditions shall take precedence over the PUR 1000 Form. 2. Page 8, Standard Contract, above the signature block, amends the total number of pages in the contract due to the addition of Attachment III as follows: "IN WITNESS THEREOF, the parties hereto have caused this thirty -seven (37) page contract to be executed by their undersigned official as duly authorized." 3. Page 24, Attachment I, Section D., Special Provisions, is hereby amended to add the following paragraph D.5.: 5. Health Insurance Portability and Accountability Act In compliance with 45 CFR s.164.504(e), the Provider shall comply with the provisions of Attachment III, to this Contract, governing the safeguarding, use and disclosure of Protected Health Information created, received, maintained, or transmitted by the Provider or its subcontractors incidental to Provider's performance of this Contract. The provisions of the foregoing Attachment supersede all other provisions of Attachment I regarding HIPAA compliance. 4. Pages 33 -37, Attachment III, are hereby inserted and attached hereto. This amendment shall begin on September 20. 2013 or the date on which the amendment has been signed by both parties, whichever is later. All provisions of the contract and any attachments thereto in conflict with this amendment shall be and are hereby changed to conform to this amendment. All provisions of the contract not in conflict with this amendment are still in effect and are to be performed at the level specified in the contract. KG069 Contract No. KG069 Amendment # 0001 This amendment is hereby made a part of the contract. IN WITNESS THEREOF, the parties hereto have caused this seven (7) oaee amendment to be executed by their officials' thereunto duly authorized. STATE OF FLORIDA DEPARTMENT OF CHILDREN AND FAMILIES SIGNED SIGNED NAME: George Negant NAME: Gilda P. Ferradaz PROVIDER: MONROE COUNTY TITLE: Mayor DATE: )q - I g - a013 ID Number: 59- 6000749 TITLE: Interim Regional Managing Director DATE: 4 — d _1-3 APPROVED AS TO FORM AND SUFFICIENCY Regional "dal Counsel Date o 2 KGO69 ^' 77, -4 Q _ J _ c7 •= o 2 KGO69 ATTACHMENT 111 This Attachment contains the terms and conditions governing the Provider's access to and use of Protected Health Information and provides the permissible uses and disclosures of protected health information by the Provider, also called "Business Associate." Section 1. Definitions 1.1 Catch -all definitions: The following terms used in this Attachment shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. 1.2 Specific definitions: 1.2.1 "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and for purposes of this Attachment shall specifically refer to the Provider. 1.2.2 "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and for purposes of this Attachment shall refer to the Department. 1.2.3. " HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. 1.2.4. "Subcontractor" shall generally have the same meaning as the term "subcontractor" at 45 CFR § 160.103 and is defined as an individual to whom a business associate delegates a function , activity, service , other than in the capacity of a member of the workforce of such business associate. Section 2. Obligations and Activities of Business Associate 2.1 Business Associate agrees to: 2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law; 2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308, physical safeguards as set forth at 45 CFR § 164.310, and technical safeguards as set forth at 45 CFR § 164.312; including, policies and procedures regarding the protection of PHI and /or ePHI set forth at 45 CFR § 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and /or ePHI that the Provider creates, receives, maintains or transmits on behalf of the Department; 2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Department, and (b) the Business Associate's and their Subcontractors are directly liable under the civil and criminal 33 KG069 enforcement provisions set forth at Section 13404 of the HITECH Act and section 45 CFR § 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d -5 and 1320d -6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements; 2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; 2.1.5 Notify the Department's Security Officer, Privacy Officer and the Contract Manager as soon as possible, but no later than five (5) business days following the determination of any breach or potential breach of personal and confidential departmental data; 2.1.6 Notify the Privacy Officer and Contract Manager within (24) hours of notification by the US Department of Health and Human Services of any investigations, compliance reviews or inquiries by the US Department of Health and Human Services concerning violations of HIPAA (Privacy, Security Breach). 2.1.7 Provide any additional information requested by the Department for purposes of investigating and responding to a breach; 2.1.8 Provide at Business Associate's own cost notice to affected parties no later than 45 days following the determination of any potential breach of personal or confidential departmental data as provided in section 817.5681, F.S.; 2.1.9 Implement at Business Associate's own cost measures deemed appropriate by the Department to avoid or mitigate potential injury to any person due to a breach or potential breach of personal and confidential departmental data; 2.1.10 Take immediate steps to limit or avoid the recurrence of any security breach and take any other action pertaining to such unauthorized access or disclosure required by applicable federal and state laws and regulations regardless of any actions taken by the Department; 2.1.11 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. Business Associate's must attain satisfactory assurance in the form of a written contract or other written agreement with their business associate's or subcontractor's that meets the applicable requirements of 164.504(e)(2) that the Business Associate or Subcontractor will appropriately safeguard the information. For prior contracts or other arrangements, the provider shall provide written certification that its implementation complies with the terms of 45 CFR 164.532(d); 2.1.12 Make available protected health information in a designated record set to covered entity as necessary to satisfy covered entity's obligations under 45 CFR 164.524; 2.1.13 Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 CFR 164.526; 2.1.14 Maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity's obligations under 45 CFR 164.528; 34 KG069 2.1.15 To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and 2.1.16 Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules. Section 3. Permitted Uses and Disclosures by Business Associate 3.1 The Business associate may only use or disclose protected health information covered under this Attachment as listed below: 3.1.1 The Business Associate may use and disclose the Department's PHI and /or ePHI received or created by Business Associate (or its agents and subcontractors) in performing its obligations pursuant to this Attachment. 3.1.2 The Business Associate may use the Department's PHI and /or ePHI received or created by Business Associate (or its agents and subcontractors) for archival purposes. 3.1.3 The Business Associate may use PHI and /or ePHI created or received in its capacity as a Business Associate of the Department for the proper management and administration of the Business Associate, if such use is necessary (a) for the proper management and administration of Business Associate or (b) to carry out the legal responsibilities of Business Associate. 3.1.4 The Business Associate may disclose PHI and /or ePHI created or received in its capacity as a Business Associate of the Department for the proper management and administration of the Business Associate if (a) the disclosure is required by law or (b) the Business Associate (1) obtains reasonable assurances from the person to whom the PHI and /or ePHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and (2) the person agrees to notify the Business Associate of any instances of which it becomes aware in which the confidentiality and security of the PHI and /or ePHI has been breached. 3.1.5 The Business Associate may aggregate the PHI and /or ePHI created or received pursuant this Attachment with the PHI and /or ePHI of other covered entities that Business Associate has in its possession through its capacity as a Business Associate of such covered entities for the purpose of providing the Department of Children and Families with data analyses relating to the health care operations of the Department (as defined in 45 C.F.R. §164.501). 3.1.6 The Business Associate may de- identify any and all PHI and /or ePHI received or created pursuant to this Attachment, provided that the de- identification process conforms to the requirements of 45 CFR § 164.514(b). 3.1.7 Follow guidance in the HIPAA Rule regarding marketing, fundraising and research located at Sections 45 CFR § 164.501, 45 CFR § 164.508 and 45 CFR § 164.514. 35 KG069 Section 4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions 4.1 Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate's use or disclosure of protected health information. 4.2 Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate's use or disclosure of protected health information. 4.3 Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate's use or disclosure of protected health information. Section 5. Termination 5.1 Termination for Cause 5.1.1 Upon the Department's knowledge of a material breach by the Business Associate, the Department shall either: 5.1.1.1 Provide an opportunity for the Business Associate to cure the breach or end the violation and terminate the Agreement or discontinue access to PHI if the Business Associate does not cure the breach or end the violation within the time specified by the Department of Children and Families; 5.1.1.2 Immediately terminate this Agreement or discontinue access to PHI if the Business Associate has breached a material term of this Attachment and does not end the violation; or 5.1.1.3 If neither termination nor cure is feasible, the Department shall report the violation to the Secretary of the Department of Health and Human Services. 5.2 Obligations of Business Associate Upon Termination 5.2.1 Upon termination of this Attachment for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall: 5.2.1.1 Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; 5.2.1.2 Return to covered entity, or other entity as specified by the Department or, if permission is granted by the Department, destroy the remaining protected health information that the Business Associate still maintains in any form; 5.2.1.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health 36 KG069 information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the protected health information; 5.2.1.4 Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at paragraphs 3.1.3 and 3.1.4 above under "Permitted Uses and Disclosures By Business Associate" which applied prior to termination; and 5.2.1.5 Return to covered entity, or other entity as specified by the Department or, if permission is granted by the Department, destroy the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities. 5.2.1.6 The obligations of business associate under this Section shall survive the termination of this Attachment. Section 6. Miscellaneous 6.1 A regulatory reference in this Attachment to a section in the HIPAA Rules means the section as in effect or as amended. 6.2 The Parties agree to take such action as is necessary to amend this Attachment from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. 6.3 Any ambiguity in this Attachment shall be interpreted to permit compliance with the HIPAA Rules. 37 KG069