08/21/2013 Agreement •
%., y w" . AMY NEAVILIN, CPA
r CLERK OF CIRCUIT COURT & COMPTROLLER
K.
MONROE COUNTY,FLORIDA
DATE: September 20, 2013
TO: Chief James Callahan
ATTN: Holly Pfiester
FROM: Vitia Fernandez, D.C.
At the August 21, 2013, Board of County Commissioner's meeting the Board granted approval
and authorized execution of Item B21 Business Associate Agreements between the Board of County
Commissioners of Monroe County and I) Big Coppitt Volunteer Fire Dept. Inc. 2) Sugarloaf Key
Volunteer Fire Dept. Inc. 3) Big Pine Key Volunteer Fire Dept. Inc. 4) Layton Volunteer Fire Dept.
Inc. and 5) Tavernier Volunteer Fire Dept. Inc. outlining national privacy standards with respect to use,
-- - -- -- --disclosure,-exchange, and security of protected health information, and the role of each agency with
regard to compliance; and authorization for Fire Chief J. Callahan to execute the Business Associate
Agreements.
Attached is the electronic copy of the above-mentioned for your handling. Should you have any
questions,please feel free to contact our office.
cc: County Attorney (electronic copy)
Finance (electronic copy)
File
...a.-- ....,,•.,» 500 Whitehead Street Suite 101,PO Box 1980,Key West,FL 33040 Phone:305-295-3130 Fax 305-295-3663
3117 Overseas Highway,Marathon,FL 33050 Phone:305-289-6027 Fax 305-289-6025
88820 Overseas Highway,Plantation Key,FL 33070 Phone:852-7145 Fax 305-852-7146
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Big Coppitt Volunteer Fire
Department,Inc.("Business Associate"),effective as of • 2013 (the"Effective Date").
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA"), and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
-------with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the H1PAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
c. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty-eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(I)(ii) and 164.308(6)2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this,the Business Associate will take the following steps:
Within thirty (30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate,each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter,on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
----- -- deliver the Completion Certificates to Monroe County Fire Rescue within one(I)
week of the individual's attendance at the training session.
v. Any volunteer or employee who has failed to complete the HIPAA
training or re-training class(a)upon joining the department,(b) within 30 days of
execution of the Agreement, and/or(c)by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees (recruits or existing)if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528; and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
3. Permitted Uses and Disclosures by Business Associates.
2
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures, including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue,particularly SOPs 700.13
and 700.14, as they may be amended from time to time.
c. Business Associate may not use or disclose PHI in a manner would violate
Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Reporting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate, Business
Associate's written notice shall include the information required by 45 CFR §I64.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement").
6. Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use,Disclosure or request,respectively.
3
8. State Privacy Laws. Business Associate shall comply with state laws to extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has
violated a material term of this Agreement and the Business Associate has not taken steps to cure
the breach within the time frame listed by the Covered Entity. However, the duty to provide
governmental access to records outlined in paragraph (6), above, shall survive the termination of
this Agreement.
c. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
I I. Effect on Underlying Agreement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authority. The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
16. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time,by written notice to the other. All such notices shall be deemed validly given
4
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K. Callahan,Fire Chief
Monroe County Fire Rescue
490 63'a Street
Marathon, FL 33050
Telephone no: (305)289-6088
Facsimile no: (305) 289-6007
If to Business Associate: [add volunteer fire department contact info]
MAN (.. C'oNOEL-LP. Pae z,w s
15 En-tc.+, o -D<. .
KEY Wc.ar1 F- 340 V0
[The balance of this page intentionally left blank.]
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
Date.
[COVE' !' ENTITY! [BUSI SS ASSOCIATE]
By: I lh By: e?-0. .t --
,off . ame: s :si" i Nam : rA.., G.ao e-..r,4
` •,.-� ✓/I7.IN' Title: 4e€.oar.r
. � Ag NO ,ae`: . a1 _ Date: G AV,..,;VT OOi'3
W
AM L. HEAVILIN iLERK
B�
Deputy Clerk 1
MO ROE COUNTY ATTORNEY
PR VED TfU FQ,IIiM:
CYNTHIA L. HALL
ASSI TANT COUNTY ATTORNEY
Date An1- ?-013
r'L
N
O 1
U
W 0-
c C
OO
5
C. W -=
J m C
— c
N