The URL can be used to link to this page

04/20/2016 AgreementAMY REAVILIN, CPA CLERK OF CIRCUIT COURT &COMPTROLLER MONROE COUNTY, FLORIDA DATE: July 19, 2016 TO: Bob Shillinger, County Attorney ATTN.- Cynthia Hall, Assistant County Attorney FROM: Cheryl Robertson Executive Aide to the Clerk of Court & Comptroller Cl/- At the April 20, 2016 Board of County Commissioner's meeting the Board granted approval and authorized execution of Item C 10 Approval of Business Associate Agreement with Interisk Corporation, as required by HIPAA, to cover handling of protected health information. cc: County Attorney (electronic copy) Finance (electronic copy) File v/ 500 Whitehead Street Suite 101, PO Box 1980, Key West, FL 33040 Phone: 305-295-3130 Fax: 305-295-3663 3117 Overseas Highway, Marathon, FL 33050 Phone: 305-289-6027 Fax: 305-289-6025 88820 Overseas Highway, Plantation Key, FL 33070 Phone: 852-7145 Fax: 305-852-7146 Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between Monroe County Board of County Commissioners (hereinafter the "County"), in its capacity as the administrator of its self -insured workers' compensation program, and Interisk Corporation (hereinafter the "Business Associate), as of the latest of the execution dates set forth below in Section VI I. I. General Provisions A. Purpose. Business Associate has been retained by County to perform certain plan -related functions, activities, or services, including consulting, (collectively, "Services") on behalf of its County in connection with the County's self - insured workers' compensation program. From time to time, these Services will require the County to share protected health information regarding a workers' compensation claimant with the Business Associate. The terms and provisions of this Agreement are incorporated in and shall supersede any conflicting or inconsistent terms and provisions of any other agreement, including without limitation the Service Agreement, to which Business Associate and County are parties, including all exhibits or other attachments thereto and all documents incorporated therein by reference. This Agreement is intended to ensure that the Business Associate will establish and implement appropriate privacy and security safeguards with respect to "Protected Health Information" (as defined below) that the Business Associate may create, receive, use, or disclose in connection with the Services to be provided by Business Associate to County or Plan Sponsor, consistent with the standards set forth in regulations and administrative guidance with respect to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), including as amended by the Health Information Technology for Economic and Clinical Health Act as set forth in Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 ("HITECH Act"). B. Effective Date. The provisions of this Agreement shall take effect on April 15, 2016. C. Definitions. Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy and Security Rules. Other defined terms include: 1. "Breach" shall have the meaning given such term in 45 C.F.R. §164.402. 2. "Designated Record Set" shall have the meaning given such term in 45 C.F.R. §164.501. 3. "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. §160.103. 4. "Individual" shall have the same meaning given such term under 45 C.F.R. §160.103, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g). 5. "Privacy Rules" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E. 6. "Protected Health Information" (or "PHI") shall have the meaning given to such term in 45 C.F.R. §160.103, limited to the information created or received by Business Associate from or on behalf of County. 7. "Required By Law" shall have the same meaning given to such term in 45 C.F.R. §164.103. Page 1 of 9 8. "Secretary" shall mean the Secretary of the United States Department of Health and Human Services ("HHS") or his designee. 9. "Security Incident" shall have the same meaning given to such term in 45 C.F.R. §164.304. 10. Health Information at 45 C.F.R. Part 160 and Part 164, subpart C. 11. "Unsecured Protected Health Information" shall have the same meaning given to such term in 45 C.F.R. §164.402. 12. Security Rules means final regulations issued by the Secretary governing the security of electronic PHI by covered entities contained in 45 C.F.R. parts 160, 162 and 164. II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE A. Scope of Use and Disclosure of Protected Health Information. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law. B. Safeguard Against Misuse of Information. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Furthermore, Business Associate will implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the County as required by the Security Rules. To the extent practicable, Business Associate will secure all Protected Health Information by technological means that render such information unusable, unreadable, or indecipherable to unauthorized individuals and in accordance with any applicable guidance issued by the Department of Health and Human Services under Section 13402 of the HITECH Act. C. Duty to Mitigate. Business Associate agrees to cure or mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this Agreement, D. Reporting of Violations. Business Associate agrees to notify the County, in writing, of any use or disclosure of the PHI not provided for by this Agreement, any Security Incident, and any Breach of County's Unsecured Protected Health Information. This notification will be made within thirty (30) business days after the discovery of the use, disclosure, Security Incident, or Breach. In the event of a Breach, if a delay is requested by law enforcement under 45 C.F.R. §164.412, Business Associate may delay notifying the County for the applicable timeframe. This notification will include, to the extent possible, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired used or disclosed during the Breach. Business Associate will also provide the County with any other available information that the County is required to include in its notification to the individual under C.F.R. §164.404(c) at the time of the initial notification or promptly thereafter as the information becomes available. E. Use or Disclosure to Subcontractors. Business Associate shall ensure that any subcontractor or agent to whom it provides PHI received from, or created or received by Business Associate on behalf of, County agrees to implement reasonable and appropriate safeguards to protect the County's PHI. In turn, Business Associate agrees to ensure that any such subcontractor or agent agrees, in writing, to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate shall provide copies of such agreements to Plan Sponsor upon request. F. Access, Amendment, and Accounting Responsibilities. In a mutually agreeable time and manner, the Business Associate agrees to provide access to the PHI that it maintains in Designated Record Sets to the County, or to the Individual to whom the PHI relates in accordance with 45 C.F.R. §164.524. Business Associate shall have the right to Page 2 of 9 charge the Individual a reasonable, cost -based fee, as permitted by 45 C.F.R. §164.524. The Business Associate further agrees to document any disclosures of PHI if requested by the County in accordance with 45 C.F.R. §164.528, and to provide such documentation to the County as it may request from time to time. Furthermore, at the request of the County, the Business Associate agrees to make amendments to PHI that it maintains in a Designated Record Set as directed by the County and to incorporate any amendments to PHI in accordance with 45 C.F.R. §164.526. Business Associate assumes no obligation to coordinate the provision of PHI maintained by other business associates of the County. Notwithstanding the foregoing, the County will not request that the Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy rule if such disclosure or use were done by the County itself. G. Electronic Data Interchange. Inasmuch as Business Associate transmits or receives Transactions (as that term is defined in 45 C.F.R. §160.103) on behalf of County, Business Associate shall comply with any applicable provisions of the Electronic Data Interchange Requirement (as set forth in 45 C.F.R. parts 160 and 162) and shall ensure that any subcontractors or agents that assist Business Associate in conducting Transactions on behalf of County agree in writing to comply with the Electronic Data Interchange Requirements. H. Availability of Books and Records. For purposes of the Secretary determining the County's compliance with the Privacy Rules, Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the County available (i) to the County in a mutually agreeable time and manner, or (ii) to the Secretary in the manner designated by the Secretary. I. HITECH Act Business Associate Agreement Requirements. The parties intended for this Agreement to satisfy the requirements of sections 13401 (a) and 13404 (a) of the HITECH Act that specified security and privacy provisions requirements be incorporated into business associate agreements. This Agreement shall be interpreted in a manner consistent with this intention. III. OBLIGATIONS AND ACTIVITIES OF COUNTY A. Obligations of County. County shall inform Business Associate with respect to the following privacy practices and restriction: 1. County shall provide Business Associate with a copy of the notice of privacy practices that County approves/produces and has distributed in accordance with 45 C.F.R. §164.520, as well as any changes to such notice. Furthermore, County shall specifically notify Business Associate of any limitation(s) in its notice of privacy practices to the extent that such limitation(s) may affect Business Associate's use or disclosure of PHI. 2. County shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses or disclosures as set forth in this Agreement or the Service Agreement. 3. County shall notify Business Associate within five (5) business days of any restriction to the use or disclosure of PHI requested by an Individual in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. In turn, due to the wide variety of services and clients of Business Associate, Business Associate has limited capacity to comply with special privacy restrictions requested by Individuals. Accordingly, County agrees that it will only accommodate such requests to the extent required by 45 C.F.R. §164.522(b)(1)(ii). 4. County shall notify Business Associate in advance of the time and manner in which Business Associate must comply with requests by County with respect to any of the obligations and activities of Business Associate set forth above in Section ll, and in all events such times and manners shall be reasonable. Page 3 of 9 5. The parties acknowledge and agree that the Privacy Rules allow County to permit Business Associate to disclose or provide access to PHI to Plan Sponsor only after Plan Sponsor has amended its plan documents to provide for the permitted and required uses and disclosures of PHI and to require Plan Sponsor to provide a certification to County that certain required provisions have been incorporated into County's plan documentation before County may disclose, either directly or through a business associate any PHI to Plan Sponsor. County hereby warrants and represents that County's plan documentation has been or will be amended and that County has or will have received such certification from Plan Sponsor no later than the Effective Date of this Agreement. 6. Business Associate acknowledges and agrees that the Privacy Rules allow County to permit Business Associate to disclose or provide access to PHI to only those employees or other persons (including third parties) under the control of Plan Sponsor who are described by name or position in County's plan documentation as the persons who are given access to PHI solely to carry out plan administration functions that Plan Sponsor performs for County. Accordingly, notwithstanding any other terms and conditions of this Agreement, to the extent that the fulfillment of its obligations under this Agreement requires Business Associate to disclose or provide access to PHI to Plan Sponsor or any employees or other persons (including third parties) under the control of Plan Sponsor, Business Associate shall make such disclosure of or provide such access to PHI on as follows: a) Business Associate shall disclose or make available PHI at the direction or County to only the following employees or other persons (including third parties) identified in County's plan documentation and under the control of Plan Sponsor solely for the purpose of carrying out the plan administration functions that Plan Sponsor performs for County (list each person by position): Benefits Manager Benefits Manager Designee Claims Processors County agrees to promptly notify Business Associate in writing of changes to the above list. Business Associate is authorized to rely on the information provided by County. b) It is acknowledged and agreed that the Privacy Rules require County to maintain policies and procedures to ensure that any PHI that it uses, requests, or discloses be no more that the minimum necessary to accomplish the intended purposes. County hereby warrants and represents that any requests for Plan Sponsor will be for no more than the minimum amount necessary for the intended purpose. c) Business Associate shall provide PHI to other business associates who assist in administering County and are authorized by County to receive such information for the purpose of facilitating plan administration. Such parties may include, but are not limited to, consultants, brokers, auditors, successor administrators or insurers, and stop -loss carriers. County shall enter into and maintain a written agreement with each agent and subcontractor or other third party to which it directs Business Associate to disclose PHI under which such agent, subcontractor, or other third party is legally bound by the same restrictions with respect to PHI that apply to Business Associate pursuant to this Agreement. B. Permissible Requests by County. County shall not request Business Associate to use, disclose, or handle PHI in any manner that would not be permissible under the Privacy and Security Rules if done by the County, except for the data aggregation or management and administrative activities of the Business Associate. IV. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE A. General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, County or Plan Page 4 of 9 Sponsor as specified in this Agreement, provided that such use or disclosure would not violate the Privacy and Security Rules if done by County, or the minimum necessary policies and procedures of the County. B. Specific Use and Disclosure Provisions. Business Associate will make reasonable efforts to use, disclose, and to request only the minimum amount of the County's PHI necessary to accomplish the intended purpose of the use, disclosure or request, except that Business Associate will not be required to comply with this minimum necessary limitation if neither Business Associate nor the County is required to limit its use, disclosure or request to the minimum necessary. Business Associate and the County acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act. 2. Except as otherwise limited in this Agreement or in the Service Agreement, specific examples of permitted use or disclosure of PHI by Business Associate on behalf of, or to provide Services to, County and Plan Sponsors may include, but are not limited to: a) To enroll or disenroll participants and beneficiaries in and/or confirm or not confirm enrollment (as determined by the plan administrator of County) of participants and beneficiaries for coverage under County. (Note that only enrollment/disenrollment information may be used by Business Associate to provide these services to Plan Sponsor unless Plan Sponsor satisfies its obligations under Section II.A.6). b) To assist Plan Sponsor with respect to certain specific plan administration functions, such as claims processing, quality assurance, auditing of the County, medical review, precertification, and coordination with carve -out health plans (such as vision and dental). For purposes of this section, claims processing shall include investigating, auditing, and otherwise administering and facilitating the payment of County claims from the payers of such claims (including, but not limited to, providing assistance to participants and beneficiaries, the coordination or benefits, determination of cost sharing amounts, and subrogation of health benefit claims), and obtaining payment on behalf of Plan Sponsor under a contract for stop - loss or reinsurance being utilized with respect to County, (Note that Plan Sponsor must satisfy its obligations under Section III.A.6 before Business Associate can provide these services to Plan Sponsor.) c) To assist County and Plan Sponsor with respect to activities relating to the creation, modification, termination, renewal, or replacement of a contract of health insurance or health benefits, and the ceding, securing, or placing of a contract for stop -loss or reinsurance of risk relating to health care claims. (Note that Summary Health Information may be used to provide these services, even if Plan Sponsor has not satisfied its obligations under Section III.A.6.) 3. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. §164.5020)(1). 4. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out any present or future legal responsibilities of the Business Associate. Page 5 of 9 Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to County as permitted by 42 C.F.R. §164.504(e)(2)(i)(B). C. Applicability. This Agreement applies with respect to any aspect of the Services Agreement that involves the use or disclosure of PHI but only to the extent that the services or transactions of Business Associate are not exempt from HIPAA pursuant to 1179 of the Social Security Act (42 U.S.C. §1320d-8). V. TERM AND TERMINATION A. Term. The term of this Agreement shall commence as of the Effective Date set forth above in Section I.B., and shall terminate when all of the PHI provided by County Entity to Business Associate, or created or received by Business Associate on behalf of County, is destroyed or returned to County, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Section. B. Termination for Cause. Upon County's knowledge of a material breach by Business Associate, County (or, Plan Sponsor, on behalf of County) shall either: 1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement and the Service Agreement if Business Associate does not cure the breach or end the violation within the time specified by County or Plan Sponsor; 2. Immediately terminate this Agreement and the Service Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or 3. If neither termination nor cure is feasible, County or Plan Sponsor shall report the violation to the Secretary. C. Effect of Termination. Upon termination of the Agreement, for any reason, Business Associate shall return all PHI received from County, or created or received by Business Associate on behalf of County. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain copies of the PHI. If Business Associate has determined that destroying the PHI is infeasible, it shall provide County an explanation of the conditions that make destruction infeasible. If County and Business Associate mutually agree that destruction of the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. VI. MISCELLANEOUS A. Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect or as amended and for which compliance is required. B. Governing Law. This Agreement shall be construed and enforced according to HIPAA, and any applicable state law to the extent not preempted by HIPAA or other federal law. C. Complete Integration. This Agreement constitutes the entire agreement between the parties and supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written, unless Page 6 of 9 expressly incorporated herein, related to the subject matter of the Agreement. Unless expressly provided otherwise herein, this Agreement may not be modified unless in writing signed by the duly authorized representatives of both parties. If any provision or part thereof is found to be invalid, the remaining provisions shall remain in full force and effect. D. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for County and Plan Sponsor to comply with the requirements of the Privacy and Security Rules, the Health Insurance Portability and Accountability Act, Public Law 104-191, and the HITECH Act. E. Interpretation. The parties hereto acknowledge and agree that both (i) the rule of construction to the effect that any ambiguities are resolved against the drafting party, and (ii) the terms and provisions of this Agreement, will be construed fairly as to all parties hereto an not in favor of or against a party, regardless of which party was generally responsible for the preparation of this Agreement. Moreover, any ambiguity in this Agreement shall be resolved in favor of a meaning that permits County to comply with the Privacy and Security Rules. In the event of an inconsistency between the provisions of this Agreement and the Privacy and Security Rules, as may be amended from time to time, because of interpretations by HHS, a court, or another regulatory agency with authority over the Parties, the interpretation of HHS, such other court or regulatory agency shall prevail. In the event provisions of this Agreement differ from those mandated by the Privacy and Security Rules but are nonetheless permitted by such rules, the provisions of this Agreement shall control. F. Severability. The parties intend this Agreement to be enforced as written, However, (i) if any portion or provision of this Agreement will to any extent be declared illegal or unenforceable by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the application of such portion or provision in circumstances other than those as to which it is so declared illegal or unenforceable, will not affected thereby, and each portion and provision or this Agreement will a valid and enforceable to the fullest extent permitted by law; and (ii) if any provision, or part thereof, is held to be unenforceable because of the duration or such provision, the County and the Business Associate agree that the court making such determination will have the power to reduce the duration of such provision, and/or to delete specific words and phrases, and in its reduced form such prevision will then be enforceable and will be enforced. G. Successors and Assigns. This Agreement will inure to the benefit of and be binding upon the successors and assigns of County and Business Associate, However, this Agreement is not assignable by either party without the prior written consent of the other party, except that Business Associate may assign or transfer this Agreement to any entity owned or under common control with Business Associate. H. No Third Party Beneficiaries. Business Associate and County agree that nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Business Associate, County, and Plan Sponsor, and their respective successors or assigns, any rights, remedies, or obligations or liabilities whatsoever. I. Headings and Captions. The headings and captions of the various subdivisions of this Agreement are for convenience of reference only and will in no way modify, or affect the meaning or construction of any of the terms or provisions thereof. Page 7 of 9 J. No Waiver of Rights, Powers, and Remedies. No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of dealing between the parties hereto, will operate as a waiver of any such right, power or remedy of the party. No single or partial exercise of any right, power or remedy under this Agreement by a party hereto, nor any abandonment or discontinuance of steps to enforce any such right, power or remedy, will preclude such party from any other or further exercise thereof or the exercise of any other right, power or remedy hereunder, The election of any remedy by a party hereto will not constitute a waiver of the right of such party to pursue other available remedies. No notice to or demand on a party not expressly required under this Agreement will entitle the party receiving such notice or demand to any other or further notice or demand in similar or other circumstances or constitute a waiver of the rights of the party giving such notice or demand in similar or other circumstances or constitute a waiver of the rights of the party giving such notice or demand to any other or further action in any circumstances without such notice or demand. The terms and provisions of this Agreement may be waived, or consent for the departure there from granted, only by written document executed by the party entitled to the constitute a waiver or consent with respect to any other terms or provisions of this Agreement, whether or not similar. Each such waiver or constitute a continuing waiver or consent. K. Indemnification. Business Associate shall indemnify and hold harmless County from and against any and all loss, damage, or expense (including claims of damage or liability) asserted against County by third parties and arising out of (i) the use or disclosure of PHI by Business Associate or its agents or subcontractors other than as provided in this Agreement, or (ii) a breach of Business Associate's representations contained in this Agreement. To the extent allowed by Section 768.28, Florida Statutes, County shall indemnify and hold harmless Business Associate from and against any and all loss, damage, or expense (including claims of damage or liability) asserted against Business Associate by third parties and arising out of (i) the use or disclosure of PHI by County or its agents or subcontractors other than as provided in this Agreement, or (ii) a breach of County's representations contained in this Agreement. L. Notice. All notices, requests, consents, and other communications hereunder will be in writing, and in accordance with the Notice provision of the referenced Administrative Services Adoption Agreement. M. Survival. The respective rights and obligations of Business Associate under V.C. and VI.K of this Agreement shall survive the termination of this Agreement. N. Counterparts. This Agreement may be executed in two or more counterparts, each of which may be deemed an original. Page 8 of 9 VII. ACKNOWLEDGEMENT AND SIGNATURES The parties acknowledge that they have read this agreement, understand it, and agree to be bound by its terms. Accordin 1 , in witness whereof, this Agreement is executed by the parties, by their duly authorized s of the date set forth above. , Clerk Clerk )-/ /(.0 Page 9 of 9 BOARD OF COUNTY I ER OF MONROE COUN , By: Heather Carruthers, Mayor/Chairperson Date: 7 / 9 / INTERISK ATION By: u� Printed Na Title: I_` Date: Zip N +� x rn a --n MON OE COUNTY ATTORNEY A ROVED AS T FO YNTHIA L. HALL ORNEY ASSIS ANT C 0U"STY AT ,