Item C06BOARD of COUNTY COMMISSIONERS
AGENDA ITEM SUMMARY
Meeting Date: January 1.9, 2011 Division: Emergency Services
Bulk Item: Yes X No Department: Fire Fescue
Staff Contact Verson: Camille Dubroff
AGENDA. ITEM WORDING: Approval of Business Associate Agreement with Advanced Data
Processing Inc. IBA ADP -I terme iix Corporation consistent with the standards set forth i
regulations and administrative guidance with respect to the Health Insurance Portability and
Accountability Act of 1996, Public Law 1 -1 I PAA , including as amended by the Health
Information Technology for Economic and Clinical Health Act as set forth in Title X11 Division A and
Title IV of Division B of the American Recovery and Reinvestment Act of 20 (HITECH Act).
ITEM BACKGROUND: Under the Health Information and Portability .n i Accountability Act
(HIPAA)privacy and security standards, business associates must comply with certain minimum
requirements. Business associates include administrative service providers, producers and other third
parties that provide services to health plans.
The Health Information Technology :for Economic and. Clinical Health Act IIITECH Act) was signed
into law as part of the American Recover and Reinvestment Act (ARRA). The Act requires business
associates to notify covered entities of any breach of unsecured protected health information and
requires compliance with new security privacy and security standards that apply to electronic protected
health information under the HIPAA Security Rule.
PREVIOUS RELEVANT BOCC ACTION: None
CONTRACT/AGREEMENT CHANGES: New Business Associate Agreement.
STAFF RE CMMEN ATIONS: The .business Associate Agreement confirms that the contracted
paw is in compliance with the newly enacted HITECH Act and it is therefore recommended. that the
CC approve this item. "I
TOTAL COST: N/A INDIRECT COST: N/A -BUDGETED: Yes No
DIFFERENTIAL of LOCAL PREFERENCE ILIA
COST TO COUNTY: SOURCE of FUNDS:
REVENUEPRODUCING: des N AMOUNT PER MONTH Year
4
APPROVED Y: County AttyyM Purch sing Disk Management
DOCUMENTATION: Included X Not Required
DISPOSITION: OSITION: AGENDA ITEM
Revised07/09
MONROE COUNTY BOARD of COUNTY COMMISSIONERS
CONTRACT SUMMARY
Contract with: Advanced Data a Contract.
Processing Inc. DBA
.DPI-Interrdix Corp.
Effective Date:
Expiration Date:
0 1 20 1 o
05/31/2013
Contract Purpose/Description:
New Business ,Associate Agreement with Advanced Data Proeessin Inc. DBA ADPI-
Intermedix Cori,
I Contract Manager: Camille Dubraff 6010
(Name)
for BOCC meeting on 1/1 2 11
� L.)
Emergency Services /Stop 14
(Department/Stop #)
Agenda Deadline: 1 4 2011
CONTRACT COST
Total Dollar Value of Contract: 5.5% of ground collections Current Year Portion:
.00% of air collections and
11.00 per Medicaid Account
Account Codes:
Budgeted? Y sM No F-1 Fire and Ambulance fist 1; 13 001-530-340 Ground
Fine & Forfeiture: 11001-530-340 Air
County Mate:
Estimated ongoing Costs: $_
(Not included in dollar value above
ADDITIONAL COSTS
/yr For:
. maintenan c,e, uti -itie S, j an itoria1, salaries, etc.
CONTRACT REVIEW
Changes Dare Out
Date In Needed i er
Division Director Yes[] No
Risk Management Yes[:] No I a -dZ --I
S�
O.M.BJ�i c-hasing �CYes❑ No[�j � �� J�- L1()
' r
County Attorney ����� Yes[] No
Comments:
OMB Form Revised 2/27/01 MCP #2
BUSINESS ASSOCIAAGREEMENT
This Business Associate Agreement "Agreement" is entered into between the Board of
County Commissioners, Monroe County,Florida and the Board of Governors of Fire and
Ambulance. District 1 (collectively, "Covered Bntftylpl and Advanced Data Process.ing Inc. IBA
I PI- Int rmediCo oration "Business Associate"), effective as of December 1
1 (the
"'Effective Date"').
WHEREAS, Covered Entity and Business Associate have entered into, or plan to eater
into, an agreement or other documented arrangement (the "'Underlying Agreement''), pursuant to
which Business Associate may provide services for Covered Entity that require Business
Associate to access, create and use Protected Health Information ("PHI") that is confidential
under state and/or federal law; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, or collected
or created by Business Associate pursuant to the Underlying Agreement, in compliance with the
Health Insurance Portability and Accountability Act of 1996, Public Law 1 -191 " IIB ." ,
and the regulations promulgated there under, including, without limitation, the regulations
codified at 45 CFR Parts 160 and 1 "I IPAA Regulations"); and the Health hdorr. ation -�-
Technology for Economic and Clinical Health Act, as incorporated in the American Recover
and Reinvestment Act of 2009, and its implementing regulations and guidance issued Y the
Secretary of the Department of Health and Human Services (the "'Secretary") (the " I EC
Act"'), and other applicable state and federal lavers, all as amended from time to time; and
VVHREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI, which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement, the parties agree as follows:
1, Definitions. .
Capitalized teams used herein without definition shall have the meanings ascribed
to therm in the HIPAA. Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. OblWations of Business .Associate.
a. Permitted Uses and Disclosures. Business Associate shall only Use or
Disclose PHI for the purposes of i performing Business Associate's obligations under the
Underlying Agreement and as permitted by this Agreement; or ii as .permitted or required by
laver; or(iii) otherwise permitted by this Agreement. Further, Business Associate shall not Use
or Disclose os PHI in any manner that would constitute a violation of the HEPAA Regulations or the
HITECH Act if so used by Covered Entity, except that Business Associate may Use PHI i for
the proper management and administration of Business Associate; ii to carry out the legal
responsibilities of Business Associate. Business Associate may Disclose PHI for the proper
• • s r r r • F r
management and administration of Business Associate, to carry out its legal responsibilities or
for payment purposes as specified in 45 C 1 � 164.506 c 1 and (3). including but not limited
to Disclosure to a business associate on behalf of a covered entity or health care provider for
payment purposes of such covered entity or health care provider, with the expectation that such
parties will provide reciprocal assistance to Covered Entity, provided that with respect to any
y
such Disclosure either:(i)the Disclosure is Required by .aw; or ii `or permitted Disclosures
when required by law, Business Associate shall obtain a written agreement from the person to
whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not
use and further disclose such. PHI except as Required by Laver and f r the purposes for which it
was Disclosed by Business Associate to such person, and that such person will notify Business
Associate of any instances of which it is aware in which the confidentiality of the PHI has been
breached.
b.AmLqpn*ate... Safe and . Business Associate shall * le rent
administrative, physical, and t h ai a1 guards that i reasonably and appropriatelyprotect
the confidentially, integrity, and availability of electronic PHI that it creates, receives, maintains
or transmits on behalf of Covered Entity, and ii prevent the Use or Disclosure of PHI other than
as contemplated by the Underlying Agreement and this Agreement.
c. eo n liance with Secun'ly Provisions. Business Associate shall;(i)-�
implement and maintain administrative safeguards as required by 4 1� 1 § 164.308,physical
p y
safeguards as required by 4CR § 164.310 and technical safeguards as required by 45 C1
164.312- (ii)- lement and document reasonable and appropriate policies and procedures as
required by 45 CFR § 164.316; and iii be in compliance witli all requirements of the HITECH
Act related to security and applicable as if Business Associate were a"covered entity,' as such
terms, is defined in HIPAA.
d. tom liance with Privacy rovision . Business Associate shall only Use
and Disclose PHI in compliance with each applicable requirement of 45 CFR § 164.504(e).
Business Associate shall comply with all requirements of the HITECH Act related to privacy and
applicable as if Business Associate were a "covered entity," as such term is defined in HfPAA.
e. Du to Miti ate. Business Associate agrees to mitigate, to the extent
Practicable and mandated by law,, any harmful eff ct that is known to Business Associate of a
Use or Disclosure of PHI by Business Associate - in violation of the requirements of this
Agreement.
f. ,. n. To facilitate Business Associate's compliance with this
Agreement and to assure adequate data security, Covered Entity agrees that all PHI provided or
transmitted to Business Associate pursuant to the Underlying Agreement shall be provided or
transmitted in a: manner which renders such PHI Unusable, Unreadable or Indecipherable to
Unauthorized Individuals, through the use of a technology or methodology specified by the
Secretary in the guidance. issued under section 13402(h2 of the HITECH Act on the I HS web
site. p Covered Entity acknowledges that failure to do so could contribute to or emit a Breach
requiring patient notification under the HITECH .Act and further agrees that Business Associate
shall have no liability for any Breach caused by such failure.
. Eeporting.
. Securi Incidents and/or Unauthorized Use or . Disclosure. - Business
Associate shall report to Covered Entity a successful Security Incident or any Use and/or
Disclosure of other than as provided for by this Agreement or permitted by applicable law
within a reasonable time of becon ng aware of such Security Incident and/or unauthorized Use
or Disclosure (but not later than ten 1 days thereafter), in accordance with the notice
provisions set forth herein. Business Associate shall take prompt action to cure an
such
deficiencies as reasonably requested by Covered Entity, and ii any action pertaining to such
Security Incident and/or unauthorized Use or Disclosure required by applicable federal and state
laws and regulations. If such successful Security Incident or unauthorized Use or Disclosure
results in a Breach as def coed in the FUTECH Act, then Covered Entity shall comply with the
requirements of Section 3.b below.
b. Breach of Unsecured PHI. The provisions of this Section 3.b are effective
with respect to the Discovery of a Breach of Unsecured PHI occurring on or after September 23,
.4+oor � r p
With respect to any unauthorized acquisition, access, Use or Disclosure of Covered
Entity's III by Business Associate, its agents or subcontractors, Business Associate shall i _
investigate such unauthorized acquisition, access, Use or Disclosure; ii determine whether such
unauthorized acquisition,, access, Use or Disclosure constitutes a reportable Breach under the
HITEC I Act; and n1 document and retain its findings under clauses i and ii . If the Business
Associate Discovers that a. reportable Breach has occurred, Business Associate shall notify
Covered Entity ofsuch reportable Bread Ming wig three days of the date Business
Associate Discovers such Breach. Business Associate shall be deemed to have discovered a
Breach as of the first day that the Breach is either known to Business Associate or any of its
employees, officers or agents, other than the person who committed the Breach, or by exercising
reasonable diligence should have been known to Business Associate or any of its employees,
officers or agents, other than the person who committed the Breach. To the extent the
information is available to Business Associate, Business Associate's written notice shall include
the information required by 45 CFR § l 4.41 o. Business Associate shall promptly supplement
the 'Mitten report with additional information regarding the Breach as it obtains such
infon nation. Business Associate shall cooperate with Covered Entity in meeting th ' 'hovered
Entity's obligations under the E' CH Act with respect to such Breach.
4. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement (the "Subcontractors Agreement").
5. Rights of Individuals.
a. Access to PHI. within ten l o days of receipt of a request by Covered
Entity, Business Associate shall make PI rnaintaired in a Designated Record Set available to
Covered Entity or, as directed by Covered Entity, to an individual to enable Covered Entity to
fr /fill its obligations under 45 CFR § 164.524. Subject to Section 5.b below, i in the event that
am individual requests access to PHI directly from. Business Associate iu connection with a
routine billing inquiry, Business Associate shall directly respond to such request in compliance
with 45 C R § 1 .52 ; and ii in the event such request appears to he for a purpose other than
routine billing inquiry, Business Associate shall forward a copy of such request to Covered
Entity and shall fully cooperate with Covered Entity in responding to such request. In either
case, a denial of access to requested PHI shall not be made without the prior Witten consent of
Covered Entity.
b. Access to Electronic Health Records. If Business .Associate is deemed to
use or maintain an Electronic Health Record on behaf of Covered Entity with respect to PHI,
then, to the extent an individual has the right to request a copy of the PHI maintained in such
Electronic Health Record pursuant to 45 C R § 164.524 and makes such a request to Business
Associate, Business Associate shall provide such individual with a copy of the information
contained in such Electronic Health Record in an electronic format and, if the individual so
chooses, transmit such copy directly to an entity or person designated by the individual.
Business Associate may charge a fee to the individual for providing a copy of such information'
but such fee .may not exceed the Business Associate's labor costs in responding to the request for
the copy. The provisions of 45 CR § 16.52, including the exceptions to the requirement to
provide a copy of P, shall otherwise apply and Business Associate shall comply therewith as if
Business Associate were the "covered entity," as such terra is defined in HE'AA. At Covered --
Entity's request, Business Associate shall provide Covered Entity with a copy of an in i idual's
PHI maintained in an Electronic Health Record in an electronic format and in a time and manner
designated by Covered Entity in order for Covered Entity to comply with 45 CFR § 164.524, as
amended by the HITECH Act.
C. Amendment of: PHI. Business Associate agrees to make any
amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to
pursuant to 45 CFR § 164.526 at the request of Covered Entity or an ludividual, and in the time
and manner designated by Covered Entity,
d. Accountine Ri6ts. This Section 5.d is subject to Section 5.e below.
Busffiess Associate shall make available to Covered Entity, in response to a request from an
individual, information required for an accounting of disclosures of PHI with res ct to the
individual, in accordance with 45 CFI. §164.528, incorporating exceptions to such accounting
designated under such. regulation. Such accounting is Ifini d to disclosures that were made in the
six 6 gears prior to the request and shall not include any disclosures that were made prior to the
compliance date of the HIPAA Regulations. Business Associate shall provide such information
as is necessary to provide an accounting within ten 10 days of Covered Entity's request. Such
accounting must he provided without cost to the individual or to Covered Entity if it is the first
accounting requested by an individual within any twelve i month period; however, a
reasonable, cost -based fee may he charged for subsequent accountings if Business Associate
informs the Covered Entity and the Covered Entity inform.s the individual in advance of'fe fee,
and the individual is afforded an opportunity to withdraw or modify the request. Such accounting
obligations shall survive termination of this Agreement and shall' continue as long as Business
Associate maintains PHI.
e. Accountine of ]disclosures of Electronic Health Records. The provisions
of this Section 5.e shall be e fe tive on the date specified in the HITECH Act. If Business
Associate is deemed to use or maintain an Electronic Health Record on behalf of Covered Entity,
then, m addition to complying with the requirements set forth in Section 5.d above,, Business
Associate shall maintain an accounting of any Disclosures made through such Electronic Health
Record for Treatment, Payment and Health Care operations, as applicable. Such accounting
shall comply with the requirements of the HITECH Act. Upon request by Covered Entity,
Business Associate shall provide such accounting to Covered Entity in the time and manner
specified by Covered Entity and in compliance with the HITECH Act. Alternatively, if Covered
Entity responds to an individu l's request for an accounting of Disclosures made through an
Electronic Health Record by providing the requesting incividal with a list -of all business
associates acting on behalf of Covered Entity, then Business Associate shall provide such
accounting directly to the requesting individual in the time and manner specified by the HITEC
Act.
Bement to Restrict Iisclosrure. If Covered Entity is required to comply
with a restriction on the Disclosure of P I pursuant to Section 13405 of the HITECH Act, then
Covered Entity shall, to the extent necessary to comply with such restriction, provide written
notice to 1 u mess .Associate of the name of the individual requesting the restriction and the pH
affected thereby. Business Associate shall, upon receipt of such notification, not Disclose the
identified PHI to any health plan for the purposes of carrying out Payment or Health Care
Operations, except as otherwise required by law. Covered Entity shall also notify Business
Associate of any other restriction to the Use or Disclosure of PHI that Covered Entity has agreed
to accordance with. 45 CFR § 164.522.
. Remuneration and Marketin
a. Limitations on Use of PHI for Marketina Purgoses. Business .Associate
shall not Use or Disclose PHI for the purpose of pal ing a communication about a product or
service that encourages recipients of the communication to purchase or use the product or
service, unless such com aurucation.: 1 complies with the requirements of subparagraph i , ii
or iii of paragraph I of the defmition of marketing contained in 45 CFR § 1 . 01; and 2
complies with the requirements of subparagraphs A, or C of Section. 1 a2 of the
HITECH Act, and implementing regulations or guidance that may be issued or amended From
time to time. Covered Entity agrees to assist Business .Associate in determining if the foregoing
requirerrments are met with respect to any such marketing communication.
. Go emmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance with the HIPAA Regulations and the
HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify
Covered Entity of all requests seared upon. Business Associate for information or documentation
by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of
any PHI that Business Associate provides to the Secretary concurrently with providing such PHI
to the Secretary.
. Minimum I ecessa To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use, Disclosure or request, respectively.
Effective on the date the Secretary issues guidance on what constitutes "minimum necessary)# for
poses of the HIPAA Regulations, Business Associate shall limit its Use, Disclosure or request
of PHI to only the � um necessary as set forth in such guidance.
. State Privacy Laws. Business Associate shall comply with state laws to extent
that. such state privacy laws are not preempted by HIpAA or the MTECH Act,
10. Tem nation.
a. Breach Business Associate. If Covered Entity Imo ors of a pattern of
activity or practice of Business .Associate that constitutes a material breach or violation of
Business Associate's obligations -under this Agreement, then Covered Entity shall promptly
notify Business Associate, with respect to such breach or violation, Covered Entity shall r take
reasonable steps to cure such breach or end such violation, if possible; or 1i if such steps are
either not possible or are unsuccessful, upon written notice to Business Associate, terminate its
relationship with Business Associate; or iii if such termination is not feasible, report the
Business Associate's breach or violation to the Secretary.
b. Breach by, Covered Entity. I Busin,less s ociate knows of a pattern, of
activity or practice of Covered Entity that constitutes a material breach or violation of,Co er-ed
Entity's -o ligations under this Agreement, -then Business dissociate shall promptlynotify
Covered Entity. with respect to such breach or violation, Business Associate shall i tape
reasonable steps to cure such breach or end such violation, if possible; or ii if such steps are
either not possible or are unsuccessful, upon written notice to Covered Entity, terminate its
relationship with Covered Entity; or iii if such termination is not feasible, report the Covered
Entity's. breach or violation to the Secretary.
C. Effect of Term nation. Upon termination of this Agreement for any
reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity,
that Business Associate or its agents or subcontractors still maintain in any form, and shall retain
no copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI
shall be returned in a mutually agreed upon format and timeframe. If Business Associate
reasonably determines that return, or destruction, is not feasible, Busivaess Associate shall continue
to extend the protections of this Agreement to such PHI, and limit further uses and disclosures of
such PHI to those purposes that make the return or destruction of such PHI not feasible. If
Business Associate is asked to destroy the PHI, Business Associate shall destroy II in
manner that renders the PHI unusable, unreadable or indeciaherale to unauthorized individuals
as specified in the HITECH Act.
11. Amendment: The parties acknowledge that state and federal lavers relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to talk such action
s is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI. Upon the request of Covered Entity, Business Associate agrees to
promptly enter into negotiation concerning the terns of an amendment to this Agreement
incorporating any such changes.
12. No Third PgM Beneficiaries, Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other- than Covered Entity,
Business ,associate and their respective successors or assigns, any rights, remedies, obligations,
or liabilities whatsoever,
13. Effect on Undff13jng-.Ajzreement. In the event of any conflict between this --
Agreement and the Underlying Agreement, the tens of this Agreement shall control. w
1 Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
15. ante retation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the A.A Regulations and the HITECH Act. The parties
agree that any ambiguity Mn this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
16. Goveming Law. This Agreement shall be construed in accordance with the laws
of the Mate of Florida.
17. Notices. All notices required or permitted under this Ageement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time, by written notice to the other. All such notices shall be deemed validly given
upon receipt of such notice by certified wail, postage prepaid, facsimile t=srnis ion, e-mail or
personal or courier delivery:
If to Covered Entity: Monroe Conn Board of CO= Commissioners
Monroe Coon Board of Governors
90 "a Street Ocean
Marathon, Fl..33050..
Attn: Camille I ubrof
[}y{�! ,/
I��}INMYYYr�YY�I I I I IIIII II u�WiiY,YY•Y•Y�I�I,I,I,I,I,I,ItirYiYYIY,YY�Y�I�1,1,1,1.n1,1,1,.�l�l,nl,l,l,I.r�on�WiYiYYYiYY
010
Telephone no. I. 2 I uY 6 I,I,I,I.I,I.I.I,I,I,I,�\rYryYyy�pplgq,l,..�
PliliPlilililPIIPOIYrirYYF
acsirnlle no: 0 -2 9-- 01
+rr 14l Yi4iii.��l��lyllh4�Y�YlY �I�lYi4ll��� ■IlT�IIIIi*INhYIYY•M1�
If to Business Associate: Advanced Data processing Inc,
I BA ADPI-Intermedix Corporation
1 N. Federal Highway, Suite 100
't. Lauderdale, F1 33308
Ain: ,doe McCloskey, Vice President, Compliance Officer
Telephone no: 954-308-8714
Facsimile no: 305-521-0785
IN W TNES S WF�' RE , the parties hereto have duly executed this as of the Effective
Date.
(SEAL) BOARD OF COUNTY COMMISSIONERS
OF
ATTEST.- DANNY L. KOLHAGE, CLERK MONROE COUNTY, FLORIDA
By:
ep t r Cler By. -
MN 0 E COUNTY ATTORNEY
A P,A 0 V FAD ASRA
9:YNTHIAr. HALL
ASSISTANT COUNTY ATTORNEY
Date. - � � a0to
Mayor
BOARD OF GOVERNORS OF
IRE AND AMBULANCE DISTRICT IV
F MONROE COUNTY, FLORA
y:
Mayor/Chairman
Advanced Data Processing, Inc.
(DBA-Int ed*x Co ratio
Si
o-14 W'r c -
Print lame and Title
Date: 12-
Approved by M NRE COUNTY on , 20111 Item