Item B21 BOARD OF COUNTY COMMISSIONERS
AGENDA ITEM SUMMARY
Meeting Date: August 21, 2013 Division: Emergency Services
Bulk Item: Yes X No Department: Fire Rescue
Staff Contact Person: Deputy Chief Gary Boswell 289-6011
AGENDA ITEM WORDING: Approval of Business Associate Agreements between the Board of County
Commissioners of Monroe County and 1) Big Coppitt Volunteer Fire Dept. Inc. 2) Sugarloaf Key Volunteer
Fire Dept. Inc. 3) Big Pine Key Volunteer Fire Dept. Inc. 4) Layton Volunteer Fire Dept. Inc. and 5) Tavernier
Volunteer Fire Dept. Inc. outlining national privacy standards with respect to use, disclosure, exchange, and
security of protected health information, and the role of each agency with regard to compliance; and
authorization for Fire Chief J. Callahan to execute the Business Associate Agreements,
ITEM BACKGROUND: The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
mandates national privacy standards for the creation, use, disclosure, and retention of patient identifiable health
information. These standards require health care providers and organizations, and their business associates, to
develop and follow procedures to ensure the protection and confidential handling of protected health
information, and to ensure that only the minimum health information necessary to conduct business is to be
used or shared. The Health Information Technology for Economic and Clinical Health Act(HITECH) later
expanded and strengthened federal enforcement of HIPAA and other privacy laws by increasing penalties for
violations and providing greater resources for enforcement and oversight. As a provider of emergency medical
services, Monroe County Fire Rescue (MCFR) is mandated by HIPAA and HITECH to comply with those
standards. The volunteer fire department corporations are also required to comply with these standards because
their members regularly exchange protected patient information with County firefighters or have access to the
PHI (Protected Health Information). MCFR is required by HIPAA and HITECH to enter into a Business
Associate Agreement with any person or organization that provides services on our behalf when those services
involve the disclosure or exchange of PHI. Responding volunteer fire department members regularly exchange
protected patient information with County firefighters, and by doing so, act as agents of their individual
volunteer fire departments. These exchanges necessitate a business associate agreement between Monroe
County and the volunteer corporations.
PREVIOUS RELEVANT BOCC ACTION: NA
CONTRACT/AGREEMENT CHANGES: N/A
STAFF RECOMMENDATIONS: Approval
TOTAL COST: NA BUDGETED: Yes NA No
COST TO COUNTY: NA SOURCE OF FUNDS:
REVENUE PRODUCING: Yes _ No_LX AMOUNT PER MONTH Year
'IT
APPROVED BY: County Atty 6�'/" 0�bPur&ing Risk Management
DOCUMENTATION: Included X Not Required
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Big Coppitt Volunteer Fire
Department,Inc.("Business Associate"),effective as of__-- 2013 (the"Effective Date").
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity;and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA"), and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
.PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
C. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty-eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this,the Business Associate will take the following steps:
i. Within thirty (30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate, each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter,on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
deliver the Completion Certificates to Monroe County Fire Rescue within one(1)
week of the individual's attendance at the training session.
V. Any volunteer or employee who has failed to complete the HIPAA
training or re-training class(a)upon joining the department,(b)within 30 days of
execution of the Agreement, and/or(c)by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees(recruits or existing) if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528; and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
3. Permitted Uses and Disclosures by Business Associates.
2
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures, including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue,particularly SOPs 700.13
and 700.14, as they may be amended from time to time.
C. Business Associate may not use or disclose PHI in a manner would violate
Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Retorting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate, Business
Associate's written notice shall include the information required by 45 CFR §164.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement").
6. Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use,Disclosure or request,respectively.
3
8. State Privacy Laws. Business Associate shall comply with state laws to extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has
violated a material term of this Agreement and the Business Associate has not taken steps to cure
the breach within the time frame listed by the Covered Entity. However, the duty to provide
governmental access to records outlined in paragraph (6), above, shall survive the termination of
this Agreement.
C. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
11. Effect on Underlying Agreement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA,the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authori . The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
16. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time, by written notice to the other. All such notices shall be deemed validly given
4
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K.Callahan,Fire Chief
Monroe County Fire Rescue
490 63`' Street
Marathon, FL 33050
Telephone no: (305)289-6088
Facsimile no: (305) 289-6007
I f to Business Associate: [add volunteer fire department contact info]
(&AIA C 0 on+O9-lxR , aeS1SGhN1
Av LMECArLO De.
My W&sr Ft- 3%0q0
[The balance of this page intentionally left blank.]
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
Date.
[COVERED ENTITY] [BUS SS ASSOCIATE]
By: _ By:
Name: Nam :
Title: Title: Qo_ Ica e+ry
Date: Date: f,, A._,c�,zkx j i
[SEAL]
ATTEST: AMY L.HEAVILIN,CLERK
By:
Deputy Clerk
MO ROE COUNTY ATTORNEY
PR VED�S T�FM-
CYNTHIA L. HALL
ASSI TANT COUNTY ATTORNEY
Date a—
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Sugarloaf Key Volunteer Fire
Department, Inc.("Business Associate"),effective as of ,2013 (the"Effective Date').
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity;and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA"), and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
C. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty-eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this,the Business Associate will take the following steps:
i. Within thirty (30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate,each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter,on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
deliver the Completion Certificates to Monroe County Fire Rescue within one(1)
week of the individual's attendance at the training session.
V. Any volunteer or employee who has failed to complete the HIPAA
training or re-training class(a)upon joining the department,(b)within 30 days of
execution of the Agreement,and/or(c) by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees(recruits or existing) if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528; and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
3. Permitted Uses and Disclosures by Business Associates.
2
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures, including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue, particularly SOPS 700.13
and 700.14,as they may be amended from time to time.
C. Business Associate may not use or disclose PHI in a manner would violate
Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Reporting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate, Business
Associate's written notice shall include the information required by 45 CFR §164.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement").
6. Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use,Disclosure or request,respectively.
3
8. State Privapy Laws. Business Associate shall comply with state laws to extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has
violated a material term of this Agreement and the Business Associate has not taken steps to cure
the breach within the time frame listed by the Covered Entity. However, the duty to provide
governmental access to records outlined in paragraph (6), above, shall survive the termination of
this Agreement.
C. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
H. Effect on Underlying Agreement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA,the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authority. The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
16. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time,by written notice to the other. All such notices shall be deemed validly given
4
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K. Callahan,Fire Chief
Monroe County Fire Rescue
490 63`d Street
Marathon,FL 33050
Telephone no: (305)289-6088
Facsimile no: (305)289-6007
If to Business Associate: [add volunteer fire department contact info]
NOMILUM 1`EET 101.FIRE DEM M11-
AF KEY,fl.33042
[The balance of this page intentionally left blank.]
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
Date.
[COVERED ENTITY] [BUSINEISS ASSOFIATE] }
By: By;. n
�
Name: Name: 1,tev%� G t-ar �
Title: Title: P r es►' e�f
Date: Date: $ _I --.
[SEAL] . �._
ATTEST: AMY L.HEAVILIN, CLERK
By:
Deputy Clerk MONR E COUNTY ATTORNEY
AP 0VE AS T F M'
C NTIA L. ALL
ASSISTANTi-CH0UNTY ATTORNEY
�_0 I3
5
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Big Pine Key Volunteer Fire
Department,Inc.("Business Associate"),effective as of ,2013 (the"Effective Date").
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity;and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA"), and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
C. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this,the Business Associate will take the following steps:
i. Within thirty(30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate,each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter,on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
deliver the Completion Certificates to Monroe County Fire Rescue within one(1)
week of the individual's attendance at the training session.
V. Any volunteer or employee who has failed to complete the HIPAA
training or re-training class(a)upon joining the department,(b)within 30 days of
execution of the Agreement,and/or(c)by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees(recruits or existing) if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528;and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
3. Permitted Uses and Disclosures_by Business Associates.
2
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures, including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue,particularly SOPs 700.13
and 700.14,as they may be amended from time to time.
C. Business Associate may not use or disclose PHI in a manner would violate
Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Reporting;
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight(48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate, Business
Associate's written notice shall include the information required by 45 CFR §164.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement").
6. Governmental Access to Records. Business Associate shall make its internal
practices,books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use,Disclosure or request,respectively.
.3
8. State Privacy Laws. Business Associate shall comply with state laws to extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has
violated a material term of this Agreement and the Business Associate has not taken steps to cure
the breach within the time frame listed by the Covered Entity. However, the duty to provide
governmental access to records outlined in paragraph (6), above, shall survive the termination of
this Agreement.
C. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
11. Effect on Underlying_Agreement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. Interpretation, This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authority. The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
16. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time, by written notice to the other. All such notices shall be deemed validly given
4
upon receipt of such notice by certified mail,postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K.Callahan,Fire Chief
Monroe County Fire Rescue
490 63'Street
Marathon,FL 33050
Telephone no: (305)289-6088
Facsimile no: (305)289-6007
If to Business Associate: [add volunteer fire department contact info]
L 33o%A S -
[The balance of this page intentionally left blank.]
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
Date.
[COVERED ENTITY] T
S - A
By: y:. a.
Name: - �a Na e: Vww jT k.,id
Title:_ Title:J 2r, o�]- �P rc�.
Date: Date;�'.a�,. ' - a.o t1
[SEAL] -1- z 3- S%
ATTEST: AMY L.HEAVILIN, CLERK
Deputy Clerk
MONROE COUNTY ATTORNEY
A ROV UAS TO O
YNTHIA ALL
ASSIS ANT COUNTY ATTORNEY
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Layton Volunteer Fire
Department, Inc.("Business Associate"),effective as of , 2013 (the"Effective Date").
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity;and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA"), and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
C. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty-eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this, the Business Associate will take the following steps:
i. Within thirty (30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate,each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter, on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
deliver the Completion Certificates to Monroe County Fire Rescue within one(1)
week of the individual's attendance at the training session.
V. Any volunteer or employee who has failed to complete the HIPAA
training or re-training class(a)upon joining the department,(b)within 30 days of
execution of the Agreement,and/or(c)by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees (recruits or existing) if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528;and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
3. Permitted Uses and Disclosures by Business Associates.
2
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures, including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue,particularly SOPs 700.13
and 700.14, as they may be amended from time to time.
C. Business Associate may not use or disclose PHI in a manner would violate
Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Reporting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate, Business
Associate's written notice shall include the information required by 45 CFR §164.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement").
6. Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use, Disclosure or request,respectively.
8. State Privacy Laws. Business Associate shall comply with state laws to extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has
violated a material term of this Agreement and the Business Associate has not taken steps to cure
the breach within the time frame listed by the Covered Entity. However, the duty to provide
governmental access to records outlined in paragraph (6), above,shall survive the termination of
this Agreement.
C. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
11. Effect on Underlying Agreement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. InterRretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authori . The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
16. Notices. All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time, by written notice to the other. All such notices shall be deemed validly given
4
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K. Callahan, Fire Chief
Monroe County Fire Rescue
490 63`d Street
Marathon, FL 33050
Telephone no: (305)289-6088
Facsimile no: (305)289-6007
If to Business Associate: [add volunteer fire department contact info]
&, vo l 11z-e b .
[The balance of this page intentionally left blank.]
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
Date.
[COVERED ENTITY] [BUSINESS ASSOCIATE
By: _. �.. _. _._ -
By:
Name: Na
Title: - Title: /l�tz�tr^✓ —
Date: _ Date: ;z/2-3�/3
[SEAL]
ATTEST: AMY L.HEAVILIN,CLERK
3y: .. --
Dcputy Clerk
MON OE COUNTY ATTORNEY
A ROV D SAS O R
YNTHIA L. ALL
ASSISTANT COUNTY ATTORNEY
Date.__ _ — 3
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement') is entered into between the Monroe
County Board of County Commissioners ("Covered Entity") and Tavernier Volunteer Fire
Department, Inc. ("Business Associate" or "TVFD"), effective as of 52013
(the "Effective Date'). The sole purpose of this Agreement is to clarify the roles and
responsibilities of TVFD and the members of TVFD with respect to HIPAA and HITECH.
WHEREAS, Covered Entity and Business Associate are parties to an agreement (the
"Underlying Agreement"), pursuant to which Business Associate uses Protected Health
Information ("PHI") that is confidential under state and/or federal law to perform some service
or function on behalf of the Covered Entity;and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate,in compliance
with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
("HIPAA'j, and the regulations promulgated there under, including, without limitation, the
regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health
Information Technology for Economic and Clinical Health Act, as incorporated in the American
Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued
by the Secretary of the Department of Health and Human Services (the "Secretary") (the
"HITECH Act"), and other applicable state and federal laws, all as amended from time to time;
and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement
with Business Associate meeting certain requirements with respect to the Use and Disclosure of
PHI,which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed
to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined
herein.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the
Agreement or by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part
164 with respect to electronic protected health information,to prevent use and disclosure of PHI;
C. Report to Covered Entity any use or disclosure of PHI of which it
becomes aware, including but not limited to breaches of unsecured PHI as required by 45 CFR
164.410, and any security incident of which it becomes aware. Such reports shall be made
within forty-eight(48)hours' of the Business Associate's discovery of the breach;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), the
Business Associate shall take all necessary steps in order to ensure that any subcontractors that
create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same
restrictions, conditions, and requirements that apply to the Business Associate with respect to
such information. As part of this,the Business Associate will take the following steps:
i. Within thirty(30)days of execution of this Agreement(the
"Anniversary Date"),the Business Associate will put on training sessions for each
of its employees and volunteers. The training sessions will be developed by and
given to Business Associate by the Covered Entity;
ii. As new volunteers and/or employees are hired by the Business
Associate,each new volunteer or employee will be required to attend the same
training session prior to being allowed to volunteer with or work for the Business
Associate;
iii. Annually thereafter,on the Anniversary Date,the Business
Associate will ensure that all volunteers and/or employees re-attend a mandatory
training session;
iv. The Business Associate will collect a written document signed and
dated by each volunteer and employee,attesting to the fact that the individual has
viewed the training sessions("Completion Certificate"). Business Associate will
deliver the Completion Certificates to Monroe County Fire Rescue within one(1)
week of the individual's attendance at the training session.
V. Any volunteer or employee who has failed to complete the fHPAA
training or re-training class(a)upon joining the department,(b)within 30 days of
execution of the Agreement,and/or(c)by the Anniversary Date will not be
allowed to run calls or participate in any other activities of the Business
Associates. Proof of completion will solely be determined by delivery of the
Completion Certificate to Monroe County Fire Rescue;
vi. No reimbursements will be paid to any volunteers and/or
employees(recruits or existing)if their HIPAA certification is out of date;
e. Take other measures as necessary in order to satisfy the Covered Entity's
obligations under 45 CFR 164.526;
f. Maintain and make available the information required to provide an
accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's
obligations under 45 CFR 164.528;and
g. Make its internal practices,books and records available to the Secretary
for purposes of determining compliance with the HIPAA Regulations.
2
3. Permitted Uses and Disclosures by Business Associates.
a. Business Associate may only use or disclose PHI as necessary to perform
the services set forth in the Underlying Agreement or by law.
b. Any such use or disclosure must be consistent and in accordance with the
Covered Entity's minimum necessary policies and procedures,including but not limited to
Standard Operating Procedures issued by Monroe County Fire Rescue,particularly SOPS 700.13
and 700.14 as they may be amended from time to time and properly noticed to the President of
TVFD in accordance with paragraph 16 below.
C. Business Associate may not use or disclose PHI in a manner that would
violate Subpart E of 45 CFR part 164 if done by the Covered Entity.
4. Reporting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or
Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law
within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized
Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate
shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered
Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or
Disclosure required by applicable federal and state laws and regulations.
b. To the extent the information is available to Business Associate,Business
Associate's written notice shall include the information required by 45 CFR§164.410. Business
Associate shall promptly supplement the written report with additional information regarding the
Breach as it obtains such information. Business Associate shall cooperate with Covered Entity
in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach.
5. Business Associate's Agents. To the extent that Business Associate uses one or
more subcontractors or agents to provide services under the Underlying Agreement, and such
subcontractors or agents receive or have access to PHI, Business Associate shall sign an
agreement with such subcontractors or agents containing substantially the same provisions as this
Agreement(the"Subcontractors Agreement').
6. Governmental Access to Records. Business Associate shall make its internal
practices,books and records relating to the Use and Disclosure of PHI available to the Secretary
for purposes of determining Covered Entity's compliance and Business Associate's compliance
with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law,
Business Associate agrees to notify Covered Entity of all requests served upon Business
Associate for information or documentation by or on behalf of the Secretary. Business Associate
shall provide to Covered Entity a copy of any PHI that Business Associate provides to the
Secretary concurrently with providing such PHI to the Secretary.
3
7. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use,Disclosure or request of PHI to the Limited Data Set or, if needed,
to the minimum necessary to accomplish the intended Use,Disclosure or request,respectively.
8. State Privacy Laws. Business Associate shall comply with state laws to the extent
that such state privacy laws are not preempted by HIPAA or the HITECH Act.
9. Term and Termination.
a. Term. This Agreement shall be effective as of the date listed above and
shall continue until the agreement is terminated for cause by the Covered Entity.
b. Termination for Cause. Business Associate authorizes termination of this
Agreement by the Covered Entity, if the Covered Entity determines that the Business Associate
has violated a material term of this Agreement and the Business Associate has not taken steps to
cure the breach within the time frame listed by the Covered Entity. However,the duty to provide
governmental access to records outlined in paragraph(6), above, shall survive the termination of
this Agreement.
C. Obligations of Business Associate After Termination. Upon termination
of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as
requested by Covered Entity, that Business Associate or its agents or subcontractors still
maintain in any form, and shall retain no copies of such PHI. The obligations of this section
shall survive termination of the Agreement.
10. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required
to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement any new or modified standards or requirements of HIPAA, the
HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or
confidentially of PHI.
11. Effect on UnderlyingAgeement. In the event of any conflict between this
Agreement and the Underlying Agreement,the terms of this Agreement shall control.
12. Survival. The provisions of this Agreement shall survive the termination or
expiration of the Underlying Agreement.
13. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA,the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies
and is consistent with such laws.
14. Governing Law. This Agreement shall be construed in accordance with the laws
of the State of Florida.
15. Authori . The person signing on behalf of the Business Associate is lawfully
authorized by his or her Board of Directors to sign on behalf of the corporation.
4
16. Notices All notices required or permitted under this Agreement shall be in
writing and sent to the other party as directed below or as otherwise directed by either party,
from time to time,by written notice to the other. All such notices shall be deemed validly given
upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or
personal or courier delivery:
If to Covered Entity: James K. Callahan,Fire Chief
Monroe County Fire Rescue
490 63'd Street
Marathon,FL 33040
Telephone no: (305)289-6088
Facsimile no: (305)289-6007
If to Business Associate: [add volunteer fire department contact info]
�• � - i Lzr h
_ I G2&Ae en
-
Date. r rL ,p C7
IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective
[COVERED ENTITY] [BUSINESS AS OC TE]
By: By.
Name: Nam
Title:
Title: � C=
Date: Date
[SEAL]
ATTEST: AMY HEAVILIN,CLERK
By:
Deputy Clerk
MO OE COUNTY ATTORNEY
'=Aj TO FO
J)CYNTHIA L. HALL
ASSISTANT COUNTY ATTORNEY
Date - 7'- X 913
5