Loading...
08/21/2013 Agreement i• ` ¢ R - AMY HEAVILIN, CPA CLERK OF CIRCUIT COURT & COMPTROLLER -nrt. " MONROE COUNTY,FLORIDA =? .M K.,. DATE: September 20. 2013 TO: Chief James Callahan ATTN: Holly Pftester //� FROM: Vitia Fernandez, D.C. V At the August 21, 2013, Board of County Commissioner's meeting the Board granted approval and authorized execution of Item B21 Business Associate Agreements between the Board of County Commissioners of Monroe County and 1) Big Coppitt Volunteer Fire Dept. Inc. 2) Sugarloaf Key Volunteer Fire Dept. Inc. 3) Big Pine Key Volunteer Fire Dept. Inc. 4) Layton Volunteer Fire Dept. Inc. and 5) Tavernier Volunteer Fire Dept. Inc. outlining national privacy standards with respect to use, disclosure, exchange, and security of protected health information, and the role of each agency with regard to compliance; and authorization for Fire Chief J. Callahan to execute the Business Associate Agreements. Attached is the electronic copy of the above-mentioned for your handling. Should you have any questions,please feel free to contact our office. cc: County Attorney (electronic copy) Finance (electronic copy) File .w�....................»,,.. 500 Whitehead Street Suite 101,PO Box 1980,Key West,FL 33040 Phone:305-295-3130 Fax 305-295-3663 3117 Overseas Highway,Marathon,FL 33050 Phone:305-289-6027 Fax 305-289-6025 88820 Overseas Highway,Plantation Key,FL 33070 Phone:852-7145 Fax 305-852-7146 BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is entered into between the Monroe County Board of County Commissioners ("Covered aFn�tity") and Layton Volunteer Fire Department, Inc.("Business Associate"),effective as of diy,p [.., 2013 (the"Effective Date"). WHEREAS, Covered Entity and Business Associate are parties to an agreement (the "Underlying Agreement"), pursuant to which Business Associate uses Protected Health Information ("PHI") that is confidential under state and/or federal law to perform some service or function on behalf of the Covered Entity;and WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed by Covered Entity to Business Associate, in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), and the regulations promulgated there under, including, without limitation, the regulations codified at 45 CFR Parts 160 and 164 ("HIPAA Regulations"); and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of the Department of Health and Human Services (the "Secretary") (the "HITECH Act"), and other applicable state and federal laws, all as amended from time to time; and WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement with Business Associate meeting certain requirements with respect to the Use and Disclosure of PHI,which are met by this Agreement. NOW, THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement,the parties agree as follows: I. Definitions. Capitalized terms used herein without definition shall have the meanings ascribed to them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined herein. 2. Obligations and Activities of Business Associate. Business Associate agrees to: a. Not use or disclose PHI other than as permitted or required by the Agreement or by law; b. Use appropriate safeguards, and comply with Subpart C of 45 CFR part 164 with respect to electronic protected health information,to prevent use and disclosure of PHI; c. Report to Covered Entity any use or disclosure of PHI of which it becomes aware, including but not limited to breaches of unsecured PHI as required by 45 VFR 164.410, and any security incident of which it becomes aware. Such reports shall be made within forty-eight(48)hours' of the Business Associate's discovery of the breach; d. In accordance with 45 CFR 164.502(e)(I)(ii) and 164.308(6)2), the Business Associate shall take all necessary steps in order to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. As part of this,the Business Associate will take the following steps: Within thirty(30)days of execution of this Agreement(the "Anniversary Date"),the Business Associate will put on training sessions for each of its employees and volunteers. The training sessions will be developed by and given to Business Associate by the Covered Entity; ii. As new volunteers and/or employees are hired by the Business Associate, each new volunteer or employee will be required to attend the same training session prior to being allowed to volunteer with or work for the Business Associate; iii. Annually thereafter,on the Anniversary Date,the Business Associate will ensure that all volunteers and/or employees re-attend a mandatory training session; iv. The Business Associate will collect a written document signed and dated by each volunteer and employee, attesting to the fact that the individual has viewed the training sessions("Completion Certificate"). Business Associate will deliver the Completion Certificates to Monroe County Fire Rescue within one(I) week of the individual's attendance at the training session. v. Any volunteer or employee who has failed to complete the HIPAA training or re-training class(a)upon joining the department, (b)within 30 days of execution of the Agreement,and/or(c)by the Anniversary Date will not be allowed to run calls or participate in any other activities of the Business Associates. Proof of completion will solely be determined by delivery of the Completion Certificate to Monroe County Fire Rescue; vi. No reimbursements will be paid to any volunteers and/or employees (recruits or existing) if their HIPAA certification is out of date; e. Take other measures as necessary in order to satisfy the Covered Entity's obligations under 45 CFR 164,526; f. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.528;and g. Make its internal practices, books and records available to the Secretary for purposes of determining compliance with the HIPAA Regulations. 3. Permitted Uses and Disclosures by Business Associates. 2 a. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement or by law. b. Any such use or disclosure must be consistent and in accordance with the Covered Entity's minimum necessary policies and procedures, including but not limited to Standard Operating Procedures issued by Monroe County Fire Rescue, particularly SOPs 700.13 and 700.14, as they may be amended from time to time. c. Business Associate may not use or disclose PHI in a manner would violate Subpart E of 45 CFR part 164 if done by the Covered Entity. 4. Reporting. a. Security Incidents and/or Unauthorized Use or Disclosure. Business Associate shall report to Covered Entity a Security Incident, a Breach, or any Use and/or Disclosure of PHI other than as provided for by this Agreement or permitted by applicable law within forty-eight (48) hours of becoming aware of such Security Incident and/or unauthorized Use or Disclosure in accordance with the notice provisions set forth herein. Business Associate shall take (i) prompt action to cure any such deficiencies as reasonably requested by Covered Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use or Disclosure required by applicable federal and state laws and regulations. b. To the extent the information is available to Business Associate, Business Associate's written notice shall include the information required by 45 CFR §164.410. Business Associate shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Business Associate shall cooperate with Covered Entity in meeting the Covered Entity's obligations under the HITECH Act with respect to such Breach. 5. Business Associate's Agents. To the extent that Business Associate uses one or more subcontractors or agents to provide services under the Underlying Agreement, and such subcontractors or agents receive or have access to PHI, Business Associate shall sign an agreement with such subcontractors or agents containing substantially the same provisions as this Agreement(the"Subcontractors Agreement"). 6. Governmental Access to Records. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance and Business Associate's compliance with the HIPAA Regulations and the HITECH Act. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary. Business Associate shall provide to Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary. 7. Minimum Necessary. To the extent required by the HITECH Act, Business Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed, to the minimum necessary to accomplish the intended Use, Disclosure or request,respectively. 3 8. State Privacy Laws. Business Associate shall comply with state laws to extent that such state privacy laws are not preempted by HIPAA or the HITECH Act. 9. Term and Termination. a. Term. This Agreement shall be effective as of the date listed above and shall continue until the agreement is terminated for cause by the Covered Entity. b. Termination for Cause. Business Associate authorizes termination of this Agreement by the Covered Entity, of Covered Entity determines that the Business Associate has violated a material term of this Agreement and the Business Associate has not taken steps to cure the breach within the time frame listed by the Covered Entity. However, the duty to provide governmental access to records outlined in paragraph (6), above, shall survive the termination of this Agreement. c. Obligations of Business Associate After Termination. Upon termination of this Agreement for any reason, Business Associate shall either return or destroy all PHI, as requested by Covered Entity, that Business Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of such PHI. The obligations of this section shall survive termination of the Agreement. 10. Amendment. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement any new or modified standards or requirements of HIPAA, the HIPAA Regulations, the HITECH Act and other applicable laws relating to the security or confidentially of PHI. I I. Effect on Underlying Agreement. In the event of any conflict between this Agreement and the Underlying Agreement,the terms of this Agreement shall control. 12. Survival. The provisions of this Agreement shall survive the termination or expiration of the Underlying Agreement. 13. Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with such laws. 14. Governing Law. This Agreement shall be construed in accordance with the laws of the State of Florida. 15. Authority. The person signing on behalf of the Business Associate is lawfully authorized by his or her Board of Directors to sign on behalf of the corporation. 16. Notices. All notices required or permitted under this Agreement shall be in writing and sent to the other party as directed below or as otherwise directed by either party, from time to time, by written notice to the other. All such notices shall be deemed validly given 4 upon receipt of such notice by certified mail, postage prepaid, facsimile transmission, e-mail or personal or courier delivery: If to Covered Entity: James K. Callahan, Fire Chief Monroe County Fire Rescue 490 63rtl Street Marathon, FL 33050 Telephone no: (305)289-6088 Facsimile no: (305)289-6007 If to Business Associate: [add volunteer fire department contact info] 44- Tro.U/L(Jo/ 4pte �f iefin 3of CC '*t jes--L66y,31-G [The balance of this page intentionally left blank.] IN WITNESS WHEREOF,the parties hereto have duly executed this as of the Effective Date. [COVE'�'l ENTITY, �- 1sorb. (BUSINESS ASSOCIATE' 'P� �r2e �� ffiiA LC VT ?ia� Title: J22a.-a tw/j Date: 7Lj!r, n AM,�' L.HEAVILIN, LERK e y: G a Deputy Clerk K cm MO9UNTYATTORWEV w ADASDHIA L. MALL u_ ASSOUNTY ATTORNEY o w _;cam, Date . "3-- 9-0 Ls)! OD _,- , c ti r N 5