The URL can be used to link to this page

Item C21BOARD OF COUNTY COMMISSIONERS AGENDA ITEM SUMMARY Meeting Date: April 16, 2003- Division: Administrative Services Bulk Item: Yes X No Department: Group Insurance AGENDA ITEM WORDING: Approval of Business Associate Addendum with Mental Health Care Center of the Lower Keys, Inc., DB/A Care Center for Mental Health Agreement covers security of Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacv Rule effective April 13, 2003 ITEM BACKGROUND: The Health Insurance Portability and Accountabilitv Act of 1996 (HIPAA) Privacy Rule effective April 13, 2003 requires the entering of Business Associates Agreements with providers of health care services to regulate the use and disclosure of Protected Health Information (PHI). PREVIOUS RELAVENT BOCC ACTION: N/A CONTRACT/AGREEMENT CHANGES: New provisions covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). STAFF RECOMMENDATIONS: Approval TOTAL COST: None COST TO COUNTY: None BUDGETED: Yes No REVENUE PRODUCING: Yes _ No _ AMOUNT PER MONTH Year APPROVED BY: County Atty OMB/Purchasing � Risk Management (&&I DIVISION DIRECTOR APPROVAL: Sheila A. Barker DOCUMENTATION: Included To Follow Not Required DISPOSITION: AGENDA ITEM Revised 2/27/01 BUSINESS ASSOCIATE ADDENDUM THIS AGREEMENT, made and entered into this 16th day of April, 2003, by and between Monroe County Board of County Commissioners (hereinafter called "Covered Entity") and MENTAL HEALTH CARE CENTER OF THE LOWER KEYS, INC. D/B/A Care Center for Mental Health (hereinafter called "Business Associate"), is hereinafter set forth: 1. Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR §§ 160.103 and 164.501, as the same may be amended from time to time. (a) Business Associate. "Business Associate" shall mean Mental Health Care Center of the Lower Keys, Inc. D/B/A Care Center for Mental Health. (b) Covered Entity. "Covered Entity" shall mean Monroe County Board of " County Commissioners. (c) Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR§ 164.502(g). (d) Privacy Rules. "Privacy Rules" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. (e) Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity. (f) Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501. (g) Secretarv. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee. (h) Designated Record Set. "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 CFR 164.501. II. Obligations and Activities of Business Associate (a) Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement. (d) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. (e) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. (f) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.52 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. (g) Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. (h) Business Associate agrees to document such disclosures of Protected Health Information and information.related to such disclosures as would be required for Covered Entity to respond to request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. (i) Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. III. Permitted Uses and Disclosures by Business Associate 2 (a) Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Employee Assistance Program Agreement by and between Monroe County Board of County Commissioners and Business Associate, provided that such use of disclosure would not violate the Privacy Rules if done by Covered Entity. (b) Covered Entity shall notify Business Associate in writing of any restriction to the use of disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522. (c) Disclose PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any of its present or future legal responsibilities provided that (i) the disclosures are required by law, as provided for in 45 C.F.R. 164.501, or (ii) Business Associate has received from the third party written assurances that the PHI will be held confidentially, that the PHI will only be used or further disclosed as required by law or for the purpose for which it was disclosed to the third party, and that the third party will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, as required under 45 C.F.R. 164.504 (e)(4). IV. Obligation of Covered Entity No later than the effective date of this Agreement, Covered Entity will provide Business Associate with a copy of the Plan Sponsor's certification that the health plan meets and will abide by all HIPAA requirements. With respect to the use and/or disclosure of PHI by Business Associate, the Covered Entity hereby agrees: (a) to use appropriate safeguards to maintain and ensure the confidentiality, privacy, and security of PHI transmitted to Business Associate pursuant to the Agreement, in accordance with the standards and requirements of HIPAA and the HIPAA Regulations, until such PHI is received by Business Associate. (b) to inform Business Associate of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals pursuant to 45 C.F.R. 164.506 or 164.508. (c) to notify Business Associate, in writing and in a timely manner, or any arrangements permitted or required of the Covered Entity under 45 C.F.R. Parts 160 and 164 that may impact in any manner the use and/or disclosure of PHI by the Business Associate under the agreement, including, but not limited to, restrictions on the use and/or disclosure of PHI as provided for in 45 C.F.R. 164.522 agreed to by the Covered Entity. (d) that Business Associate may make any use and/or disclosure of PHI permitted under 45 C.F.R. 164.512. 3 V. Term and Termination (a) Term. The Term of this Agreement shall be effective as of April 16, 2003, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide a reasonable opportunity for Business Associate to cure the breach or end the violation. If such breach is not cured to the satisfaction of the Covered Entity and in a manner consistent with the requirements of HIPAA, this Agreement shall be terminated. (c) Effect of Termination. (1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information. (2) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. VI. Miscellaneous (a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required. (b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191. (c) Survival. The respective rights and obligations of Business Associate under Section V. © of this Agreement shall survive the termination of this Agreement. 0 (d) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule. IN WITNESS WHEREOF, this contract has been executive by the respective parties on the date and year first written above. COVERED ENTITY BUSINESS ASSOCIATE: By Plan Administrator Mental Health Care Center of the Lower Keys, Inc. By: By: Print Name: Print Name: Print Title: Print Title: APPROVED AS TOAFAND I AL SUFFMBYIV ANN A 5