HIPAA BUSINESS ASSOCIATE AGREEMENT
This Agreement ("Agreement") is entered into by and between Wittman Enterprises,
LLC ("Business Associate") and the City of Arcadia, a municipal corporation and charter city in
the State of California ("Covered Entity").
RECITALS
WHEREAS, Business Associate performs functions, activities, or services for, or on
behalf of Covered Entity, and Business Associate receives, has access to or creates Health
Information in order to perform such functions, activities or services;
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements
of the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated
thereunder ("HIPAA"), including but not limited to, the Standards for Privacy of Individually
Identifiable Health Information, 45 Code of Federal Regulations Parts 160 and 164; and
WHEREAS, HIPAA requires Covered Entity to enter into a contract with Business
Associate to provide for the protection of the privacy and security of Health Information, and
HIPAA prohibits the disclosure to or use of Health Information by Business Associate if such a
contract is not in place.
AGREEMENT
NOW, THEREFORE, in consideration of the foregoing, and for other good and
valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties
agree as follows:
ARTICLE I
DEFINITIONS
1.1 "Disclose" and "Disclosure" mean, with respect to Health Information, the
release, transfer, provision of access to, or divulging in any other manner of Health Information
outside Business Associate's internal operations or to other than its employees.
1.2 "Health Information" means information that (a) relates to the past, present or
future physical or mental health or condition of an individual; the provision of health care to an
individual, or the past, present or future payment for the provision of health care to an individual;
(b) identifies the individual (or for which there is a reasonable basis for believing that the
information can be used to identify the individual); and (c) is received by Business Associate
from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible
to Business Associate by Covered Entity.
1.3 "Privacy Regulations" means the Standards for Privacy of Covered Individually
Identifiable Health Information, 45 Code of Federal Regulations Parts 160 and 164, promulgated
under HIPAA.
1.4 "Services" means the services provided by Business Associate pursuant to the
Underlying Agreement(s), or if no such agreement(s) are in effect, the services Business
Associate performs with respect to the Covered Entity.
1.5 "Underlying Agreement" means the services agreement executed by the Covered
Entity and Business Associate, if any.
1.6 "Use" or "Uses" mean, with respect to Health Information, the sharing,
employment, application, utilization, examination or analysis of such Health Information within
Business Associate's internal operations.
ARTICLE II
OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Initial Effective Date of Performance. The obligations created under this
Agreement shall become effective on April 14, 2003.
2.2 Permitted Uses and Disclosures of Health Information. Business Associate is
authorized to and shall:
a. Use and Disclose Health Information as necessary to perform Services for,
or on behalf of Covered Entity;
b. Use Health Information to create aggregated or de-identified information
(in accordance with the requirements of the Privacy Regulations);
c. Use or Disclose Health Information (including aggregated or de-identified
information) as otherwise directed by Covered Entity provided that Covered Entity shall not
request Business Associate to Use or Disclose Health Information in a manner that would not be
permissible if done by Covered Entity.
Business Associate shall not Use Health Information for any other purpose, except that if
necessary, Business Associate may Use Health Information for the proper management and
administration of Business Associate or to carry out its legal responsibilities; provided that any
Use or Disclosure described herein will not violate the Privacy Regulations or California law if
done by Covered Entity. Except as otherwise limited in this Agreement, Business Associate may
Disclose Health Information for the proper management and administration of the Business
Associate, provided that with respect to any such Disclosure either (a) the Disclosure is required
by law (within the meaning of the Privacy Regulations) or (b) the Disclosure would not
otherwise violate California law and Business Associate obtains reasonable written assurances
from the person to whom the information is to be Disclosed that such person will hold the
information in confidence and will not Use or further Disclose such information except as
required by law or for the purpose(s) for which it was Disclosed by Business Associate to such
person, and that such person will notify Business Associate of any instances of which it is aware
in which the confidentiality of the information has been breached.
2.3 Adequate Safeguards for Health Information. Business Associate warrants that it
shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of Health
Information in any manner other than as permitted by this Agreement.
2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any
harmful effect that is known to Business Associate of a Use or Disclosure of Health Information
by Business Associate in violation of the requirements of this Agreement.
2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to
Covered Entity each Use or Disclosure that is made by Business Associate, its employees,
representatives, agents or subcontractors that is not specifically permitted by this Agreement of
which Business Associate becomes aware. The initial report shall be made by telephone call to
the Covered Entity within forty-eight (48) hours from the time the Business Associate becomes
aware of the non-permitted Use or Disclosure, followed by a written report to Covered Entity no
later than five (5) days from the date the Business Associate becomes aware of the non-permitted
Use or Disclosure.
2.6 Availability of Internal Practices, Books and Records. Business Associate agrees
to make its internal practices, books and records relating to the Use and Disclosure of Health
Information available to the Secretary of the U.S. Department of Health and Human Services
("Secretary"), for purposes of determining Covered Entity's compliance with the Privacy
Regulations.
2.7 Access to and Amendment of Health Information. Business Associate shall, to
the extent Covered Entity determines that any Health Information constitutes a "designated
record set" under the Privacy Regulations, (a) make the Health Information specified by Covered
Entity available to Covered Entity or to the individual(s) identified by Covered Entity as being
entitled to access and copy that Health Information, and (b) make any amendments to Health
Information that are requested by Covered Entity. Business Associate shall provide such access
and make such amendments within the time and in the manner specified by Covered Entity.
2.8 Accounting of Disclosures. Upon Covered Entity's request, Business Associate
shall provide to Covered Entity an accounting of each Disclosure of Health Information made by
Business Associate or its employees, agents, representatives or subcontractors as required by the
Privacy Regulations. For each Disclosure that requires an accounting under this Section 2.8,
Business Associate shall track the information required by the Privacy Regulations, and shall
securely maintain the information for six (6) years from the date of the Disclosure.
2.9 Use of Subcontractors and Agents. Business Associate shall require each of its
agents and subcontractors that receive Health Information from Business Associate to execute a
written agreement obligating the agent or subcontractor to comply with all the terms of this
Agreement with respect to such Health Information.
ARTICLE III
OBLIGATIONS OF COVERED ENTITY
3.1 Privacy Notice. Covered Entity shall notify Business Associate of any
limitation(s) in Covered Entity's notice of privacy practices to the extent such limitation(s) may
affect Business Associate's Use or Disclosure of Health Information.
ARTICLE IV
TERM AND TERMINATION
4.1 Term. Subject to the provisions of Sections 4.2 and 4.3, the term of this
Agreement shall be the term of the Underlying Agreement(s).
4.2 Termination for Cause. Upon Covered Entity's knowledge of a material breach
of this Agreement by the Business Associate, Covered Entity shall either:
a. notify Business Associate of the breach in writing, and provide an
opportunity to cure the breach or end the violation within ten (10) business days of such
notification; provided that if Business Associate fails to cure the breach or end the violation
within such time period to the satisfaction of Covered Entity, Covered Entity shall have the right
to immediately terminate this Agreement and the Underlying Agreement(s) upon written notice
to Business Associate;
b. upon written notice to Business Associate, immediately terminate this
Agreement and the Underlying Agreement(s) if Covered Entity determines that such breach
cannot be cured; or
c. if Covered Entity determines that neither termination nor cure is feasible,
the Covered Entity shall report the violation to the Secretary.
4.3 Termination for Breach of Section 5.2. Covered Entity may terminate the
Underlying Agreement(s) and this Agreement upon thirty (30) days written notice in the event
(a) Business Associate does not promptly enter into negotiations to amend this Agreement when
requested by Covered Entity pursuant to Section 5.2 or (b) Business Associate does not enter into
an amendment to this Agreement providing assurances regarding the safeguarding of Health
Information that the Covered Entity, in its sole discretion, deems sufficient to satisfy the
standards and requirements of HIPAA.
4.4 Disposition of Health Information Upon Termination or Expiration. Upon
termination or expiration of this Agreement, Business Associate shall either return or destroy, in
Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all
Health Information in the possession or control of Business Associate and its agents and
subcontractors. In such event, Business Associate shall retain no copies of such Health
Information. However, if the Business Associate determines that neither return nor destruction
of Health Information is feasible, Business Associate shall notify Covered Entity of the
conditions that make return or destruction infeasible, and may retain Health Information
provided that Business Associate (a) continues to comply with the provisions of this Agreement
for as long as it retains Health Information, and (b) further limits Uses and Disclosures of Health
Information to those purposes that make the return or destruction of Health Information
infeasible.
ARTICLE V
MISCELLANEOUS
5.1 Indemnification. Notwithstanding anything to the contrary in the Underlying
Agreement(s), at Business Associate's expense, Business Associate agrees to indemnify, defend
and hold harmless Covered Entity and Covered Entity's employees, directors, officers,
subcontractors or agents (the "Indemnitees") against all damages, losses, lost profits, fines,
penalties, costs or expenses (including reasonable attorneys' fees) and all liability to third parties
arising from any breach of this Agreement by Business Associate or its employees, directors,
officers, subcontractors, agents or other members of Business Associate's workforce. Business
Associate's obligation to indemnify the Indemnitees shall survive the expiration or termination
of this Agreement for any reason.
5.2 Amendment to Comply with Law. The parties acknowledge that state and federal
laws relating to electronic data security and privacy are rapidly evolving and that amendment of
this Agreement may be required to provide for procedures to ensure compliance with such
developments. The parties specifically agree to take such action as is necessary to implement the
standards and requirements of HIPAA and other applicable laws relating to the security or
confidentiality of Health Information. The parties understand and agree that Covered Entity
must receive satisfactory written assurance from Business Associate that Business Associate will
adequately safeguard all Health Information that it receives or creates on behalf of Covered
Entity. Upon Covered Entity's request, Business Associate agrees to promptly enter into
negotiations with Covered Entity, concerning the terms of any amendment to this Agreement
embodying written assurances consistent with the standards and requirements of HIPAA or other
applicable laws.
5.3 Relationship to Underlying Agreement(s) Provisions. In the event that a
provision of this Agreement is contrary to a provision of an Underlying Agreement(s), the
provision of this Agreement shall control. Otherwise, this Agreement shall be construed under,
and in accordance with, the terms of such Underlying Agreement(s), and shall be considered an
amendment of and supplement to such Underlying Agreement(s).
5.4 Modification of Agreement. No alteration, amendment, or modification of the
terms of this Agreement shall be valid or effective unless in writing and signed by Business
Associate and Covered Entity.
5.5 Non-Waiver. A failure of any party to enforce at any time any term, provision or
condition of this Agreement, or to exercise any right or option herein, shall in no way operate as
a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein.
In no way whatsoever shall a waiver of any term, provision or condition of this Agreement be
valid unless in writing, signed by the waiving party, and only to the extent set forth in such
writing.
5.6 Agreement Drafted By All Parties. This Agreement is the result of arm's length
negotiations between the parties and shall be construed to have been drafted by all parties such
that any ambiguities in this Agreement shall not be construed against either party.
5.7 Severability. If any provision of this Agreement is found to be invalid or
unenforceable by any court, such provision shall be ineffective only to the extent that it is in
contravention of applicable laws without invalidating the remaining provisions hereof.
5.8 Section Headings. The section headings contained herein are for convenience in
reference and are not intended to define or limit the scope of any provision of this Agreement.
5.9 No Third Party Beneficiaries. There are no third party beneficiaries to this
Agreement.
5.10 Counterparts. This Agreement may be executed in one or more counterparts, each
of which shall be deemed an original, and will become effective and binding upon the parties as
of the effective date at such time as all the signatories hereto have signed a counterpart of this
Agreement.
5.11 Notices. Any notices required or permitted to be given hereunder by either party
to the other shall be given in writing: (1) by personal delivery; (2) by electronic facsimile with
confirmation sent by United States first class registered or certified mail, postage prepaid, return
receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service;
or (4) by United States first class registered or certified mail, postage prepaid, return receipt
requested, in each case, addressed to:
If to Business Associate:
Wittman Enterprises, LLC
21 Blue Sky Court
Sacramento, CA 95828
Attn: HIPAA Privacy Officer
If to Covered Entity:
Arcadia Fire Department
710 S. Santa Anita Avenue
Arcadia, California 91006
Attn: Compliance Officer
or to such other addresses as the parties may request in writing by notice given pursuant to this
Section 5.12. Notices shall be deemed received on the earliest of personal delivery; upon
delivery by electronic facsimile with confirmation from the transmitting machine that the
transmission was completed; twenty-four (24) hours following deposit with a bonded courier or
overnight delivery service; or seventy-two (72) hours following deposit in the U.S. Mail as
required herein.
5.12 Applicable Law and Venue. This Agreement shall be governed by and construed
in accordance with the internal laws of the State of California (without regard to principles of
conflicts of laws). The parties agree that all actions or proceedings arising in connection with
this Agreement shall be tried and litigated exclusively in the state or federal (if permitted by law
and a party elects to file an action in federal court) courts located in Los Angeles County. This
choice of venue is intended by the parties to be mandatory and not permissive in nature, and to
preclude the possibility of litigation between the parties with respect to, or arising out of, this
Agreement in any jurisdiction other than that specified in this Section 5.12. Each party waives
any right it may have to assert the doctrine of forum non conveniens or similar doctrine or to
object to venue with respect to any proceeding brought in accordance with this Section 5.12.
5.13 Interpretation. Any ambiguity in this Agreement shall be resolved to permit
Covered Entity to comply with the Privacy Regulations.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement effective as
of the date stated above.
COVERED ENTITY
CITY OF ARCADIA
Print Name: William R. Kelly
Title: City Manager
Dated: 4460
APPROVED AS TO FORM:
Stephen P. Deitsch
City Attorney
BUSINESS ASSOCIATE
By:
Print Name: [illegible]
Title: [illegible]
Dated:
RECOMMENDED BY:
David Lugo, Fire Chief