C-1955

HIPAA BUSINESS ASSOCIATE AGREEMENT

This Agreement ("Agreement") is entered into by and between Wittman Enterprises, LLC ("Business Associate") and the City of Arcadia, a municipal corporation and charter city in the State of California ("Covered Entity").

RECITALS

WHEREAS, Business Associate performs functions, activities, or services for, or on behalf of Covered Entity, and Business Associate receives, has access to or creates Health Information in order to perform such functions, activities or services;

WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder ("HIPAA"), including but not limited to, the Standards for Privacy of Individually Identifiable Health Information, 45 Code of Federal Regulations Parts 160 and 164; and

WHEREAS, HIPAA requires Covered Entity to enter into a contract with Business Associate to provide for the protection of the privacy and security of Health Information, and HIPAA prohibits the disclosure to or use of Health Information by Business Associate if such a contract is not in place.

AGREEMENT

NOW, THEREFORE, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:

ARTICLE I
DEFINITIONS

1.1 "Disclose" and "Disclosure" mean, with respect to Health Information, the release, transfer, provision of access to, or divulging in any other manner of Health Information outside Business Associate's internal operations or to other than its employees.
1.2 "Health Information" means information that (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) is received by Business Associate from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible to Business Associate by Covered Entity.

1.3 "Privacy Regulations" means the Standards for Privacy of Covered Individually Identifiable Health Information, 45 Code of Federal Regulations Parts 160 and 164, promulgated under HIPAA.

1.4 "Services" means the services provided by Business Associate pursuant to the Underlying Agreement(s), or if no such agreement(s) are in effect, the services Business Associate performs with respect to the Covered Entity.

1.5 "Underlying Agreement" means the services agreement executed by the Covered Entity and Business Associate, if any.

1.6 "Use" or "Uses" mean, with respect to Health Information, the sharing, employment, application, utilization, examination or analysis of such Health Information within Business Associate's internal operations.

ARTICLE II
OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Initial Effective Date of Performance. The obligations created under this Agreement shall become effective on April 14, 2003.

2.2 Permitted Uses and Disclosures of Health Information. Business Associate is authorized to and shall:

a. Use and Disclose Health Information as necessary to perform Services for, or on behalf of Covered Entity;

b. Use Health Information to create aggregated or de-identified information (in accordance with the requirements of the Privacy Regulations);

c.
Use or Disclose Health Information (including aggregated or de-identified information) as otherwise directed by Covered Entity provided that Covered Entity shall not request Business Associate to Use or Disclose Health Information in a manner that would not be permissible if done by Covered Entity.

Business Associate shall not Use Health Information for any other purpose, except that if necessary, Business Associate may Use Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities; provided that any Use or Disclosure described herein will not violate the Privacy Regulations or California law if done by Covered Entity.

Except as otherwise limited in this Agreement, Business Associate may Disclose Health Information for the proper management and administration of the Business Associate, provided that with respect to any such Disclosure either (a) the Disclosure is required by law (within the meaning of the Privacy Regulations) or (b) the Disclosure would not otherwise violate California law and Business Associate obtains reasonable written assurances from the person to whom the information is to be Disclosed that such person will hold the information in confidence and will not Use or further Disclose such information except as required by law or for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.3 Adequate Safeguards for Health Information. Business Associate warrants that it shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of Health Information in any manner other than as permitted by this Agreement.

2.4 Mitigation.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Health Information by Business Associate in violation of the requirements of this Agreement.

2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this Agreement of which Business Associate becomes aware. The initial report shall be made by telephone call to the Covered Entity within forty-eight (48) hours from the time the Business Associate becomes aware of the non-permitted Use or Disclosure, followed by a written report to Covered Entity no later than five (5) days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure.

2.6 Availability of Internal Practices, Books and Records. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Health Information available to the Secretary of the U.S. Department of Health and Human Services ("Secretary"), for purposes of determining Covered Entity's compliance with the Privacy Regulations.

2.7 Access to and Amendment of Health Information. Business Associate shall, to the extent Covered Entity determines that any Health Information constitutes a "designated record set" under the Privacy Regulations, (a) make the Health Information specified by Covered Entity available to Covered Entity or to the individual(s) identified by Covered Entity as being entitled to access and copy that Health Information, and (b) make any amendments to Health Information that are requested by Covered Entity. Business Associate shall provide such access and make such amendments within the time and in the manner specified by Covered Entity.

2.8 Accounting of Disclosures.
Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of each Disclosure of Health Information made by Business Associate or its employees, agents, representatives or subcontractors as required by the Privacy Regulations. For each Disclosure that requires an accounting under this Section 2.8, Business Associate shall track the information required by the Privacy Regulations, and shall securely maintain the information for six (6) years from the date of the Disclosure.

2.9 Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that receive Health Information from Business Associate to execute a written agreement obligating the agent or subcontractor to comply with all the terms of this Agreement with respect to such Health Information.

ARTICLE III
OBLIGATIONS OF COVERED ENTITY

3.1 Privacy Notice. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's notice of privacy practices to the extent such limitation(s) may affect Business Associate's Use or Disclosure of Health Information.

ARTICLE IV
TERM AND TERMINATION

4.1 Term. Subject to the provisions of Sections 4.2 and 4.3, the term of this Agreement shall be the term of the Underlying Agreement(s).

4.2 Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by the Business Associate, Covered Entity shall either:

a. notify Business Associate of the breach in writing, and provide an opportunity to cure the breach or end the violation within ten (10) business days of such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Covered Entity, Covered Entity shall have the right to immediately terminate this Agreement and the Underlying Agreement(s) upon written notice to Business Associate;

b.
upon written notice to Business Associate, immediately terminate this Agreement and the Underlying Agreement(s) if Covered Entity determines that such breach cannot be cured; or

c. if Covered Entity determines that neither termination nor cure is feasible, the Covered Entity shall report the violation to the Secretary.

4.3 Termination for Breach of Section 5.2. Covered Entity may terminate the Underlying Agreement(s) and this Agreement upon thirty (30) days written notice in the event (a) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to Section 5.2 or (b) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of Health Information that the Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA.

4.4 Disposition of Health Information Upon Termination or Expiration. Upon termination or expiration of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all Health Information in the possession or control of Business Associate and its agents and subcontractors. In such event, Business Associate shall retain no copies of such Health Information. However, if the Business Associate determines that neither return nor destruction of Health Information is feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible, and may retain Health Information provided that Business Associate (a) continues to comply with the provisions of this Agreement for as long as it retains Health Information, and (b) further limits Uses and Disclosures of Health Information to those purposes that make the return or destruction of Health Information infeasible.

ARTICLE V
MISCELLANEOUS

5.1 Indemnification.
Notwithstanding anything to the contrary in the Underlying Agreement(s), at Business Associate's expense, Business Associate agrees to indemnify, defend and hold harmless Covered Entity and Covered Entity's employees, directors, officers, subcontractors or agents (the "Indemnitees") against all damages, losses, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) and all liability to third parties arising from any breach of this Agreement by Business Associate or its employees, directors, officers, subcontractors, agents or other members of Business Associate's workforce. Business Associate's obligation to indemnify the Indemnitees shall survive the expiration or termination of this Agreement for any reason.

5.2 Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA and other applicable laws relating to the security or confidentiality of Health Information. The parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all Health Information that it receives or creates on behalf of Covered Entity. Upon Covered Entity's request, Business Associate agrees to promptly enter into negotiations with Covered Entity, concerning the terms of any amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA or other applicable laws.

5.3 Relationship to Underlying Agreement(s) Provisions. In the event that a provision of this Agreement is contrary to a provision of an Underlying Agreement(s), the provision of this Agreement shall control.
Otherwise, this Agreement shall be construed under, and in accordance with, the terms of such Underlying Agreement(s), and shall be considered an amendment of and supplement to such Underlying Agreement(s).

5.4 Modification of Agreement. No alteration, amendment, or modification of the terms of this Agreement shall be valid or effective unless in writing and signed by Business Associate and Covered Entity.

5.5 Non-Waiver. A failure of any party to enforce at any time any term, provision or condition of this Agreement, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein. In no way whatsoever shall a waiver of any term, provision or condition of this Agreement be valid unless in writing, signed by the waiving party, and only to the extent set forth in such writing.

5.6 Agreement Drafted By All Parties. This Agreement is the result of arm's length negotiations between the parties and shall be construed to have been drafted by all parties such that any ambiguities in this Agreement shall not be construed against either party.

5.7 Severability. If any provision of this Agreement is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.

5.8 Section Headings. The section headings contained herein are for convenience in reference and are not intended to define or limit the scope of any provision of this Agreement.

5.9 No Third Party Beneficiaries. There are no third party beneficiaries to this Agreement.

5.10 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and will become effective and binding upon the parties as of the effective date at such time as all the signatories hereto have signed a counterpart of this Agreement.

5.11 Notices.
Any notices required or permitted to be given hereunder by either party to the other shall be given in writing: (1) by personal delivery; (2) by electronic facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt requested, in each case, addressed to:

If to Business Associate:
Wittman Enterprises, LLC
21 Blue Sky Court
Sacramento, CA 95828
Attn: HIPAA Privacy Officer

If to Covered Entity:
Arcadia Fire Department
710 S. Santa Anita Avenue
Arcadia, California 91006
Attn: Compliance Officer

or to such other addresses as the parties may request in writing by notice given pursuant to this Section 5.12. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. Mail as required herein.

5.12 Applicable Law and Venue. This Agreement shall be governed by and construed in accordance with the internal laws of the State of California (without regard to principles of conflicts of laws). The parties agree that all actions or proceedings arising in connection with this Agreement shall be tried and litigated exclusively in the state or federal (if permitted by law and a party elects to file an action in federal court) courts located in Los Angeles County. This choice of venue is intended by the parties to be mandatory and not permissive in nature, and to preclude the possibility of litigation between the parties with respect to, or arising out of, this Agreement in any jurisdiction other than that specified in this Section 5.12.
Each party waives any right it may have to assert the doctrine of forum non conveniens or similar doctrine or to object to venue with respect to any proceeding brought in accordance with this Section 5.12.

5.13 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Regulations.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement effective as of the date stated above.

COVERED ENTITY
CITY OF ARCADIA
Print Name: William R. Kelly
Title: City Manager
Dated: 4460

APPROVED AS TO FORM:
Stephen P. Deitsch
City Attorney

BUSINESS ASSOCIATE
By:
Print Name:
Title:
Dated:

RECOMMENDED BY:
David Lugo, Fire Chief