No preview available
HomeMy WebLinkAboutC14-472 HIPAA Business Associate Agreement • HIPAA BUSINESS ASSOCIATE AGREEMENT ro This HIPAA Business Associate Agreement ("Agreement") is effective as of� the "Agreement Effective Date"), by and between Invest in Kids, a Colorado nonprofit corporation, with an address of 1775 Sherman Street, Suite 2075 Denver, CO 80203 ("IIK" or "Business Associate") and Eagle County, Colorado ("Covered Entity"). RECITALS A. IIK provides program services to certain Colorado state agencies, some of which are Covered Entities under the Health Insurance Portability and Accountability Act ("HIPAA"). Such agencies may require IIK to create, receive, transmit, or maintain Protected Health Information ("PHI") on their behalf in the course of providing such services. Pursuant to the requirements of HIPAA, the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the rules and regulations promulgated thereunder, IIK has entered into one or more Business Associate Agreements with such state agencies. B. Related to such program services, specifically the Nurse-Family Partnership, IIK may also create, receive, transmit, or maintain PHI on behalf of Covered Entity, and in such event, IIK may act as a Business Associate of Covered Entity. IIK acknowledges that when it acts as a Business Associate, it is obligated to comply with the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, the HITECH Act, and other laws and regulations pertaining to the access, use, disclosure, and management of such PHI. C. IIK and Covered Entity intend to protect the privacy and provide for the security of PHI created, received, transmitted, or maintained by IIK and Covered Entity, all in compliance with Applicable Laws. In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows: Section 1. Definitions. Capitalized t-iris used in this Agreement and not otherwise defined herein shall have the meanings set forth in the Privacy and Security Rules, and the Breach Notification Rule, which definitions are incorporated in this Agreement by reference. a. "Applicable Law"means HIPAA, the HITECH Act, and all regulations issued thereunder, as well as applicable state law. b. "Breach" shall have the meaning given to such term in the HITECH Act (42 U.S.C. Section 17921) and 45 CFR § 164.402. c. "Breach Notification Rule" shall mean the breach notification regulations at 45 CFR Parts 160 and 164, Subpart D and 16 CFR Part 318. d. "Business Associate" shall have the same meaning as the term "Business associate" in 45 CFR Section 160.103 and for purposes of this Agreement refers to IIK. e. "Data Aggregation" shall have the meaning given to such term under the Privacy Rule, - 1 - 4839-8861-4176. including, but not limited to, 45 CFR Section 164.501. f. "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 CFR Section 164.501. g. "Discovery" and "Discovered" shall have the meaning given to such terms in the HITECH Act, including but not limited to, 42 U.S.C. Section 13402 Notification in the Case of Breach, and the Breach Notification Rule. h. "Electronic Health Record" shall have the meaning given to such term in the HITECH Act, including,but not limited to, 42 U.S.C. Section 17921. i. "Electronic Protected Health Information" or`Electronic PHP' shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR Sections 160.103, as applied to the information that IIK creates, receives, maintains, or transmits from or on behalf of Covered Entity. j. "Encrypt" or"Encryption" shall have the meaning given to such term in the HITECH Act, as from time to time interpreted by the Secretary in his or her implementing regulations. k. "Health Care Operations" shall have the meaning given to such term under the Privacy Rule, including,but not limited to, 45 CFR Section 164.501. 1. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 and regulations promulgated thereunder. m. "HITECH Act" means the Health Information Technology for Economic Clinical Health Act, Public Law No. 111-005 and regulations promulgated thereunder. n. "Individual" shall have the same meaning as the term "individual" in 45 CFR Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g). o. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 162 and Part 164, Subparts A and E. p. "Protected Health Information" or"PHI" shall have the same meaning as the term "protected health information" in 45 CFR Section 160.103, as applied to the information transmitted, created, received, or otherwise maintained by IIK from or on behalf of Covered Entity. q. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR Section 164.103. r. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee. s. "Security Incident' shall have the meaning given to such term under the Security Rule, including,but not limited to, 45 CFR Section 164.304. t. "Security Rule" shall mean the Security Standards at 45 CFR Parts 160 and 162 and Parts 164, Subparts A and C. u. "Unsecured PHP' shall have the meaning given to such term under the HITECH Act and any guidance issued pursuant to such Act including, but not limited to, 42 U.S.C. Section 17932(h) and 45 CFR Section 164.402. -2 - 4839-8861-4176. Section 2. Permitted Uses and Disclosures of PHI a. Uses and Disclosures of PHI. Except as otherwise limited in this Agreement, on behalf of Covered Entity, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity, only as necessary and appropriate to support the Nurse-Family Partnership. b. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this Agreement, Business Associate may use PHI (i) for its proper management and administration, (ii) to carry out its legal responsibilities, and (iii) for Data Aggregation purposes for the Health Care Operations of Covered Entity. (See 45 CFR Sections 164.504(e)(2)(i), 164.504(e)(2)(ii), 164.504(e)(4)(i), and 164.504(e)(4)(ii)). c. Permitted Disclosures of PHI by Business Associate. Business Associate shall not disclose PHI except necessary and appropriate to support the Nurse-Family Partnership; provided, however, Business Associate shall not disclose PHI in any manner that would constitute a violation of Applicable Law if so disclosed by Covered Entity. If Business Associate intends to disclose PHI to a third party, prior to making any such disclosure, Business Associate shall first obtain, (i)reasonable written assurances from such third party that such PHI will be held confidential as provided pursuant to this Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to notify Business Associate of any breaches of confidentiality of the PHI, consistent with this Agreement, to the extent it has obtained knowledge of such breach (42 U.S.C. Section 17932; 45 CFR Sections 164.504(e)(2) and 164.504(e)(4)). Section 3. Obligations of Business Associate. a. Appropriate Safeguards. Business Associate shall maintain a comprehensive written information privacy and security program and shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI, in accordance with 45 CFR Sections 164.308, 164.310, and 164.312. Business Associate shall comply with the policies, procedures, and documentation requirements of the HIPAA Security Rule, including but not limited to, 45 CFR Section 164.316 (42 U.S.C. Section 17931). Business Associate shall review, modify, and update documentation of its safeguards as needed to ensure continued provision of reasonable and appropriate protection of PHI. Business Associate shall make its policies, procedures, and documentation created pursuant to the Security Rule available to Covered Entity for inspection, upon reasonable request. Such documentation includes, but is not limited to, any risk analyses and risk management plans created pursuant to 45 CFR 164.308(a)(1)(ii). b. Reporting of Security Incidents and Unauthorized Access, Use, or Disclosure. Business Associate shall report to Covered Entity, in writing, any Security Incident regarding PHI, or any access, use, or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI. Such reports shall be made by Business Associate to Covered Entity within five (5) business days following Business Associate's Discovery of such event. Business Associate shall take (i) prompt corrective action to cure any related deficiencies; and (ii) any action pertaining to an unauthorized disclosure as required by Applicable Law. In the event of a - 3 - 4839-8861-4176. Breach of Unsecured PHI, Business Associate shall not initiate notification to affected individuals without prior notification and approval of Covered Entity. Business Associate shall provide information to Covered Entity regarding any Breach of Unsecured PHI that includes the identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed during the Breach. c. Business Associate's Agents. Business Associate shall ensure that any agent, including a Subcontractor, to whom it provides PHI received from Covered Entity, or created or received or otherwise maintained by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. (See 45 CFR Section 164.504(e)(2)(ii)(D); 45 CFR Section 164.308(b)). Business Associate shall implement and maintain sanctions against agents and Subcontractors that violate such restrictions and conditions and shall mitigate the effects of any such violation (See 45 CFR Sections 164.530(f) and 164.530(e)(1)). d. Mitigation. Business Associate shall promptly mitigate, to the extent practicable, any harmful effect that is known to Business Associate of(i) a Security Incident regarding PHI, or (ii) any use or disclosure of PHI by Business Associate in violation of this Agreement, Applicable Law, or Business Associate's own policies and procedures. e. Access to PHI. Business Associate shall provide access, at the request of Covered Entity, and in the reasonable time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under the Privacy Rule, including, but not limited to, 45 CFR Section 164.524. If Business Associate maintains an Electronic Health Record with respect to such Individual, Business Associate shall provide such information in electronic format to enable Covered Entity to fulfill its obligations under the HITECH Act, including, but not limited to, 42 US.C. Section 17935(e), and 45 CFR Section 164.524. f. Amendment of PHI. Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR Section 164.526 at the request of an Individual, and in the reasonable time and manner designated by Covered Entity. If any Individual requests an amendment of PHI directly from Business Associate, or its agents or subcontractors, Business Associate shall notify Covered Entity in writing within five (5) business days of the request. Any approval or denial of amendment of PHI maintained by Business Associate or its agents or subcontractors shall be the responsibility of Covered Entity(45 CFR Section 164.504(e)(2)(ii)(F)). g. Documentation of Disclosures. Business Associate agrees to document such disclosures of PHI, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual, or by a Covered Entity on behalf of an Individual, for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. h. Accounting of Disclosures. Business Associate agrees to provide to Covered Entity, in the reasonable time and manner designated by Covered Entity, information collected in accordance with Section 3(f) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. In the event that the request for an accounting is delivered directly to Business Associate, its agents, or subcontractors; Business Associate shall forward such request to Covered Entity in writing, within five (5) business days of the receipt of the request. It shall be Business Associate's responsibility to prepare and deliver any such accounting requested to Covered Entity, and Covered Entity's responsibility to deliver such accounting to the requesting - 4 - 4839-8861-4176. Individual as appropriate. i. Minimum Necessary Standard. Business Associate, and its agents or subcontractors, shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. (42 U.S.C. Section 17395(b); 45 CFR Section 164.514(d)(3)). Covered Entity and Business Associate each understand and agree that the definition of "minimum necessary" is in flux and each shall keep itself informed of guidance issued by the Secretary with respect to what constitutes"minimum necessary." j. Governmental Access to Records. Business Associate shall cooperate with the Secretary and make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created by itself on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Business Associate's or Covered Entity's compliance with the Privacy Rule and the Security Rule. Business Associate shall provide to Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary when the Secretary is investigating Covered Entity. k. Audits, Inspection, and Enforcement. Within ten (10) business days of a written request by Covered Entity, Business Associate and its agents or subcontractors shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies, and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement; provided, however, that: (i) Business Associate and Covered Entity shall mutually agree in advance upon the scope, timing, and location of such an inspection; and (ii) Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems, books, records, agreements, policies, and procedures does not relieve Business Associate of its responsibility to comply with this Agreement, nor does Covered Entity's (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of Covered Entity's enforcement rights under this Agreement. To the extent that Covered Entity determines an examination is necessary in order to comply with Covered Entity's legal obligations pursuant to the HIPAA regulations relating to certification of its security practices, Covered Entity or its authorized agents or contractors, may, at Covered Entity's expense, examine Business Associate's facilities, systems, procedures, and records as may be necessary for such agents or contractors to certify to Covered Entity the extent to which Business Associate's security safeguards comply with the HIPAA regulations or this Agreement. 1. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI. m. Retention of PHI. Except upon termination as provided in Section 5(c) of this Agreement, Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of this Agreement and shall continue to maintain the information required under Section 3(f) of this Agreement for a period of six(6) years. n. Business Associate's Insurance. Business Associate shall maintain insurance to cover loss of PHI data and claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. - 5 - 4839-8861-4176. Section 4. Obligations of Covered Entity. a. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in its applicable notice(s) of privacy practices, in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. b. Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Business Associate will not respond directly to an Individual's request to restrict the use or disclosure of PHI or to send all communication of PHI to an alternate address. Business Associate shall notify Covered Entity in writing within five(5) days of any such request. c. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. d. Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Applicable Law if done by Covered Entity, except as permitted pursuant to the provisions of Sections 2(b) and 2(c) of this Agreement. Section 5. Term and Termination. a. Term. The term of this Agreement shall commence as of the Agreement Effective Date, and shall terminate when all of the PHI provided by or through Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 5(c). b. Termination for Cause. (i) Material Breach by Business Associate. A breach by Business Associate of any provision of this Agreement, as determined by Covered Entity, shall constitute a material breach of this Agreement and shall provide grounds for immediate termination of this Agreement, notwithstanding any provision in this Agreement to the contrary. (ii) Judicial or Administrative Proceeding Affecting Business Associate. Covered Entity may terminate this Agreement, effective immediately, if(A) Business Associate is named as a defendant in a criminal proceeding for a violation of Applicable Law or (B) a finding or stipulation that the Business Associate has violated any standard or requirement of Applicable Law is made in any administrative or civil proceeding in which the party has been joined. c. Effect of Termination. (i) Except as provided in paragraph (ii) of this Section 5(c), upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, - 6 - 4839-8861-4176. and shall retain no copies of the PHI. This provision shall also apply to PHI that is in the possession of Subcontractors or agents of Business Associate. (ii) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide, to Covered Entity, notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. If Business Associate elects to destroy the PHI, Business Associate shall certify in writing to Covered Entity that such PHI has been destroyed. Section 6. Injunctive Relief. Covered Entity shall have the right to injunctive and other equitable and legal relief against Business Associate or any of its Subcontractors or agents in the event of any use or disclosure of PHI in violation of this Agreement or Applicable Law. Section 7. No Waiver of Immunity. No term or condition of this Agreement shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection, or other provisions of the Colorado Governmental Immunity Act, CRS 24-10-101 et seq. or the Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now in effect or hereafter amended. Section 8. Regulatory References. A reference in this Agreement to a section in the Privacy Rule, the Security Rule, the Breach Notification Rule, or any other Applicable Law means the section as in effect or as amended, and for which compliance is required by Covered Entity and/or Business Associate. Section 9. Amendment. The parties agree to take such action to amend this Agreement from time to time as is necessary for Covered Entity and/or Business Associate to comply with the standards and requirements of Applicable Law. Covered Entity may terminate this Agreement upon thirty (30) days written notice in the event (i) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section, or (ii) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of PHI that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of the HIPAA regulations. Section 10. Survival. The respective rights and obligations of Covered Entity and of the Business Associate under Section 5(c) ("Effect of Termination") and 12 ("Third Party Beneficiaries") of this Agreement shall survive the termination of the Agreement. Section 11. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself, and any subcontractors, employees, or agents assisting Business Associate in the performance of its obligations under this Agreement, available to - 7 - 4839-8861-4176. Covered Entity, or at Covered Entity's request, at no cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers or employees based upon a claimed violation of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule, or other laws relating to security and privacy, except where Business Associate or its subcontractor, employee or agent is a named adverse party. Section 12. Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity and Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever. Section 13. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with Applicable Law. IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Agreement Effective Date. Invest in Kids ("IIK") By: Print Name: Michelle Neal Title: Program Director,Nurse-Family Partnership Date: October 29, 2014 [Covered Entity] Eagle County, Colorado By: Print Name: Rachel Oys Title: Acting County Manager Date: 2ho - 8 - 4839-8861-4176.