C19-136 Leif Associates BAA

DocuSign Envelope ID: 48FB9586-FEE5-4484-9987-6AD40A50102C

HIPAA BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is effective as of 4/24/2019, (the "Effective Date"), by and between Leif Associates, Inc., a Colorado corporation ("Leif") and Eagle County, Colorado, a body corporate and politic (the "County").

Recitals:

WHEREAS, the parties have entered into a Confidentiality Agreement (the "Confidentiality Agreement") in order for Leif to perform a study for the Vail Valley Partnership (the "Partnership"), of which the County is a member, to determine the viability of establishing a local Health Care Purchasing Collaborative (the "Study") that involves the access, use and/or disclosure of Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and its regulations, as amended by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, Title XIII (2009) (the "HITECH Act"; any reference herein to HIPAA shall include the HITECH Act amendments and any other amendments); and

WHEREAS, both parties are subject to HIPAA, either as a Covered Entity or a Business Associate, and are required to agree to specific terms that govern the use and disclosure of Protected Health Information ("PHI") disclosed by County to Leif in conjunction with the Confidentiality Agreement; and

WHEREAS, the parties wish to enter into this Agreement in order to comply with HIPAA.

Agreement

NOW, THEREFORE, in consideration of the mutual promises and covenants set forth below, County and Leif agree as follows:

1. Definitions

(a) General. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings set forth under the HIPAA Rules, including but not limited to 45 C.F.R.
§§ 160.103, 164.103, 164.304, 164.401 and 164.501, as currently drafted and as subsequently updated, or revised.

(b) Breach Notification Rule. "Breach Notification Rule" shall mean the Notification in the Case of Breach of Unsecured Protected Health Information Rule as set forth in 45 C.F.R. Part 164, Subpart D. Additionally, it shall include the notification requirements pursuant to C.R.S. § 24-73-101 et seq.

(c) HIPAA Rules. "HIPAA Rules" shall mean the EDI, Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160, 162 and 164.

(d) Privacy. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

(e) Security Standards. "Security Standards" shall mean the Security Standards for Protection of PHI at 45 C.F.R. Part 164, Subpart C.

2. Obligations and Activities of Leif

(a) Use or Disclosure of Information. Leif agrees not to use or further disclose PHI received from, or created for or on behalf of, County other than to perform the Study described in the Confidentiality Agreement, and as expressly permitted or required by this Agreement or as required by law. Leif shall not use, disclose, release, reveal, show, sell, rent, lease, loan, publish or otherwise grant access to PHI in any manner that is prohibited by law or regulation, or in any manner that would be a violation of any law or regulation if it were to have been done by County.

(b) Mitigation. Leif agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Leif of a use or disclosure of PHI by Leif in violation of this Agreement.

(c) Safeguards. Leif shall use appropriate administrative, technical and physical safeguards and comply with Subpart C of 45 C.F.R.
Part 164 to protect the confidentiality of PHI received from COUNTY to prevent the use or disclosure of PHI other than as provided for in this Agreement.

(d) Reporting.

(i) Leif agrees to report to County any use or disclosure of PHI in violation of the applicable HIPAA Rules or this Agreement of which Leif becomes aware, including, without limitation, any impermissible or improper use, disclosure, Security Incident or Breach within forty-eight (48) hours of discovery of same.

(ii) In the event of any such impermissible or improper use, disclosure, Security Incident, Breach, or other action as described above, Leif shall report the surrounding circumstances to County, and in the case of any Breach, the names of each individual whose Unsecured PHI has been, or is reasonably believed by Leif to have been, accessed, acquired, or disclosed as a result of such Breach and any other available information needed by County to enable it to comply with its notification obligations under the Breach Notification Rule.

(iii) Leif agrees that if County determines or has a reasonable belief that Leif may have used, made a disclosure of or permitted access to PHI in a way that is not authorized by this Agreement, then County may in its sole discretion require Leif to: (a) promptly investigate and provide a written report to County of Leif's determination regarding any alleged or actual unauthorized disclosure, access or use; (b) cease such practices immediately; (c) return to County or destroy all PHI; and (d) take any other action County deems appropriate. Leif shall assist County in developing and implementing a Breach response pursuant to HIPAA, C.R.S. § 24-73-101 et seq., and any other state or federal law.

(iv) Leif shall specifically comply with all requirements in C.R.S. §§ 24-73-101 et seq.

(e) Subcontractors and Agents.
Leif shall ensure that any agent or subcontractor to whom it provides PHI agrees to substantially the same or similar restrictions and conditions that apply to Leif under this Agreement with respect to such PHI in its possession.

(f) Mitigation. Leif shall promptly mitigate, to the extent practicable, any harmful effect that is known to Leif of a Security incident regarding PHI, or any use or disclosure of PHI by Leif in violation of this Agreement, applicable law, or Leif's own policies and procedures.

(g) Access. Leif agrees to provide access, when requested by County, to PHI in such Designated Record Set in order to comply with the requirements under 45 C.F.R. § 164.524. Such access shall be provided by Leif in the time and manner reasonably requested by County or the Individual.

(h) Amendment. When requested by County, Leif agrees to make any amendment(s) to PHI in such Designated Record Set that County or the Individual directs or agrees to pursuant to 45 C.F.R. § 164.526. Such amendments shall be made by Leif in the time and manner reasonably requested by County or the Individual. In the event Leif receives an amendment request directly from an Individual, Leif shall forward the request to County promptly upon receipt.

(i) Audit and Inspection. Leif agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI, available to County or the Secretary or his or her designee for the limited purposes of the Secretary determining County's compliance with HIPAA, as requested by County or the Secretary.

(j) Documentation of Disclosures/Accounting. Leif agrees to document any disclosures of PHI and any information related to such disclosures as would be required for County to respond to a request by an Individual for an accounting in accordance with 45 C.F.R. § 164.528, and upon request by County, to provide such information to County or to the Individual.
In the event Leif receives an accounting request directly from an Individual, Leif shall forward the request to County immediately upon receipt.

(k) Data Ownership. Leif acknowledges that it has no ownership rights with respect to PHI.

(l) LEIF Insurance. Leif shall maintain insurance to cover loss of PHI data and claims based upon alleged violation of privacy rights through the improper use or disclosure of PHI.

(m) Compliance with Privacy. To the extent that County is a Covered Entity and Leif is performing an obligation of County under the Privacy Rule, Leif shall comply with the requirements of the Privacy Rule that apply to County in the performance of such obligation.

(n) Other Laws. Leif understands that County is subject to state and federal laws in addition to HIPAA governing the privacy and security of PHI. Leif agrees to abide by all such laws, whether or not fully articulated herein, and to keep the PHI in the same manner and subject to the same standards as is required of County.

3. Permitted Uses and Disclosures

(a) Services. Subject to the provisions of Section 4 below, and except as otherwise limited in this Agreement, Leif may use or disclose PHI to perform functions, activities, or services for, or on behalf of, County or Leif if such use or disclosure of PHI would not violate HIPAA or the HIPAA Rules.

(b) Minimum Necessary. Leif shall utilize a Limited Data Set, if practicable, for all uses, disclosures or requests of PHI. Otherwise it shall limit the use, disclosure, or request of PHI, to the "minimum necessary," to accomplish the intended purpose of such use, disclosure, or request, in accordance with 45 C.F.R. § 164.514(d) and as interpreted by HHS as guidance.

(c) Business Activities. Except as otherwise limited in this Agreement, Leif may use PHI for its proper management and administration of Leif or to meet its legal responsibilities.

4. Obligations of County

(a) Restrictions.
To the extent that such limitations may affect Leif's use or disclosure of PHI, County shall notify Leif of (i) any limitations in any applicable notice of privacy practices as required under 45 C.F.R. 164.520, as well as any changes to that notice, (ii) any changes in, or revocation of, permission by an Individual to use or disclose PHI, and (iii) any restriction to the use or disclosure of PHI agreed to in accordance with 45 C.F.R. 164.522.

(b) Requests. County shall not request Leif to use or disclose PHI in any manner that would not be permissible under HIPAA if done by County.

5. Term and Termination

(a) Term. This Agreement shall be effective as of the Effective Date and shall continue unless or until the Agreement is terminated in accordance with the provisions of Section 5(b), or the Agreement between the parties terminates.

(b) Termination for Cause. Upon County's knowledge of a material breach by Leif, County shall either (i) provide an opportunity for Leif to cure the breach or end the violation and, if Leif does not cure the breach or end the violation within the cure period specified in the Agreement or if none is specified, then within ten (10) days, terminate this Agreement and the Confidentiality Agreement; (ii) immediately terminate this Agreement and the Confidentiality Agreement if cure is not possible; or (iii) if neither termination nor cure are possible, County shall report the violation to the Secretary.

(c) Effect of Termination. Upon termination of this Agreement or the Confidentiality Agreement for any reason, Leif shall extend the protections of this Agreement to all PHI received from County, for so long as Leif maintains such PHI. Leif shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI for so long as Leif maintains such PHI.

6. Miscellaneous

(a) Survival.
The respective rights and obligations of Leif under Sections 5(c) and 6 of this Agreement shall survive the termination of this Agreement.

(b) Amendments. No amendment to this Agreement shall be effective unless it is in writing and signed and dated by the parties hereto or as required by law or regulations. The parties recognize that the Secretary may issue further amendments to the HIPAA Rules pursuant to the Secretary's authority under law.

(c) Interpretation. Construction of this Agreement shall be resolved in favor of a meaning that permits both parties to comply with applicable law protecting the privacy, security and confidentiality of PHI, including but not limited to HIPAA and the HIPAA Rules. To the extent that any provisions of this Agreement conflict with the provisions of any other agreement or understanding between the parties, this Agreement shall control.

(d) Other Federal and State Law. The parties agree to comply with other federal and state law as may apply to the Protected Health Information. In the event of a conflict between the requirements of such other law and the requirements stated herein, the applicable law under a conflict-of-law analysis, including the preemption analysis required under HIPAA, shall apply.

(e) Waiver. No failure to exercise and no delay in exercising any right, remedy or power hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, remedy or power hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy or power provided herein or by law or in equity.

(f) No Waiver of Immunity. No term or condition of this Agreement shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection or other provisions of the Colorado Governmental Immunity Act, C.R.S. 24-10-101 et seq., or the Federal Tort Claims Act 28 U.S.C.
2671 et seq. as now in effect or hereafter amended.

(g) Subpoena. In the event that Leif receives a subpoena for any PHI in Leif's possession, Leif shall immediately notify County and deliver a copy of the subpoena to County. Leif shall respond to the subpoena only in accordance with the Privacy Rule.

(h) Indemnification. Leif shall indemnify and hold harmless County, and any of its officers, agents and employees against any losses, claims, damages or liabilities for which County may become subject to insofar as any such losses, claims, damages or liabilities arise out of, directly or indirectly, this Agreement, or are based upon any performance or nonperformance by Leif or any of its subcontractors hereunder; and Leif shall reimburse County for reasonable attorney fees and costs, legal and other expenses incurred by County in connection with investigating or defending any such loss, claim, damage, liability or action. This indemnification shall not apply to claims by third parties against the County to the extent that County is liable to such third party for such claims without regard to the involvement of Leif. This paragraph shall survive expiration or termination hereof.

(i) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than County, Leif, and their respective successors and assigns, as permitted pursuant to the Agreement, any rights, obligations, remedies or liabilities.

(j) Notices. Any notice, demand or communication required, permitted or desired to be given hereunder shall be deemed effectively given when personally delivered or mailed by prepaid certified mail, return receipt requested, addressed as follows:

If to LEIF:
Leif Associates, Inc.
Attn: Elizabeth Leif
1331 Seventeenth Street, Suite 350
Denver, CO 80202
Phone: (303) 294-0994
Fax: (303) 294-0979
ejleif@leif.net

If to COUNTY:
Eagle County Human Resources
PO Box 850
Eagle CO 81631
Telephone: 970-328-8793

(k) Entire Agreement. This Agreement constitutes the entire agreement of the parties with respect to the subject matter hereof, and all prior and contemporaneous understandings, agreements and representations, whether oral or written, with respect to such matters are superseded.

(l) Assignment. No assignment of this Agreement or the rights and obligations hereunder shall be valid without the specific written consent of both parties hereto, provided, however, that this Agreement may be assigned by Leif to any successor entity operating Leif, and such assignment shall forever release Leif hereunder.

(m) Binding Effect. This Agreement shall be binding upon the parties hereto and their respective heirs, executors, administrators, successors and permitted assigns.

(n) Non-Exclusivity. Nothing in this Agreement shall be construed as limiting the right of either party to affiliate or contract with any other person or entity on either a limited or general basis while this Agreement is in effect.

(o) Signatures. This Agreement may be executed in counterparts, each of which when so executed and delivered shall be deemed an original and all of which taken together shall constitute one instrument. This Agreement and any counterpart original may be executed and transmitted by facsimile. The facsimile signature shall be valid and acceptable for all purposes as if it were an original.

(SIGNATURE PAGE FOLLOWS)

IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Effective Date.

EAGLE COUNTY, COLORADO
By: [signature]
Title: County Manager
Date: 4/24/2019

LEIF
By: [signature]
Title: President
Date: 4/24/2019