C21-008 Eagle Valley Behavioral Health
DocuSign Envelope ID: 71CBDFDE-CCB0-49A6-8DC4-572E639CD4F3

BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is effective as of January 1, 2021 by and between Eagle Valley Mental Health d/b/a Eagle Valley Behavioral Health, a Colorado non-profit corporation (hereinafter “Business Associate”) and Eagle County, Colorado, a body corporate and politic (hereinafter “Covered Entity”).

W I T N E S S E T H:

WHEREAS, Business Associate provides certain services to Covered Entity that require Business Associate to have access to certain Protected Health Information (defined below), and, in connection with those services, Covered Entity may disclose to Business Associate, or Business Associate may create on Covered Entity’s behalf, Protected Health Information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA,” found at Public Law 104-191), and certain privacy and security regulations promulgated by the U.S. Department of Health and Human Services to implement certain provisions of HIPAA and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as modified by the Final Omnibus Rule effective as of March 26, 2013 (collectively, the “HIPAA Regulations”) found at 45 C.F.R. Parts 160, 162 and 164; and

WHEREAS, Covered Entity is a “covered entity,” as that term is defined in the HIPAA Regulations; and

WHEREAS, Business Associate is a “business associate” of Covered Entity, as that term is defined in the HIPAA Regulations; and

WHEREAS, pursuant to the HIPAA Regulations, all business associates of Covered Entity, as a condition of doing business with Covered Entity, must agree in writing to certain mandatory provisions regarding, among other things, the privacy and security of Protected Health Information;

NOW THEREFORE, IN CONSIDERATION OF THE FOREGOING, and the mutual promises and covenants contained herein, the Parties agree as follows:

Section 1. Definitions.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Regulations.

“Breach” means the unauthorized acquisition, access, use, or disclosure of Protected Health Information, which compromises the security or privacy of such Protected Health Information, but does not include circumstances excluded from the definition of Breach as provided in 45 C.F.R. 164.402.

“Data Aggregation” has the same meaning as the term “data aggregation” in 45 C.F.R. 164.501.

“Designated Record Set” has the same meaning as the term “designated record set” in 45 C.F.R. 164.501.

“Electronic Protected Health Information” or “ePHI” has the same meaning as the term “electronic protected health information” in 45 C.F.R. 160.103, limited to information created, or received or transmitted by Business Associate from or on behalf of Covered Entity.

“Individual” has the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).

“Limited Data Set” has the same meaning as the term “limited data set” in 45 C.F.R. 164.514(e)(2).

“Notice of Privacy Practices” means a notice of privacy practices that complies with the standards set out in 45 C.F.R. 164.520.

“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. parts 160 and 164.

“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. Protected Health Information shall include Electronic Protected Health Information.

“Required by Law” has the same meaning as the term “required by law” in 45 C.F.R. 164.103.

“Secretary” means the Secretary of the U.S.
Department of Health and Human Services or his designee.

“Security Standards” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. parts 160 and 164.

Section 2. Obligations and Activities of Business Associate.

(a) Specific Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may receive, create, use, disclose, maintain, or transmit Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule or Security Standards if done by Covered Entity and as permitted herein. To the extent Business Associate is carrying out any obligation of Covered Entity with respect to the HIPAA Regulations, Business Associate shall comply with such requirements of the HIPAA Regulations that apply to Covered Entity in the performance of such obligations. Business Associate shall recognize that the HITECH Act of 2009 and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316) apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.

(b) Administrative Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may only use or disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required by Law.
Notwithstanding anything to the contrary set forth herein, Business Associate may use and/or disclose the PHI only as follows:

(i) Business Associate may use or disclose PHI as Required by Law;

(ii) Business Associate may use or disclose PHI as necessary to carry out the Services set forth in the Worksite Wellness Services Agreement;

(iii) Business Associate may use PHI in its possession for the proper management and administration of any of its subcontractors or to carry out its legal responsibilities;

(iv) Business Associate may disclose PHI for the proper management and administration of any of its subcontractors or to carry out the legal responsibilities of any of its subcontractors, provided the disclosures are Required by Law, or subcontractor obtains written assurances from the person or entity to whom the information is disclosed that the information will remain confidential and be used or further disclosed as required by 45 C.F.R. § 164.504(e)(4) and § 164.314, and the person or entity notifies subcontractor in writing of any instances of which it is aware in which the confidentiality of the information has been breached or compromised; and

(v) If specifically identified in the Worksite Wellness Services Agreement, Business Associate is authorized to provide data aggregation services relating to the Covered Entity or use the PHI for data aggregation purposes.

(c) Data Aggregation. Business Associate may provide Data Aggregation services relating to the health care operations of Covered Entity.

(d) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity as identified in Section 2(a), Business Associate may disclose Protected Health Information to other business associates of Covered Entity and may use and disclose Protected Health Information received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.
(e) Permitted Uses and Disclosures. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this Agreement, the Worksite Wellness Services Agreement, or as Required by Law.

(f) Safeguards for Protection of Protected Health Information. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 to protect the confidentiality, integrity, and availability of, and prevent use or disclosure of, the Protected Health Information other than as provided for by this Agreement, the Worksite Wellness Services Agreement, or as Required by Law.

(g) Reporting of Unauthorized Uses or Disclosures. Business Associate agrees to report to Covered Entity, in writing, any use or disclosure, including Breach, of the Protected Health Information not provided for by this Agreement or in the Worksite Wellness Services Agreement. All reports of unauthorized uses or disclosures, including Breaches, shall be made within three (3) business days of Business Associate discovering the unauthorized uses or disclosures, including Breaches, and shall include the information specified at 45 C.F.R. § 164.410.

(h) Content of Report of Breach.
In the event of a Breach of Protected Health Information, Business Associate shall provide Covered Entity a written report, to include:

(i) the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;

(ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;

(iii) a description of the types of PHI that were involved in the Breach (i.e., full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information that were involved);

(iv) any steps that Covered Entity or the Individual (impacted by the Breach) should take to protect himself or herself from potential harm resulting from the Breach;

(v) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to the Individual, and to protect against further Breaches; and

(vi) contact procedures for Covered Entity to ask Business Associate questions or learn additional information from Business Associate, which shall include a telephone number, an e-mail address, and postal address.

(i) Mitigation of Unauthorized Uses or Disclosures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate, or one of its agents or subcontractors, of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement or the HIPAA Regulations. Business Associate shall promptly reimburse Covered Entity all reasonable costs incurred by Covered Entity with respect to providing notification of and mitigating a Breach involving Business Associate, including but not limited to printing, postage costs and toll-free hotline costs.
Attorney’s fees are not considered a reimbursable expense under this provision unless Business Associate retains the attorney and has the ability to supervise and control the attorney with full consent of the Covered Entity.

(j) Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate or on behalf of Covered Entity, agrees to protect the PHI and that such agents, including a subcontractor, are subject to the same restrictions and conditions as the Business Associate. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards and security measures to protect such Electronic Protected Health Information.

(k) Authorized Access to Protected Health Information. Business Associate agrees to provide access, at the written request of Covered Entity, and in the time and manner (including, as applicable, in electronic format or electronic copies) reasonably designated by Covered Entity, to PHI in a Designated Record Set, to the Individual or to Covered Entity in order to allow Covered Entity to meet the requirements under 45 C.F.R. 164.524.

(l) Accounting for Uses and Disclosures. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with: (i) the HIPAA Regulations accounting requirements as provided in 45 C.F.R. 164.528; and (ii) the accounting requirements as provided in the HITECH Act, as amended, in the event Covered Entity uses or maintains an electronic health record at any time during the term of this Agreement.
Business Associate agrees to provide to Covered Entity information collected in accordance with this Section to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information.

(m) Safeguards for Protection of Electronic Protected Health Information. Business Associate shall utilize appropriate and commercially reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of Electronic Protected Health Information maintained or transmitted on behalf of Covered Entity, other than as provided for by this Agreement.

(n) Security Incidents. Business Associate agrees to report to Covered Entity, within a reasonable time from discovery, any security incident involving a breach of unsecured PHI of which Business Associate becomes aware.

(o) General Privacy Rule and Security Standards Compliance. Business Associate acknowledges that Business Associate is Required by Law to comply with the HIPAA Security Standards in accordance with 45 C.F.R. 164.302 through 164.316 and the provisions of the HIPAA Privacy Rule in accordance with 45 C.F.R. 164.504(e) in the same manner that such sections apply to Covered Entity, with respect to compliance with the standards in 45 C.F.R. 164.502(e) and 45 C.F.R. 164.504(e).

(p) Minimum Necessary Requirement. Business Associate shall comply with the minimum necessary requirement, in accordance with 45 C.F.R. 164.502(b) of the HIPAA Regulations, with respect to the use, disclosure, or request of Protected Health Information by limiting such Protected Health Information, to the extent applicable, to: (i) the Limited Data Set; or (ii) the minimum necessary to accomplish the intended purpose of such use, disclosure or request.

(q) Data Ownership. Business Associate acknowledges that it has no ownership rights with respect to PHI.

(r) Business Associate Insurance.
Business Associate shall maintain insurance to cover loss of Protected Health Information data and claims based upon alleged violation of privacy rights through the improper use or disclosure of Protected Health Information.

(s) Audits, Inspection, and Enforcement. Within ten (10) business days of a written request by Covered Entity, Business Associate and its agents or subcontractors shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies, and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement; provided, however, that: (i) Business Associate and Covered Entity shall mutually agree in advance upon the scope, timing, and location of such an inspection; and (ii) Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems, books, records, agreements, policies, and procedures does not relieve Business Associate of its responsibility to comply with this Agreement, nor does Covered Entity's (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of Covered Entity's enforcement rights under this Agreement. The Covered Entity may request one (1) audit within a twelve (12) month period, unless extenuating circumstances require additional audit requests.

Section 3. Obligations of Covered Entity.

(a) Notice of Privacy Practices.
Covered Entity shall provide Business Associate with its Notice of Privacy Practices, as well as any changes to such notice, if such changes affect Business Associate’s use or disclosure of PHI or ePHI.

(b) Revocation of Permitted Use or Disclosure of Protected Health Information. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures.

(c) Restrictions on Use or Disclosure of Protected Health Information. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

(d) Requested Uses or Disclosures of Protected Health Information. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity and affirms that any request to use or disclose Protected Health Information meets the minimum necessary requirement, except that Business Associate may use or disclose Protected Health Information for management, administrative, and legal activities of Business Associate and for Data Aggregation.

Section 4. Term and Termination.

(a) Term.
Except as otherwise provided, this Agreement shall commence on the Effective Date and continue until all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity (except for any data maintained for Data Aggregation purposes or as otherwise allowed to be retained pursuant to the Worksite Wellness Services Agreement) or, if Business Associate believes that it is infeasible to return or destroy such Protected Health Information, the protections are extended to such information in accordance with the termination provisions in this Section. Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such Protected Health Information, the terms and provisions of this Agreement shall survive such termination or expiration and such Protected Health Information shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information.

(b) Termination for Cause. Upon Covered Entity’s knowledge of an activity or practice of Business Associate that constitutes a material breach or violation of this Agreement by Business Associate, Covered Entity shall inform Business Associate in writing of such breach or violation within five (5) business days of discovery and provide Business Associate an opportunity to cure the breach or violation within thirty (30) business days. Provided that Covered Entity gave Business Associate notice within five (5) business days of discovery of a material breach of this Agreement, and if Business Associate does not cure the breach or violation within thirty (30) business days, Covered Entity may immediately terminate this Agreement upon written notice to Business Associate.

(c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this Section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity (except for any data maintained for Data Aggregation purposes or as otherwise allowed to be retained pursuant to the Worksite Wellness Services Agreement). This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

(ii) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Section 5. Miscellaneous.

(a) Amendment. Business Associate and Covered Entity agree to take such action as is reasonably necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the HIPAA Regulations and any amendment thereto. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed and agreed to by Business Associate and Covered Entity.

(b) Indemnification.
Business Associate shall indemnify and hold harmless Covered Entity, and any of its directors, officers, employees, and agents from and against any and all losses, claims, damages, actions, or liabilities arising out of, directly or indirectly, this Agreement, or based upon any performance or nonperformance by Business Associate, its directors, officers, employees, sub-contractors or agents hereunder; and Business Associate shall reimburse Covered Entity for reasonable attorney fees and costs, legal and other expenses incurred by Covered Entity in connection with investigating or defending any such loss, claim, damage, liability or action. To the extent permitted by law, Covered Entity agrees to indemnify and hold harmless Business Associate, and its directors, officers, shareholders, employees and agents, from and against any and all claims, actions, or liabilities which may be asserted against them by third parties determined to have arisen out of, or in connection with, the tortious acts or omissions of Covered Entity, its directors, officers, employees, contractors or agents under this Agreement. The Parties agree to provide prompt written notice to the other Party of any claim or circumstance that likely will give rise to a request for indemnification. This indemnification shall not apply to claims by third parties against the Covered Entity to the extent that Covered Entity is liable to such third party for such claims without regard to the involvement of the Business Associate. This paragraph shall survive expiration or termination hereof.

(c) Limitation of Liability.
Except as otherwise dictated by this contract, neither Business Associate (nor its contractors or subcontractors) nor Covered Entity will be responsible for special, indirect, incidental, punitive, consequential, or other similar damages, including but not limited to lost profits, that the other Party may incur or experience in connection with this Agreement, whether in contract, tort, or otherwise, however caused, even if such Party has been advised of the possibility of such damages.

(d) Interpretation. In the event of an inconsistency between the provisions of this Agreement and the mandatory terms of the HIPAA Regulations, the HIPAA Regulations shall prevail. Where provisions of this Agreement are different from those mandated by the HIPAA Regulations, but are nonetheless permitted by law, the provisions of this Agreement shall control.

(e) No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Covered Entity, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

(f) Notices. Any notices to be given hereunder shall be made via U.S. Mail or express courier, or hand delivery to the respective address given below, and/or email with return receipt at the information listed below.

(g) Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.

(h) Subpoenas.
In the event that Business Associate or Covered Entity receives a subpoena or similar notice or request from any judicial, administrative or other Party in connection with this Agreement, including, but not limited to, any unauthorized use or disclosure of PHI in breach of this Agreement or in violation of the HIPAA Regulations, such Party shall notify the other Party as soon as practicable and forward a copy of such subpoena, notice or request to the other Party and afford the other Party an opportunity to exercise any rights it may have under the law.

(i) Severability. If any one or more of the provisions contained in this Agreement should be held invalid, illegal or unenforceable in any respect, then the validity, legality and enforceability of the remaining provisions contained herein shall not in any way be affected or impaired thereby. The Parties shall endeavor in good-faith negotiations to replace the invalid, illegal or unenforceable provisions with valid provisions, the economic effect of which comes as close as possible to that of the invalid, illegal or unenforceable provisions.

(j) Construction, Jurisdiction and Venue. This Agreement shall be governed by the laws of the State of Colorado and, in the event that any Party hereto shall bring a suit or cause of action in a court of law for construction, interpretation or enforcement of this Agreement, or for damages for any alleged breach of the terms or provisions of this Agreement, then venue for any such suit or cause of action shall lie exclusively in Eagle County, Colorado.

(k) Other Federal and State Law. The parties agree to comply with other federal and state law as may apply to the Protected Health Information. In the event of a conflict between the requirements of such other law and the requirements stated herein, the applicable law under a conflict-of-law analysis, including the preemption analysis required under HIPAA, shall apply.
(l) Waiver. No failure to exercise and no delay in exercising any right, remedy or power hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, remedy or power hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy or power provided herein or by law or in equity.

(m) No Waiver of Immunity. No term or condition of this Agreement shall be construed or interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection or other provisions of the Colorado Governmental Immunity Act, C.R.S. § 24-10-101 et seq., or the Federal Tort Claims Act, 28 U.S.C. 2671 et seq., as now in effect or hereafter amended.

(n) Binding Effect. This Agreement shall be binding upon the parties hereto and their respective heirs, executors, administrators, successors and permitted assigns.

(o) Signatures. This Agreement may be executed in counterparts, each of which when so executed and delivered shall be deemed an original and all of which taken together shall constitute one instrument. This Agreement and any counterpart original may be executed and transmitted by facsimile. The facsimile signature shall be valid and acceptable for all purposes as if it were an original.

(p) Survival. The respective rights and obligations of Covered Entity and of the Business Associate under the effect of termination (Section 4) and third-party beneficiaries sections (Section 5(e)) of this Agreement shall survive the termination of this Agreement.

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf as of the Effective Date.
BUSINESS ASSOCIATE:
Eagle Valley Mental Health d/b/a Eagle Valley Behavioral Health, a Colorado non-profit corporation
Chris Lindley
Executive Director, Eagle Valley Behavioral Health
PO Box 1529
Vail, CO 81658
Telephone: 303-435-5120
E-Mail: chris.lindley@vailhealth.org

By: ____________
Name: Chris Lindley
Title: Chief Population Health Officer

COVERED ENTITY:
Eagle County, Colorado
Attention: Human Resources
500 Broadway
Post Office Box 850
Eagle, CO 81631
Telephone: 970-328-8790
Facsimile: 970-328-8799
E-Mail: echr@eaglecounty.us

With a copy to:
Eagle County Attorney
500 Broadway
Post Office Box 850
Eagle, CO 81631
Telephone: 970-328-8685
Facsimile: 970-328-8699
E-Mail: atty@eaglecounty.us

COUNTY OF EAGLE, STATE OF COLORADO,
By and Through Its COUNTY MANAGER

By: ______________________________
Jeff Shroll, County Manager