C22-336 Vail Health Services_BAA
January 2022

HIPAA BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is effective as of the date of the Professional Services Agreement (the “Effective Date”) by and between Vail Health Services and all affiliated covered entities (“Vail Health”) and Eagle County (“Contractor”).

Recitals:

WHEREAS, the parties have entered into an agreement (the “Services Agreement”) in order for Contractor to provide certain services to Vail Health (“Services”) that involve the access, Use and/or Disclosure of PHI (as defined below), and such PHI will be protected in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its regulations, as amended by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, Title XIII (2009) (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) (collectively, the “HIPAA Regulations”); and

WHEREAS, both parties are subject to the HIPAA Regulations, either as a Covered Entity or a Business Associate, and as such are required to agree to specific terms that govern the Use and Disclosure of PHI Disclosed by Vail Health to Contractor in conjunction with the Services Agreement; and

WHEREAS, the parties wish to enter into this Agreement in order to comply with HIPAA.

NOW, THEREFORE, in consideration of the mutual promises and covenants set forth below, Vail Health and Contractor agree as follows:

1. Definitions

(a) General. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings set forth in the HIPAA Regulations.
(b) “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.

(c) “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.

(d) “Personal Information” shall have the meaning given to such term under Colo. Rev. Stat. § 6-1-716(1).

(e) “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, provided by Vail Health to Contractor, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.

(f) “Required by Law” shall have the meaning given to such term under 45 C.F.R. § 164.103.

(g) “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to, the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.

(h) “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.

2. Permitted Uses and Disclosures of Protected Health Information by Contractor

(a) Use or Disclosure of Information.
Contractor shall not Use or Disclose Personal Information and/or PHI received, created, maintained, or transmitted for or on behalf of Vail Health other than to perform the Services described in the Services Agreement, and as expressly permitted or required by this Agreement or as Required by Law.

(b) Mitigation. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of PHI by Contractor in violation of this Agreement.

(c) Safeguards. Contractor shall use appropriate administrative, technical and physical safeguards and comply with Subpart C of 45 C.F.R. Part 164 to protect the confidentiality of PHI received from Vail Health and to prevent the Use or Disclosure of PHI other than as provided for in this Agreement.

(d) Reporting.

(i) Contractor agrees to report to Vail Health any Use or Disclosure of Personal Information and/or Unsecured PHI in violation of the applicable HIPAA Regulations, the Colorado Data Breach Notification Law, including but not limited to C.R.S. § 6-1-716 (“Colorado Data Breach Notification Law”), or this Agreement of which Contractor becomes aware, including, without limitation, any impermissible or improper Use, Disclosure, Security Incident or Breach of Unsecured PHI, within forty-eight (48) hours of discovery of same in accordance with Section 6(i), “Notices,” of this Agreement.

(ii) Contractor shall provide a written report to Vail Health of such Breach without unreasonable delay but no later than five (5) business days after discovery of the Breach. Contractor shall be deemed to have discovered a Breach as of the first day that the Breach is either known to Contractor or any of its Workforce or agents, other than the person who committed the Breach, or by exercising reasonable diligence should have been known to Contractor or any of its Workforce or agents, other than the person who committed the Breach.
To the extent the information is available to Contractor, Contractor’s written notice shall include the information required by 45 C.F.R. § 164.410(c). Contractor shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Contractor shall cooperate with Vail Health in meeting Vail Health’s obligations with respect to such Breach. Vail Health shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media. Contractor shall reimburse Vail Health for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach.

(iii) Contractor agrees that if Vail Health determines or has a reasonable belief that Contractor may have Used, made a Disclosure of, or permitted access to PHI in a way that is not authorized by this Agreement, then Vail Health may in its sole discretion require Contractor to: (a) promptly investigate and provide a written report to Vail Health of Contractor’s determination regarding any alleged or actual unauthorized Disclosure, access or Use; (b) cease such practices immediately; (c) return to Vail Health or destroy all PHI; and (d) take any other action Vail Health deems appropriate, as required by law or deemed reasonable by both parties.

(e) Subcontractors and Agents. Contractor shall ensure that any agent or subcontractor to whom it provides PHI agrees to the same restrictions and conditions that apply to Contractor under this Agreement with respect to such PHI in its possession.

(f) Access.
Contractor agrees to provide access, when requested by Vail Health, to PHI in such Designated Record Set in order to comply with the requirements under 45 C.F.R. § 164.524. Such access shall be provided by Contractor in the time and manner reasonably requested by Vail Health or the Individual.

(g) Amendment. When requested by Vail Health, Contractor agrees to make any amendment(s) to PHI in such Designated Record Set that Vail Health or the Individual directs or agrees to pursuant to 45 C.F.R. § 164.526. Such amendments shall be made by Contractor in the time and manner reasonably requested by Vail Health or the Individual. In the event Contractor receives an amendment request directly from an Individual, Contractor shall forward the request to Vail Health promptly upon receipt.

(h) Audit and Inspection. Contractor agrees to make its internal practices, books, and records, including policies and procedures relating to the Use and Disclosure of PHI, available to Vail Health or the Secretary or his or her designee for the limited purposes of the Secretary determining Vail Health’s compliance with HIPAA, as requested by Vail Health or the Secretary. Additionally, Vail Health reserves the right to audit the Business Associate and the information security controls and processes of any associated Service Providers and to perform relevant tests to ensure that it is compliant with applicable HIPAA information security and privacy requirements as well as the requirements within this contract. Business Associate will permit Vail Health to perform an information security audit, including an audit of the technical, physical and administrative security of any applicable Service Provider premises applicable to the engagement, and will cooperate and furnish all requested materials in a timely manner, within no more than three business days.

(i) Documentation of Disclosures/Accounting.
Contractor agrees to document any Disclosures of PHI and any information related to such Disclosures as would be required for Vail Health to respond to a request by an Individual for an accounting in accordance with 45 C.F.R. § 164.528, and upon request by Vail Health, to provide such information to Vail Health or to the Individual. In the event Contractor receives an accounting request directly from an Individual, Contractor shall forward the request to Vail Health immediately upon receipt.

(j) Compliance with Privacy Rule. To the extent that Vail Health is a Covered Entity and Contractor is performing an obligation of Vail Health under the Privacy Rule, Contractor shall comply with the requirements of the Privacy Rule that apply to a Covered Entity in the performance of such obligation.

(k) Other Laws. Contractor understands that Vail Health is subject to State and Federal laws in addition to HIPAA governing the privacy and security of PHI. Contractor agrees to abide by all such laws, whether or not fully articulated herein, and to keep the PHI in the same manner and subject to the same standards as is required of Vail Health.

3. Permitted Uses and Disclosures

(a) Services. Subject to the provisions of Section 4 below, and except as otherwise limited in this Agreement, Contractor may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, Vail Health or Contractor if such Use or Disclosure of PHI would not violate HIPAA or the HIPAA Regulations.

(b) Minimum Necessary. Contractor (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

(c) Business Activities.
Except as otherwise limited in this Agreement, Contractor may Use and Disclose PHI for the proper management and administration of Contractor or to meet its legal responsibilities.

4. Obligations of Vail Health

(a) Restrictions. To the extent that such limitations may affect Contractor’s Use or Disclosure of PHI, Vail Health shall notify Contractor of (i) any limitations in any applicable notice of privacy practices as required under 45 C.F.R. § 164.520, as well as any changes to that notice, (ii) any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, and (iii) any restriction to the Use or Disclosure of PHI agreed to in accordance with 45 C.F.R. § 164.522.

(b) Requests. Vail Health shall not request Contractor to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Vail Health.

5. Term and Termination

(a) Term. This Agreement shall be effective as of the Effective Date and shall continue unless or until the Agreement is terminated in accordance with the provisions of Section 5(b), or the Agreement between the parties terminates.

(b) Termination for Cause. Upon knowledge of a material breach by either party, either party shall either (i) provide an opportunity for the other party to cure the breach or end the violation and, if the other party does not cure the breach or end the violation within the cure period specified in the Agreement or, if none is specified, within ten (10) days, terminate this Agreement and the Services Agreement; (ii) immediately terminate this Agreement and the Services Agreement if cure is not possible; or (iii) if neither termination nor cure is possible, report the violation to the Secretary.

(c) Effect of Termination.

(i) Upon termination of this Agreement or the Services Agreement for any reason, Contractor shall return or destroy all PHI received from Vail Health. Contractor shall retain no copies of the PHI in any form.
Contractor shall promptly provide written confirmation of such destruction to Vail Health.

(ii) Notwithstanding the foregoing, in the event that Contractor determines that returning or destroying the PHI is infeasible, Contractor shall provide to Vail Health notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, Contractor shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Contractor maintains such PHI.

6. Miscellaneous

(a) Survival. The respective rights and obligations of Contractor under Sections 5(c) and 6(a) of this Agreement shall survive the termination of this Agreement.

(b) Amendments. No amendment to this Agreement shall be effective unless it is in writing and signed and dated by the parties hereto or as required by law or regulations. The parties recognize that the Secretary may issue further amendments to the HIPAA Regulations pursuant to the Secretary’s authority under law.

(c) Interpretation. Construction of this Agreement shall be resolved in favor of a meaning that permits both parties to comply with applicable law protecting the privacy, security and confidentiality of PHI, including but not limited to HIPAA and the HIPAA Regulations. To the extent that any provisions of this Agreement conflict with the provisions of any other agreement or understanding between the parties, this Agreement shall control.

(d) Other Federal and State Law. The parties agree to comply with other federal and state law as may apply to the Protected Health Information. In the event of a conflict between the requirements of such other law and the requirements stated herein, the applicable law under a conflict-of-law analysis, including the preemption analysis required under HIPAA, shall apply.

(e) Waiver.
No failure to exercise and no delay in exercising any right, remedy or power hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, remedy or power hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy or power provided herein or by law or in equity.

(f) Subpoena. In the event that Contractor receives a subpoena for any PHI in Contractor’s possession, Contractor shall immediately notify Vail Health and deliver a copy of the subpoena to Vail Health. Contractor shall respond to the subpoena only in accordance with the Privacy Rule.

(g) Indemnification. Intentionally Omitted.

(h) No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Vail Health, Contractor, and their respective successors and assigns, as permitted pursuant to the Agreement, any rights, obligations, remedies or liabilities.

(i) Notices. Any notice required to be provided under the terms and provisions of this Agreement shall be in writing, and shall be deemed to be delivered when deposited in the United States mail, postage prepaid, certified mail, return receipt requested, or sent by national overnight courier service (e.g., Federal Express, UPS) and addressed to the respective party at the address set forth below, or at any such address(es) or person(s) as each may specify by written notice given to the other party in the manner specified herein. Notwithstanding the above, notices may also be provided by personal delivery and shall be effective upon actual receipt.
If to CUSTOMER:
Eagle County
Attention: Heath Harmon
550 Broadway
Post Office Box 660
Eagle, CO 81631
Telephone: 970-328-8818
E-Mail: Heath.Harmon@eaglecounty.us

With a copy to:
Eagle County Attorney
500 Broadway
Post Office Box 850
Eagle, CO 81631
Telephone: 970-328-8685
E-Mail: atty@eaglecounty.us

If to Vail Health:
Compliance Officer
P.O. Box 40,000
Vail, CO 81658
E-Mail: Privacy@vailhealth.org

(j) Entire Agreement. This Agreement together with the Services Agreement constitutes the entire agreement of the parties with respect to the subject matter hereof, and all prior and contemporaneous understandings, agreements and representations, whether oral or written, with respect to such matters are superseded.

(k) Assignment. No assignment of this Agreement or the rights and obligations hereunder shall be valid without the specific written consent of both parties hereto; provided, however, that this Agreement, in conjunction with an assignment of the Services Agreement to the same assignee, may be assigned by Vail Health to any successor entity operating Vail Health, and such assignment shall forever release Vail Health hereunder.

(l) Binding Effect. This Agreement shall be binding upon the parties hereto and their respective heirs, executors, administrators, successors and permitted assigns.

(m) Non-Exclusivity. Nothing in this Agreement shall be construed as limiting the right of either party to affiliate or contract with any other person or entity on either a limited or general basis while this Agreement is in effect.

(n) Signatures. This Agreement may be executed in counterparts, each of which when so executed and delivered shall be deemed an original and all of which taken together shall constitute one instrument. This Agreement and any counterpart original may be executed and transmitted by facsimile. The facsimile signature shall be valid and acceptable for all purposes as if it were an original.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Effective Date.

Vail Health:
______________________________
By: __________________________
Title: ________________________
Date: _________________________

CONTRACTOR
COUNTY OF EAGLE, STATE OF COLORADO, By and Through Its COUNTY MANAGER
By: ______________________________
Jeff Shroll, County Manager