Agreement_General_10/13/2022_CPSM
CPSM ASSOCIATE AGREEMENT
Center for Public Safety Management, LLC
This Business Associate Agreement (the "Agreement") is made by and between the Tequesta
Fire Department (hereinafter referred to as "Covered Entity") and Center for Public Safety
Management, LLC, (hereinafter referred to as "Business Associate"). Covered Entity and
Business Associate shall collectively be known herein as the "Parties".
I. GENERAL
A. Covered Entity has a business relationship with Business Associate that is
memorialized in a Contract with the Town of Jupiter, Florida (the "Underlying Agreement"),
pursuant to which Business Associate may be considered a "business associate" of Covered
Entity as defined in the Health Insurance Portability and Accountability Act of 1996, including all
pertinent regulations (45 CFR Parts 160 and 164), issued by the U.S. Department of Health and
Human Services, as either have been amended, from time to time, including Subtitle D of the
Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), as Title
XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of
2009 (Pub. L. 111-5), and including any and all Privacy, Security and Notice Rules or
requirements (collectively, "HIPAA"); and
B. The nature of the contractual relationship between Covered Entity and Business
Associate may involve the exchange of Protected Health Information ("PHI") as that term is
defined under HIPAA; and
C. For good and lawful consideration as set forth in the Underlying Agreement,
Covered Entity and Business Associate enter into this agreement for the purpose of ensuring
compliance with the requirements of HIPAA; and
D. This Agreement supersedes and replaces any and all Business Associate
Agreements the Covered Entity and Business Associate may have entered into prior to the date
hereof; and
The above premises having been considered and incorporated by reference into the
sections below, and with acknowledgment of the mutual promises and of other good and valuable
consideration herein contained, the Parties, intending to be legally bound, hereby agree to enter
into this Agreement in the manner described in this section and in the sections below:
II. DEFINITIONS.
A. Individual. "Individual" shall have the same meaning as the term "individual" in 45
CFR §§ 160.103, 164.501, & 164.502(g) and shall include a person who qualifies as a personal
representative in accordance with 45 CFR §§ 160.103, 164.501 & 164.502(g).
B. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR §
164.402.
C. Designated Record Set. "Designated Record Set" shall have the same meaning as
the term "designated record set" in 45 CFR §164.501.
D. Notice Rule. "Notice Rule" shall mean the provisions related to "Notification in
the Case of Breach of Unsecured Protected Health Information" at 45 CFR Part 160 and Part
164, subpart D.
E. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E (see also
HITECH Act § 13404 and 13405, et seq.).
F. Protected Health Information. "Protected Health Information" or "PHI" shall have
the same meaning as the term "protected health information" in 45 CFR §§ 160.103 & 164.501,
limited to the information created or received by Business Associate from or on behalf of Covered
Entity.
G. Required By Law. "Required By Law" shall have the same meaning as the term
"required by law" in 45 CFR §§ 164.103 & 164.501.
H. Secretary. "Secretary" shall mean the Secretary of the U.S. Department of Health
and Human Services or his or her designee.
I. Security Rule. "Security Rule" shall mean the provisions related to "Security
Standards for the Protection of Electronic Protected Health Information" at 45 CFR Part 160,
and 164, subparts A and C.
J. Unsecured Protected Health Information. "Unsecured Protected Health
Information" or "Unsecured PHI" shall mean PHI that is not secured using a technology or
methodology specified by the Secretary in guidance, or as otherwise defined in §13402(h) of the
HITECH Act.
III. USE OR DISCLOSURE OF PHI BY BUSINESS ASSOCIATE, INCLUDING PRIVACY,
SECURITY, AND NOTICE REQUIREMENTS
A. Except as otherwise limited in this Agreement, or by privilege, protection or
confidentiality under HIPAA, MCMRA, or other applicable law, Business Associate may use or
disclose (including permitting acquisition or access to) Protected Health Information to perform
management and administrative functions, activities, or services for, or on behalf of, Covered
Entity as specified in the Underlying Agreement, provided that such use or disclosure would not
violate HIPAA, including its Privacy, Security and Notice Rules. Moreover, the Privacy Rule,
Notice Rule, and Security Rule provisions of HIPAA are expressly incorporated by reference into,
and made a part of, this Agreement.
B. Business Associate may use and disclose (including permitting acquisition or
access to) PHI only if such use or disclosure complies with each applicable requirement of HIPAA,
including 45 CFR § 164.504(e).
C. Business Associate is directly responsible for full compliance with the relevant
requirements of the Privacy Rule and Security Rule to the same extent as Covered Entity.
D. Business Associate must not use or disclose (including permitting acquisition or
access to) PHI other than as permitted or required by this Agreement, HIPAA, the MCMRA, or as
Required By Law, and may do so only in a manner consistent with the Privacy Rule and Security
Rule. As part of this, Business Associate must use appropriate safeguards to prevent use or
disclosure of PHI that is not permitted by this Agreement or HIPAA. Furthermore, Business
Associate must take reasonable precautions to protect PHI from loss, misuse, and unauthorized
access, disclosure, alteration, and destruction.
E. Business Associate must implement and comply with administrative, physical, and
technical safeguards in a manner consistent with the Security Rule that reasonably and
appropriately protect the confidentiality, integrity, and availability of the PHI that it creates,
receives, maintains, or transmits on behalf of Covered Entity.
F. Business Associate must immediately notify Covered Entity, in a manner
consistent with the Notice Rule, of any use or disclosure of PHI in violation of this Agreement
(including permitting acquisition or access to PHI).
G. In addition to its obligations in Section III.F., Business Associate must document
and notify Covered Entity of a Breach of Unsecured PHI, regardless of size of the Breach or
potential harm that may be caused as a result of the Breach. Business Associate's notification
to Covered Entity hereunder shall:
1. Be made to Covered Entity without unreasonable delay and in no case later
than 14 calendar days after the discovery of a Breach, except as otherwise provided by
law. For purposes of clarity for this Section III.G.1, Business Associate must notify
Covered Entity of an incident involving the acquisition, access, use or disclosure of PHI in
a manner not permitted under 45 CFR Part E within 14 calendar days after it reasonably
believes PHI has been the subject of a Breach, even if Business Associate has not
conclusively determined within that time that the PHI has actually been the subject of a
Breach as defined by HIPAA;
2. Include the names and addresses of the Individual(s) whose Unsecured
PHI has been, or is reasonably believed to have been, the subject of a Breach. In addition,
Business Associate shall provide any additional information reasonably requested by
Covered Entity for purposes of investigating the Breach;
3. Be in substantially the same form as Exhibit A hereto; and
4. Include a draft letter for the Covered Entity to utilize, in the event Covered
Entity elects, in its sole discretion, to notify the Individual(s) that his or her Unsecured PHI
has been, or is reasonably believed to have been, the subject of a Breach that includes,
to the extent possible:
a) A brief description of what happened, including the date of the Breach,
if known, and the date of the discovery of the Breach;
b) A description of the types of Unsecured PHI that were involved in the
Breach (such as full name, Social Security number, date of birth, home
address, account number, disability code, or other types of information
that were involved);
c) Any steps the affected Individual(s) should take to protect him or herself
from potential harm resulting from the Breach;
d) A brief description of what the Covered Entity and the Business
Associate are doing to investigate the Breach, to mitigate losses, and
to protect against any further Breach; and
e) Contact procedures for an Individual(s) to ask questions or learn
additional information, which must include a toll-free telephone number
of Business Associate, along with an e-mail address, Web site, or
postal address.
H. In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured
PHI, Business Associate must mitigate, to the extent practicable, any harmful effects of said
disclosure that are known to it.
I. Business Associate agrees to ensure that any agent, subcontractor, or employee,
to whom it provides PHI received from, or created or received by, Business Associate on behalf
of Covered Entity agrees to the same restrictions and conditions that apply through this
Agreement to Business Associate with respect to such information.
J. To the extent applicable, Business Associate must provide access to Protected
Health Information in a Designated Record Set at reasonable times, at the request of Covered
Entity or, as directed by Covered Entity, to an Individual specified by Covered Entity in order to
meet the requirements under 45 CFR §164.524.
K. To the extent applicable, Business Associate must make any amendment(s) to PHI
in a Designated Record Set that Covered Entity directs or agrees to, pursuant to 45 CFR
§164.526, at the request of Covered Entity or an Individual.
L. Business Associate must, upon request with reasonable notice, provide Covered
Entity access to its premises for a review and demonstration of its internal practices and
procedures for safeguarding PHI.
M. Business Associate must, upon request and with reasonable notice, furnish to
Covered Entity security and privacy audit results, risk analyses, policies/procedures, details of
previous breaches, and documentation of controls.
N. Business Associate must document such disclosures of PHI and information
related to such disclosures as would be required for a Covered Entity to respond to a request by
an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
Business Associate must also maintain records indicating who has accessed PHI about an
Individual in an electronic designated record set and information related to such access in
accordance with 45 C.F.R. § 164.528. Should an Individual make a request to Covered Entity
for an accounting of disclosures of his or her PHI pursuant to 45 C.F.R. §164.528, Business
Associate must promptly provide Covered Entity with information in a format and manner sufficient
to respond to the Individual's request.
O. Business Associate must, upon request with reasonable notice, provide Covered
Entity with an accounting of uses and disclosures of PHI that was provided to it by Covered Entity.
P. Business Associate must make its internal practices, books, records, and any other
material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI
received from Covered Entity available to the Secretary for the purpose of determining compliance
with the Privacy Rule, Security Rule or Notice Rule. The aforementioned information must be
made available to the Secretary in the manner and place as designated by the Secretary or the
Secretary's duly appointed delegate. Under this Agreement, Business Associate must comply and
cooperate with any request for documents or other information from the Secretary directed to
Covered Entity that seeks documents or other information held or controlled by Business
Associate.
Q. Business Associate may use PHI to report violations of law to appropriate Federal
and State authorities, consistent with 42 C.F.R. §164.502(j)(1).
R. Except as otherwise limited in this Agreement, Business Associate may disclose
PHI for the proper management and administration of Business Associate or the Underlying
Agreement, provided that disclosures are Required By Law, or Business Associate obtains
reasonable assurances from the person to whom the information is disclosed that it will remain
confidential and be used or further disclosed only as Required By Law or for the limited purpose
for which it was disclosed to the person, and the person must agree to notify Business Associate
of any instance of which it is aware in which the confidentiality of the information has been
breached.
S. Upon request of the Covered Entity, Business Associate must provide the
Covered Entity with access to the Business Associate's written security policies and procedures
required by HIPAA.
T. Business Associate must, and is expected to, directly and independently fulfill all
breach notification requirements under HIPAA. In the event of a breach under HIPAA, by
Business Associate, the Covered Entity reserves the right, but is in no way obligated under this
Agreement, to fulfill the breach notification requirements in lieu of Business Associate.
U. Business Associate acknowledges that in receiving, storing, processing or
otherwise dealing with any PHI, it is fully bound by 42 C.F.R. Part 2. Business Associate will
resist in judicial proceedings or any efforts to obtain PHI except as provided in 42 C.F.R. Part 2.
IV. TERM AND TERMINATION.
A. Term. The Term of this Agreement shall be effective as of the effective date of the
Underlying Agreement, and shall terminate when all of the Protected Health Information provided
by Covered Entity to Business Associate, or created or received by Business Associate on behalf
of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or
destroy Protected Health Information, protections are extended to such information, in
accordance with the termination provisions in this Article IV.
B. Termination for Cause. Upon Covered Entity's knowledge of a material breach of
this Agreement by Business Associate, Covered Entity shall:
1. Provide an opportunity for Business Associate to cure the breach or end
the violation and, if Business Associate does not cure the breach or end the violation within
the time specified by Covered Entity, have the right to terminate this Agreement and to
terminate the Underlying Agreement and shall report the violation to the Secretary;
2. Have the right to immediately terminate this Agreement and the Underlying
Agreement if Business Associate has breached a material term of this Agreement and
cure is not possible, and shall report the violation to the Secretary; or
3. If neither termination nor cure is feasible, report the violation to the
Secretary.
4. This Article IV, Term and Termination, Paragraph B, is in addition to the
provisions set forth in Paragraph 27, Termination for Default of the General Conditions of
Contract Between Town and Contractor, attached to the Underlying Agreement in which
"Business Associate" is "Contractor" and "Covered Entity" is "Town" for purposes of this
Agreement.
C. Effect of Termination.
1. Except as provided in this paragraph C, subparagraph 2, upon termination
or cancellation of this Agreement, for any reason, Business Associate must return or
destroy all Protected Health Information received from Covered Entity or created or
received by Business Associate on behalf of Covered Entity. This provision applies to
Protected Health Information that is in the possession of a subcontractor(s), employee(s),
or agent(s) of Business Associate. Business Associate must not retain any copies of the
Protected Health Information.
2. If Business Associate determines that returning or destroying the
Protected Health Information is infeasible, Business Associate must provide to Covered
Entity written notification of the nature of the PHI and the conditions that make return or
destruction infeasible. After written notification that return or destruction of Protected
Health Information is infeasible, Business Associate must extend the protections of this
Agreement to such Protected Health Information and limit further uses and disclosures of
such Protected Health Information to those purposes that make the return or destruction
infeasible, for so long as Business Associate maintains such Protected Health Information.
Notwithstanding the foregoing, to the extent that it is not feasible to return or destroy such
PHI, the terms and provisions of this Agreement shall survive termination of this
Agreement with regard to such PHI.
3. Should Business Associate make an intentional or grossly negligent
Breach of PHI in violation of this Agreement, the Underlying Agreement, or HIPAA, or an
intentional or grossly negligent disclosure of information, Covered Entity has the right to
immediately terminate any contract then in force between the Parties, including the
Underlying Agreement.
V. CONSIDERATION. Business Associate recognizes that the promises it has made in this
Agreement shall, henceforth, be reasonably, justifiably and detrimentally relied upon by Covered
Entity in choosing to continue or commence a business relationship with Business Associate.
VI. REMEDIES IN EVENT OF BREACH. Business Associate hereby recognizes that
irreparable harm will result to Covered Entity, and to the business of Covered Entity, in the event
of breach by Business Associate of any of the covenants and assurances contained in this
Agreement. As such, in the event of breach of any of the covenants and assurances contained
in this Agreement, Covered Entity shall be entitled to enjoin and restrain Business Associate from
any continued violation of this Agreement. Furthermore, in the event of breach of this Agreement
by Business Associate, Covered Entity is entitled to reimbursement and indemnification from
Business Associate for Covered Entity's reasonable attorneys' fees and expenses and costs that
were reasonably incurred as a proximate result of Business Associate's breach. The remedies
contained in this Article VI shall be in addition to (and not supersede) any action for damages
and/or any other remedy Covered Entity may have for breach of any part of this Agreement.
Furthermore, these provisions are in addition to the provisions set forth in Paragraph 18,
Indemnification, of the General Conditions of Contract Between Town of Jupiter and Contractor,
attached to the Underlying Agreement in which "Business Associate" is "Contractor" and "Covered
Entity" is "County" for purposes of this Agreement.
VII. MODIFICATION; AMENDMENT. This Agreement may be modified or amended only
through a writing signed by the Parties and, thus, no oral modification or amendment hereof shall
be permitted. The Parties agree to take such action as is necessary to amend this Agreement,
from time to time, as is necessary for Covered Entity to comply with the requirements of HIPAA,
including its Privacy, Security, and Notice Rules.
VIII. INTERPRETATION OF THIS AGREEMENT IN RELATION TO OTHER AGREEMENTS
BETWEEN THE PARTIES. Should there be any conflict between the language of this Agreement
and any other contract entered into between the Parties (either previous or subsequent to the
date of this Agreement), the language and provisions of this Agreement shall control and prevail
unless the Parties specifically refer in a subsequent written agreement to this Agreement, by its
title, date, and substance and specifically state that the provisions of the later written agreement
shall control over this Agreement. In any event, any agreement between the Parties, including
this Agreement, must be in full compliance with HIPAA, and any provision in an agreement that
fails to comply with HIPAA will be deemed separable from the document, unenforceable, and of
no effect.
IX. COMPLIANCE WITH STATE LAW. The Business Associate acknowledges that by
accepting the PHI from Covered Entity, it becomes a holder of medical records information under
the law. If the HIPAA Privacy and Notice or Security Rules conflict regarding the degree of
protection provided for protected health information, Business Associate shall comply with the
more restrictive protection requirement.
X. MISCELLANEOUS.
A. Ambiguity. Any ambiguity in this Agreement shall be resolved to permit Covered
Entity to comply with HIPAA.
B. Regulatory References. A reference in this Agreement to a section in HIPAA
means the section in effect, or as amended.
C. Notice to Covered Entity. Any notice required under this Agreement to be given
Covered Entity shall be made in writing to:
Address: Village of Tequesta Fire Rescue
357 Tequesta Drive, Tequesta FL 33469
Phone: 561-768-0550
Attention: Zachary Wichert, HIPAA Compliance Officer
Notice to Business Associate. Any notice required under this Agreement to be given Business
Associate shall be made in writing to:
Address: Center for Public Safety Management, LLC
475 K Street NW, Suite 702
Washington, DC 20001
Attention: Thomas Wieczorek
Phone: 616-813-3782
D. Incorporation of Future Amendments. Other requirements applicable to Business
Associates under HIPAA are incorporated by reference into this Agreement.
E. Penalties for HIPAA Violation. In addition to that stated in this Agreement,
Business Associate may be subject to civil and criminal penalties noted under HIPAA, including
the same HIPAA civil and criminal penalties applicable to a Covered Entity.
SIGNATURE PAGE FOLLOWS
IN WITNESS WHEREOF and acknowledging acceptance and agreement of the foregoing,
the Parties affix their signatures hereto.
Center for Public Safety Management, LLC
By:
Name: Thomas J. Wieczorek
Title: Director
Date: 09/12/2022

Village of Tequesta Fire Department
By:
Title: James B. Trube
Date: 9/15/2022

By:
Title: Village Manager
Date:

Approved as to form and legally by the
Officer of the Village Attorney
By:
Date:
EXHIBIT A
FORM OF NOTIFICATION TO COVERED ENTITY OF
BREACH OF UNSECURED PHI
NOTIFICATION TO TEQUESTA FIRE DEPARTMENT
ABOUT A
BREACH OF UNSECURED PROTECTED HEALTH INFORMATION
This notification is made pursuant to Section III.G of the Business Associate Agreement between:
• COVERED ENTITY, (the "Town of Jupiter") and
• Center for Public Safety Management, LLC (Business Associate).
Business Associate hereby notifies the County that there has been a breach of unsecured (unencrypted) protected health
information (PHI) that Business Associate has used or has had access to under the terms of the Business Associate
Agreement.
Description of the breach:
Date of the breach: Date of discovery of the breach:
Does the breach involve 500 or more individuals? Yes/No If yes, do the people live in multiple states? Yes/No
Number of individuals affected by the breach:
Names and addresses of individuals affected by the breach:
The types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home
address, account number, or disability code):
Description of what Business Associate is doing to investigate the breach, to mitigate losses, and to protect against any
further breaches:
Contact information to ask questions or learn additional information:
Name: Dr. Dov Chelst
Title: Director, Quantitative Analysis
Address: 475 K Street NW, Suite 702, Washington, DC 20001
Email Address: dchelst@cpsm.us
Phone Number: 732-236-4960
PUBLIC RECORDS. In accordance with Sec. 119.0701, Florida Statutes, CONTRACTOR must keep
and maintain this Agreement and any other records associated therewith and that are associated
with the performance of the work described in the Proposal or Bid. Upon request from the
Village's custodian of public records, CONTRACTOR must provide the Village with copies of
requested records, or allow such records to be inspected or copied, within a reasonable time in
accordance with access and cost requirements of Chapter 119, Florida Statutes. A CONTRACTOR
who fails to provide the public records to the Village, or fails to make them available for
inspection or copying, within a reasonable time may be subject to attorney's fees and costs
pursuant to Sec. 119.0701, Florida Statutes, and other penalties under Sec. 119.10, Florida
Statutes. Further, CONTRACTOR shall ensure that any exempt or confidential records associated
with this Agreement or associated with the performance of the work described in the Proposal
or Bid are not disclosed except as authorized by law for the duration of the Agreement term, and
following completion of the Agreement if the CONTRACTOR does not transfer the records to the
Village. Finally, upon completion of the Agreement, CONTRACTOR shall transfer, at no cost to
the Village, all public records in possession of the CONTRACTOR, or keep and maintain public
records required by the Village. If the CONTRACTOR transfers all public records to the Village
upon completion of the Agreement, the CONTRACTOR shall destroy any duplicate public records
that are exempt or confidential and exempt from public records disclosure requirements. If the
CONTRACTOR keeps and maintains public records upon completion of the Agreement, the
CONTRACTOR shall meet all applicable requirements for retaining public records. Records that
are stored electronically must be provided to the VILLAGE, upon request from the Village's
custodian of public records, in a format that is compatible with the Village's information
technology systems.
IF CONTRACTOR HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER
119, FLORIDA STATUTES, TO CONTRACTOR'S DUTY TO PROVIDE PUBLIC RECORDS
RELATING TO THIS AGREEMENT, PLEASE CONTACT THE VILLAGE CLERK, RECORDS
CUSTODIAN FOR THE VILLAGE, AT (561) 768-0440, OR AT
Imcwilliams@tequesta.org, OR AT 345 TEQUESTA DRIVE, TEQUESTA, FLORIDA
33469.
Pursuant to Article XII of the Palm Beach County Charter, the Office of the Inspector General has
jurisdiction to investigate municipal matters, review and audit municipal contracts and other
transactions, and make reports and recommendations to municipal governing bodies based on
such audits, reviews, or investigations. All parties doing business with the Village shall fully
cooperate with the inspector general in the exercise of the inspector general's functions,
authority, and power. The inspector general has the power to take sworn statements, require
the production of records, and to audit, monitor, investigate and inspect the activities of the
Village, as well as contractors and lobbyists of the Village in order to detect, deter, prevent, and
eradicate fraud, waste, mismanagement, misconduct, and abuses.
"The Village of Tequesta strives to be an inclusive environment. As such, it is the Village's policy
to comply with the requirements of Title II of the Americans with Disabilities Act of 1990 ("ADA")
by ensuring that the Contractor's [agreement/bid documents and specifications] are accessible
to individuals with disabilities. To comply with the ADA, the Contractor shall provide a written
statement indicating that all [agreement/bid documents and specifications], from Contractor,
including files, images, graphics, text, audio, video, and multimedia, shall be provided in a format
that ultimately conforms to the Level AA Success Criteria and Conformance Requirements of the
Web Content Accessibility Guidelines 2.0 (Dec. 11, 2008) ("WCAG 2.0 Level AA"), published by
the World Wide Web Consortium ("W3C"), Web Accessibility Initiative ("WAI"), available at
www.w3.org/TR/WCAG/."