BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into as of Oct 01, 2016 ("Effective Date") by and between
The Village of Tequesta ("Covered Entity") and New Directions Behavioral Health, L.L.C. ("Business Associate") (each
"Party" and collectively the "Parties").
WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability Act of
1996 ("HIPAA"), the Health Information Technology and Clinical Health Act of 2009 ("HITECH"), all regulations
promulgated thereunder, including but not limited to Title 45, Parts 160 and 164 and any future regulations promulgated
under either HIPAA or HITECH; and
WHEREAS, the Business Associate will provide services to the Covered Entity that may involve the creation, receipt,
use, transmission, maintenance, or disclosure of Protected Health Information (PHI); and
WHEREAS, the Parties enter into this Agreement to protect the privacy and security of PHI disclosed to the Business
Associate and to establish the terms and conditions for the use and disclosure of such PHI.
RECITALS
In consideration of the mutual promises set forth in this Agreement and other good and valuable consideration, the receipt
and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Terms used but not otherwise defined in this Agreement will have the same meaning as the meaning ascribed to
those terms in HIPAA, HITECH and their corresponding regulations.
a. "Breach" shall have the meaning as set forth in 45 CFR 164.402.
b. "Electronic Health Record" and "EHR" shall have the meaning as in § 13400(5) of HITECH, and any
corresponding regulations, limited to records created or received by the Business Associate from or on
behalf of the Covered Entity.
c. "Electronic Protected Health Information" or "EPHI" shall have the meaning as set forth in 45 CFR
160.103, limited to the information created or received by the Business Associate from or on behalf of the
Covered Entity.
d. "Individual" shall have the meaning set forth in 45 CFR 164.501 and shall include a person who qualifies
as a personal representative in accordance with 45 CFR 164.502(g).
e. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information found at
45 CFR Parts 160 and 164, Subparts A and E.
f. "Protected Health Information" or "PHI" shall have the meaning as set forth in 45 CFR 160.103, limited
to the information created or received by Business Associate from or on behalf of Covered Entity.
g. "Security Incident" shall have the meaning as set forth in 45 CFR 164.304.
h. "Secretary" shall mean the Secretary of the federal Department of Health and Human Services.
i. "Security Rule" means the Security Standards and Implementation Specifications found at 45 CFR Parts
160 and 164, Subpart C.
j. "Standards for Electronic Transactions Rule" means the final regulations issued by the Department of
Health and Human Services concerning standard transactions and code sets under the Administration
Simplification provisions found at 45 CFR Parts 160 and 162.
k. "Unsecured Protected Health Information" shall have the meaning as set forth in 45 CFR 164.402 and the
guidance issued under § 13402(h)(2) of Public Law 111-5.
2. Obligations of Business Associate.
a. Business Associate shall directly comply with the requirements found at 45 CFR 64.504 of the Privacy
Rule and the privacy provisions of HITECH.
b. Business Associate shall directly comply with the administrative, technical and physical safeguards,
documentation requirements and policies and procedures in accordance with the Security Rule.
c. Permitted Uses and Disclosures. Business Associate may not use or disclose PHI received from or
created on behalf of Covered Entity except as permitted by this Agreement or as required by law.
Business Associate will limit all uses and disclosures of PHI to the minimum amount necessary to
accomplish the intended purpose of the use or disclosure. Business Associate may:
i. Use or disclose PHI to perform services as specified under an effective Services Agreement duly
executed by both Parties, provided that any use or disclosure would not violate the Privacy or
Security Rule if disclosed by the Covered Entity.
ii. Use PHI to provide data aggregation services related to the health care operations of the Covered
Entity, as provided in 45 CFR § 164.504(2)(i)(B).
d. Safeguards. Business Associate shall use appropriate safeguards, including but not limited to, policies,
procedures, training and documentation requirements to prevent the unauthorized use or disclosure of
Covered Entity's PHI as required by the Security Rule and § 13401 of HITECH. Business Associate
shall maintain a comprehensive information privacy and security program that includes administrative,
technical and physical safeguards appropriate to the size and complexity of the Business Associate's
operations and the nature and scope of its activities. Business Associates shall provide a copy of and
evidence of such safeguards to Covered Entity upon request.
e. If Business Associate electronically transmits or receives PHI on behalf of the Covered Entity, Business
Associate shall comply with the Standards for Electronic Transactions Rule to the extent required by
law. Business Associate will require any employee, agent, subagent, contractor, or subcontractor that
assists Business Associate in electronically transmitting or receiving PHI to agree in writing to comply
with the Standards for Electronic Transactions Rule to the extent required by law.
f. Business Associate's Agents. Business Associate shall require any employee, agent, subagent,
contractor, subcontractor, or any other person who may have access to Covered Entity's PHI to agree in
writing to the same terms and conditions that apply to Business Associate with respect to Covered
Entity's PHI. If Business Associate becomes aware of a pattern of activity or practice by an employee,
agent, sub-agent, or contractor that violates this Agreement, Business Associate agrees to take steps to
cure the breach or end the violation. If Business Associate is unable to cure the breach or end the
violation within a reasonable time, Business Associate is required to terminate its arrangement with that
employee, agent, sub-agent, or contractor. Nothing in this paragraph removes Business Associate's
responsibility to report the breach to Covered Entity as found in this Section.
g. Business Associate shall provide Covered Entity, within a reasonable time, all information to enable
Covered Entity to respond to, provide access to, provide a copy of and account for disclosures of PHI in
accordance with 45 CFR § 164.528. Upon request by Covered Entity, Business Associate shall produce
an accounting of disclosures to an Individual consistent with HIPAA.
h. Business Associate shall provide Covered Entity, within a reasonable time, all information to enable
Covered Entity to respond to a request for access to PHI as provided in 45 CFR § 164.524 or to amend PHI
in accordance with 45 CFR § 164.528.
i. Business Associate shall notify Covered Entity of any request or demand by the Secretary or information
related to the Covered Entity. Business Associate shall provide the Covered Entity with a copy of all
information related to the Covered Entity that the Business Associate provides to the Secretary.
j. If Business Associate receives a subpoena or similar request or notice from any judicial, administrative,
or other regulatory body in connection with this Agreement, Business Associate will immediately notify
Covered Entity and forward a copy of such subpoena, request, or notice to Covered Entity to enable
Covered Entity to seek appropriate protections and exercise any rights it may have under law.
k. Notification of Breach. Business Associate shall provide written notice to Covered Entity within a
reasonable time after Business Associate discovers any unauthorized acquisition, access, use, or
disclosure of PHI, or any successful Security Incident. The Business Associate shall be considered to
have discovered an unauthorized acquisition, access, use, or disclosure of PHI, or successful Security
Incident on the first day on which such Breach is known to Business Associate, or by exercising
reasonable diligence would have been known to Business Associate. Business Associate shall include in
the written notice the following:
i. The date the unauthorized act occurred;
ii. The date the unauthorized act was discovered by Business Associate;
iii. The nature of the unauthorized acquisition, access, use, or disclosure, including to whom Covered
Entity's PHI was disclosed;
iv. The type of PHI involved;
v. Who made the unauthorized use or disclosure and/or who received the unauthorized disclosure;
vi. The steps Business Associate has taken or will take to mitigate harm from the unauthorized
acquisition, use or disclosure; and
vii. The corrective actions that Business Associate has taken or will take to prevent further
unauthorized acts.
l. Covered Entity shall be responsible for determining the need for and directing the implementation of any
notifications of the unauthorized acquisition, use or disclosure of PHI. Business Associate shall, at
Covered Entity's direction, cooperate with or perform any additional investigation or assessment
necessary related to the unauthorized acquisition, use, or disclosure of PHI.
m. Notification of Security Incident. Business Associate shall report in writing to Covered Entity any
successful Security Incident within a reasonable time after Business Associate becomes aware of such
Security Incident, and shall submit any requested follow-up documentation to Covered Entity upon
request. Business Associate shall include in the written notice:
i. The date the Security Incident occurred;
ii. The date the Security Incident was discovered by Business Associate;
iii. The nature of the Security Incident;
iv. The type of PHI involved;
v. The steps Business Associate has taken or will take to mitigate harm from the Security Incident;
and
vi. The corrective actions that Business Associate has taken or will take to prevent further Security
Incidents.
n. Covered Entity shall be responsible for determining the need for and directing the implementation of any
notifications of the unauthorized acquisition, use or disclosure of PHI. Business Associate shall, at
Covered Entity's direction, cooperate with or perform any additional investigation or assessment
necessary related to the unauthorized acquisition, use, or disclosure of PHI.
o. Business Associate shall include in the written notice required under this Section, to the extent known by
Business Associate:
i. The identity of the individuals whose PHI was involved in the unauthorized act or Security
Incident;
ii. Any information necessary to enable the Covered Entity to assess the risk of harm to those
individuals; and
iii. Any information necessary to enable the Covered Entity to determine whether the unauthorized
act or Security Incident qualifies as a Breach under HITECH.
p. Business Associate agrees to supplement the notice required under this Section with any new information
that becomes available. Upon request, Covered Entity may have access to any additional information to
enable Covered Entity to meet its obligations with respect to an unauthorized acquisition, use, or
disclosure of PHI or Security Incident.
q. Business Associate shall exercise due diligence to become aware of any unauthorized access, use, or
disclosure of PHI and/or Security Incidents.
r. Business Associate agrees to attempt to mitigate any harmful effect that is known or reasonably
anticipated by Business Associate resulting from any unauthorized acquisition, access, use, or disclosure
of PHI or Security Incident.
s. Business Associate shall promptly remedy any violation of any term of this Agreement and shall certify
the same to Covered Entity in writing.
3. Obligations of Covered Entity
a. The Covered Entity will notify Business Associate of any facts or circumstances which affect Business
Associate's access to, use, or disclosure of PHI, including:
i. Any change in Covered Entity's notice of privacy practices;
ii. Any change in, or withdrawal of, an authorization provided to Covered Entity pursuant to 45 CFR
§ 164.522; and
iii. Any restriction to Business Associate's use or disclosure of PHI in accordance with 45 CFR
§ 164.522.
b. From time to time upon reasonable notice, Covered Entity (or its agent) may inspect the facilities,
systems, books and records of Business Associate to monitor compliance with this Agreement.
c. Covered Entity shall be responsible for determining the need for and directing the implementation of any
notifications of the unauthorized acquisition, use or disclosure of PHI. Business Associate shall, at
Covered Entity's direction, cooperate with or perform any additional investigation or assessment
necessary related to the unauthorized acquisition, use, or disclosure of PHI.
d. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate's
facilities, systems, and procedures does not relieve Business Associate of its responsibility to comply with
this Agreement, nor does Covered Entity's (i) failure to detect or (ii) upon detection, but failure to notify
Business Associate or require Business Associate's remediation of any unsatisfactory practices constitute
acceptance of such practice or a waiver of Covered Entity's enforcement rights under this Agreement.
4. Effective Date and Termination
a. This Agreement is effective on the Effective Date, replaces and supersedes any prior Business Associate
Agreement executed by the Parties. This Agreement supersedes any provision in any other Agreement
executed by the Parties related to Business Associate's obligations concerning PHI with respect to the
Privacy and Security Rule.
b. This Agreement terminates on the date the Business Associate ceases to be obligated to perform the
functions, activities, or services contemplated by this Agreement.
5. Termination
a. This Agreement shall remain in full force and effect until termination of the business relationship of the
parties contemplated by this Agreement. Any terms of this Agreement, which by their nature extend beyond
the termination of the business relationship, shall remain in effect until fulfilled.
b. A breach by Business Associate of any provision of this Agreement, as determined by Covered Entity, shall
constitute a material breach of the Agreement and shall provide grounds for immediate termination of the
Agreement. If termination of the Agreement is not feasible, the Covered Entity will report the breach to the
Secretary to the extent required by law.
c. Either Party may terminate the Agreement, effective immediately, if (i) the other Party is named as a
defendant in a criminal proceeding for a violation of the Privacy Rule, the Security Rule, or HITECH; or
(ii) a finding or stipulation that the other Party has violated the Privacy Rule, the Security Rule, or HITECH
by any administrative or regulatory body, or civil proceeding.
d. Upon termination of the Agreement, Business Associate shall return or destroy all Covered Entity's PHI in
accordance with 45 CFR § 164.504(e)(2)(ii)(I). If Business Associate is required by law to retain a copy of
such information, Business Associate will maintain the PHI for the requisite period required by law, after
which Business Associate shall return or destroy Covered Entity's PHI. This provision extends to all PHI
that may be in the possession of Business Associate's employees, agents, sub-agents, or contractors.
6. Integration
a. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the
Privacy Rule, the Security Rule, HITECH and the regulations promulgated thereunder.
b. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that
complies and is consistent with HIPAA, the Privacy Rule, the Security Rule, HITECH and the regulations
promulgated thereunder.
c. A reference in this Agreement to a specific section in HIPAA, the Privacy Rule, the Security Rule,
HITECH, or the regulations promulgated thereunder means that section as amended from time to time.
Should future amendments referenced in this Agreement change the section designation, or transfer a
substantive regulatory provision to a different section, the section references herein will be deemed to be
amended accordingly.
d. The provisions of this Agreement are severable and if any provision is held or declared to be illegal, invalid,
or unenforceable, the remainder of the provisions in this Agreement will continue in full force and effect.
7. Assignment and Amendment
a. This Agreement shall be binding on the Parties, their legal representatives, successors, heirs and assigns,
provided however, that unless otherwise expressly stated in this Agreement, neither Party may assign any of
its respective rights or delegate any of its respective obligations under this Agreement without the prior
written consent of the other Party to this Agreement.
b. Neither this Agreement, nor any provisions thereof, may be modified, amended, supplemented, or altered
except by the written consent of the Parties.
8. Insurance Coverage
a. During the term of this Agreement, Business Associate shall maintain liability insurance covering claims
based on a violation of HIPAA and claims based on its obligations pursuant to this Agreement in an
amount of not less than $1,000,000 per claim.
9. Governing Law
a. The Parties agree and acknowledge that this Agreement, and the rights, remedies and obligations of the
parties hereunder, will be governed and construed in accordance with the laws of the State of Florida.
IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement as of the date set forth above.
The Village of Tequesta New Directions Behavioral Health, L.L.C.
By: [illegible] By:
Printed Name: [illegible] Printed Name:
Title: [illegible] Title:
Dated: [illegible] Dated:
PUBLIC RECORDS. In accordance with Sec. 119.0701, Florida Statutes,
CONTRACTOR must keep and maintain this Agreement and any other
records associated therewith and that are associated with the
performance of the work described in the Proposal or Bid. Upon request
from the Village's custodian of public records, CONTRACTOR must provide
the Village with copies of requested records, or allow such records to be
inspected or copied, within a reasonable time in accordance with access
and cost requirements of Chapter 119, Florida Statutes. A CONTRACTOR
who fails to provide the public records to the Village, or fails to make them
available for inspection or copying, within a reasonable time may be
subject to attorney's fees and costs pursuant to Sec. 119.0701, Florida
Statutes, and other penalties under Sec. 119.10, Florida Statutes. Further,
CONTRACTOR shall ensure that any exempt or confidential records
associated with this Agreement or associated with the performance of the
work described in the Proposal or Bid are not disclosed except as
authorized by law for the duration of the Agreement term, and following
completion of the Agreement if the CONTRACTOR does not transfer the
records to the Village. Finally, upon completion of the Agreement,
CONTRACTOR shall transfer, at no cost to the Village, all public records in
possession of the CONTRACTOR, or keep and maintain public records
required by the Village. If the CONTRACTOR transfers all public records to
the Village upon completion of the Agreement, the CONTRACTOR shall
destroy any duplicate public records that are exempt or confidential and
exempt from public records disclosure requirements. If the CONTRACTOR
keeps and maintains public records upon completion of the Agreement,
the CONTRACTOR shall meet all applicable requirements for retaining
public records. Records that are stored electronically must be provided to
the VILLAGE, upon request from the Village's custodian of public records,
in a format that is compatible with the Village's information technology
systems.
IF CONTRACTOR HAS QUESTIONS REGARDING THE
APPLICATION OF CHAPTER 119, FLORIDA STATUTES, TO
CONTRACTOR'S DUTY TO PROVIDE PUBLIC RECORDS
RELATING TO THIS AGREEMENT, PLEASE CONTACT THE
VILLAGE CLERK, RECORDS CUSTODIAN FOR THE VILLAGE, AT
(561) 768-0685, OR AT [e-mail address illegible], OR AT 345
TEQUESTA DRIVE, TEQUESTA, FLORIDA 33469.