BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "Agreement") by and between Indian River County BOCC ("Client") and The Gehring Group, Inc. ("Gehring Group") is made and entered into effective August 15, 2014.

RECITALS

WHEREAS, Client is a "covered entity," as that term is defined in 45 C.F.R. § 160.103; and

WHEREAS, Gehring Group provides consulting services to Client; and

WHEREAS, as a result of such functions, Client has identified Gehring Group as a "business associate," as defined in 45 C.F.R. § 160.103, of Client for purposes of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), and the regulations issued thereunder; and

WHEREAS, Gehring Group acknowledges that it is a business associate, as defined in 45 C.F.R. § 160.103, of Client that may create, use, or disclose Protected Health Information or Electronic Protected Health Information on behalf of Client; and

WHEREAS, Client desires to obtain written assurances that Gehring Group will safeguard Protected Health Information or Electronic Protected Health Information created or received by or on behalf of Client.

NOW, THEREFORE, the parties agree as follows:

1. DEFINITIONS

1.1 "Breach" shall have the meaning set forth in 45 C.F.R. § 164.402.

1.2 "Data Aggregation" shall have the same meaning as the term "data aggregation" in 45 C.F.R. § 164.501.

1.3 "Designated Record Set" shall mean a group of health-related records about an Individual as provided in 45 C.F.R. § 164.501.

1.4 "Electronic Health Record" shall mean an electronic record of health-related information with respect to an Individual that is created, gathered, managed and consulted by authorized healthcare clinicians and staff.

1.5 "Electronic Protected Health Information" or "Electronic PHI" means information that Gehring Group or its agent, including a subcontractor, creates, receives, maintains or transmits from or on behalf of Client that comes within paragraphs 1(i) or 1(ii) of the definition of "protected health information" at 45 C.F.R. § 160.103.

Page 1 of 8 17535410v.1

1.6 "Genetic Information" shall have the meaning assigned to such term in 45 C.F.R. § 160.103.

1.7 "HIPAA" shall mean the health information privacy provisions under the Health Insurance Portability and Accountability Act of 1996, and regulations issued thereunder at 45 C.F.R. Parts 160 and 164, as amended by HITECH.

1.8 "HITECH" shall mean the Health Information Technology for Economic and Clinical Health Act and the regulations issued thereunder.

1.9 "Individual" shall mean a person who is the subject of the Protected Health Information of the Client, and shall include a person who qualifies as the Individual's personal representative in accordance with 45 C.F.R. § 164.502(g).

1.10 "Limited Data Set" shall have the meaning assigned to such term in 45 C.F.R. § 164.514(e)(2).

1.11 "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Gehring Group from or on behalf of Client. Genetic Information shall be considered PHI.

1.12 "Required by Law" shall mean a mandate contained in an applicable state, federal, or local law that compels Client (or business associates acting on behalf of Client) to make a use or disclosure of PHI that is enforceable in a court of law.

1.13 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 C.F.R. § 164.304. However, certain low-risk attempts to breach network security, such as the incidents listed below, shall not constitute a Security Incident under this Agreement, provided they do not penetrate the perimeter, do not result in an actual breach of security and remain within the normal incident level:

• pings on the firewall;
• port scans;
• attempts to log on to a system or enter a database with an invalid password or username;
• denial-of-service attacks that do not result in a server being taken off-line; and
• malware such as worms or viruses.

1.14 "Subcontractor" shall have the same meaning as the term in 45 C.F.R. § 160.103.

1.15 "Unsecured Protected Health Information" or "Unsecured PHI" shall have the meaning assigned to such term in 45 C.F.R. § 164.402 and guidance issued thereunder.

2. OBLIGATIONS OF THE PARTIES

2.1 Gehring Group shall safeguard all PHI and Electronic PHI created or received by Gehring Group on behalf of Client in accordance with HIPAA. Gehring Group shall implement administrative, physical and technical safeguards that prevent use or disclosure of the Electronic Protected Health Information other than as permitted by the Security Rules. Specifically, Gehring Group agrees to implement policies and procedures in accordance with 45 C.F.R. § 164.316 that:

i. Prevent, detect, contain and correct security violations in accordance with the administrative safeguards set forth in 45 C.F.R. § 164.308;
ii. Limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed in accordance with the physical safeguards set forth in 45 C.F.R. § 164.310; and
iii. Allow access to electronic information systems that maintain Electronic PHI to only those persons or software programs that have been granted access rights in accordance with the technical safeguards set forth in 45 C.F.R. § 164.312.

2.2 Gehring Group shall not use or disclose PHI or Electronic PHI except as permitted or required by Article 3 of this Agreement or as Required by Law. Gehring Group shall notify Client of all requests for the disclosure of PHI and Electronic PHI from a law enforcement or government official, or pursuant to a subpoena, court or administrative order, or other legal request as soon as possible prior to making the requested disclosure. Gehring Group shall provide to Client all PHI and Electronic PHI necessary to respond to these requests as soon as possible, but no later than ten (10) business days following its receipt of a written request from Client.

2.3 Client shall provide to Gehring Group, and Gehring Group shall request from Client and disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only a Limited Data Set or, if necessary or otherwise permitted by HHS regulations, the minimum PHI or Electronic PHI necessary to perform or fulfill a specific function required or permitted under the Agreement. "Minimum necessary" shall be interpreted in accordance with HITECH, and in any event shall not include any direct identifiers of individuals such as names, street addresses, phone numbers or social security numbers, except for a unique identifier assigned by Client as necessary for the strategic analysis.

2.4 Gehring Group shall comply with all granted restrictions on the use and/or disclosure of PHI, pursuant to 45 C.F.R. § 164.522(a), upon written notice from Client; provided, however, that Client shall not grant any restriction that affects Gehring Group's use or disclosure of PHI without first consulting with Gehring Group.

2.5 Gehring Group shall comply with all granted requests for confidential communication of PHI, pursuant to 45 C.F.R. § 164.522(b), upon written notice from Client.

2.6 Gehring Group shall report to Client any use or disclosure of PHI not permitted by this Agreement of which Gehring Group becomes aware within fifteen (15) business days of its becoming aware, and will take such corrective action as is necessary, or as reasonably directed by Client, in order to prevent and minimize damage to any Individual and to prevent any further such occurrences.

2.7 Following the discovery of a Breach of Unsecured PHI, Gehring Group shall notify the Client without unreasonable delay and in no case later than fifteen (15) days after discovery of the Breach. The notification shall include the identification of each Individual whose Unsecured PHI has been or is reasonably believed by Gehring Group to have been accessed, acquired, used or disclosed during the Breach. Gehring Group shall provide the Client with any other available information that the Client requires to notify affected individuals under the Privacy Rule.

2.8 Gehring Group shall make reasonable efforts to mitigate, to the extent practicable or as reasonably directed by Client, any harmful effect that is known to Gehring Group resulting from a breach of this Agreement or HIPAA that is directly caused by Gehring Group.

2.9 Gehring Group shall report to Client any Security Incident within five (5) business days of when it becomes aware of such Security Incident. Gehring Group shall mitigate, to the extent practicable or as reasonably directed by Client, any harmful effect that is known to Gehring Group of a Security Incident by Gehring Group.

2.10 Gehring Group shall ensure that any Subcontractor performing services for Client agrees in writing to the same restrictions and conditions that apply to Gehring Group with regard to its creation, use, and disclosure of PHI and Electronic PHI in accordance with 45 C.F.R. §§ 164.308(b)(2), 164.502(e)(1)(ii) and 164.504(e)(5). Gehring Group shall, upon written request from Client, provide a list of any Subcontractors with whom Gehring Group has contracted to perform services for Client. Gehring Group shall advise Client if any Subcontractor breaches its agreement with Gehring Group with respect to the disclosure or use of PHI or Electronic PHI. If Gehring Group knows of an activity or practice of its Subcontractor that constitutes a material breach or violation of the Subcontractor's duties and obligations under its agreement with the Subcontractor ("Subcontractor Material Breach"), Gehring Group shall cure the breach or provide a reasonable period for Subcontractor to cure the Subcontractor Material Breach; provided, however, that if Gehring Group cannot, or Subcontractor does not, cure the Subcontractor Material Breach within such period, Gehring Group shall terminate the agreement with Subcontractor, if feasible, at the end of such period.

2.11 Gehring Group shall, upon written request from Client, provide to Client a copy of any PHI or Electronic PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, created or maintained by Gehring Group, and not also maintained by Client, within thirty (30) days of receipt of the request.

2.12 Gehring Group shall, upon written request from Client, make any amendment to PHI in a Designated Record Set maintained by Gehring Group within thirty (30) days of receipt of the request unless Gehring Group can establish to Client's satisfaction that the PHI at issue is accurate and complete.

2.13 If an Individual's PHI is held in an Electronic Health Record, Gehring Group shall provide requested copies in electronic format to the Individual or to an entity or person designated by the Individual, provided such designation is clearly and conspicuously made by the Individual or Client.

2.14 Gehring Group shall make its internal practices, written policies and procedures, books, records, and other documents relating to the use and disclosure of PHI and/or Electronic PHI created or maintained by Gehring Group on behalf of Client available to the Secretary of the Department of Health and Human Services, or his or her designee, for purposes of the Secretary determining Client's compliance with HIPAA.

2.15 Gehring Group shall make available the information required to provide an accounting of disclosures made on and after the Effective Date, as necessary for Client to comply with 45 C.F.R. § 164.528, within twenty (20) business days of receipt of the request. Gehring Group shall provide one such accounting within a twelve-month period without charge, but may make a reasonable charge for any additional such accountings within the same twelve-month period.

2.16 Gehring Group shall maintain all records, other than those records that are also maintained by Client, for six (6) years from the date created or last in effect, whichever is later, as necessary for Client to comply with 45 C.F.R. § 164.530(j)(2).

3. PERMITTED USES OF PHI

3.1 Gehring Group may use and disclose PHI and Electronic PHI as necessary to provide services to Client, subject to Section 2.3 of this Agreement and consistent with the requirements of HIPAA.

3.2 Gehring Group may use and disclose PHI and Electronic PHI as necessary for the proper management and administration of Gehring Group or to carry out Gehring Group's legal responsibilities, subject to Section 2.4 of this Agreement and consistent with the requirements of HIPAA; provided, however, that Gehring Group may disclose the PHI and Electronic PHI for such purposes only if:

i. the disclosure is Required by Law, or
ii. Gehring Group obtains reasonable assurances that the party to whom the PHI or Electronic PHI is disclosed (a) will protect the confidentiality of the PHI and Electronic PHI, (b) will not further disclose the PHI or Electronic PHI except as Required by Law or for the purposes for which it was disclosed to the other party, and (c) will report any improper use or disclosure of the PHI and/or Electronic PHI to Gehring Group.

3.3 Except as otherwise limited in this Agreement, and to the extent provided for under this Agreement, Gehring Group may use PHI and Electronic PHI to provide Data Aggregation services to Client, as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).

4. TERMINATION OF AGREEMENT

4.1 Except as described in Section 4.3, this Agreement shall continue in effect so long as Gehring Group provides service to Client involving maintaining, using or disclosing PHI or Electronic PHI, or otherwise retains a copy of PHI or Electronic PHI provided to Gehring Group by Client.

4.2 Client may terminate this Agreement at any time if Client discovers that Gehring Group has materially breached any provision of this Agreement.

4.3 If Gehring Group becomes aware of a pattern of activity or practice of the Client that constitutes a material breach or violation of the Client's duties and obligations under the Agreement, Gehring Group shall take reasonable steps and provide a period of thirty (30) calendar days for the Client to cure the material breach or violation. If the Client does not cure the material breach or violation within such 30-day period, Gehring Group shall terminate the Agreement, if feasible, at the end of such 30-day period.

4.4 Upon the expiration of Client's relationship with Gehring Group, and contingent upon the payment of all outstanding fees, Gehring Group shall return PHI and Electronic PHI to Client or Client's designated agent upon Client's request. If return of all PHI and Electronic PHI is not feasible, the provisions of this Agreement shall continue to apply to Gehring Group until such time as all PHI and Electronic PHI is either returned to Client or destroyed pursuant to Gehring Group's document retention policy, provided that Gehring Group shall limit further use of PHI and Electronic PHI only to those purposes that make the destruction or return of the PHI and Electronic PHI infeasible. Following the expiration of the relationship, Gehring Group agrees not to disclose PHI and Electronic PHI except to Client or as Required by Law.

5. NOTICES

Whenever, under this Agreement, Gehring Group is required to give notice to Client, such notice shall be sent via First Class Mail to:

Indian River County BOCC
1800 27th Street
Vero Beach, FL 32960
Attention: Privacy Officer

Whenever, under this Agreement, Client is required to give notice to Gehring Group, such notice shall be sent via First Class Mail to:

Katherine Bellantoni, Privacy Officer
Gehring Group, Inc.
11505 Fairchild Gardens Ave.
Suite 202
Palm Beach Gardens, FL 33410

6. INDEMNIFICATION

Gehring Group agrees to indemnify Client, and any employees, directors, officers of Client (collectively "Client Indemnitees"), against all actual and direct losses resulting from or in connection with any breach of this Agreement by Gehring Group, or its partners, employees or other members of its workforce. Actual and direct losses shall include, but shall not be limited to, judgments, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) which are imposed upon or incurred by Client Indemnitees by reason of any suit, claim, action, investigation, or demand by any Individual, government entity, or third party. This obligation to indemnify shall survive the termination of this Agreement.

To the extent permitted by law, Client agrees to indemnify Gehring Group and any employees, directors, officers of Gehring Group (collectively "Gehring Group Indemnitees") against all actual and direct losses resulting from or in connection with any breach of this Agreement by Client, or any violation of HIPAA resulting from any improper use or disclosure of PHI and Electronic PHI pursuant to Client's direction. Actual and direct losses shall include, but shall not be limited to, judgments, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) which are imposed upon or incurred by Gehring Group Indemnitees by reason of any suit, claim, action, investigation, or demand by any Individual, government entity, or third party. This obligation to indemnify shall survive the termination of this Agreement.

7. GOVERNING LAW

This Agreement shall be governed by and interpreted in accordance with the laws of Florida. Jurisdiction and venue for any dispute relating to this Agreement shall rest exclusively with the state courts of Indian River County, Florida and the federal courts of the Southern District of Florida, as applicable.

8. AMENDMENT

The parties agree to negotiate in good faith any amendments necessary to conform this Agreement to changes in applicable law. Gehring Group further agrees to promptly attempt to amend its agreements with its subcontractors and agents to conform to the terms of this Agreement. In the event Gehring Group is unable to amend this Agreement or its agreements with its subcontractors in a way that is sufficient to satisfy the requirements under HIPAA, Client may terminate this Agreement in accordance with Section 4 upon thirty (30) days' written notice.

9. TERMS OF AGREEMENT GOVERN

Any ambiguity in this Agreement shall be resolved in a way that permits compliance with HIPAA. In the event of a conflict between the terms of this Agreement and any other contract or agreement between Client and Gehring Group, this Agreement shall govern.

10. REGULATORY REFERENCES

A reference in this Agreement to a section in the Privacy Rules or Security Rules means the section as in effect or as amended, and for which compliance is required.

IN WITNESS HEREOF, the parties have executed this Agreement by their respective duly authorized officers or representatives.

CLIENT
By: [signature], County Administrator
Date: __/10/15

GEHRING GROUP, INC.
By:
Title:
Date:

APPROVED AS TO FORM AND LEGAL SUFFICIENCY BY DYLAN REINGOLD, COUNTY ATTORNEY