HomeMy WebLinkAbout20133340.tiffRESOLUTION
RE: APPROVE MEMORANDUM OF UNDERSTANDING FOR THE SHARING OF MEDICAL
INFORMATION AND AUTHORIZE CHAIR TO SIGN - COLORADO ACCESS
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Non -Financial Memorandum of
Understanding for the Sharing of Medical Information between the County of Weld, State of
Colorado, by and through the Board of County Commissioners, on behalf of the Department of
Human Services, and Colorado Access, commencing upon execution of signature, with further
terms and conditions being as stated in said memorandum of understanding, and
WHEREAS, after review, the Board deems it advisable to approve said memorandum of
understanding, a copy of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the Non -Financial Memorandum of Understanding for the Sharing of
Medical Information between the County of Weld, State of Colorado, by and through the Board of
County Commissioners, on behalf of the Department of Human Services, and Colorado Access,
be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to
sign said memorandum of understanding.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 9th day of December, A.D., 2013.
BOARD OF COUNTY COMMISSIONERS
WELD CO �;. , COLORADO
ATTEST:a,,5,..,.,.,ctU,�
Weld County Clerk to the Board
Deputy C
APPRO
un y Attorney
Iliam . Garcia Chair
Dou Ia/Radem her, P'ro-Tem
Sean P. Conway
Date of signature: DEC 1 9 2013
to-a%-tt
2013-3340
HR0084
MEMORANDUM
DATE: December 2, 2013
TO: William F. Garcia, Chair, Board of County Cornn issiclners
FROM: Judy A. Griego, Director, Human S? ices l pa me
RE:
Memorandum of Understanding between the Weld
County Department of Human Services and Colorado
Access
Enclosed for Board approval is a Memorandum of Understanding between the Department and
Colorado Access. This MOU was reviewed under the Board's Pass -Around Memorandum dated
November 21, 2013, and approved for placement on the Board's Agenda.
This MOU allows for the sharing of medical information about children in the custody of, or
receiving services from, the Department of Human Services.
Colorado Access has received a contract with the State to provide a number of health care related
services to persons in northern Colorado, including in Weld County. One of those services is to
connect persons listed in their database with primary care medical providers (PCMP), to ensure
that they are receiving appropriate medical care.
The Weld County Department of Human Services provides services to foster children, including
providing medical treatment appointments as appropriate. For those children who are in the legal
custody of the Department, this MOU will allow the Department to share medical information
with Colorado Access for the benefit of those foster children. Additionally, for those children
who receive some services but are not in the legal custody of the Department, County staff will
attempt to contact and receive written authorization to disclose medical information to Colorado
Access for the same purpose.
This agreement is necessary to ensure that the County and Colorado Access comply with HIPAA.
We do not anticipate that significant staff time will be necessary to fulfill our obligations, and
this is a non -financial MOU.
This Agreement shall commence on the Effective Date arid shall expire when all PHI provided
to, created or received by the Parties, each to the other, is destroyed or returned to the conveying
Party.
If you have any questions, give me a call at extension 6510.
2013-3340
COLORADO ACCESS
REGIONAL CARE COLLABORATIVE ORGANIZATION
Member Coordination Memorandum of Understanding
THIS Memorandum of Understanding (hereinafter referred to as the "Agreement") is entered
into by and between Colorado Access, a Colorado non-profit corporation ("Colorado Access") and the
Weld County Board of County Commissioners, on behalf of the Weld County Department of Human
Services, Child Welfare Division ("County"), with its principal place of business at 315 North 11th Avenue,
Greeley, CO 80631 (Colorado Access and County shall be referred to collectively herein as the
"Parties"). The Parties agree that this Agreement shall be effective as of November 20, 2013 ("Effective
Date").
WHEREAS, Colorado Access has entered into certain agreements with the Colorado Department
of Health Care Policy and Financing ("HCPF") to act as a Regional Care Collaborative Organization
("RCCO") for the Accountable Care Collaborative Program ("ACC Program") for RCCO Regions 2, 3 and 5,
which agreements shall be referred to hereinafter as the "RCCO Agreements," and;
WHEREAS, among other requirements, the RCCO Agreements provide for Colorado Access to
perform Integrated Care Coordination Services for ACC Program Members within the Colorado Access
RCCOs, provide the option for the ACC Program Members to choose a Primary Care Medical Provider
("PCMP"), and expressly require Colorado Access to contact Members who have not selected a PCMP
and to develop plans and strategies to contact Members whose telephone number or address are
incorrect, and;
WHEREAS, County provides aspects of service and/or care coordination to the populations who
qualify or may qualify for benefits under the ACC Program, and;
WHEREAS, both the RCCO and County are contractors of the State of Colorado ("the State"),
and receive Medicaid Members' protected health information ("PHI") from the State in order to carry
out or perform functions required by their State contracts, and;
WHEREAS, the Parties must exchange PHI in order to achieve the goals set forth in their
respective State contracts, and;
WHEREAS, the Contracts contemplate such exchange of PHI;
NOW, THEREFORE, in consideration of the foregoing and for other good and valuable
consideration, the sufficiency and receipt of which is hereby acknowledged, the Parties agree as follows:
I. DEFINITIONS
a. ACC Program shall mean the HCPF program designed to affordably optimize Member
health, functioning and self-sufficiency with the primary goals to improve Medicaid
Member Health outcomes and control Medicaid costs.
b. Business Associate shall have the meaning set forth in 45 C.F.R. § 160.103, and shall
refer to the relationship that the Parties will enter into as a result of the Business
Associate Agreement ("BAA") that they will execute and incorporate into the
Agreement.
c. Business Associate Agreement ("BAA") shall mean Exhibit A to this Agreement,
incorporated herein by reference.
d. Common Clients shall mean Members of the Colorado Access RCCO who are also active
clients of the County's Child Welfare program.
e. County shall mean the organization or Provider identified in the first paragraph of this
Agreement.
II.
a. Electronic Protected Health Information or a -PHI shall have the meaning set forth in 45
C.F.R. § 160.103, and generally shall mean PHI that is transmitted or maintained in any
electric media.
b. HITECH Act shall mean the Health Information Technology for Economic and Clinical
Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009,
Public Law 111-5.
c. Integrated Care Coordination shall mean ensuring that physical, behavioral, long-term
care, social and other services are continuous and comprehensive and the service
providers communicate with one another In order to effectively coordinate care and
provide services that are not duplicative of other services and that are mutually
reinforcing.
d. Member shall mean the individual Medicaid client or patient enrolled in HCPF's ACC
Program and assigned to Colorado Access as a RCCO.
e. PCMP shall mean a Primary Care Medical Provider who has entered into a contract with
both HCPF and Colorado Access, either directly or through a subcontract with a
Delegate, to provide Primary Care Case Management Services for ACC Program
Members consistent with HCPF's Medical Home Model Principals.
f. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health
Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended by the
HITECH Act and as may otherwise be amended from time to time.
g. Protected Health Information or PHI shall have the same meaning as the term
"protected health information" in 45 C.F.R. § 160.103, limited to the information
created or received by a Business Associate from or on behalf of the Covered Entity (the
State, in this case, or the RCCO, acting in accordance with its RCCO Agreements). The
term PHI, as used herein, shall be inclusive of ePHI.
h. Region(s) shall mean the ACC Program geographical area(s) containing specific counties
within the State of Colorado that is/are served by a RCCO, and specifically Regions 2, 3
and 5, which are the Regions for which Colorado Access serves as the Regional Care
Collaborative Organization.
i. Security Rule shall mean the Security Standards at 45 C.F.R. Parts 160 and 164, Subparts
A and C, as may be amended from time to time.
j. Unattributed shall mean a status for Members who are not formally connected to a
PCMP In the State's systems.
ill. OBLIGATIONS
a. County Obligations.
I. County will, upon request by Colorado Access, respond to requests for Member
PHI for Members who County and/or RCCO has determined may reside within
the Region(s) and participate in County's Child Welfare programs.
ii. For identified Common Clients who are Unattributed and also legally
represented by County (i.e. custody/guardianship), County shall assist in the
process of formally choosing/declaring a PCMP through Health Colorado (by
telephone or fax form).
For Common Clients who are their own legal representative, or are legally
represented by someone other than County, County will contact the child's legal
representative to request an authorization for the County to provide
information sufficient to help Colorado Access determine whether the child has
a PCMP.
County will execute the Business Associate Agreement ("BAA") with Colorado
Access, acting as the RCCO, attached hereto as Exhibit A and incorporated
herein by reference, and abide by Its terms at all times.
iv. County will assist Colorado Access in any further Common Client identification,
PCMP connection activities, or care/support coordination activities that
Colorado Access and County may, from time to time, determine.
v. County will treat all of its communications with Colorado Access, acting as the
RCCO, as confidential.
b. Colorado Access Obligations
i. Colorado Access, acting as the RCCO, requests that County provide Colorado
Access with PHI for individuals whom County and/or RCCO identifies as current
or potential RCCO Members.
ii. Colorado Access will provide County with the minimum necessary Member PHI
to allow County to verify the Member's eligibility for County Child Welfare
programs. The PHI may be delivered electronically or in paper format.
iii. In its requests to County for PHI, Colorado Access, acting as the RCCO, shall
always request the minimum necessary PHI to complete RCCO contractual
obligations.
iv. Colorado Access shall provide County with the minimum necessary PHI to verify
County program participation, contact the member for PCMP connection
activities and/or communications, as appropriate, and/or respond to Colorado
Access with PHI that may help Colorado Access connect to the member or the
member's representative.
v. Colorado Access, acting as the RCCO, will execute the Business Associate
Agreement ("BAA") with County, attached hereto as Exhibit A and incorporated
herein by reference, and abide by its terms at all times.
vi. Colorado Access will assist County in any further Common Client identification,
PCMP connection activities, or care/support coordination activities that
Colorado Access and County may, from time to time, determine.
IV. GENERAL TERMS
a. Term. This Agreement shall commence on the Effective Date and shall expire when all
PHI provided to, created or received by the Parties, each to the other, is destroyed or
returned to the conveying Party.
b. Termination of this Agreement With Cause._ The Parties may terminate this Agreement
due to a breach of its obligations under Its BAA, this Agreement and/or the Privacy Rule.
A breach shall require the breaching Party to treat such breach as if it was a breach of
their BAA and fulfill the obligations of their BAA for such breach.
c. Termination of this Agreement Without Cause. Either party may, at any time and for
any reason, terminate this Agreement by providing the other party with thirty (30) days
prior written notice of termination.
d. Applicable Law. This Agreement shall be governed by Colorado law.
e. No Third Party Rights. Except as expressly stated herein or in the Privacy Rule, the
Parties do not intend to create any rights to this Agreement in third parties.
f. Amendment. Upon enactment of any law or regulation affecting the use and/or
disclosure of PHI, an amendment to the Parties' individual State contracts affecting the
use and/or disclosure of PHI, the publication of any court decision relating to any such
law, or the publication of any interpretive policy, opinion or guidance of any
governmental agency charged with the enforcement of any such law or regulation, the
Parties may amend this Agreement to comply with such law, contractual amendment, or
regulation.
g. Survival. The respective rights and obligations of the Parties under the BAA above shall
survive the termination of the Agreement.
h. Interpretation. Any ambiguity In this Agreement shall be resolved to permit the Parties
to comply with their BAAs, the Privacy Rule and the Security Rule.
I Severability. In the event that any provision of this Agreement is held by a court of
competent jurisdiction to be valid or unenforceable, the remainder of the provisions of
this Agreement will remain in full force and effect.
J•
Counterparts. This Agreement may be executed in counterparts, each of which shall be
deemed to be an original and all of which together shall constitute a single document.
The Parties acknowledge and agree that the exchange of electronic or fax signatures will
have the same legal validity as the Parties' signatures would have if signed in hard copy
form.
k. Entire Agreement. This Agreement constitutes the entire agreement and
understanding between the Parties with respect to the subject matter hereof and
replaces in its entirety any prior discussions, negotiations, agreements or other
arrangements with respect to the subject matter, whether written or oral, all of which
are replaced by the terms of this Agreement. No amendment or modification of this
Agreement shall be valid and binding unless made in writing and signed by authorized
representatives of all Parties.
I. Notice. All notices pertaining to or required by this Agreement shall be in writing,
signed by an authorized representative of the notifying Party, and delivered by
registered, certified, or by an express/overnight delivery service and sent to the other
Party or Parties at the address(s) designated below:
RCCO CONTACT:
Name: Gretchen McGinnis
Title: Sr. V.P. Public Policy & Performance improvement
Address: 10065 E. Harvard Ave., Suite 600
Denver, CO 80231
Telephone Number: 720-944-5500
Fax Number: 303-369-0429
Email Address: Gretchen.mcginnis@coaccess.com
WELD COUNTY DEPARTMENT OF HUMAN SERVICES CONTACT:
Name: Heather Walker
Title: Division Head, Weld County DHS, Child Welfare
Address: 315 A. North 11th Avenue, Greeley, CO 80631
Telephone Number: 970-352-1551 x6218
Fax Number:
Email Address: WALKERHDAco.weld.co.us
IN WITNESS WHEREOF, each Party has caused this Agreement to be executed by its duly
authorized representative, as of the dates set forth below.
RCCO / BOARD OF a NTY COMMISSIONERS
WELD C , CORADO
By ff � William F. Garcia, Chair DEC 0 9 2013
Printed Name: ii Ce�iC,i+1Er� �� ��� M,S
Title& , q ? F-th1' ( V I iV-� AT1'
Weld County Clerk to the Boar
BY:
Deputy Clerk to the Board
Date: DEC 0 9 2013
Exhibit A
COLORADO ACCESS
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made on this 20th day of November,
2013 ("Effective Date"), by Colorado Access, a Colorado non-profit corporation ("Colorado Access" or
"Covered Entity"), and Weld County Department of Human Services, Child Welfare ("Business
Associate") (together, the "Parties"),
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), Public Law 104-191, known as "the Administrative Simplification
provisions," direct the Department of Health and Human Services to develop standards to protect the
security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and
Human Services has issued regulations modifying the Code of Federal Regulations ("C.F.R.") at Title 45,
Parts 160 and 164 (the "HIPAA Privacy Rule"); and
WHEREAS, the Parties acknowledge that effective March 26, 2013 45 C.F.R. §§ 164.308,
164.310, 164.312, 164.316, 164.504(e), and additional requirements of the Health Information
Technology for Economic and Clinical Health Act ("HITECH Act") and HIPAA that relate to security and
privacy, will apply to Business Associate and subcontractors (as defined below) in the same manner that
such sections apply to Covered Entity (as defined below); and
WHEREAS, the Parties have entered into one or more contracts for the provision of services
and/or products between them ("Arrangement"), and they acknowledge that Business Associate may
have access to Protected Health Information (as defined below) in fulfilling its responsibilities under
such Arrangement;
NOW, THEREFORE, in consideration of the Parties' continuing obligations under the
Arrangement, and for other good and valuable consideration, the receipt and sufficiency of which is
hereby acknowledged, the Parties hereby agree to the provisions of this Agreement in order to ensure
compliance with the requirements of HIPAA, its implementing regulations, the HITECH Act, and to
protect the interests of both Parties.
I. Definitions. The following terms shall have the meaning ascribed to them in this Section. Other
capitalized terms shall have the meaning ascribed to them in the context in which they first appear.
A, Breach shall have the same meaning as the term "breach" in Section 13400 of the
HITECH Act and shall include the unauthorized acquisition, access, use, or disclosure of PHI that
compromises the security or privacy of such information.
B. Business Associate shall have the meaning set forth in 45 C.F.R. § 160,103, and shall
mean the entity or individual identified as Business Associate in the first paragraph of this Agreement.
C. Covered Entity shall have the same meaning set forth in 45 C.F.R. § 160.103, and shall
mean Colorado Access.
D. Designated Record Set shall have the same meaning as the term "designated record
set" in 45 C,F.R, § 164.501.
E. Electronic Media shall have the meaning set forth in 45 C.F.R. § 160.103, and generally
shall mean:
1. Electronic storage material on which data is or may be recorded electronically,
includes, but is not limited to, devices in computers (hard drives) and any
removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or
digital memory card,
2. Transmission media used to exchange Information already in electronic storage
media. Transmission media include, but are not limited to, the Internet, extranet or Intranet,
leased lines, dial -up lines, private networks, and the physical movement of
removable/transportable electronic storage media.
G. Electronic Protected Health Information or ePHI shall have the meaning set forth in 45
C.F.R. § 160.103, and generally shall mean PHI that is transmitted or maintained In any electronic media.
G. HITECH Act means the Health Information Technology for Economic and Clinical Health
Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-5.
H. HHS Privacy and Security Regulations shall mean 45 C.F.R. Parts 160 and 164.
Individual shall mean the person who is subject to the PHI, and shall include a person
who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
J. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health
Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as
may otherwise be amended from time to time.
K. Protected Health Information or PHI shall have the same meaning as the term
"protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by
Business Associate from or on behalf of the Covered Entity. The term PHI as used herein shall be
inclusive of ePHI,
L. Required By Law shall have the same meaning as the term "required by law" in 45 C.F.R.
§ 164.103.
M, Secretary shall mean the Secretary of the Department of Health and Human Services
("Secretary" or "Secretary of HHS") and any other officer or employee of HHS to whom the authority
involved has been or is delegated.
N. Security Incident shall mean the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system operations in an
information system. An attempted unauthorized access means any attempted unauthorized access that
prompts Business Associate to investigate the attempt, or review or change its current security
measures.
O. Security Rule shall mean the Security Standards at 45 C,F.R. Parts 160 and 164, Subparts
A and C, as may be amended from time to time.
P. Unsecured Protected Health Information or "Unsecured PHI" shall mean PHI that is not
secured through the use of a technology or methodology specified by the Secretary in guidance or as
otherwise defined in §13402(h) of the HITECH Act.
Q. Workforce means employees, volunteers, trainees, and other persons whose conduct,
in the performance of work for Business Associate or subcontractor, is under the direct control of such
Business Associate or subcontractor, whether or not they are paid by the Business Associate or
subcontractor or as otherwise defined in 45 CFR §160.103.
II. Obligations of Business Associate.
A. Maintain the Privacy and Security of PHI. When Business Associate possesses PHI, it is
necessary that Business Associate maintain the privacy and security of the PHI in compliance with this
Agreement. Business Associate must maintain the privacy and security of PHI in compliance with the
Privacy Rule, Security Rule, HITECH Act, and any future amendments to same as those regulations apply
directly to Business Associate.
B. Use or Disclosure of PHI. Business Associate shall not use and shall ensure that its
directors, officers, employees, subcontractors and agents do not use PHI in any manner other than as
permitted or required by this Agreement, as necessary to perform the services set forth In the
Arrangement or as Required By Law.
C. Safeguards against misuse of PHI. Business Associate shall implement administrative,
physical and technical safeguards that reasonably and appropriately protect the privacy security,
confidentiality, integrity and availability of any PHI that Business Associate creates, receives, maintains
or transmits on behalf of Covered Entity, Such safeguards shall include, without limitation, maintaining
applicable policies and procedures, conducting and documenting a security risk assessment, and training
Business Associate's employees who will have access to PHI in accordance with HIPAA/HITECH and the
implementing regulations. Business Associate shall require that any agent, including a subcontractor,
and/ or third party that is provided, creates, receives, maintains, or has access to PHI to agree in writing
to the same restrictions and conditions on the use and disclosure of PHI that apply to the Business
Associate pursuant to this Agreement.
D. Mitigation. In the event of an unauthorized use or disclosure of PHI, or a Breach of
Unsecured PHI, Business Associate agrees to mitigate, to the extent practicable, any harmful effects of
such disclosure(s) that are known to Business Associate or a subcontractor.
E. Notification and Reporting in the Case of a Breach.
1. Secured PHI. Business Associate shall notify Covered Entity within two (2)
business days of knowledge of a Breach, Security Incident, use or disclosure of secured PHI not
provided for by this Agreement. Business Associate shall be deemed to have knowledge of a
Breach if the Breach is known, or by exercising reasonable diligence would have been known by
an employee, officer, representative, subcontractor, or other agent of Business Associate. Such
notification shall include all elements required by Covered Entity to notify individuals in case of a
Breach.
2, Unsecured PHI. Without unreasonable delay and in no case later than two (2)
calendar days, Business Associate shall notify Covered Entity of a Breach of Unsecured PHI
following the first day on which Business Associate (or Business Associate's employee, officer,
subcontractor or agent) knows of such Breach or following the first day on which Business
Associate (or Business Associate's employee, office, subcontractor or agent) should have known
of such Breach. Business Associate's notification to Covered Entity shall comply with all required
provisions under §13402 of the HITECH Act, including but not limited to provisions relating to
timeliness, method and content of such notification.
F. Agreements by Third Parties. Business Associate shall enter into an agreement with
any agents and/or subcontractors to whom Business Associate provides PHI that is received from,
created, maintained by, or received by, Business Associate on behalf of Covered Entity. Such
agreements with agents and/or Subcontracts shall require agents and/or subcontractors to be bound by
the same restrictions, terms and conditions contained in this Agreement and will ensure that any agents
and/or subcontractors that create, receive, maintain, or transmit protected health information on behalf
of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the
Business Associate with respect to such information. Furthermore, agents and subcontractors shall
agree to implement reasonable and appropriate safeguards to protect PHI and shall agree to comply
with the applicable Privacy and Security Rules. Business Associate shall make such agreements with
subcontractor available for Covered Entity's inspection at Covered Entity's request.
G. Access to Information. In the event that Business Associate maintains PHI in a
Designated Record Set, Business Associate shall, within five (5) days of a request by Covered Entity for
access to PHI about an Individual, make available to Covered Entity such PHI for so long as such
information is maintained. In the event any Individual requests access to PHI directly from Business
Associate, Business Associate shall, within two (2) days of receiving such request, forward the same to
Covered Entity. Business Associate must provide Covered Entity access to PHI in electronic form or any
other reasonable format requested by Covered Entity or an Individual. Any denial of access to the PHI
request shall be the responsibility of Covered Entity.
H. Amendment of PHI. Business Associate agrees that, upon receipt from Covered Entity
of written notice regarding any amendment of the PHI in a Designated Record Set, Business Associate
will make such amendment to the record or attach such documents to the record as instructed by
Covered Entity. If Business Associate directly receives a request from an Individual for an amendment of
the Designated Record Set, Business Associate shall, within two (2) days of receiving such request,
forward the same to Covered Entity. If Business Associate is a "covered entity" as defined by the Privacy
Rule, it may follow its own amendment procedures for records It has created, provided such procedures
are in compliance with the Privacy Rule and State law. Business Associate shall support Covered Entity in
a manner that enables Covered Entity to meet its obligations under 45 C.F.R. Section 164326.
I. Accounting of Disclosures.
1. Business Associate agrees to implement an appropriate record keeping process to
document and track any disclosures of PHI by Business Associate, its agents, or its
subcontractors. Information related to such disclosures to respond to a request by an
Individual for an accounting in accordance with 45 C.F.R. § 164.528 shall be provided to
Covered Entity within five (5) business days of receipt of such request by Covered Entity In
such format as requested by Covered Entity.
2. At a minimum, Business Associate shall provide covered entity with the following
information: (a) the date of the disclosure; (b) the name of the entity or person who
received the PHI, and if known, the address of such entity or person; (c) a brief description
of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure.
3. Business Associate will implement a process that allows for an accounting to be
collected and maintained by Business Associate and its agents and subcontractors for at
least six (6) years prior to the request.
4. In the event any Individual requests an accounting of disclosure of PHI directly from
Business Associate, Business Associate shall forward such request to Covered Entity within
two (2) business days.
5. Business Associate shall support Covered Entity in a manner that enables Covered Entity
to meet its obligations under 45 C.F.R. Section 164.528.
J. Access and Inspection. Business Associate agrees to make all internal practices, books,
records, policies, agreements, procedures, and/or compliance reports related to the use, disclosure,
security, and privacy of PHI available to Covered Entity or the Secretary for purposes of determining
both Covered Entity's and Business Associate's compliance with the Privacy Rule, Security Rule, and
HITECH Act. Business Associate further agrees to cooperate with any audits or compliance reviews
conducted by HHS. Business Associate shall provide to Covered Entity a copy of any PHI that Business
Associate provides to the Secretary concurrently with providing such PHI to the Secretary. The fact that
Covered Entity inspects, or fails to inspect, or has the right to inspect Business Associate's Internal
practices, books, records, policies, agreements, procedures, and/ or compliance reports does not relieve
Business Associate of its responsibility to comply with this Addendum and, nor does Covered Entity's (i)
failure to detect or (ii) detection, but failure to notify Associate or require Associate's remediation of any
unsatisfactory practices, constitute acceptance of such practice or a waiver of Covered Entity's
enforcement rights under the Agreement.
K. Training of Workforce. Business Associate will train their Workforce on the
requirements of HIPAA/HITECH. Business Associate will update training as necessary.
L. Minimum Necessary. Business Associate, its agents and subcontractors shall only
request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the
request, use or disclosure in accordance with Minimum Necessary requirements of the Privacy Rule,
including but not limited to, 45 C.F.R. Sections 164.502(b) and 164.514(d).
M. Retention of Protected Information. Except upon termination of the Agreement, as
provided in Section V of this Agreement, Associate and its agents or subcontractors shall retain all PHI
throughout the term of this Agreement and shall continue to maintain the information under Section
II.(I) for a period of six (6) years.
N. Business Associate's Insurance. Business Associate shall maintain casualty and liability
insurance to cover loss of PHI data and claims based upon alleged violations of privacy rights through
improper use or disclosure of PHI. Ail such policies shall meet or exceed the minimum insurance
requirements of the Arrangement (e.g., occurrence basis, combined single dollar limits, annual
aggregate dollar limits, additional insured status, and notice of cancellation).
O. Safeguards During Transmission. Business Associate shall use appropriate safeguards
to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Covered Entity
pursuant to the Arrangement, in accordance with the standards and requirements of the Privacy Rule,
until such PHI is received by Covered Entity.
P. Restrictions and Confidential Communications. Within ten (10) business days of notice
by Covered Entity of a restriction upon uses and disclosures or request for confidential communications.
pursuant to 45 C.F.R. Section 164.522, Business Associate shall restrict the use or disclosure of an
individual's PHI, provided Business Associate has agreed to such a restriction. Business Associate shall
not respond directly to an individual's requests to restrict the use or disclosure of PHI or to send all
communication of PHI to an alternate address, Business Associate will refer such requests to the
Covered Entity so the Covered Entity can coordinate and prepare a timely response to the requesting
individual and provide direction to the Business Associate.
Q. Certification. To the extent that Covered Entity determines an examination is necessary
in order to comply with Covered Entity's legal obligations pursuant to HIPAA relating to certification of
its security practices, Covered Entity or its authorized agents or contractors may, at Covered Entity's
expense, examine Business Associate's facilities, systems, procedures, and records as may be necessary
for Covered Entity or such agents or contractors to certify to Covered Entity the extent to which
Business Associate's security safeguards comply with HIPAA, the H1PAA regulations or this Agreement.
III. Permitted Uses and Disclosures of PHI. Except as otherwise limited in this Agreement, Business
Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of,
Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the
Privacy Rule if done by Covered Entity. Except as otherwise limited in this Agreement, PHI which is
received by Business Associate either for the proper management and administration of Business
Associate or to carry out the legal responsibilities of Business Associate may be disclosed, provided that:
(i) the disclosure is Required By Law; or (ii) prior to making any such disclosure, Business Associate
obtains written approval from Covered Entity; or (iii) prior to making any such disclosure, Business
Associate obtains reasonable assurances from the entity to whom the information will be disclosed that
it will be held confidential and used or further disclosed only as Required By Law or for the purpose for
which it was disclosed to the entity, and (iv) the third party agrees to immediately 'notify Business
Associate of any instances of which It is aware in which the confidentiality of the information has been
Breached. In addition, Business Associate agrees to comply with (i) Section 13405 of the HITECH Act
which allows the Individual to restrict certain specific disclosures to health plans, provides a more
restrictive definition of "minimum necessary," and prohibits the sale of PHI, including ePHI, and (ii)
Section 13406 which clarifies and increases the restrictions on the marketing of PHI and fundraising.
IV. Prohibition on Selling, Marketing or Re -identification of PHI. Business Associate shall not sell
PHI or use PHI for marketing purposes.
V. Term and Termination
A. Term. The term of this Agreement shall commence on the Effective Date and shall
expire when all PHI provided by Covered Entity to Business Associate, or created or received by Business
Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
B. Termination.
1. Material Breach. In addition to any other provisions in the Arrangement regarding
breach, a breach by Business Associate of any provision of this Agreement, as determined solely
by Covered Entity, shall constitute a material breach of this Agreement and the Arrangement
and shall provide grounds for immediate termination of the Agreement and the Arrangement by
Covered Entity. if Covered Entity terminates under this Section Covered Entity shall have no
further liability to Business Associate. If the Arrangement contains no express provisions
regarding termination for cause, the following terms and conditions shall apply:
a. Default. If Associate refuses or fails to timely perform any of the provisions of
the Arrangement or Agreement, Covered Entity may notify Business Associate in writing
of the non-performance, and if not promptly corrected within the time specified,
Covered Entity may terminate the Arrangement and Agreement. Business Associate
shall continue performance of the Arrangement to the extent it is not terminated and
shall be liable for excess costs Incurred in procuring similar goods or services elsewhere.
b. Business Associate's Duties. Notwithstanding termination of the Arrangement
and Agreement, and subject to any directions from Covered Entity, Associate shall take
timely, reasonable and necessary action to protect and preserve property in the
possession of Business Associate in which Covered Entity has an interest.
c. Compensation. Payment for completed supplies delivered and accepted by
Covered Entity shall be at the Arrangement price. In the event of a material breach
under paragraph V(9)(1), Covered Entity may withhold amounts due Business Associate
as Covered Entity deems necessary to protect Covered Entity against loss from third
party claims of improper use or disclosure and to reimburse Covered Entity for the
excess costs incurred in procuring similar goods and services elsewhere.
d. Erroneous Termination for Default. If after such termination it is determined, for
any reason, that Business Associate was not in default, or that Business Associate's
action/inaction was excusable, Covered Entity shall have no liability to Business
Associate.
C. Reasonable Steps to Cure Breach. If Covered Entity knows of a pattern of activity or
practice of Business Associate that constitutes a material breach or violation of the Business Associate's
obligations under the provisions of this Agreement, or another agreement and does not terminate this
Agreement and the Arrangement pursuant to Section V(B)(1), then Covered Entity shall take reasonable
steps to cure such breach or end such violation, as applicable. if Covered Entity's efforts to cure such
breach or end such violation are unsuccessful, Covered Entity shall either (i) terminate the Agreement
and the Arrangement, if feasible or (ii) if termination of the Arrangement and Agreement is not feasible,
Covered shall report Business Associate's breach or violation to the Secretary of the Department of
Health and Human Services.
D. Judicial or Administrative Proceedings. Either party may terminate the Agreement and
Arrangement, effective immediately, if (i) the other party is named as a defendant in a criminal
proceeding for a violation of HIPAA, the HIPAA Regulations or other security or privacy laws or (ii) a
finding or stipulation that the other party has violated any standard or requirement of HIPAA, the HIPAA
Regulations or other security or privacy laws is made in any administrative or civil proceeding in which
the party has been joined.
E. Effects of Termination. Upon termination of this Agreement for any reason, Business
Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business
Associate on behalf of Covered Entity, This provision shall apply to PHI that is in the possession of
subcontractors or agents of Business Associate. Business Associate shall retain no copies of PHI. In the
event that Business Associate determines that returning or destroying the PHI is infeasible, Business
Associate shall provide to Covered Entity notification of the conditions that make return or destruction
infeasible. Upon determination by Covered Entity that return or destruction of PHI is infeasible,
Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and
disclosures of such PHI to only those purposes that make the return or destruction infeasible, for so long
as Business Associate maintains such PHI.
VI. Additional Provisions.
A. Applicable Law. This Agreement shall be deemed executed in the State of Colorado,
regardless of the domicile of Business Associate. It shall be construed and interpreted in accordance
with, and its performance governed by, the laws of the State of Colorado.
B. Indemnification and Liability. In the event of a Breach, negligence, gross negligence, or
willful misconduct by Business Associate, its agents, employees, or subcontractors, Business Associate
will, at its sole expense, indemnify, hold harmless and, at Covered Entity's written request, defend
Covered Entity and its Members, Plan Participants, affiliates, directors, officers, employees, agents,
independent contractors, and the State of Colorado, from and against any and all loss, cost, liability or
expense (including costs and reasonable fees of attorneys and other professionals) arising out of or in
connection with such Breach, negligence, gross negligence, or willful misconduct, including without
limitation costs associated with the notification of Individuals, media, and credit monitoring that are a
result of such Breach.
C. No Third Party Rights. Except as expressly stated herein or in the Privacy Rule, the
Parties to this Agreement do not intend to create any rights in any third parties. The obligations of
Business Associate under this Section shall survive the expiration, termination, or cancellation of this
Agreement, the Arrangement and/or the business relationship of the Parties, and shall continue to bind
Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
D. Agency. Business Associate is not an agent of Covered Entity. Covered Entity does not
control, supervise or instruct the Business Associate or any of its subcontractors. None of the provisions
of this Agreement are intended to create, nor will they be deemed to create, any relationship between
the Parties other than that of independent parties contracting with each other solely for the purposes of
implementing the provisions of this Agreement, or the Arrangement.
E. Injunctive Relief. Covered Entity shall have the right to injunctive and other equitable
and legal relief against Business Associate or any of its agents or subcontractors in the event of any use
or disclosure or PHI in violation of this Agreement or applicable law. Covered Entity may seek any legal
remedy, including an injunctive relief or specific performance, without bond, security or necessity of
demonstrating actual damages.
F. Limitation of Liability. Any limitation of Business Associate's liability in the
Arrangement shall be inapplicable to the terms and conditions of this Agreement.
G. Assistance in Litigation or Administrative Proceedings. Business Associate shall make
itself available, and any subcontractors, employees or agents assisting Business Associate in the
performance of its obligations under the Agreement and Arrangement, available to Covered Entity, at no
cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative
proceedings being commenced against Covered Entity, its directors, officers, or employees based upon a
claimed violation of HIPAA, the Privacy Rule or other laws relating to security and privacy or PHI, except
where Business Associate or its subcontractor, employee or agent is a named adverse party.
H. Notice of Changes. Covered Entity shall provide Business Associate with a copy of its
notice of privacy practices produced in accordance with 45 C.F.R. Section 164.520, as well as any
subsequent changes or limitation(s) to such notice, to the extent such changes or limitation(s) may
affect Business Associate's use or disclosure of PHI. Covered Entity shall provide Business Associate with
any changes in, or revocation of, permission to use or disclose PHI, to the extent it may affect Business
Associate's permitted use or disclosure of PHI that Covered Entity has agreed to in accordance with 45
C.F.R. Section 164.522. Covered Entity may effectuate any and all such notices of non -private
information via posting on Covered Entity's website.
I. Amendment. Upon enactment of any law or regulation affecting the use and/or
disclosure of PHI, or the publication of any court decision relating to any such law, or the publication of
any interpretive policy, opinion or guidance of any governmental agency charged with the enforcement
of any such law or regulation, Covered Entity may, by written notice to Business Associate, amend this
Agreement to comply with such law or regulation. Upon the request of Covered Entity, the other party
agrees to promptly enter into negotiations concerning the terms of an amendment to this Agreement
embodying written assurances consistent with the standards and requirements of HIPAA, the Privacy
Rule or other applicable laws. Covered Entity may terminate the Arrangement upon thirty (30) days
written notice in the event that (i) Business Associate does not promptly enter into negotiations to
amend this Agreement when requested by Covered Entity pursuant to this Section or (ii) Business
Associate does not enter into an amendment to this Agreement providing assurances regarding the
safeguarding of PHI that Covered Entity, In Its sole discretion, deems sufficient to satisfy the standards
and requirements of HIPAA and the Privacy Rule.
J. Survival. The respective rights and obligations of Business Associate under Section II
shall survive the termination of this Agreement. The applicable rights of the Covered Entity shall survive
termination of this Agreement.
K. Disclaimer. Covered Entity makes no warranty or representation that compliance by
Business Associate with this Agreement, HIPAA or HIPAA regulations will be adequate or satisfactory for
Associate's own purposes. Business Associate is solely responsible for all decisions made by Business
Associate regarding the safeguarding of PHI.
L. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered
Entity to comply with the HHS Privacy and Security Regulations. The provisions of this Agreement shall
prevail over any provisions in the Arrangement that may conflict or appear inconsistent with any
provision in this Agreement.
M, Severability. In the event that any provision of this Agreement is held by a court of
competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this
Agreement will remain in full force and effect.
N. Counterparts. This Agreement and any amendments may be executed by electronic
signature and in multiple counterparts and may be delivered by fax or other electronic means, all of
which shall be deemed to be originals, and all of which shall constitute one document.
0. Entire Agreement. This Agreement constitutes the entire Business Associate
Agreement between the Parties with respect to its subject matter and supersedes all past and
contemporaneous business associate agreements or provisions, promises, and understandings, whether
oral or written, between the Parties that relate to Business Associate's obligation as a Business Associate
of Covered Entity.
The Parties have agreed to the terms of the above written Business Associate Agreement as of
the Effective Date set forth above.
On Behalf of:
RCCO:
Colorado Acces
By:•
ivy tIS
(Print Nam
� 1 } � l
Its . , �. • C co
(Title)
Date: ii 1 I csic3'() 13
BUSINESS ASSOCIATE:
ATTEST:
Weld County Clerk to the Boar
BY:
Deputy Clerk t "he Board
BOARD OF COUNTY COMMISSIONERS
WELD COUORADO
William F. Garcia, Chair
DEC 092013
&:2/ 33V1)
Hello