HomeMy WebLinkAbout20121277.tiff RESOLUTION
RE: APPROVE AMENDMENT#3 TO CONTRACT TO PERFORM FUNCTIONS OF A SINGLE
ENTRY POINT AGENCY FOR MEDICAID LONG TERM CARE AND AUTHORIZE CHAIR
TO SIGN
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS,the Board has been presented with Amendment#3 to the Contract to perform
the functions of a Single Entry Point Agency for Medicaid Long Term Care between the County of
Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on
behalf of the Department of Human Services,Area Agency on Aging, and the Colorado Department
of Health Care Policy and Financing, commencing upon full execution, with further terms and
conditions being as stated in said contract amendment, and
WHEREAS,after review,the Board deems it advisable to approve said contract amendment,
a copy of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that Amendment#3 to the Contract to perform the functions of a Single Entry
Point Agency for Medicaid Long Term Care between the County of Weld, State of Colorado, by and
through the Board of County Commissioners of Weld County, on behalf of the Department of Health
Care Policy and Financing, Area Agency on Aging, and the Colorado Department of Human
Services be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to
sign said contract amendment.
The above and foregoing Resolution was, on motion duly made and seconded, adopted by
the following vote on the 21st day of May, A.D., 2012.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST: P -----
Sean P. c9
Weld County Clerk to the Board
illia F. Garcia, Pro-Tem
BY:
Deputy CI to the Boar 61 O c� Cill ati
ra Kirkmeye
Val k :
APP , ED AS T M: ®t_w���. cC
O11--
-� vidt. Long
6 rney � W
Dougla ademach
Date of signature: -13---1 a-
2012-1277
HR0083
MEMORANDUM
Vi 1861
DATE: May 17, 2012
TO: Sean P. Conway, Chair, Board of County Commiss'oners
12 O U N T Y FROM: Judy A. Griego, Director, Human ices) /I (
RE: Contract Amendment#3 to the Weld County Department of
Human Services' Area Agency on Aging Single Entry Point
Contract with the Colorado Health Care Policy and
Financing
Enclosed for Board approval is Contract Amendment #3 to the Area Agency on Aging Single
Entry Point Contract between the Department and the Colorado Health Care Policy and Financing.
This Contract Amendment was reviewed by Pass-around Memorandum dated May 7, 2012, and
approved for placement on the Board's Agenda.
The purpose of the Amendment is to revise HCBS client service provider updates and fact
sheet requirements, revise reporting requirements and update the HIPAA Business Associate
Addendum to meet current federal requirements.
No changes were made in the overall contract reimbursement. The effective date of this
Amendment is July 1, 2012.
If you have any questions, give me a call at extension 6510.
2012-1277
Department of Health Care Policy and Financing
Contract Routing Number
13-42517
CONTRACT AMENDMENT NO. 3
Original Contract Routing Number 3011-1322, CMS #20517
Amendment No. 1, 3011-9191, CMS# 30077
Option Letter No. 01, 3012-9074, CMS #33661
Option Letter No. 02, 3012-9202, CMS # 37282
Amendment No. 2, 3012-9228, CMS #37974
1. PARTIES
This Amendment to the above-referenced Original Contract (hereinafter called the "Contract") is
entered into by and between Weld County Department of Human Services, by and through the
Weld County Board of Commissioners, PO Box 1805, Greeley, Colorado 80632, (hereinafter
called "Contractor"), and the STATE OF COLORADO, acting by and through the Department
of Health Care Policy and Financing, 1570 Grant Street, Denver, Colorado 80203 (hereinafter
called "Department" or"State").
2. EFFECTIVE DATE AND ENFORCEABILITY
This Amendment shall not be effective or enforceable until it is approved and signed by the
Colorado State Controller or designee (hereinafter called the "Effective Date"). The Department
shall not be liable to pay or reimburse Contractor for any performance hereunder, including, but
not limited to, costs or expenses incurred, or be bound by any provision hereof prior to the
Effective Date.
3. FACTUAL RECITALS
The parties entered into the Contract to secure home and community-based waiver and long term
home health case management and associated utilization review services for applicants and
clients of Medicaid Long Term Care. The purpose of this Amendment is to revise HCBS client
service provider updates and fact sheet requirements, revise reporting requirements and update
the HIPAA Business Associate Addendum to meet current federal requirements.
4. CONSIDERATION
The Parties acknowledge that the mutual promises and covenants contained herein and other
good and valuable consideration are sufficient and adequate to support this Amendment.
5. LIMITS OF EFFECT
This Amendment is incorporated by reference into the Contract, and the Contract and all prior
amendments thereto, if any, remain in full force and effect except as specifically modified
herein.
aoia-7a77
6. MODIFICATIONS
The Contract and all prior amendments thereto, if any, are modified as follows:
A. Exhibit A, Statement of Work, Section 4, Contractor's Obligations, Subsection C, is
hereby deleted in its entirety and replaced with the following:
C. The Contractor shall perform the Case Management functions for eligible persons as
defined in the state statutes and regulations, including but not limited to
intake/screening/referral, assessment of client need using the Department-prescribed
form, determination of functional eligibility, development and implementation of a
Service Plan, on-going Case Management, monitoring of clients, reassessment and
case closure.
The Contractor shall initiate contact with each HCBS client's service providers for
updates on the client's condition and progress of treatment, updating the Service Plan
as necessary. The Contractor shall perform these reviews bi-annually, or as often as
required by the client's HCBS waiver or whenever there is a significant change in the
client's condition.
B. Exhibit A, Statement of Work, Section 4, Contractor's Obligations, Subsection D,
Paragraph 2, is hereby deleted in its entirety and replaced with the following:
2. Establishing a Resource Development committee to facilitate the development of
local resources to meet the long-term care needs of individuals who reside within the
Single Entry Point District. At least annually, committee updates shall be provided to
the Department.
Active, on-going participation by key management or administrative staff in area
provider or interest group meetings to discuss resource development issues are an
acceptable substitute as long as complete documentation of the discussions and
progress made in developing relevant solutions is forwarded to the Department at
least annually.
Annually, a report on Resource Development shall be provided to the Department on
a form and in a format provided by the Department. The annual report shall be
provided to the Department by July 31st each year for the prior State Fiscal Year's
activities.
C. Exhibit A, Statement of Work, Section 6, Training, Complaints, Appeals, Critical
Incidents and Administrative Oversight Requirements, is hereby deleted in its
entirety and replaced with the following:
6. TRAINING, COMPLAINTS, APPEALS, CRITICAL INCIDENTS AND
ADMINISTRATIVE OVERSIGHT REQUIREMENTS:
A. Training. The Contractor shall, at a minimum, train all case managers hired
since the effective date of this contract in the following areas prior to
independent case management assignment:
Page 2 of 5
1. Long Term Care Eligibility;
2. Intake and Referral;
3. ULTC 100.2 Assessment;
4. Service Plan Development;
5. Notices and Appeals;
6. BUS Documentation; and
7. Home Health.
The Contractor shall provide to the Department an electronic listing of all case
management staff hired since the effective date of this contract and an attendance
roster for each training area identified using the reporting template attached to
this contract as Exhibit D, Case Manager Training Report Template. This report
shall be due quarterly on the schedule identified in §8, Reporting — Notification,
of the Contract.
All new case management staff shall receive at a minimum basic training
and instruction in all of these areas as a prerequisite to independent placement.
Documentation of the successful completion of this basic training and
instruction shall be included on the Case Manager Training Report Template
provided as Exhibit D to this Contract.
B. Complaint Process:
1. The Contractor shall document complaints received by the agency;
2. The Contractor shall take appropriate action to address substantiated
complaints;
3. The Contractor shall respond to complaints received and document
actions taken to resolve and/or mitigate complaints to the extent possible;
and
4. The Contractor shall conduct quarterly complaint process trend analyses.
The Contractor shall submit to the Department, using the reporting template
attached to this contract as Exhibit E, Complaint Trends/Remedial Action
Report Template, a trend analysis and corrective action report indicating any
complaint-oriented trends observed since the effective date of this contract and
the remedial actions taken to address them. This report shall be due quarterly on
the schedule identified in §8, Reporting—Notification, of the Contract.
C. Appeals:
1. In reference to appeals initiated and closed during the contract period,
the Contractor shall have represented the Department and worked
towards obtaining a favorable decision;
2. The Contractor shall process appeals in accordance with schedules
published by the State of Colorado Office of Administrative Courts and
rules promulgated by the Department;
Page 3 of 5
3. The Contractor shall represent the Department in accordance with 10
C.C.R. 2505-10, Sections 8.057 et seq and 8.393 et seq; and
4. The Contractor shall submit all exceptions to the Office of Appeals
and include required information.
D. Critical Incident Reporting:
1. The Contractor shall document critical incidents in the Department-
prescribed system;
2. The Contractor shall take appropriate action to address substantiated
critical incidents;
3. For State Fiscal Year 2010-11 only, the Contractor shall perform critical
incident trend analyses at least quarterly. The Contractor shall submit to
the Department by the end of each quarter and using the reporting template
attached to this contract as Exhibit F, Critical Incident Trends/Remedial
Action Report Template, a trend analysis and corrective action report
indicating any concerning critical incident-oriented trends observed since
the effective date of this contract and the remedial actions taken to address
them.
E. Administrative Review Tool:
The Contractor shall submit to the Department the results of the application
of the tool attached to this contract as Exhibit B, Case Management Agency
(CMA) Administrative Review Tool. This report shall be due quarterly on the
schedule identified in §8, Reporting—Notification, of the Contract.
D. HIPAA Business Associate Addendum, Revised 10/15/07 is hereby deleted in its
entirety and replaced with the HIPAA Business Associate Addendum, Revised 7/10,
attached, and incorporated by reference into the Contract.
7. START DATE
This Amendment shall take effect on the later of its Effective Date or July 1, 2012.
8. ORDER OF PRECEDENCE
Except for the Special Provisions and the HIPAA Business Associates Addendum, in the event
of any conflict, inconsistency, variance, or contradiction between the provisions of this
Amendment and any of the provisions of the Contract, the provisions of this Amendment shall in
all respects supersede, govern, and control. The most recent version of the Special Provisions
incorporated into the Contract or any amendment shall always control other provisions in the
Contract or any amendments.
9. AVAILABLE FUNDS
Financial obligations of the state payable after the current fiscal year are contingent upon funds
for that purpose being appropriated, budgeted, or otherwise made available to the Department by
the federal government, state government and/or grantor.
Page 4 of 5
Contract Routing Number 13-42517
THE PARTIES HERETO HAVE EXECUTED THIS AMENDMENT
Persons signing for Contractor hereby swear and affirm that they are authorized to act on
Contractor's behalf and acknowledge that the State is relying on their representations to that
effect.
CONTRACTOR: STATE OF COLORADO:
Weld County Department of Human John W. Hickenlooper, Governor
Services by and through the Weld
County Board
of Commissioners
)12
By: c U By: rib-&
Signature of Authorized OfficC- Susan E. Birch, MBA, BSN, RN
Executive Director
Department of Health Care Policy and
Financing
Date: MAY 2 12012 Date:
Sean P. Conway, LEGAL REVIEW:
Printed Name of Authorized Officer John W. Suthers, Attorney General
Chair
Printed Title of Authorized Officer By: L)/ Pi
Date:
ALL CONTRACTS REQUIRE APPROVAL BY THE STATE CONTROLLER
CRS §24-30-202 requires the State Controller to approve all State Contracts. This Contract is not
valid until signed and dated below by the State Controller or delegate. Contractor is not
authorized to begin performance until such time. If Contractor begins performing prior thereto,
the State of Colorado is not obligated to pay Contractor for such performance or for any goods
and/or services provided hereunder.
ST 'E CONTR R:
id . cDermott, CPA
By:
Departme t of eal h Care 'obey and Financing
Date: / e.
Page 5 of 5
a9/&-/0? 7 7
HIPAA BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum ("Addendum") is part of the Contract between the
State of Colorado, Department of Health Care Policy and Financing, and Weld County
Department of Human Services by and through the Weld County Board of Commissioners,
Contract Routing Number 3011-1322. For purposes of this Addendum, the State is referred to as
"Department", "Covered Entity" or"CE" and the Contractor is referred to as "Associate". Unless
the context clearly requires a distinction between the Contract document and this Addendum, all
references herein to "the Contract" or"this Contract" include this Addendum.
RECITALS
A. CE wishes to disclose certain information to Associate pursuant to the terms of the
Contract, some of which may constitute Protected Health Information ("PHI") (defined
below).
B. CE and Associate intend to protect the privacy and provide for the security of PHI
disclosed to Associate pursuant to this Contract in compliance with the Health Insurance
Portability and Accountability Act of 1996, 42 U.S.C. § 1320d— 1320d-8 ("HIPAA") as
amended by the American Recovery and Reinvestment Act of 2009 ("ARRA")/HITECH
Act (P.L. 111-005), and its implementing regulations promulgated by the U.S.
Department of Health and Human Services, 45 C.F.R. Parts 160, 162 and 164 (the
"Privacy Rule") and other applicable laws, as amended.
C. As part of the HIPAA regulations, the Privacy Rule requires CE to enter into a contract
containing specific requirements with Associate prior to disclosure of PHI, as set forth in,
but not limited to, Title 45, Sections 160.103, 164.502(e) and 164.504(c) of the Code of
Federal Regulations ("C.F.R.") and contained in this Addendum.
The parties agree as follows:
I. Definitions.
a. Except as otherwise defined herein, capitalized terms in this Addendum shall have
the definitions set forth in the HIPAA Privacy Rule at 45 C.F.R. Parts 160, 162 and 164, as
amended. In the event of any conflict between the mandatory provisions of the Privacy Rule and
the provisions of this Contract, the Privacy Rule shall control. Where the provisions of this
Contract differ from those mandated by the Privacy Rule, but are nonetheless permitted by the
Privacy Rule, the provisions of this Contract shall control.
b. "Protected Health Information" or "PHI" means any information, whether oral or
recorded in any form or medium: (i) that relates to the past, present or future physical or mental
condition of an individual; the provision of health care to an individual; or the past, present or
future payment for the provision of health care to an individual; and (ii) that identifies the
individual or with respect to which there is a reasonable basis to believe the information can be
IICPF HIPAA BA Page 1 of I Revised 7/10
used to identify the individual, and shall have the meaning given to such term under the Privacy
Rule, including, but not limited to, 45 C.F.R. Section 164.501.
c. "Protected Information" shall mean PHI provided by CE to Associate or created
or received by Associate on CE's behalf. To the extent Associate is a covered entity under
HIPAA and creates or obtains its own PHI for treatment, payment and health care operations,
Protected Information under this Contract does not include any PHI created or obtained by
Associate as a covered entity and Associate shall follow its own policies and procedures for
accounting, access and amendment of Associate's PHI.
2. Obligations of Associate.
a. Permitted Uses. Associate shall not use Protected Information except for the
purpose of performing Associate's obligations under this Contract and as permitted under this
Addendum. Further, Associate shall not use Protected Information in any manner that would
constitute a violation of the Privacy Rule if so used by CE, except that Associate may use
Protected Information: (i) for the proper management and administration of Associate; (ii) to
carry out the legal responsibilities of Associate; or (iii) for Data Aggregation purposes for the
Health Care Operations of CE. Additional provisions, if any, governing permitted uses of
Protected Information are set forth in Attachment A to this Addendum. Associate accepts full
responsibility for any penalties incurred as a result of Associate's breach of the Privacy Rule.
b. Permitted Disclosures. Associate shall not disclose Protected Information in any
manner that would constitute a violation of the Privacy Rule if disclosed by CE, except that
Associate may disclose Protected Information: (i) in a manner permitted pursuant to this
Contract; (ii) for the proper management and administration of Associate; (iii) as required by
law; (iv) for Data Aggregation purposes for the Health Care Operations of CE; or (v) to report
violations of law to appropriate federal or state authorities, consistent with 45 C.F.R. Section
164.502(j)(1). To the extent that Associate discloses Protected Information to a third party,
Associate must obtain, prior to making any such disclosure: (i) reasonable assurances from such
third party that such Protected Information will be held confidential as provided pursuant to this
Addendum and only disclosed as required by law or for the purposes for which it was disclosed
to such third party; and (ii) an agreement from such third party to notify Associate within two
business days of any breaches of confidentiality of the Protected Information, to the extent it has
obtained knowledge of such breach. Additional provisions, if any, governing permitted
disclosures of Protected Information are set forth in Attachment A.
c. Appropriate Safeguards. Associate shall implement appropriate safeguards as are
necessary to prevent the use or disclosure of Protected Information other than as permitted by
this Contract. Associate shall comply with the requirements of the Security Rules, 164.308,
164.310, 164.312, and 164.316. Associate shall maintain a comprehensive written information
privacy and security program that includes administrative, technical and physical safeguards
appropriate to the size and complexity of the Associate's operations and the nature and scope of
its activities.
HCPF HIPAA BA Page 1 of 1 Revised 7/10
d. Reporting of Improper Use or Disclosure. Associate shall report to CE in writing
any use or disclosure of Protected Information other than as provided for by this Contract within
five (5) business days of becoming aware of such use or disclosure.
e. Associate's Agents. If Associate uses one or more subcontractors or agents to
provide services under the Contract, and such subcontractors or agents receive or have access to
Protected Information, each subcontractor or agent shall sign an agreement with Associate
containing substantially the same provisions as this Addendum and further identifying CE as a
third party beneficiary with rights of enforcement and indemnification from such subcontractors
or agents in the event of any violation of such subcontractor or agent agreement. Associate shall
implement and maintain sanctions against agents and subcontractors that violate such restrictions
and conditions shall mitigate the effects of any such violation.
f. Access to Protected Information. Associate shall make Protected Information
maintained by Associate or its agents or subcontractors in Designated Record Sets available to
CE for inspection and copying within ten (10) business days of a request by CE to enable CE to
fulfill its obligations to permit individual access to PHI under the Privacy Rule, including, but
not limited to, 45 C.F.R. Section 164.524.
g. Amendment of PHI. Within ten (10) business days of receipt of a request from CE
for an amendment of Protected Information or a record about an individual contained in a
Designated Record Set, Associate or its agents or subcontractors shall make such Protected
Information available to CE for amendment and incorporate any such amendment to enable CE
to fulfill its obligations with respect to requests by individuals to amend their PHI under the
Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.526. If any individual requests
an amendment of Protected Information directly from Associate or its agents or subcontractors,
Associate must notify CE in writing within five (5) business days of receipt of the request. Any
denial of amendment of Protected Information maintained by Associate or its agents or
subcontractors shall be the responsibility of CE.
h. Accounting Rights. Within ten (10) business days of notice by CE of a request for
an accounting of disclosures of Protected Information, Associate and its agents or subcontractors
shall make available to CE the information required to provide an accounting of disclosures to
enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45
C.F.R. Section 164.528. As set forth in, and as limited by, 45 C.F.R. Section 164.528, Associate
shall not provide an accounting to CE of disclosures: (i) to carry out treatment, payment or
health care operations, as set forth in 45 C.F.R. Section 164.506; (ii) to individuals of Protected
Information about them as set forth in 45 C.F.R. Section 164.502; (iii) pursuant to an
authorization as provided in 45 C.F.R. Section 164.508; (iv) to persons involved in the
individual's care or other notification purposes as set forth in 45 C.F.R. Section 164.510; (v) for
national security or intelligence purposes as set forth in 45 C.F.R. Section 164.512(k)(2); (vi) to
correctional institutions or law enforcement officials as set forth in 45 C.F.R. Section
164,512(k)(5); (vii) incident to a use or disclosure otherwise permitted by the Privacy Rule; (viii)
as part of a limited data set under 45 C.F.R. Section 164.514(c); or (ix) disclosures prior to April
14, 2003. Associate agrees to implement a process that allows for an accounting to be collected
and maintained by Associate and its agents or subcontractors for at least six (6) years prior to the
HCPF HIPAA BA Page 1 of 1 Revised 7/10
request, but not before the compliance date of the Privacy Rule. At a minimum, such information
shall include: (i) the date of disclosure; (ii) the name of the entity or person who received
Protected Information and, if known, the address of the entity or person; (iii) a brief description
of Protected Information disclosed; and (iv) a brief statement of purpose of the disclosure that
reasonably informs the individual of the basis for the disclosure, or a copy of the individual's
authorization, or a copy of the written request for disclosure. In the event that the request for an
accounting is delivered directly to Associate or its agents or subcontractors, Associate shall
within five (5) business days of the receipt of the request forward it to CE in writing. It shall be
CE's responsibility to prepare and deliver any such accounting requested. Associate shall not
disclose any Protected Information except as set forth in Section 2(b) of this Addendum.
Governmental Access to Records. Associate shall make its internal practices,
books and records relating to the use and disclosure of Protected Information available to the
Secretary of the U.S. Department of Health and Human Services (the "Secretary"), in a time and
manner designated by the Secretary, for purposes of determining CE's compliance with the
Privacy Rule. Associate shall provide to CE a copy of any Protected Information that Associate
provides to the Secretary concurrently with providing such Protected Information to the
Secretary.
j. Minimum Necessary. Associate (and its agents or subcontractors) shall only
request, use and disclose the minimum amount of Protected Information necessary to accomplish
the purpose of the request, use or disclosure, in accordance with the Minimum Necessary
requirements of the Privacy Rule including, but not limited to, 45 C.F.R. Sections 164.502(6)
and 164.514(d).
k. Data Ownership. Associate acknowledges that Associate has no ownership rights
with respect to the Protected Information.
1. Retention of Protected Information. Except upon termination of the Contract as
provided in Section 4(d) of this Addendum, Associate and its agents or subcontractors shall
retain all Protected Information throughout the term of this Contract and shall continue to
maintain the information required under Section 2(h) of this Addendum for a period of six (6)
years.
M. Associate's Insurance. Associate shall maintain casualty and liability insurance to
cover loss of PHI data and claims based upon alleged violations of privacy rights through
improper use or disclosure of PHI. All such policies shall meet or exceed the minimum insurance
requirements of the Contract (e.g., occurrence basis, combined single dollar limits, annual
aggregate dollar limits, additional insured status and notice of cancellation).
n. Notification of Breach. During the term of this Contract, Associate shall notify
CE within two (2) business days of any suspected or actual breach of security, intrusion or
unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in
violation of any applicable federal or state laws or regulations. Such notice shall include the
identification of each individual whose unsecured PHI has been, or is reasonably believed to
have been accessed, acquired or disclosed during the breach. Associate shall take (i) prompt
IICPF HIPAA BA Page 1 of 1 Revised 7/10
corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized
disclosure required by applicable federal and state laws and regulations.
o. Audits, Inspections and Enforcement. Within ten (10) business days of a written
request by CE, Associate and its agents or subcontractors shall allow CE to conduct a reasonable
inspection of the facilities, systems, books, records, agreements, policies and procedures relating
to the use or disclosure of Protected Information pursuant to this Addendum for the purpose of
determining whether Associate has complied with this Addendum; provided, however, that: (i)
Associate and CE shall mutually agree in advance upon the scope, timing and location of such an
inspection; (ii) CE shall protect the confidentiality of all confidential and proprietary information
of Associate to which CE has access during the course of such inspection; and (iii) CE shall
execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested
by Associate. The fact that CE inspects, or fails to inspect, or has the right to inspect, Associate's
facilities, systems, books, records, agreements, policies and procedures does not relieve
Associate of its responsibility to comply with this Addendum, nor does CE's (i) failure to detect
or (ii) detection, but failure to notify Associate or require Associate's remediation of any
unsatisfactory practices, constitute acceptance of such practice or a waiver of CE's enforcement
rights under the Contract.
p. Safeguards During Transmission. Associate shall be responsible for using
appropriate safeguards to maintain and ensure the confidentiality, privacy and security of
Protected Information transmitted to CE pursuant to the Contract, in accordance with the
standards and requirements of the Privacy Rule, until such Protected Information is received by
CE, and in accordance with any specifications set forth in Attachment A.
q. Restrictions and Confidential Communications. Within ten (10) business days of
notice by CE of a restriction upon uses or disclosures or request for confidential communications
pursuant to 45 C.F.R. Section 164.522, Associate will restrict the use or disclosure of an
individual's Protected Information, provided Associate has agreed to such a restriction.
Associate will not respond directly to an individual's requests to restrict the use or disclosure of
Protected Information or to send all communication of Protected Information to an alternate
address. Associate will refer such requests to the CE so that the CE can coordinate and prepare a
timely response to the requesting individual and provide direction to Associate.
3. Obligations of CE.
a. Safeguards During Transmission. CE shall be responsible for using appropriate
safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to
Associate pursuant to this Contract, in accordance with the standards and requirements of the
Privacy Rule, until such PHI is received by Associate, and in accordance with any specifications
set forth in Attachment A.
b. Notice of Changes. CE shall provide Associate with a copy of its notice of
privacy practices produced in accordance with 45 C.F.R. Section 164.520, as well as any
subsequent changes or limitation(s) to such notice, to the extent such changes or limitation(s)
may affect Associate's use or disclosure of Protected Information. CE shall provide Associate
IICPF HIPAA BA Page 1 of 1 Revised 7/10
with any changes in, or revocation of, permission to use or disclose Protected Information, to the
extent it may affect Associate's permitted use or disclosure of PHI, CE shall notify Associate of
any restriction on the use or disclosure of Protected Information that CE has agreed to in
accordance with 45 C.F.R. Section 164.522. CE may effectuate any and all such notices of non-
private information via posting on CE's web site. Associate shall review CE's designated web
site for notice of changes to CE's HIPAA privacy policies and practices on the last day of each
calendar quarter.
4. Termination.
a. Material Breach. In addition to any other provisions in the Contract regarding
breach, a breach by Associate of any provision of this Addendum, as determined by CE, shall
constitute a material breach of this Contract and shall provide grounds for immediate termination
of this Contract by CE pursuant to the provisions of the Contract covering termination for cause,
if any. If the Contract contains no express provisions regarding termination for cause, the
following terms and conditions shall apply:
(1) Default. If Associate refuses or fails to timely perform any of the
provisions of this Contract, CE may notify Associate in writing of the non-performance, and if
not promptly corrected within the time specified, CE may terminate this Contract. Associate
shall continue performance of this Contract to the extent it is not terminated and shall be liable
for excess costs incurred in procuring similar goods or services elsewhere.
(2) Associate's Duties. Notwithstanding termination of this Contract, and
subject to any directions from CE, Associate shall take timely, reasonable and necessary action
to protect and preserve property in the possession of Associate in which CE has an interest.
(3) Compensation. Payment for completed supplies delivered and accepted by
CE shall be at the Contract price. In the event of a material breach under paragraph 4(a), CE may
withhold amounts due Associate as CE deems necessary to protect CE against loss from third
party claims of improper use or disclosure and to reimburse CE for the excess costs incurred in
procuring similar goods and services elsewhere.
(4) Erroneous Termination for Default. If after such termination it is
determined, for any reason, that Associate was not in default, or that Associate's action/inaction
was excusable, such termination shall be treated as a termination for the public interest, and the
rights and obligations of the parties shall be the same as if this Contract had been terminated for
the public interest, as described in this Contract.
b. Reasonable Steps to Cure Breach. If CE knows of a pattern of activity or practice
of Associate that constitutes a material breach or violation of the Associate's obligations under
the provisions of this Addendum or another arrangement and does not terminate this Contract
pursuant to Section 4(a), then CE shall take reasonable steps to cure such breach or end such
violation, as applicable. If CE's efforts to cure such breach or end such violation are
unsuccessful, CE shall either (i) terminate the Contract, if feasible or (ii) if termination of this
HCPP HIPAA BA Page 1 of 1 Revised 7/10
Contract is not feasible, CE shall report Associate's breach or violation to the Secretary of the
Department of Health and Human Services.
c. Judicial or Administrative Proceedings. Either party may terminate the Contract,
effective immediately, if(i) the other party is named as a defendant in a criminal proceeding for
a violation of HIPAA, the HIPAA Regulations or other security or privacy laws or (ii) a finding
or stipulation that the other party has violated any standard or requirement of HIPAA, the
HIPAA Regulations or other security or privacy laws is made in any administrative or civil
proceeding in which the party has been joined.
d. Effect of Termination.
(I) Except as provided in paragraph (2) of this subsection, upon termination
of this Contract, for any reason, Associate shall return or destroy all Protected Information that
Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of
such Protected Information that Associate or its agents or subcontractors still maintain in any
form, and shall retain no copies of such Protected information. If Associate elects to destroy the
PHI, Associate shall certify in writing to CE that such PHI has been destroyed.
(2) If Associate believes that returning or destroying the Protected
Information is not feasible, Associate shall promptly provide CE notice of the conditions making
return or destruction infeasible. Upon mutual agreement of CE and Associate that return or
destruction of Protected Information is infeasible, Associate shall continue to extend the
protections of Sections 2(a), 2(b), 2(c), 2(d) and 2(e) of this Addendum to such information, and
shall limit further use of such PHI to those purposes that make the return or destruction of such
PHI infeasible.
5. Injunctive Relief. CE shall have the right to injunctive and other equitable and legal relief
against Associate or any of its agents or subcontractors in the event of any use or disclosure of
Protected Information in violation of this Contract or applicable law.
6. No Waiver of Immunity. No term or condition of this Contract shall be construed or
interpreted as a waiver, express or implied, of any of the immunities, rights, benefits, protection,
or other provisions of the Colorado Governmental Immunity Act, CRS 24-10-100 et seq. or the
Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now in effect or hereafter
amended.
7. Limitation of Liability. Any limitation of Associate's liability in the Contract shall be
inapplicable to the terms and conditions of this Addendum.
8. Disclaimer. CE makes no warranty or representation that compliance by Associate with
this Contract, HIPAA or HIPAA Regulations will be adequate or satisfactory for Associate's
own purposes. Associate is solely responsible for all decisions made by Associate regarding the
safeguarding of PHI.
HCPF HIPAA BA Page 1 of 1 Revised 7/10
9. Certification. To the extent that CE determines an examination is necessary in order to
comply with CE's legal obligations pursuant to HIPAA relating to certification of its security
practices, CE or its authorized agents or contractors may, at CE's expense, examine Associate's
facilities, systems, procedures and records as may be necessary for such agents or contractors to
certify to CE the extent to which Associate's security safeguards comply with HIPAA, the
HIPAA Regulations or this Addendum.
10. Amendment.
a. Amendment to Comply with Law. The parties acknowledge that state and federal
laws relating to data security and privacy are rapidly evolving and that amendment of this
Addcndum may be required to provide for procedures to ensure compliance with such
developments. The Parties specifically agree to take such action as is necessary to implement the
standards and requirements of HIPAA, the Privacy Rule, the Final HIPAA Security Regulations
at 68 Fed. Reg. 8334 (Feb 20, 2003), 45 C.F.R. § 164.314 and other applicable laws relating to
the security or privacy of PHI. The parties understand and agree that CE must receive
satisfactory written assurance from Associate that Associate will adequately safeguard all
Protected Information. Upon the request of either party, the other party agrees to promptly enter
into negotiations concerning the terms of an amendment to this Addendum embodying written
assurances consistent with the standards and requirements of I-HPAA, the Privacy Rule or other
applicable laws. CE may terminate this Contract upon thirty (30) days written notice in the event
(i) Associate does not promptly enter into negotiations to amend this Contract when requested by
CE pursuant to this Section or (ii) Associate does not enter into an amendment to this Contract
providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems
sufficient to satisfy the standards and requirements of HIPAA and the Privacy Rule.
b. Amendment of Attachment A. Attachment A may be modified or amended by
mutual agreement of the parties in writing from time to time without formal amendment of this
Addendum.
11. Assistance in Litigation or Administrative Proceedings. Associate shall make itself, and
any subcontractors, employees or agents assisting Associate in the performance of its obligations
under the Contract, available to CE, at no cost to CE, up to a maximum of thirty (30) hours, to
testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being
commenced against CE, its directors, officers or employees based upon a claimed violation of
HIPAA, the Privacy Rule or other laws relating to security and privacy or PHI, except where
Associate or its subcontractor, employee or agent is a named adverse party.
12. No Third Party Beneficiaries. Nothing express or implied in this Contract is intended to
confer, nor shall anything herein confer, upon any person other than CE, Associate and their
respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
13. Interpretation and Order of Precedence. The provisions of this Addendum shall prevail
over any provisions in the Contract that may conflict or appear inconsistent with any provision in
this Addendum. Together, the Contract and This Addendum shall be interpreted as broadly as
necessary to implement and comply with HIPAA and the Privacy Rule. The parties agree that
HCPF HIPAA BA Page 1 of 1 Revised 7/10
any ambiguity in this Contract shall be resolved in favor of a meaning that complies and is
consistent with HIPAA and the Privacy Rule. This Contract supersedes and replaces any
previous separately executed HIPAA addendum between the parties.
14. Survival of Certain Contract Terms. Notwithstanding anything herein to the contrary,
Associate's obligations under Section 4(d) ("Effect of Termination") and Section 12 ("No Third
Party Beneficiaries") shall survive termination of this Contract and shall be enforceable by CE as
provided herein in the event of such failure to perform or comply by the Associate. This
Addendum shall remain in effect during the term of the Contract including any extensions.
15. Representatives and Notice.
a. Representatives. For the purpose of the Contract, the individuals identified
elsewhere in this Contract shall be the representatives of the respective parties. If no
representatives are identified in the Contract, the individuals listed below are hereby designated
as the parties' respective representatives for purposes of this Contract. Either party may from
time to time designate in writing new or substitute representatives.
b. Notices. All required notices shall be in writing and shall be hand delivered or
given by certified or registered mail to the representatives at the addresses set forth below.
State/Covered Entity Representative:
Name: W. Sean Bryan
Title: Contract Performance Management Unit Supervisor
Department: Department of Health Care Policy and Financing
Address: 1570 Grant Street, Denver, CO 80203
Contractor/Business Associate Representative:
Name: Eva Jewell
Title: Director
Company: Weld County Department of Human Services
Address: PO Box 1805, Greeley, CO 80632-1805
HCPF HIPAA BA Page 1 of 1 Revised 7/10
•
ATTACHMENT A
This Attachment sets forth additional terms to the H1PAA Business Associate
Addendum,which is part of the Contract,between the State of Colorado,Department of Health
Care Policy and Financing,and Weld County Department of Human Services by and through the
Weld County Board of Commissioners,Contract Routing Number 3011-1322("Contract")and is
effective as of the Effective Date(the "Attachment Effective Date"). This Attachment may be
amended from time to time as provided in Section 10(b)of the Addendum.
1. Additional Permitted Uses. In addition to those purposes set forth in Section 2(a)of the
Addendum,Associate may use Protected Information as follows:
No additional permitted uses.
2. Additional Permitted Disclosures. In addition to those purposes set forth in Section 2(b)
of the Addendum,Associate may disclose Protected Information as follows:
No additional permitted disclosures.
3. Subcontractor(s).The parties acknowledge that the following subcontractors or agents of
Associate shall receive Protected Information in the course of assisting Associate in the
performance of its obligations under this Contract:
None.
4. Receipt. Associate's receipt of Protected Information pursuant to this Contract shall be
deemed to occur as follows and Associate's obligations under the Addendum shall
commence with respect to such PHI upon such receipt:
Upon receipt of PHI from the Department.
5. Additional Restrictions on Use of Data. CE is a Business Associate of certain other
Covered Entities and,pursuant to such obligations of CE, Associate shall comply with
the following restrictions on the use and disclosure of Protected Information:
No additional restrictions on Use of Data.
6. Additional Terms.
No additional terms.
HCPF HIPAA BA,Attachment A Page 1 of 1 Revised 7/10
Hello