From: Cheryl Hoffman
Sent: Tuesday, October 31, 2023 10:17 AM
To: Cheryl Hoffman
Subject: FW: Contract Management #6622 is Expiring
Original Message
From: NoReply@Weldgov.com <NoReply@Weldgov.com>
Sent: Tuesday, October 31, 2023 7:05 AM
To: CM-HumanResources <CM-HumanResources@co.weld.co.us>
Subject: Contract Management #6622 is Expiring
Please be aware that Contract 6622\HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT, HIPPA is Expiring.
The Department is: HUMAN RESOURCES
The Expiration Date is: 12/31/2023
Is the Contract Renewable?: NO
The Renewal date is:
The Contract Review date is: 10/31/2023
The Contract Lead is: MRAIMER\mraimer@co.weld.co.us
Thank-you
RESOLUTION
RE: APPROVE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT (HIPAA) AGREEMENT AND AUTHORIZE CHAIR TO SIGN - MCGEE, HEARNE,
AND PAIZ, LLP
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Health Insurance Portability and
Accountability Act (HIPAA) Agreement between the County of Weld, State of Colorado, by and
through the Board of County Commissioners of Weld County, on behalf of the Department of
Human Resources, and McGee, Hearne, and Paiz, LLP, commencing August 25, 2010, with
further terms and conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a
copy of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Health Insurance Portability and Accountability Act (HIPAA)
Agreement between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Human Resources, and
McGee, Hearne, and Paiz, LLP, be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 21st day of March, A.D., 2011, nunc pro tunc August 25, 2010.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
Barbara Kirkmeyer, Chair
Weld County Clerk to the Board
Sean Conway, Pro-Tem
BY:
Deputy Clerk to the Board
William F. Garcia
APPROVED AS TO FORM:
David E. Long
County Attorney
Douglas Rademacher
Date of signature:
2011-0743
PE0029
HIPAA Business Associate Agreement
By and Between
Weld County and McGee, Hearne & Paiz, LLP
WHEREAS, the County of Weld, State of Colorado, by and through the Board of Weld
County Commissioners ("Weld County") and McGee, Hearne & Paiz, LLP ("MHP") have
entered into an Agreement for Professional Services dated August 25, 2010, whereby MHP has
agreed to provide professional auditing services to Weld County ("the Auditing Services
Agreement"); and
WHEREAS, this Agreement supplements the Auditing Services Agreement and is
intended to comply with the requirements of the Health Insurance Portability and Accountability
Act of 1996, as amended; the applicable breach notification rules under Title XIII (D) of the
American Recovery and Reinvestment Act of 2009, as amended; and the Identity Theft Red Flag
Rules promulgated under the Fair and Accurate Credit Transaction Act of 2003, as amended.
NOW THEREFORE, in consideration of their mutual agreements, the parties agree as
follows:
1. Definitions.
a. "HHS Privacy Regulations" shall mean the privacy regulations promulgated under
HIPAA and published at 45 C.F.R., Sections 160 and 164.
b. "HHS Security Regulations" shall mean the security regulations promulgated under
HIPAA and published at 45 C.F.R., Sections 160, 162 and 164.
c. "Protected Health Information" shall mean any health information provided and/or
made available by MHP to Weld County, and has the same meaning as the term
"Protected Health Information" as defined by 45 C.F.R. 160.103.
d. Capitalized terms used but not otherwise defined shall have the same meaning as
those terms are defined in the HHS Privacy Regulations and/or the HHS Security
Regulations.
2. Weld County and MHP agree to comply with the privacy obligations applicable to them
under the Health Insurance Portability and Accountability Act of 1996 and the regulations
issued pursuant thereto, as amended ("HIPAA") to protect the privacy of Personal Health
Information ("PHI") as delivered, collected, processed, or obtained as a result of the
performance of their respective responsibilities under the Auditing Services Agreement.
3. Weld County and MHP agree to comply with the breach notification rules applicable to
them under Title XIII (D) of the American Recovery and Reinvestment Act of 2009, as
amended ("HIPAA II") to provide breach notification where appropriate of any breach
that occurs as a result of the performance of their respective responsibilities under the
Auditing Services Agreement.
4. Weld County and MHP agree to comply with the Identity Theft Red Flag Rules
promulgated under the Fair and Accurate Credit Transactions Act of 2003 ("Red Flag
Rules") applicable to them under 16 C.F.R. Part 681, as amended.
5. The Parties to this Agreement agree that the Effective Date of this Agreement shall be
August 25, 2010, and shall continue until such time that the Auditing Services Agreement
has been terminated and all PHI provided by Weld County to MHP is destroyed or
returned to Weld County as hereinafter set forth in paragraph 7.j.
6. Except as otherwise limited by this Agreement, Weld County and MHP agree that MHP
may use PHI or disclose PHI including, but not limited to, manually, verbally and through
electronic medium, which MHP obtains from Weld County and the additional
information, if any, that MHP develops therefrom, for the following purposes:
a. For the proper management and administration of the audit of Weld County's
financial systems, to permit MHP to carry out its legal responsibilities as a
Business Associate (ref. 45 C.F.R. 164.504(e)(4)(i)(A-B), as amended), provided
that such use or disclosure of PHI would not violate the HHS Privacy Regulations
if done by Weld County, and:
1. The disclosure is required by law; or
2. MHP obtains reasonable assurances from the person to whom the information
is disclosed that it will be held confidentially and used or further disclosed only as
required by law or for the purposes for which it was disclosed to the person, the
person will use appropriate safeguards to prevent use or disclosure of information,
and the person immediately notifies MHP of any instance of which it is aware in
which the confidentiality of the information has been breached (ref. 45 C.F.R.
164.504(e)(4)(ii), as amended).
b. For such other uses or purposes as may be required by law.
7. In connection with its obligations to comply with HIPAA, MHP agrees that it will:
a. Not use or further disclose PHI except as permitted under this Agreement or
required by law (ref. 45 C.F.R. 164.504(e)(2)(ii)(A), as amended);
b. Use appropriate safeguards to prevent use or disclosure of PHI except as
permitted by this Agreement (ref. 45 C.F.R. 164.504(e)(2)(ii)(B), as amended). In
addition, MHP will implement administrative, physical and technical safeguards
that reasonably and appropriately protect the confidentiality, integrity and
availability of the electronic PHI that it creates, receives, maintains or transmits
on behalf of Weld County by the compliance date for the HHS Security
Regulations (ref. 45 C.F.R. 164.314(a)(2)(i)(A), as amended);
c. To mitigate, to the extent practicable, any harmful effect that is known to MHP of
a use or disclosure of PHI by MHP in a manner contrary to this Agreement or the
HHS Privacy Regulations (ref. 45 C.F.R. 164.530(f), as amended);
d. Report to Weld County within five (5) days of discovery, any use or disclosure of
PHI not provided for or allowed by this Agreement of which MHP has knowledge
(ref. 45 C.F.R. 164.504(e)(2)(ii)(C), as amended). In addition, MHP agrees that
after the compliance date for the HHS Security Regulations, MHP will report to
Weld County, within five (5) days of discovery, any Security Incident of which
MHP becomes aware (ref. 45 C.F.R. 164.314(a)(2)(i)(A), as amended);
e. Take appropriate action, including entering into a written agreement, to assure that
any agents or subcontractors to whom MHP provides PHI or who have access to
PHI through MHP agree to the same restrictions and conditions that apply to MHP
with respect to PHI as stated in this Agreement (ref. 45 C.F.R.
164.504(e)(2)(ii)(D), as amended);
f. Make PHI available to Weld County or as directed by Weld County to an
individual who has a right of access under HIPAA. This right of access shall
conform with and meet all of the requirements of 45 C.F.R. 164.524, including
substitution of the words "Business Associate" with "MHP" where appropriate
(ref. 45 C.F.R. 164.504(e)(2)(ii)(F), as amended);
g. Make PHI available for amendment and to incorporate any amendments to PHI in
accordance with 45 C.F.R. 164.526, including substitution of the words "Business
Associate" with "MHP" where appropriate (ref. 45 C.F.R. 164.504(e)(2)(ii)(F), as
amended);
h. Make PHI available as required to provide an accounting of the uses or
disclosures of PHI received from, or created or received by MHP on behalf of
Weld County, available to the Secretary of the Department of Health and Human
Services or the Secretary's designee for purposes of determining compliance with
the HHS Privacy Regulations (ref. 45 C.F.R. 164.504(e)(2)(ii)(H), as amended);
i. Make its internal practices, books and records relating to the use and disclosure of
PHI received from, or created or received by MHP on behalf of Weld County
available to Weld County and/or the Secretary of the Department of Health and
Human Services for compliance purposes (ref. 45 C.F.R. 164.504(e)(2)(ii)(H), as
amended); and
j. At the termination of this Agreement, return or destroy all PHI created or received
by MHP on behalf of Weld County. If return or destruction of the PHI is not
feasible, MHP agrees to notify Weld County in writing of the reasons why return
or destruction is not feasible, to extend the protections of this Agreement for as
long as necessary to protect the PHI and to limit any further use or disclosure to
the purposes that make return or destruction infeasible. If MHP elects to destroy
the PHI, it shall certify to Weld County that the information has been destroyed
(ref. 45 C.F.R. 164.504(e)(2)(ii)(I), as amended).
8. In connection with its obligations to comply with HIPAA, Weld County agrees that:
a. Weld County has the primary responsibility to retain all PHI that it has delivered
to MHP and shall also be primarily responsible to respond and deliver such PHI to
those entitled to it under the provisions of HIPAA, and pursuant to the provisions
set forth in the Auditing Agreement;
b. Weld County will obtain any consent, authorization or permission that may be
required by HIPAA, applicable state laws and/or regulations prior to furnishing
MHP the PHI pertaining to an individual; and
c. Weld County will inform MHP of any PHI that is subject to any arrangements
permitted or required of Weld County under HIPAA that may materially impact in
any manner the use and/or disclosure of PHI by MHP including, but not limited
to, restrictions on the use and/or disclosure of PHI as provided for in HIPAA and
the regulations issued pursuant thereto and/or agreed to by Weld County.
9. In connection with the obligations of HIPAA II, MHP and Weld County agree that:
a. To the extent possible, all PHI will be provided and maintained in an encrypted
electronic form.
b. In the event that a breach occurs as defined in HIPAA II, the party responsible for
the breach shall also be responsible for the following:
1. Determining if the PHI involved in the breach was "unsecured" as that
term is defined in HIPAA II.
2. Determining whether the use or disclosure of the PHI violated the Privacy
Rule.
3. Determining whether the breach compromised the security or privacy of
the PHI, specifically, whether the breach posed a significant risk of
financial, reputational or other harm to the individual involved.
4. Determining whether any breach exception applies.
c. The party responsible for the breach will be responsible for the
investigation, risk assessment, and documentation of both.
d. The breaching party also agrees to notify the non-breaching party as soon
as practical of the breach.
e. If a breach is determined to have occurred, the party responsible for the
breach will also be responsible for providing all notifications as required by
HIPAA II.
10. In connection with the obligations of the Red Flag Rules, MHP and Weld County agree
that:
c. Each party agrees to ensure that its activities pursuant to this Agreement are
conducted in accordance with reasonable policies and procedures designed to
detect, prevent, and mitigate the risk of identity theft.
d. Both parties agree to have in place policies and procedures to detect relevant Red
Flags that may arise in the performance of services pursuant to this Agreement.
e. Each party agrees that it has received a copy of the Identity Theft Prevention
Program that has been put into place by the other party and that it will take
reasonable steps necessary to comply with the policies and procedures therein.
f. MHP will ensure that any agent or third party who performs services on its behalf
in connection with Weld County's covered accounts, including a subcontractor,
agrees to implement reasonable policies and procedures designed to detect,
prevent, and mitigate the risk of identity theft.
g. MHP agrees to alert Weld County of any Red Flag incident (as defined by the Red
Flag Rules) of which it becomes aware, and the steps it has taken to mitigate any
potential security compromise that may have occurred, and provide a report to
Weld County of any threat of identity theft as a result of the incident.
11. Notwithstanding any other provisions of this Agreement, upon Weld County's reasonable
determination that MHP has violated any material term or provision of this Business
Associate Agreement Attachment pertaining to MHP's obligations under HIPAA or
HIPAA II, or if MHP engages in conduct which would, if committed by Weld County,
result in a violation of HIPAA or HIPAA II by Weld County, Weld County shall provide
MHP written notice of that violation and sufficient detail to enable MHP to understand
the specific nature of that violation and afford MHP a reasonable opportunity to cure the
violation; provided, however, that if MHP fails to cure the violation within a reasonable
time specified by Weld County, Weld County may terminate this Agreement. The
parties agree that Weld County has the right to immediately terminate the Auditing
Services Agreement if Weld County determines that MHP has violated a material term of
this Agreement (ref. 45 C.F.R. 164.504(e)(2)(iii), as amended).
12. Both parties agree as follows:
a. To negotiate and amend this Business Associate Agreement Attachment, from
time to time, as necessary to comply with any amendment to any provision of
HIPAA or HIPAA II or any applicable implementing regulations including, but
not limited to, any privacy regulation, which materially alters either party's or
both parties' obligations under this Business Associate Agreement Attachment;
b. The terms of this Business Associate Agreement Attachment shall be construed in
light of any applicable interpretation or guidance on HIPAA or HIPAA II or any
applicable implementing regulations issued by the Department of Health and
Human Services or the Office of Civil Rights, from time to time;
c. Nothing contained in this Agreement, including this Business Associate
Agreement Attachment, shall confer upon any person or entity other than the
parties hereto and their respective successors or assigns, any rights, remedies,
obligations or liabilities whatsoever;
d. The respective rights and obligations set forth in paragraph 7.j. of this Agreement
shall survive termination of this Agreement and also of the Auditing Services
Agreement;
e. This Agreement may not be assigned without the prior written consent of the
non-assigning party, which consent shall not be unreasonably withheld;
f. Whenever this Agreement requires one party to give notice to the other party, such
notice shall be deemed given if notice is provided as set forth in the Auditing
Services Agreement; and
g. Any other provision of the Auditing Services Agreement that is directly
contradictory to one or more terms of this Business Associate Agreement
Attachment ("Contradictory Term") shall be superseded by the terms of this
Business Associate Agreement Attachment to the extent and only to the extent of
the contradiction, only for the purpose of MHP's compliance with HIPAA or
HIPAA II or any applicable implementing regulations and only to the extent that it
is reasonably impossible to comply with both the Contradictory Term and the
terms of the Auditing Services Agreement.
McGee Hearne & Paiz, LLC
By: Robert W. Dahill, Partner
COUNTY OF WELD, STATE OF COLORADO
ATTEST:
By: Barbara J. Kirkmeyer, Chair
Board of County Commissioners
County of Weld
Deputy Clerk to the Board
Date: MAR 2 12019