RESOLUTION
RE: APPROVE AMENDED HIPAA BUSINESS ASSOCIATES STANDARD AGREEMENT
AND AUTHORIZE CHAIR TO SIGN
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, by Resolution the Board of County Commissioners approved the Health
Insurance Portability and Accountability Act (HIPAA) Compliance Plans for Weld County for various
departments, and
WHEREAS, included in said HIPAA Compliance Plans are copies of standard agreements
to be executed by Privacy Officers on behalf of Weld County for any Business Associate having
access to HIPAA protected information and doing business with Weld County, and
WHEREAS, the Board has been presented with an amendment to the Business Associate
Addendum to Existing Contracts, a copy of which is attached hereto and incorporated herein by
reference, and
WHEREAS, after review, the Board deems it advisable to approve said amendment.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the amended Business Associate Addendum to Existing Contracts be, and
hereby is, approved.
The above and foregoing Resolution was, on motion duly made and seconded, adopted by
the following vote on the 30th day of January, A.D., 2006.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
Chair
Weld County Clerk to the Board
David E. Long, Pro-Tem
BY:
Deputy Clerk to the Board
William H. Jerke
APPROVED AS TO FORM:
Robert . Masden
Attorney
Glenn Vaad
Date of signature: 2/14/00
2006-0313
PE0024
Business Associate Addendum to Existing Contracts
This Addendum is effective on April 14, 2003, and amends and is made part of
the Agreement by and between Weld County Dental, Vision and Flexible Spending
Plans ("Health Plan") and [Business Associate], ("Business Associate") dated
"Agreement."
Health Plan and Business Associate agree to modify the Agreement, to comply
with the Administrative Simplification requirements of the Health Insurance Portability
and Accountability Act of 1996 ("HIPAA"), as set forth in Title 45, Parts 160 and 164 of
the Code of Federal Regulations (the "CFR"). In the event of conflicting terms or
conditions, this Addendum shall supersede the Agreement.
1. Definitions. Capitalized terms not otherwise defined in the Agreement
shall have the meanings given to them in Title 45, Parts 160 and 164 of the CFR and are
incorporated herein by reference.
2. Use and Disclosure of Protected Health Information. Business Associate
shall use and/or disclose Protected Health Information ("PHI") only to the extent
necessary to satisfy Business Associate's obligations under the Agreement.
3. Prohibition on Unauthorized Use or Disclosure of PHI. Business Associate
shall not use or disclose any PHI received from or on behalf of Health Plan, except as
permitted or required by the Agreement, as required by law or as otherwise authorized in
writing by Health Plan. Business Associate shall comply with: (a) Title 45, Part 164 of
the CFR; (b) State laws, rules and regulations applicable to PHI not preempted pursuant
to Title 45, Part 160, Subpart B of the CFR or the Employee Retirement Income Security
Act of 1974 ("ERISA") as amended; and (c) Health Plan's health information privacy and
security policies and procedures.
4. Business Associate's Operations. Business Associate may use PHI it
creates or receives for or from Health Plan only to the extent necessary for Business
Associate's proper management and administration or to carry out Business Associate's
legal responsibilities. Business Associate may disclose such PHI as necessary for
Business Associate's proper management and administration or to carry out Business
Associate's legal responsibilities only if:
(a) The disclosure is required by law; or
(b) Business Associate obtains reasonable assurance, evidenced by
written contract, from any person or organization to which Business Associate shall
disclose such PHI that such person or organization shall:
(i) Hold such PHI in confidence and use or further disclose it
only for the purpose for which Business Associate disclosed it to the person or
organization or as required by law; and
(ii) Notify Business Associate (who shall in turn promptly notify
Health Plan) of any instance of which the person or organization becomes aware in
which the confidentiality of such PHI was breached.
5. Data Aggregation Services. Business Associate may use PHI to provide
Data Aggregation Services related to Health Plan's Health Care Operations.
6. PHI Safeguards. Business Associate shall develop, implement, maintain
and use appropriate administrative, technical and physical safeguards to prevent the
improper use or disclosure of any PHI received from or on behalf of Health Plan.
7. Electronic Health Information Security and Integrity. Business Associate
shall develop, implement, maintain and use appropriate administrative, technical and
physical security measures in compliance with Section 1173(d) of the Social Security
Act, Title 42, Section 1320d-2(d) of the United States Code and Title 45, Part 142 of the
CFR to preserve the integrity and confidentiality of all electronically maintained or
transmitted Health Information received from or on behalf of Health Plan pertaining to an
individual. Business Associate shall document and keep these security measures current.
8. Protection of Exchanged Information in Electronic Transactions. If
Business Associate conducts any Standard Transaction for or on behalf of Health Plan,
Business Associate shall comply, and shall require any subcontractor or agent conducting
such Standard Transaction to comply, with each applicable requirement of Title 45,
Part 162 of the CFR. Business Associate shall not enter into or permit its subcontractors
or agents to enter into any Trading Partner Agreement in connection with the conduct of
Standard Transactions for or on behalf of Health Plan that: (a) changes the definition,
Health Information condition or use of a Health Information element or segment in a
Standard; (b) adds any Health Information elements or segments to the maximum defined
Health Information set; (c) uses any code or Health Information elements that are either
marked "not used" in the Standard's Implementation Specification or are not in the
Standard's Implementation Specification(s); or (d) changes the meaning or intent of the
Standard's Implementation Specification(s).
9. Subcontractors and Agents. Business Associate shall require each of its
subcontractors or agents to whom Business Associate may provide PHI received from, or
created or received by Business Associate on behalf of Health Plan to agree to written
contractual provisions that impose at least the same obligations to protect such PHI as are
imposed on Business Associate by the Agreement.
10. Access to PHI. Business Associate shall provide access, at the request of
Health Plan, to PHI in a Designated Record Set, to Health Plan or, as directed by Health
Plan, to an individual to meet the requirements under Title 45, Part 164, Subpart E,
Section 164.524 of the CFR and applicable state law. Business Associate shall provide
access in the time and manner set forth in Health Plan's health information privacy and
security policies and procedures.
11. Amending PHI. Business Associate shall make any amendment(s) to PHI
in a Designated Record Set that Health Plan directs or agrees to pursuant to Title 45,
Part 164, Subpart E, Section 164.526 of the CFR at the request of Health Plan or an
Individual, and in the time and manner set forth in Health Plan's health information
privacy and security policies and procedures.
12. Accounting of Disclosures of PHI.
(a) Business Associate shall document such disclosures of PHI and
information related to such disclosures as would be required for Health Plan to respond to
a request by an Individual for an accounting of disclosures of PHI in accordance with
Title 45, Part 164, Subpart E, Section 164.528 of the CFR.
(b) Business Associate agrees to provide Health Plan or an individual, in
the time and manner set forth in Health Plan's health information privacy and security
policies and procedures, information collected in accordance with Section 11(a) above, to
permit Health Plan to respond to a request by an individual for an accounting of
disclosures of PHI in accordance with Title 45, Part 164, Subpart E, Section 164.528 of
the CFR.
13. Access to Books and Records. Business Associate shall make its internal
practices, books and records relating to the use and disclosure of PHI received from or on
behalf of Health Plan available to Health Plan and to DHHS or its designee for the
purpose of determining Health Plan's compliance with the Privacy Rule.
14. Reporting. Business Associate shall report to Health Plan any use or
disclosure of PHI not authorized by the Agreement, by law, or in writing by Health Plan.
Business Associate shall make the report to Health Plan's Privacy Official not less than
24 hours after Business Associate learns of such unauthorized use or disclosure.
Business Associate's report shall at least: (a) identify the nature of the unauthorized use
or disclosure; (b) identify the PHI used or disclosed; (c) identify who made the
unauthorized use or received the unauthorized disclosure; (d) identify what Business
Associate has done or shall do to mitigate any deleterious effect of the unauthorized use
or disclosure; (e) identify what corrective action Business Associate has taken or shall
take to prevent future similar unauthorized use or disclosure; and (f) provide such other
information, including a written report, as reasonably requested by Health Plan's Privacy
Official.
15. Mitigation. Business Associate agrees to mitigate, to the extent practicable,
any harmful effect that is known to Business Associate of a use or disclosure of PHI by
Business Associate in violation of the requirements of the Agreement.
16. Termination for Cause. Upon Health Plan's knowledge of a material breach
by Business Associate, Health Plan shall:
(a) Provide an opportunity for Business Associate to cure the breach or
end the violation and terminate if Business Associate does not cure the breach or end the
violation within the time specified by Health Plan.
(b) Immediately terminate the Agreement if Business Associate has
breached a material term of the Agreement and cure is not possible.
(c) If neither termination nor cure is feasible, Health Plan shall report
the violation to DHHS.
17. Return or Destruction of Health Information.
(a) Except as provided in Section 17(b) below, upon termination,
cancellation, expiration or other conclusion of the Agreement, Business Associate shall
return to Health Plan or destroy all PHI received from Health Plan, or created or received
by Business Associate on behalf of Health Plan. This provision shall apply to PHI that is
in the possession of subcontractors or agents of Business Associate. Business Associate
shall retain no copies of the PHI.
(b) In the event that Business Associate determines that returning or
destroying the PHI is infeasible, Business Associate shall provide to Health Plan
notification of the conditions that make return or destruction infeasible. Upon
verification by Health Plan that the return or destruction of PHI is infeasible, Business
Associate shall extend the protections of the Agreement to such PHI and limit further
uses and disclosure of PHI to those purposes that make the return or destruction
infeasible, for so long as Business Associate maintains such PHI.
18. Automatic Amendment. Upon the effective date of any amendment to the
regulations promulgated by HHS with respect to PHI, the Agreement shall automatically
amend such that the obligations imposed on Business Associate as a Business
Associate remain in compliance with such regulations.
19. To comply with HIPAA security requirements, the Business Associate
agrees to implement administrative, physical and technical safeguards that will
reasonably and appropriately protect the confidentiality, integrity and availability of the
electronic protected health information (ePHI) that it creates, receives, maintains, stores
or transmits on behalf of the Covered Entity. The Business Associate ensures that any
agent, including a subcontractor, to whom the Business Associate provides such
information, also agrees to implement reasonable and appropriate safeguards to protect
the ePHI that the agent creates, receives, stores and transmits on the Business
Associate's behalf. The Business Associate agrees to report to the Covered Entity any
security incident of which he becomes aware. The Covered Entity has the ability to
terminate the contract for HIPAA Security reasons -- for example, if the BA does not
implement appropriate safeguards or if the BA has a major security breach.
IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to
be duly executed in its name and on its behalf effective as of
200
HEALTH PLAN                              BUSINESS ASSOCIATE
By:                                      By:
Print Name:                              Print Name:
Title: Chair, Board of                   Print Title:
       Weld County Commissioners
Date:                                    Date: