HomeMy WebLinkAbout20030653.tiff RESOLUTION
RE: APPROVE ADDENDUM TO MEMORANDUM OF UNDERSTANDING FOR HEALTH
INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS
ASSOCIATE AGREEMENT AND AUTHORIZE CHAIR TO SIGN - CHILD HEALTH
ADVOCATES, OPERATED BY POLICY STUDIES, INC.
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with an Addendum to the Memorandum of
Understanding for the Health Insurance Portability and Accountability Act (HIPPA) Business
Associate Agreement between the County of Weld, State of Colorado, by and through the
Board of County Commissioners of Weld County, on behalf of the Weld County Department of
Public Health and Environment, and Child Health Advocates, operated by Policy Studies, Inc.,
commencing March 15, 2003, and ending June 30, 2003, with further terms and conditions
being as stated in said addendum, and
WHEREAS, after review, the Board deems it advisable to approve said addendum, a
copy of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Addendum to the Memorandum of Understanding for the
Health Insurance Portability and Accountability Act (HIPPA) Business Associate Agreement
between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Weld County Department of Public Health and
Environment, and Child Health Advocates, operated by Policy Studies, Inc., be, and hereby is,
approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said addendum.
2003-0653
HL0030
(0 : NLC=2e
RE: ADDENDUM TO MEMORANDUM OF UNDERSTANDING FOR HEALTH INSURANCE
PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE AGREEMENT
PAGE 2
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 12th day of March, A.D., 2003.
BOARD OF COUNTY COMMISSIONERS
WE COUNTY, COLORADO
ATTEST:
David E. Long, Chair
Weld County Clerk to
obi
EXCUSED
c yt_ ' r, ♦I Robert D. Masden, Pro- em
BY: '�� ` co
Deputy Clerk to the sty- .11 Ht1 � ' EXCUSED DATE OF SIGNING (AYE)
M. J. Geile
APPROVE S TO FORM:
Willi�� H. Jerky
ou ttorney v
--
Date of signature: 3' °
Glenn Vaad
2003-0653
HL0030
Addendum to Memorandum of Understanding
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Addendum ("Addendum") to the Memorandum of Understanding ("MOU") dated
, 2003, by and between Child Health Advocates, operated by Policy
Studies, Inc. ("PSI/CHA") and (Satellite
Eligibility Determination Site hereinafter referred to as "SED Site") is effective as of the
compliance date of the Privacy Rule (defined below).
RECITALS
The parties agree as follows:
A. Pursuant to the Health Insurance Portability and Accountability Act of 1996, Public
Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S.
Department of Health and Human Services (the "HIPAA Regulations") and other
applicable laws, as amended, SED Site, through its MOU with PSUCHA, qualifies as
a Business Associate of PSI/CHA.
B. PSI/CHA wishes to disclose certain information to SED Site pursuant to the terms of
the MOU, some of which may constitute Protected Health Information
("PHI")(defined below).
C. PSI/CHA and SED Site intend to protect the privacy and provide for the security of
PHI disclosed to SED Site pursuant to the MOU in compliance with the HIPAA
Regulations.
D. As part of the HIPAA Regulations, the Privacy Rule (defined below) requires
PSI/CHA to enter into a contract containing specific requirements with SED Site
prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections
160.103, 164.502(e) and 164.504(e) of the Code of Federal Regulations ("CFR") and
contained in this Addendum.
E. Definitions:
1. Except as otherwise defined herein, capitalized terms in this Addendum
shall have the definitions set forth in the HIPAA Privacy Rule at 45
C.F.R. Parts 160 and 164, as amended("Privacy Rule"). In the event of
any conflict between the mandatory provisions of the Privacy Rule and
the provisions of this Addendum, the Privacy Rule shall control. Where
the provisions of this Addendum differ from those mandated by the
Privacy Rule, but are nonetheless permitted by the Privacy Rule, the
provisions of this Addendum shall control.
2. "Protected Health Information" or"PHI" means any information,
whether oral or recorded in any form or medium: (i) that relates to the
past,present or future physical or mental condition of an individual; the
provision of health care to an individual; or the past, present or future
2223-04'53
payment for the provision of health care to an individual; and(ii) that
identifies the individual or with respect to which there is a reasonable
basis to believe the information can be used to identify the individual,
and shall have the meaning given to such term under the Privacy Rule,
including, but not limited to, 45 C.F.R. Section 164.501.
3. "Protected Information" shall mean PHI provided by PSI/CHA to SED
Site or created or received by SED Site on PSI/CHA's behalf
F. Term. The term of this Addendum begins on the MOU Effective Date, as set forth in
the opening paragraph of this MOU, and runs through June 30, 2003.
G. Obligations of SED Site.
1. Permitted Uses. SED Site shall not use Protected Information except for
the purpose of performing SED Site's obligations under and as permitted
by the terms of the MOU. Further, SED Site shall not use Protected
Information in any manner that would constitute a violation of the
Privacy Rule if so used by PSUCHA.
2. Permitted Disclosures. SED Site shall not disclose Protected
Information in any manner that would constitute a violation of the
Privacy Rule if disclosed by PSUCHA.
3. Appropriate Safeguards. SED Site shall implement appropriate
safeguards as are necessary to prevent the use or disclosure of Protected
Information otherwise than as permitted by the MOU. Associate shall
maintain a comprehensive written information privacy and security
program that includes administrative, technical and physical safeguards
appropriate to the size and complexity of the SED Site's operations and
the nature and scope of its activities.
4. Reporting of Improper Use or Disclosure. SED Site shall report to
PSI/CHA in writing any use or disclosure of Protected Information other
• than as provided for by the MOU within five (5)business days of
becoming aware of such use or disclosure.
5. SED Site's Agents. If SED Site uses one or more subcontractors or
agents to provide services under the MOU, and such subcontractors or
agents receive or have access to Protected Information, each
subcontractor or agent shall sign an agreement with SED Site containing
substantially the same provisions as this Addendum and further
identifying PSUCHA as a third party beneficiary with rights of
enforcement and indemnification from such subcontractors or agents in
the event of any violation of such subcontractor or agent agreement.
SED Site shall implement and maintain appropriate sanctions against
agents and subcontractors that violate such restrictions and conditions
and shall mitigate the effects of any such violation.
6. Access to Protected Information. SED Site shall make Protected
Information maintained by SED Site or its agents or subcontractors in
Designated Record Sets available to PSUCHA for inspection and
copying within ten(10)business days of a request by PSUCHA to
enable PSUCHA to fulfill its obligations to permit individual access to
PHI under the Privacy Rule, including, but not limited to, 45 C.F.R.
Section 164.524.
7. Governmental Access to Records. SED Site shall make its internal
practices, books and records relating to the use and disclosure of
Protected Information available to the Secretary of the U.S. Department
of Health and Human Services (the "Secretary"), in a time and manner
designated by the Secretary, for purposes of determining PSI/CHA's
compliance with the Privacy Rule. SED Site shall provide to PSI/CHA a
copy of any Protected Information that SED Site provides to the
Secretary concurrently with providing such Protected Information to the
Secretary.
8. Minimum Necessary. SED Site (and its agents or subcontractors) shall
only request, use and disclose the minimum amount of Protected
Information necessary to accomplish the purpose of the request, use or
disclosure, in accordance with the Minimum Necessary requirements of
the Privacy Rule including,but not limited to, 45 CFR Sections
164.502(b) and 164.514(d).
9. Data Ownership. SED Site acknowledges that SED Site has no
ownership rights with respect to the Protected Information.
10. Retention of Protected Information. SED Site and its subcontractors or
agents shall retain all Protected Information throughout the term of the
MOU.
11. Notification of Breach. During the term of the MOU, SED Site shall
notify PSI/CHA within two (2) business days of any suspected or actual
breach of security, intrusion or unauthorized use or disclosure of PHI
and/or any actual or suspected use or disclosure of data in violation of
any applicable federal or state laws or regulations. SED Site shall take
(i)prompt corrective action to cure any such deficiencies and (ii) any
action pertaining to such unauthorized disclosure required by applicable
federal and state laws and regulations.
12. Audits, Inspection and Enforcement. Within ten (10)business days of a
written request by PSI/CHA, SED Site and its agents or subcontractors
shall allow PSI/CHA to conduct a reasonable inspection of the facilities,
systems, books,records, agreements, policies and procedures relating to
the use or disclosure of Protected Information pursuant to the MOU for
the purpose of determining whether SED Site has complied with the
MOU;provided, however, that: (i) SED Site and PSUCHA shall
mutually agree in advance upon the scope, timing and location of such
an inspection; (ii) PSUCHA shall protect the confidentiality of all
confidential and proprietary information of SED Site to which PSI/CHA
has access during the course of such inspection; and (iii) PSUCHA shall
execute a nondisclosure agreement, upon terms mutually agreed upon by
the parties, if requested by SED Site. The fact that PSUCHA inspects, or
fails to inspect, or has the right to inspect, SED Site's facilities, systems,
books, records, agreements, policies and procedures does not relieve
SED Site of its responsibility to comply with the MOU,nor does
PSUCHA's (i) failure to detect or(ii) detection, but failure to notify SED
Site or require SED Site's remediation of any unsatisfactory practices,
constitute acceptance of such practice or a waiver of PSUCI-JA's
enforcement rights under the MOU.
13. Safeguards During Transmission. SED Site shall be responsible for
using appropriate safeguards to maintain and ensure the confidentiality,
privacy and security of Protected Information transmitted to PSUCHA
pursuant to the MOU, in accordance with the standards and requirements
of the Privacy Rule, until such Protected Information is received by
PSUCHA.
H. Obligations of PSUCHA.
1. Safeguards During Transmission. PSUCHA shall be responsible for
using appropriate safeguards to maintain and ensure the confidentiality,
privacy and security of PHI transmitted to SED Site pursuant to the
MOU, in accordance with the standards and requirements of the Privacy
Rule, until such PHI is received by SED Site.
2. Notice of Changes. PSUCHA shall provide SED Site with a copy of its
notice of privacy practices produced in accordance with 45 CFR Section
164.520, as well as any subsequent changes or limitation(s)to such
notice,to the extent such changes or limitations may effect SED Site's
use or disclosure of Protected Information. PSUCHA shall provide SED
Site with any changes in, or revocation of, permission to use or disclose
Protected Information, to the extent it may affect SED Site's permitted
or required uses or disclosures. To the extent that it may affect SED
Site's permitted use or disclosure of PHI, PSUCHA shall notify SED
Site of any restriction on the use or disclosure of Protected Information
that PSUCHA has agreed to in accordance with 45 CFR Section
164.522. PSUCHA may effectuate any and all such notices of de-
identified information via posting on PSUCHA's web site. SED Site
shall continually monitor PSI/CHA's designated web site for notice of
changes to PSI/CHA's HIPAA privacy policies and practices.
Disclaimer. PSUCHA makes no warranty or representation that compliance by SED
Site with the MOU, this Addendum, HIPAA or the HIPAA Regulations will be
adequate or satisfactory for SED Site's own purposes. SED Site is solely responsible
for all decisions made by SED Site regarding the safeguarding of PHI.
J. Certification. To the extent that PSUCHA determines an examination is necessary in
order to comply with PSUCHA's legal obligations pursuant to HIPAA relating to
certification of its security practices,PSUCHA or its authorized agents or contractors,
may, at PSI/CHA's expense, examine SED Site's facilities, systems, procedures and
records as maybe necessary for such agents or contractors to certify to PSI/CHA the
extent to which SED Site's security safeguards comply with HIPAA, the HIPAA
Regulations, the MOU or this Addendum.
K. Amendment to Comply with Law. The parties acknowledge that state and federal
laws relating to data security and privacy are rapidly evolving and that amendment of
this Addendum may be required to provide for procedures to ensure compliance with
such developments. The parties specifically agree to take such action as is necessary
to implement the standards and requirements of HIPAA, the Privacy Rule and other
applicable laws relating to the security or privacy of PHI. The parties understand and
agree that PSI/CHA must receive satisfactory written assurance from SED Site that
SED Site will adequately safeguard all Protected Information. Upon the request of
either party, the other party agrees to promptly enter into negotiations concerning the
terms of an amendment to this Addendum embodying written assurances consistent
with the standards and requirements of HIPAA, the Privacy Rule or other applicable
laws. PSI/CHA may terminate the Addendum upon thirty(30) days written notice in
the event (i) SED Site does not promptly enter into negotiations to amend this
Addendum when requested by PSUCHA pursuant to this Section or(ii) SED Site
does not enter into an amendment to this Addendum providing assurances regarding
the safeguarding of PHI that PSUCHA, in its sole discretion, deems sufficient to
satisfy the standards and requirements of HIPAA and the Privacy Rule.
L. Assistance in Litigation or Administrative Proceedings. SED Site shall make itself,
and any subcontractors, employees or agents assisting SED Site in the performance of
its obligations under this Addendum, available to PSUCHA, at no cost to PSUCHA, to
testify as witnesses, or otherwise, in the event of litigation or administrative
proceedings being commenced against PSI/CHA, its directors, officers or employees
based upon a claimed violation of HIPAA, the Privacy Rule or other laws relating to
security and privacy of PHI, except where SED Site or its subcontractor, employee or
agent is a named adverse party.
M. No Third Party Beneficiaries. Nothing express or implied in this Addendum is
intended to confer, nor shall anything herein confer, upon any person other than
PSI/CHA, SED Site and their respective successors or assigns, any rights, remedies,
obligations or liabilities whatsoever.
N. Interpretation. This Addendum shall be interpreted as broadly as necessary to
implement and comply with HIPAA and the Privacy Rule. The parties agree that any
ambiguity in this Addendum shall be resolved in favor of a meaning that complies
and is consistent with HIPAA and the Privacy Rule.
O. Audits. In addition to any other audit rights in this Addendum, SED Site shall permit
PSI/CHA and any authorized federal agency to monitor and audit records and
activities which are or have been undertaken pursuant to this Addendum.
P. No Assignment. Except as otherwise provided, the duties and obligations of SED
Site shall not be assigned, delegated or subcontracted except with the express prior
written consent of PSI/CHA. Any subcontractors or agents used by SED Site to
perform any services in connection with this Addendum shall be subject to the
requirements of this Addendum.
IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum as of the MOU
Effective Date.
CHILD HEALTH ADVOCATES, SATELLITE ELIGIBILITY
Operated by Policy Studies, Inc. DETERMINATION SITE
("PSI/CHA") ("SED SITE")
By -"Cf%c4t By L '
SED Site Authorized Person
Name: David E. Lon•
Title: Chair (03/12/2003
Attest:
ro. -`
/
By
Deputy Clerk to the'134a41,-;:#1
-;#, -Wi
WELD COUNTY DEPARTMENT OF `\Y
PUBLIC HALM Ar,,' ENVIdalriI,,IE
Mark E. Wallace, MD. MPH•Director
Memorandum
vine David E. Long, Chair
TO: Board of County Commissioners
COLORADO FROM: Mark E. Wallace, MD, MPH, Director
Department of Public Health and 7
Environment /J jai
DATE: March 10, 2003 ��'
SUBJECT: Memorandum of Understanding and
Addendum to MOU for CHP+ Satellite
Eligibility Determination Site
Enclosed for Board review and approval is a Memorandum of Understanding and an addendum
to the Memorandum of Understanding for Weld County Department of Public Health and
Environment to continue to be a SED (Satellite Eligibility Determination Site) for the Child
Health Plan Plus (CHP+). This plan provides for outpatient and inpatient medical services to
children under age nineteen in medically indigent families. As a Satellite Eligibility
Determination Site, WCDPHE will continue to assist clients in completing their applt"eations for
this insurance plan and submit each application with required documentation to the Child Health
Advocates. For providing these services, WCDPHE will be paid $10.00 for each completed
application submitted within time requirements.
The addendum to this MOU states that WCDPHE qualifies as a Business Associate of PSI/CHA
(Policy Studies Inc./Child Health Advocates) and both parties agree to protect the privacy and
provide for the security of PHI (Protected Health Information) in compliance with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). The term of this memorandum
of understanding and the addendum to it is from March 15, 2003 through June 30, 2001.,
I recommend your approval of these documents.
Enclosure
2003-0653
Hello