HomeMy WebLinkAbout20242825.tiffRESOLUTION
RE: APPROVE BUSINESS ASSOCIATE AGREEMENT FOR CASE MANAGEMENT
AGENCY (CMA) INFORMATION DATA SHARING AND AUTHORIZE CHAIR TO
SIGN - NORTHEAST HEALTH PARTNERS, LLC
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Business Associate Agreement for
Case Management Agency (CMA) Information Data Sharing between the County of Weld, State
of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of
the Department of Human Services, and Northeast Health Partners, LLC, commencing upon full
execution of signatures, with further terms and conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Business Associate Agreement for Case Management Agency
(CMA) Information Data Sharing between the County of Weld, State of Colorado, by and through
the Board of County Commissioners of Weld County, on behalf of the Department of Human
Services, and Northeast Health Partners, LLC, be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 23rd day of October, A.D., 2024.
BOARD OF COUN
COMISSIONERS
WELD COU ► COLORAD
ATTEST:A►nJ W jel,..0;e/k Cr
KevinRoss, Chair
Weld County Clerk to the Board
Deputy Clerk to the Board
APP
u y ey 'f
Date of signature: °I 17qI 7,I4
reeman
Lori Saine
cc.. KS D
Ot /2.1/25
2024-2825
HR0096
Co►n c+ 818o
BOARD OF COUNTY COMMISSIONERS
PASS -AROUND REVIEW
PASS -AROUND TITLE: Business Associate Agreement with Northeast Health Partners, LLC.
DEPARTMENT: Human Services DATE: October 15, 2024
PERSON REQUESTING: Jamie Ulrich, Director, Human Services
Brief description of the problem/issue: The Department is requesting to enter into a Business Associate
Agreement with Northeast Health Partners, LLC., for the purpose of data sharing information for Case
Management Agency (CMA) clients. The agreement will allow the Department to use or disclose Protected
Health Information (PHI) received from or created on behalf of Northeast Health Partners to carry out the
responsibilities of the Department as the CMA. This information may be used to conduct treatment and health
care operations activities including data analytics, provided that such use or disclosure would not violate the
HIPAA Standards.
This Agreement has been reviewed and approved by Legal (B. Howell).
What options exist for the Board?
• Approval of the Business Associate Agreement with Northeast Health Partners, LLC.
• Deny approval of the Business Associate Agreement with Northeast Health Partners, LLC.
Consequences: The Department will not have an agreement in place with Northeast Health Partners.
Impacts: The Department will not be able to share client information resulting in a loss of data for clients
served.
Costs (Current Fiscal Year / Ongoing or Subsequent Fiscal Years):
• Total cost = This is a non -financial agreement.
Recommendation:
• Approval of the Business Associate Agreement and authorize the Chair to sign.
Support Recommendation Schedule
Place on BOCC Agenda Work Session Other/Comments:
Perry L. Buck, Pro -Tern
Mike Freeman
Scott K. James
Kevin D. Ross, Chair
Lori Saine
Pass -Around Memorandum; October 15, 2024 — CMS ID 8786
2024-2825
I Of ZS YzOO9(o
Northeast Health Partners, LLC,
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made this day, September
12, 2024 (the "Effective Date"), by and between Northeast Health Partners LLC ("Covered
Entity"), and Weld County Department of Human Service ("Business Associate") on behalf of
itself and those of its affiliates providing services in connection with this Agreement ("Business
Associate").
RECITALS:
WHEREAS, Covered Entity and Business Associate are subject to federal standards for the
privacy and security of Protected Health Information (as defined below);
WHEREAS, Business Associate provides services to Covered Entity that require Business
Associate to use, access, disclose, receive or create Protected Health Information;
WHEREAS, Covered Entity and Business Associate are committed to complying with the
HIPAA Standards (as defined below), if applicable 42 C.F.R. Part 2 ("Part 2"), and contractual
obligations imposed upon Covered Entity by the State of Colorado, Department of Health Care
Policy and Financing (the "Department"), and desire to set forth the rights and responsibilities of
the parties with respect to Protected Health Information;
WHEREAS, to the extent that Business Associate meets the definition of a "covered entity"
(as defined at 45 C.F.R. § 160.103), Business Associate's obligations pursuant to this Agreement
shall apply only to PHI that is created, accessed, maintained, or transmitted by Business Associate
related solely to Business Associate's obligations to Covered Entity which are not part of Business
Associate's "covered functions" (as defined at 45 C.F.R. § 164.103).
NOW THEREFORE, in consideration of the mutual promises and covenants contained
herein, the sufficiency of which is hereby acknowledged by the parties, the parties agree as follows:
1. DEFINITIONS.
1.1 "Breach" shall have the same meaning as the term "breach" at 45 C.F.R. § 164.402.
1.2 "Designated Record Set" shall have the same meaning as the term "designated record
set" at 45 C.F.R. § 164.501 and means a group of records containing Protected Health Information
maintained by or for Covered Entity which fall within one of the following categories: (a) a health
care provider's medical and billing records about an Individual; (b) a health plan's enrollment,
payment, claims adjudication and case management records; or (c) records used in whole or in part
by Covered Entity to make decisions about the Individuals to whom the information relates.
1.3 "Discovery" as used in Section 3.5 means that the Unauthorized Use or Disclosure, or
Breach, is known to Business Associate or any employee, officer or other agent of Business
Associate or should reasonably have been known to Business Associate or any employee, officer
or agent of Business Associate to have occurred by exercising reasonable diligence, in accordance
with 45 C.F.R. § 164.410(a).
1
ACTIVE 700656705x3
1.4 "Individual" means the person who is the subject of Protected Health Information and
shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §
164.502(g).
1.5 "HIPAA Standards" means collectively the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and
Clinical Health ("HITECH") Act (Pub. L. No. 111-5 (2009), the Security Standards for the
Protection of Electronic Protected Health Information as set forth in 45 C.F.R. Part 160 and Part
164, Subparts A and C (the "Security Rule"), and the Standards for Privacy of Individually
Identifiable Health Information as set forth in 45 C.F.R. Part 160 and Part 164, Subparts A and E
(the "Privacy Rule") and any amendments and additions to such laws and regulations which may
be adopted from time to time.
1.6 "Protected Health Information" or "PHI" and "electronic Protected Health
Information" or "electronic PHI" shall have the same meaning as such terms as defined in 45
C.F.R. § 160.103 and means any information, whether oral or recorded in any form or medium,
that is (a) created or received by Covered Entity or by Business Associate or another person or
entity on behalf of or for the benefit of Covered Entity; (b) relates to the past, present or future
physical or mental health or condition of an Individual, the provision of health care to an
Individual, or the past, present or future payment for the provision of health care to an Individual,
and (c) identifies an Individual or with respect to which there is a reasonable basis to believe the
information can be used to identify the Individual.
1.7 "Required By Law" means a mandate contained in law that compels Covered Entity or
Business Associate to use or disclose PHI and that is enforceable in a court of law, including, but
not limited to, court orders, court -ordered warrants and statutes and regulations that require such
information if payment is sought under a government health care program.
1.8 "Service Provider" shall mean a person or entity that provides a service directly to
Covered Entity.
1.9 "Unsecured PHI" shall have the same meaning as "unsecured protected health
information" as defined in 45 C.F.R. § 164.102 and means PHI in any form that is not rendered
unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology
or methodology specified in guidance issued by the Secretary of the United States Department of
Health and Human Services ("Secretary").
1.10 Other Terms. All other terms used, but not otherwise defined, in this Agreement shall
have the same meaning as provided in the HIPAA Standards and, as applicable, Part 2.
2. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH
INFORMATION.
2.1 Permitted Uses and Disclosures. Except as otherwise limited in this Agreement,
Business Associate may use or disclose PHI received from or created on behalf of Covered Entity
to carry out the responsibilities of Business Associate (to conduct treatment, and health care
operations activities including data analytics to Protected Health Information regarding Northeast
2
ACTIVE 700656705x3
Health Partners Medicaid Members) provided that such use or disclosure would not violate the
HIPAA Standards or, if applicable, Part 2, and/or this Agreement. Business Associate may use
PHI in connection with the proper management and administration of Business Associate.
Business Associate may disclose PHI in connection with the proper management and
administration of Business Associate or to carry out the legal responsibilities of Business Associate
if (a) the disclosure is Required By Law, or (b) Business Associate receives reasonable assurances
in writing from the person to whom the information is disclosed that the information will be held
confidentially, used or further disclosed only as Required By Law or for the purposes for which
the disclosure was made, and the person will notify Business Associate within five (5) business
days of any breaches of confidentiality of the PHI, to the extent he has obtained knowledge of such
breach. Despite the foregoing, if applicable, any disclosure of PHI that is subject to Part 2 must
meet the requirements set forth in Section 4.
2.1.1 Business Associate may use and disclose PHI to provide Data Aggregation services to
Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.1.2 Business Associate may also use and disclose PHI: (i) to respond to requests for PHI
either accompanied by an authorization that meets the requirements of 45 C.F.R. § 164.508 or
from a covered entity or health care provider in accordance with 45 C.F.R. § 164.506(c), where
directed or authorized by Covered Entity; and (ii) to de -identify the information in accordance with
HIPAA's de -identification standards, which may be used and disclosed by Business Associate as
permitted by law, including HIPAA, and for its own purposes, including, without limitation, for
purposes of developing comparative databases, performing statistical analysis and research, and
improving the quality of Business Associate's products and services; and (iv) as authorized in
writing by Covered Entity.
2.2 Unauthorized Uses and Disclosures. Any use or disclosure of PHI which is not
explicitly permitted by this Agreement is prohibited.
2.3 Violations of Law. Business Associate may use PHI to report violations of law to
appropriate authorities consistent with 45 C.F.R. § 164.502(j)(1).
2.4 Business Associate shall not directly or indirectly receive remuneration in exchange
for any PHI of an Individual without Covered Entity's prior written approval and notice from
Covered Entity that it has obtained from the Individual, in accordance with 45 C.F.R. § 164.508,
a valid authorization that includes a specification of whether the PHI can be further exchanged for
remuneration by Business Associate.
2.5 Business Associate may use or disclose PHI to communicate about a product or service
of Covered Entity, provided that such communication is made in a manner that does not constitute
marketing as defined in 45 C.F.R. § 164.501 or otherwise constitute a use or disclosure that
Covered Entity is prohibited from performing itself
3
ACTIVE 700656705x3
3. HIPAA-RELATED OBLIGATIONS AND ACTIVITIES OF BUSINESS
ASSOCIATE.
3.1 Compliance with HIPAA Standards. Business Associate shall comply with all
provisions of the HIPAA Standards applicable to Business Associate, this Agreement, and other
applicable law, including, if applicable, Part 2, as set forth below.
3.2 Nondisclosure. Business Associate shall not use or disclose PHI other than as
permitted in this Agreement, as Required By Law, or expressly excepted from the definition of
"Breach" under HIPAA (collectively the "Permitted Disclosures"). All Permitted Disclosures shall
be made in strict compliance with the HIPAA Standards. Any use or disclosure of PHI that is not
a Permitted Disclosure, including but not limited to any Breach of Unsecured PHI, shall be
considered an "Unauthorized Use or Disclosure" for purposes of this Agreement.
3.3 Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use
or disclosure of PHI other than as permitted by this Agreement and to comply, where applicable,
with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI. Business Associate will
document and keep all such safeguards current. Business Associate shall maintain a
comprehensive written information privacy and security program that includes administrative,
technical, and physical safeguards designed to prevent the unauthorized use and disclosure of PHI,
and to protect the confidentiality, integrity, and availability of electronic PHI, including
maintaining an Incident Response Team to investigate and respond to unauthorized uses and
disclosures of PHI upon learning thereof, as required by 45 C.F.R. §§ 164.308, 164.310, 164.312,
and 164.316, as may be amended from time to time. Business Associate shall review, modify, and
update documentation of its safeguards as needed to ensure continued provision of reasonable and
appropriate protection of PHI.
3.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any
harmful effect, known to Business Associate, of any Unauthorized Use or Disclosure of PHI by
Business Associate in violation of this Agreement.
3.5 Reporting. In addition to the reporting required by Section 3.6, Business Associate
agrees to report to the Privacy Officer of Covered Entity any Unauthorized Use or Disclosure of
PHI of which Business Associate becomes aware, including such uses and disclosures arising
from a Security Incident. This reporting obligation shall include Unauthorized Uses or Disclosures
by Business Associate, its employees, subcontractors and/or agents. Each such report of an
Unauthorized Use or Disclosure will: (i) identify each Individual whose PHI has been or is
reasonably believed to have been accessed, acquired, or disclosed as a result of such Unauthorized
Use or Disclosure; (ii) identify the nature of the Unauthorized Use or Disclosure, including the
date of Discovery and Date of the Unauthorized Use or Disclosure; (iii) identify the PHI used or
disclosed; (iv) identify who made the Unauthorized Use or Disclosure; (v) identify who received
the unauthorized PHI; (vi) identify what corrective action Business Associate took or will take to
prevent further Unauthorized Use or Disclosures; (vii) identify what Business Associate did or will
do to mitigate any deleterious effect of the Unauthorized Use or Disclosure; and (viii) provide such
other information as Covered Entity may reasonably request.
4
ACTIVE 700656705x3
3.6 Breach Reporting. Following the discovery by Business Associate of any Breach of
Unsecured PHI by Business Associate or its Subcontractors, Business Associate agrees to notify
the Privacy Officer of Covered Entity without unreasonable delay, but no later than within four (4)
business days after Discovery by Business Associate of such Breach. The initial report shall be
followed by a written report to the Privacy Officer which shall be made as soon as reasonably
possible but in no event more than five (5) business days after Discovery by Business Associate
of such Breach Such notification shall, to the extent available: (i) identify each Individual whose
Unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed
as a result of such Breach; (ii) identify the Breach, including the date of Discovery and Date of the
Breach, if known; (iii) identify the types of Unsecured PHI involved in the Breach; (iv) identify
who made the Unsecured PHI; (v) identify who received the Unsecured PHI; (vi) identify what
corrective action Business Associate took or will take to prevent further Breaches; (vii) identify
what Business Associate did or will do to mitigate any deleterious effect of the Breach; and (viii)
provide such other information as Covered Entity may reasonably request.
Business Associate agrees to pay the actual and reasonable costs of Covered Entity to provide
required notifications and any associated costs incurred by Covered Entity as a result of a Breach
caused by Business Associate, such as credit monitoring for affected Individuals and including
any civil or criminal monetary penalties or fines levied by any federal or state authority having
jurisdiction. if Covered Entity reasonably determines that the nature of the Breach warrants such
measures.
Notwithstanding the above, if a law enforcement official provides Covered Entity and
Business Associate with a statement that the notification required under this paragraph would
impede a criminal investigation or cause damage to national security, Business Associate may
delay the notification for the period of time set forth in the statement as permitted under 45 C.F.R.
§ 164.412.
3.7 Agents and Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2) and
164.502(e)(1)(ii), Business Associate agrees to ensure that any subcontractor that creates, receives,
maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially the
same restrictions and conditions that apply to Business Associate through this Agreement with
respect to such information (a "Subcontractor Agreement"). If Business Associate knows or has
reason to know of a pattern of activity or practice of a subcontractor that constitutes a material
breach or violation of the subcontractor's obligations under the Subcontractor Agreement,
Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable,
and, if Business Associate cannot, or Subcontractor does not, cure the breach within such period,
Business Associate shall terminate the Subcontractor Agreement with the subcontractor and notify
Covered Entity of the breach or violation involving its PHI.
3.8 Access. To the extent Business Associate maintains a Designated Record Set, Business
Associate shall provide access to PHI it maintains in the Designated Record Set to Covered Entity
or, as directed by Covered Entity, to an Individual or another person properly designated by the
Individual, at the written request of Covered Entity or an Individual in a prompt and reasonable
manner of receiving a written request from Covered Entity in order to meet the requirements of 45
C.F.R. § 164.524. If Business Associate maintains PHI electronically in a Designated Record Set
and if the Individual requests an electronic copy of such information, Business Associate shall
provide Covered Entity, or the Individual or person properly designated by the Individual, as
5
ACTIVE 700656705x3
directed by Covered Entity, access to the PHI in the electronic form and format requested by the
Individual, if it is readily producible in such form and format; or, if not, in a readable electronic
form and format as agreed to by Covered Entity and the Individual. If Business Associate receives
a request for access to PHI directly from an Individual, Business Associate shall promptly notify
Covered Entity, and if direct by Covered Entity, make such PHI available directly to the Individual
within the time required by 45 C.F.R. § 164.524.
3.9 Amendments. To the extent Business Associate maintains PHI in a Designated Record
Set, Business Associate shall make any amendment(s) to PHI in the Designated Record Set that
Covered Entity directs pursuant to and consistent with the timing and other provisions of 45 C.F.R.
§ 164.526 of receiving a written request from Covered Entity. Business Associate shall make any
such amendment only by appending the amendment to the PHI in the Designated Record Set, and
under no circumstance shall PHI be deleted from the Designated Record Set as part of the
amendment process. If Business Associate receives a request for an amendment to PHI maintained
in a Designated Record Set directly from an Individual, Business Associate shall promptly notify
Covered Entity of the request in writing consistent with the timing and other provisions of 45
C.F.R. § 164.526 to enable Covered Entity's compliance therewith. Any denial of amendment of
PHI maintained by Business Associate or its agents or Subcontractors shall be the responsibility
of the Department.
3.10 Records. Business Associate shall make its internal practices, books, and records
relating to the use and disclosure of PHI received from, or created or received by Business
Associate on behalf of, Covered Entity available to the Secretary, during regular business hours in
a time and manner designated by the Secretary, for purposes of the Secretary determining the
Department's or Covered Entity's compliance with the HIPAA Standards. Business Associate
shall cooperate with the Secretary if the Secretary undertakes an investigation or compliance
review of its policies, procedures, or practices to determine whether Business Associate is
complying with the HIPAA Standards, and permit access by the Secretary during normal business
hours to its facilities, books, records, accounts, and other sources of information, including PHI,
that are pertinent to ascertaining compliance.
3.11 Accounting of Disclosures. Business Associate shall document such disclosures of
PHI made by Business Associate, its employees, subcontractors or agents and information related
to such disclosures as are required for Covered Entity to respond to a request by an Individual for
an accounting of disclosures in accordance with 45 C.F.R. § 164.528 including: (a) the date of the
disclosure; (b) the name and address (if known) of the person or entity who received the disclosure;
(c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the
disclosure or a copy of the consent to the disclosure signed by the Individual to whom the PHI
relates. Business Associate agrees to provide Covered Entity within fifteen (15) days of receiving
a written request from Covered Entity, information collected in accordance with this Section. If
Business Associate receives a request for an accounting of disclosures of PHI directly from an
Individual, Business Associate shall notify Covered Entity of the request in writing within ten (10)
days of receipt of the request and forward it to Covered Entity. Additionally, as of the compliance
date set forth in the relevant regulations, if Business Associate makes disclosures of PHI through
an Electronic Health Record, Business Associate shall account for all such disclosures in
accordance with the HITECH Act and any future regulations promulgated thereunder. It shall be
the Department's responsibility to prepare and deliver any such accounting requested to an
Individual.
6
ACTIVE 700656705x3
3.12 Security of Electronic Data. If PHI is created, accessed, transmitted to or maintained
by Business Associate in electronic format, Business Associate agrees to:
(a) Develop, implement, maintain, and use administrative, technical and physical
safeguards that reasonably and appropriately protect the integrity, confidentiality, and
availability of the electronic PHI that Business Associate creates, receives, maintains or
transmits on behalf of Covered Entity and to comply with all applicable provisions of
Subpart C of Part 164 of the Security Rule;
(b) Ensure that any agent or subcontractor to whom Business Associate provides
electronic PHI agrees to implement reasonable and appropriate safeguards to protect such
PHI; and
(c) Report to Covered Entity any Security Incident impacting Covered Entity
member identifiable data of which Business Associate becomes aware. Notwithstanding
the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence
and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature,
such as pings and port scams, and Covered Entity acknowledges and agrees that no
additional notification to Covered Entity of such unsuccessful Security Incidents is
required. At the request of Covered Entity, Business Associate shall identify the date of
the Security Incident, the scope of the Security Incident, Business Associate's response to
the Security Incident, and the identification of the party responsible for causing the Security
Incident, if known.
3.13 Minimum Necessary. Business Associate will make reasonable efforts, to the extent
practicable, to limit requests for and the use and disclosure of PHI to a Limited Data Set (as defined
in 45 C.F.R. § 164.514(e)(2)) or, if needed by Business Associate, to the minimum necessary PHI
to accomplish the intended purpose of such use, disclosure or request, and as applicable, in
accordance with the regulations and guidance issued by the Secretary on what constitutes the
minimum necessary for Business Associate to perform its obligations to Covered Entity under this
Agreement or as Required By Law.
3.14 Data Ownership. Business Associate acknowledges that Business Associate has no
ownership rights with respect to the PHI.
3.15 Delegated Obligations. To the extent Business Associate is delegated to carry out
Covered Entity's obligations under the Privacy Rule, Business Associate shall comply with the
requirements of the Privacy Rule that apply to Covered Entity in the performance of such delegated
obligations.
4. PART 2 QUALIFIED SERVICE ORGANIZATION OBLIGATIONS AND
ACTIVITIES
In the event this Agreement results in the disclosure of substance use disorder patient records
protected under the federal regulations governing Confidentiality of Substance Use Disorder
Patient Records, 42 C.F.R. Part 2, Business Associate shall comply with provisions of the Part 2
Rules applicable to Business Associate.
7
ACTIVE 700656705x3
4.1 Federal Alcohol and Drug Abuse Confidentiality Regulation. PHI that relates to
alcohol and drug abuse ("Part 2 Information") also is protected by Part 2.
4.2. Confidentiality Agreement. For purposes of Part 2, Business Associate is a Qualified
Service Organization (as defined at 42 C.F.R. § 2.11), and acknowledges that in receiving, storing,
processing or otherwise dealing with any Part 2 Information from or for Covered Entity, (1) it is
fully bound by Part 2, as it would apply to Covered Entity, as a "Program" (as defined at 42 C.F.R.
§ 2.11), and (2) if necessary, will resist in judicial proceedings any efforts to obtain access to the
Part 2 Information, except as permitted by Part 2.
4.3. Prohibition on Redisclosure. Business Associate agrees to ensure that any Part 2
Information received from Covered Entity, will not be redisclosed to any other person or entity,
including an agency or Subcontractor who provides services for Business Associate, except as may
be permitted by Part 2.
5. ADDITIONAL REQUIREMENTS IMPOSED ON BUSINESS ASSOCIATE (AND
COVERED ENTITY) BY THE DEPARTMENT.
5.1 Safeguards During Transmission. Business Associate shall be responsible for using
appropriate safeguards, including encryption of PHI to maintain and ensure the confidentiality,
integrity, and security of PHI transmitted to Covered Entity or the Department pursuant to the
relevant underlying agreement, in accordance with the HIPAA Standards.
5.2 Retention of Protected Information. Except upon termination of this Agreement as
provided in Section 6, Business Associate shall retain all PHI throughout the term of the underlying
agreement with Covered Entity and shall continue to maintain the information required under
Section 3.10 of this Agreement as required by law, rule, or regulation .
5.3 Audits, Inspection and Enforcement. Upon request by the Department or Covered
Entity, Business Associate and its agents or subcontractors shall allow the Department or Covered
Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements,
policies and procedures relating to the use or disclosure of Protected Health Information pursuant
to this Agreement for the purpose of determining whether Business Associate has complied with
this Agreement; provided, however, that: (i) Business Associate and the Department or Covered
Entity shall mutually agree in advance upon the scope, timing and location of such an inspection;
and (ii) the Department or Covered Entity shall protect the confidentiality of all confidential and
proprietary information of Business Associate to which it has access during the course of such
inspection. The fact that the Department or Covered Entity inspects, or fails to inspect, or has the
right to inspect, Business Associate's facilities, systems, books, records, agreements, policies and
procedures does not relieve Business Associate of its responsibility to comply with this
Agreement, nor does the Department's or Covered Entity's (i) failure to detect or (ii) detection,
but failure to notify Business Associate or require Business Associate's remediation of any
unsatisfactory practices, constitute acceptance of such practice or a waiver of the Department's or
Covered Entity's enforcement rights under the relevant underlying agreements.
5.4 Restrictions and Confidential Communications. Within five (5) business days of notice
by Covered Entity of a restriction upon uses or disclosures or request for confidential
8
ACTIVE 700656705x3
communications pursuant to 45 C.F.R. Section 164.522, Business Associate will restrict the use
or disclosure of an Individual's PHI. Business Associate will not respond directly to an
Individual's requests to restrict the use or disclosure of PHI or to send all communications of PHI
to an alternate address. Business Associate will refer such requests to Covered Entity so that
Covered Entity can coordinate with the Department to prepare a timely response to the requesting
Individual and provide direction to Business Associate.
5.5 Injunctive Relief. The Department and Covered Entity shall have the right to seek
injunctive and other equitable and legal relief against Business Associate or any of its
Subcontractors in the event of any use or disclosure of PHI in violation of this Agreement or
applicable law.
5.7 No Waiver of Immunity. As related to the Department, no term or condition of this
Agreement shall be construed or interpreted as a waiver, express or implied, of any of the
immunities, rights, benefits, protection, or other provisions of the Colorado Governmental
Immunity Act, CRS 24-10-101 et seq. or the Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as
applicable, as now in effect or hereafter amended.
5.8 Certification. To the extent that the Department or Covered Entity determines an
examination is necessary in order to comply with its legal obligations pursuant to the HIPAA
Standards and other applicable law relating to certification of its security practices, the Department
or Covered Entity or its authorized agents or contractors, may, at the Department's or Covered
Entity's expense, examine Business Associate's facilities, systems, procedures and records as may
be necessary for such agents or contractors to certify to the Department or Covered Entity the
extent to which Business Associate's security safeguards comply with the HIPAA Standards or
this Agreement.
5.9 Sanctions. Business Associate acknowledges that Covered Entity may impose
sanctions (contractually or otherwise, such as in the form of a letter of reprimand) on Business
Associate for violating the restrictions and conditions set forth in this Agreement.
6. TERM AND TERMINATION.
6.1 Term. The term of this Agreement shall commence on the Effective Date, and shall
terminate when all of the PHI provided by Covered Entity to Business Associate, or created or
received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered
Entity, or, if it is not feasible to return or destroy the PHI, protections are extended to such
information, in accordance with the termination provisions in this Section.
6.2 Termination for Cause. Upon Covered Entity's reasonable determination that Business
Associate has breached a material term of this Agreement, Covered Entity shall be entitled to do
any one or more of the following:
(a) Give Business Associate written notice of the existence of such breach and give
Business Associate an opportunity to cure the breach upon mutually agreeable terms. If Business
Associate does not cure the breach or end the violation according to such terms, or if Covered
Entity and Business Associate are unable to agree upon such terms, Covered Entity may
9
ACTIVE 700656705x3
immediately terminate this Agreement. If termination of this Agreement is not feasible, Covered
Entity shall report the breach to the Secretary, to the extent Required By Law.
(b) Immediately terminate this Agreement or any other arrangement between Covered
Entity and Business Associate which is the subject of such breach.
(c) Immediately stop all further disclosures of PHI to Business Associate pursuant to
the underlying agreement between the parties or other arrangement which is the subject of such
breach.
6.3 Termination Without Cause. This Agreement shall terminate upon any such date as
Covered Entity and Business Associate may agree in a writing signed by both parties.
6.4 Termination of Services. This Agreement shall terminate upon the termination or
expiration of the services provided by Business Associate.
6.5 Effect of Termination.
(a) Upon termination of this Agreement for any reason, Business Associate shall
return to Covered Entity, or destroy upon the prior written consent of Covered Entity, all PHI
received, created, received or maintained in any form by Business Associate on behalf of Covered
Entity. Business Associate shall retain no copies of such information. This Section shall also
apply to PHI that is in the possession of subcontractors or agents of Business Associates.
(b) In the event that Business Associate determines that return or destruction of PHI
is not feasible, Business Associate shall provide to Covered Entity written notification of the
conditions that make return or destruction infeasible. Upon mutual agreement of the parties that
return or destruction of PHI is infeasible, Business Associate shall extend the protections of this
Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that
make the return or destruction of the PHI infeasible, for so long as Business Associate maintains
such PHI.
(c) Business Associate shall cooperate with Covered Entity to the extent reasonably
necessary for Covered Entity to determine that all PHI has been properly returned, destroyed or
protected upon termination of this Agreement. If Business Associate destroys the PHI, Business
Associate shall certify in writing to Covered Entity that such PHI has been destroyed.
(d) Business Associate's obligations to protect the privacy and security of PHI as
provided in this Agreement, including Business Associate's obligations pursuant to this Section 6
are continuous and shall survive any termination, cancellation, expiration, or other conclusion of
this Agreement or any other agreement between Business Associate and Covered Entity.
6.6 Business Associate's Termination Rights. Business Associate shall ensure that it
maintains for itself substantially the same termination rights in this Section in any Subcontractor
Agreement it enters into with an agent or subcontractor.
10
ACTIVE 700656705x3
7. MISCELLANEOUS.
7.1 Indemnification; Limitation of Liability. To the extent permitted by law, Business
Associate shall indemnify, defend and hold harmless Covered Entity and the Department from any
and all liability, claim, lawsuit, injury, loss, expense or damage resulting from or relating to the
acts or omissions of Business Associate in connection with the representations, duties and
obligations of Business Associate under this Agreement. Any limitation of liability contained in
any other agreement between the parties shall not apply to the indemnification requirement of this
Section. This Section shall survive the termination of the Agreement.
7.2 Assistance in Litigation. Business Associate shall make itself, its employees, and any
subcontractors, employees or agents assisting Business Associate in the performance of its
obligations under this Agreement available to Covered Entity and the Department, at no cost to
Covered Entity or the Department, to testify as witnesses, or otherwise, in the event of litigation
or administrative proceedings being commenced against Covered Entity, the Department, its
directors, officers or employees based upon a claim of violation of the HIPAA Standards, if
applicable Part 2, or other laws related to security and privacy by Business Associate.
7.3 Relationship of the Parties. In the performance of the work, duties and obligations
described in this Agreement, the parties acknowledge and agree that each party is at all times acting
and performing as an independent contractor and at no time shall the relationship between the
parties be construed as a partnership, joint venture, employment, principal/agent relationship, or
master/servant relationship.
7.4 Entire Agreement. This Agreement is the sole understanding between the parties
relating to such matters, and supersedes all prior agreements and understandings, whether oral or
written. Nothing herein shall require Covered Entity to disclose any PHI to Business Associate
for such services or to utilize any service of Business Associate. Nothing herein requires Business
Associate to accept any PHI or to provide any particular services.
7.5 Assignment. No assignment of this Agreement or of the rights and obligations
hereunder by any party shall be valid, without the prior written consent of the other party. The
provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties
hereto and each of their respective successors, heirs and permitted assigns, if any.
7.6 Severability. In the event that any one or more of the provisions of this Agreement
shall for any reason be held to be invalid, illegal, or unenforceable, the remaining provisions of
this Agreement shall not be affected thereby.
7.7 Waiver and Breach. The waiver by either party of a breach or violation of any provision
of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach
of the same or other provisions hereof.
7.8 Notice. Any notice required or permitted to be given under this Agreement shall be in
writing and may be either personally delivered, sent by registered or certified mail in the U.S.
Postal Service, Return Receipt Requested, postage prepaid, or reputable overnight courier, delivery
prepaid and signature required, addressed to each party at the addresses set forth at the end of this
Agreement. Any such notice shall be deemed to have been given, if mailed as provided herein, as
11
ACTIVE 700656705x3
of forty -eighty (48) hours after mailing. All required notices shall be in writing and shall be to the
representatives at the addresses set forth below.
If for Covered Entity:
1300 N. 17th Ave
Greeley, CO 80631
If for Business Associate:
315 N. 11th Avenue
PO Box A
Greeley, Colorado 80632
Such addresses may be changed from time to time by either party by providing written notice to
the other in the manner set forth above. Any notice hereunder shall be deemed given and received
48 hours after mailing, if given by mailing in the manner provided above, or upon actual receipt
of the information if given by hand, facsimile or telegraph.
7.9 Amendments. This Agreement may only be amended or modified by written
agreement executed by all parties. The Parties agree to take such action as is necessary to amend
this Agreement from time to time as is necessary for Covered Entity to comply with the
requirements of the Privacy Regulations and HIPAA.
7.10 Governing Law/Construction. This Agreement shall be governed by applicable federal
law and the laws of the State of Colorado, without regard to conflict of laws principles. Any
ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity
to comply with the Privacy Regulations.
7.11 No Third Party Beneficiaries. Business Associate and Covered Entity agree that
Individuals who are the subject of PHI are not third party beneficiaries of this Agreement, but that
the Department is a third party beneficiary of this Agreement with rights of enforcement.
7.12 Further Acts. The parties agree that the intent of this Agreement is to comply with the
Business Associate provisions of the Privacy Regulations. Each of the parties shall execute and
deliver all documents, papers and instruments reasonably necessary or convenient to carry out the
terms of this Agreement. The parties shall, upon request at any time after the date of this
Agreement, execute, deliver and/or furnish all such documents and instruments, and do or cause
to be done all such acts and things as may be reasonable to effectuate the purpose and intent of this
Agreement as set forth herein.
12
ACTIVE 700656705x3
IN WITNESS WHEREOF, the parties have executed this Agreement to be effective as
of the Effective Date.
Covered Entity:
NORTHEAST HEALTH PARTNERS, LLC
iir,/thiff
By.
Chief Information Officer
Its:
10/28/2024
Date:
ACTIVE 700656705x3
Business Associate:
BOARD OF COUNTY COMMISSIONERS
WELD CO
By:
Kevin D. Ross, Chair
Date: OCT 2 3 2024
ATTEST: `"'
BY:
Clerk to the Board
CU/
Deputy Clerk to the Bo
13
Contract For
Entity Information
Entity Name* Entity ID*
NORTHEAST HEALTH PARTNERS @00040552
LLC
Contract Name *
NORTHEAST HEALTH PARTNERS LLC BUSINESS
ASSOCIATES AGREEMENT
Contract Status
CTB REVIEW
O New Entity?
Contract ID
8786
Contract Lead *
SADAMS
Contract Lead Email
sadams@weld.gov;cobbx
xlk@weld.gov
Parent Contract ID
Requires Board Approval
YES
Department Project #
Contract Description *
NORTHEAST HEALTH PARTNERS LLC BUSINESS ASSOCIATES AGREEMENT FOR THE PURPOSE OF DATA SHARING
INFORMATION FOR CASE MANAGEMENT AGENCY (CMA) CLIENTS. AGREEMENT IS IN PERPETUITY OR UNTIL ALL
PHI PROVIDED IS DESTROYED OR RETURNED. REVIEW IN ONE (1) YEAR.
Contract Description 2
PA ROUTING THROUGH THE NORMAL PROCESS. ETA TO
Contract Type * Department
AGREEMENT HUMAN SERVICES
Amount*
$ 0.00
Renewable*
YES
Automatic Renewal
Grant
IGA
Department Email
CM-
HumanServices@weld.gov
Department Head Email
CM-HumanServices-
DeptHead@weld.gov
County Attorney
GENERAL COUNTY
ATTORNEY EMAIL
County Attorney Email
CM-
COUNTYATTORNEY@WEL
D.GOV
TO CTB IS 10/15/2024.
Requested BOCC Agenda Due Date
Date* 10/19/2024
10/23/2024
Will a work session with BOCC be required?*
NO
Does Contract require Purchasing Dept. to be
included?
If this is a renewal enter previous Contract ID
If this is part of a MSA enter MSA Contract ID
Note: the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts
are not in OnBase
Contract Dates
Effective Date
Termination Notice Period
Contact Information
Review Date*
07/14/2025
Renewal Date*
09/12/2025
Committed Delivery Date Expiration Date
Contact Info
Contact Name Contact Type Contact Email Contact Phone 1 Contact Phone 2
Purchasing
Purchasing Approver Purchasing Approved Date
Approval Process
Department Head Finance Approver Legal Counsel
JAMIE ULRICH CHERYL PATTELLI BYRON HOWELL
DH Approved Date Finance Approved Date Legal Counsel Approved Date
10/18/2024 10/18/2024 10/18/2024
Final Approval
BOCC Approved Tyler Ref #
AG 102324
BOCC Signed Date Originator
SADAMS
BOCC Agenda Date
10/23/2024
Hello