HomeMy WebLinkAbout20240333.tiffRESOLUTION
RE: APPROVE BUSINESS ASSOCIATE AGREEMENT FOR PROTECTED HEALTH
INFORMATION AND ELECTRONIC HEALTH INFORMATION FOR DEPENDENT
ELIGIBILITY VERIFICATION PROGRAM REGARDING BENEFIT PLANS, AND
AUTHORIZE CHAIR PRO-TEM TO SIGN - CONSOVA CORPORATION
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Business Associate Agreement for
Protected Health Information and Electronic Health Information for the Dependent Verification
Program Regarding Benefit Plans between the County of Weld, State of Colorado, by and through
the Board of County Commissioners of Weld County, on behalf of the Department of Human
Resources, and Consova Corporation, commencing upon full execution of signatures, with further
terms and conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Business Associate Agreement for Protected Health Information
and Electronic Health Information for the Dependent Verification Program Regarding Benefit
Plans between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Human Resources, and Consova
Corporation, be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair Pro-Tem be, and hereby is,
authorized to sign said agreement.
cc: ?' (SS /SDF), F'S (RR/cP)
03 /iq /2y
2024-0333
PE0036
BUSINESS ASSOCIATE AGREEMENT FOR PROTECTED HEALTH INFORMATION AND
ELECTRONIC HEALTH INFORMATION FOR DEPENDENT ELIGIBILITY VERIFICATION
PROGRAM REGARDING BENEFIT PLANS - CONSOVA CORPORATION
PAGE 2
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 12th day of February, A.D., 2024.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
f.,t;thit)
Weld County Clerk to the Board
BY: • tc)a4 u.)) c k_
Deputy Clerk to the Board
AP9RJVE
County Attorney
Z
Date of signature:
ZL1
EXCUSED
Kevari-D. Ross. Chair
63,,x
Perry L. B
Pro-Tem
Mike Freeman
EXCUSED
Scott K. James
e
2024-0333
PE0036
Ck�k "1-170
BOARD OF COUNTY COMMISSIONERS
PASS -AROUND REVIEW
PASS -AROUND TITLE:
DEPARTMENT:
PERSON REQUESTING:
Addition of BAA with Consova master services agreement approved earlier in 2023.
Human Resources
Staci Datteri-Frey /Jill Scott
DATE: 12/28/2023
Brief description of the problem/issue:
Consova noticed that their master services agreement approved earlier this year did not include their Business Associate Agreement (BAA). This
agreement would establish a relationship between Weld and Consova to ensure Consova protects the personal health information of Weld County.
What options exist for the Board?
Approve to have included in the master services agreement and allow project to commence in first quarter of 2024.
Not approve.
Consequences:
A non -approval would require Weld County to go out for RFP for services again and delay project. The intent behind project is ensuring we
are covering eligible dependents on our health plans as a cost containment measure. B
Impacts:
There are no financial impacts or changes to contract by approving the BAA.
Cost (Current Fiscal Year/Ongoing or Subsequent Fiscal Years:
N/A
Recommendation:
Staff recommendation is for approval once agreement is approved by county attomey's office.
Perry L. Buck, Pro -Tern
Mike Freeman, Chair
Scott K. James
Kevin D. Ross
Lori Saine
Support Recommendation Schedule
Place p BOCC Agenda Work Session Other/Comments:
2024-0333
241 PE 003co
DocuSign Envelope ID 3ED85821-64C2-45CA-88DB-546E6451B8A7
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "Agreement") is effective as o��' 4, 2024hereinafter
"Effective Date") by and between Weld County (hereinafter "Covered Entity"), and Consova Corporation
(hereinafter "Business Associate").
Recitals
WHEREAS, Parts 160, 162 and 164 of Chapter 45 of the Code of Federal Regulations (the "Privacy and
Security Rules") issued by the Department of Health and Human Services ("IIHS") under the Health
Insurance Portability and Accountability Act of 1996 ("H1PAA") and the Health Information Technology
for Economic and Clinical Health Act, Subtitle D -Privacy (§§ 13400-13424) of the American Recovery
and Reinvestment Act contain provisions concerning the privacy and security of Protected Health
Information and Electronic Protected Health Information;
WHEREAS, the Privacy and Security Rules require that a covered entity may disclose Protected Health
Information and Electronic Protected Health Information (each as defined below) to a business associate
if the covered entity obtains a written contract with satisfactory assurances from the business associate
that it will comply with all applicable Privacy and Security Rules;
WHEREAS, under IIITECt I, certain provisions of the Privacy and Security Rules now apply directly to
business associates, including Business Associate;
WHEREAS, Business Associate will have access to, create and/or receive certain Protected Health
Information and Electronic Health Information in conjunction with the services being provided by
Business Associate to Covered Entity.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
i. Definitions. The following terms shall have the meaning set forth below:
(a) ARRA. "ARRA" means the American Recovery and Reinvestment Act of 2009, and its
implementing regulations.
(b) Breach. "Breach" has the meaning set forth in 45 C.F.R. § 164.402 to the extent the Breach
relates to the Services.
(c)
Data Aggregation. "Data Aggregation" has the meaning set forth in 45 C.F.R. § 164.501.
(d) Designated Record Set. "Designated Record Set" has the meaning set forth in in 45 C.F.R. §
164.501.
(e) Electronic 'health Record. "Electronic Health Record" shall mean an electronic record of health -
related information with respect to an Individual that is created, gathered, managed and consulted by
authorized healthcare clinicians and staff.
(t) Electronic Protected Health Information. "Electronic Protected Health Information" or
"Electronic PHI" has the meaning set forth in 45 C.F.R. § 160.103.
DocuSign Envelope ID: 3EDEEB21-64C2-45CA-8808-546E6451B8A7
(g) Genetic Information. "Genetic information" has the meaning set forth in 45 C.F.R. § 160.103.
(h) HITECH. "HITECH" means the Health Information Technology for Economic and Clinical
Health Act, Subtitle D -Privacy (§§ 13400-13424) of ARRA and its implementing regulations.
(i) Ind[ vidual. "Individual" has the meaning set forth in 45 C.F.R. § 160.103, including a person
who qualif-es as the Individual's personal representative under 45 C.F.R. § 164.502(g).
(j) Limited Data Set. "Limited Data Set" means PHI that excludes the following direct identifiers of
the Individual or of relatives, employers or household members of the Individual:
(i) Names;
(ii) Post address information, other than town or city, state and zip code;
(iii) Telephone and fax numbers;
(iv) E-mail addresses;
(v) Social Security Numbers;
(vi) Medical record numbers;
(vii Health plan beneficiary numbers;
(vii ) Account numbers;
(ix) Certificate/License numbers;
(x) Vehicle identifiers and serial numbers, including license plate numbers;
(xi) Device identifiers and serial numbers;
(xii. Web Universal Resource Locators (URLs);
(xiii) Internet Protocol (IP) address numbers;
(xis) Biometric identifiers, including finger and voice prints; and
(xv` Full face photographic images and any comparable images.
(k) Protected Health Information. "Protected Health Information" or "PHI" has the meaning set forth
in 45 C.F.O. § 160.103 for "protected health information," but limited to the information created or
received by Business Associate from or on behalf of Covered Entity in performing the Services. Genetic
Information shall be considered PHI.
(I) Required By Law. "Required By Law" means "required by law" as set forth in 45 C.F.R. §
164.103
(m) Secretary. "Secretary" shall mean the Secretary of IIl1S or his or her designee.
2
DocuSign Envelope ID: 3ED85B21-64C2-45CA-88DB-546E6451B8A7
(n) Security Incident. "Security Incident" means a "security incident" as set forth in 45 C.F.R. §
164.304 to the extent the Security Incident relates to the Services.
(o) Services. "Services" shall mean the Services performed by Business Associate for Covered
Entity that require the Business Associate's access to, creation and/or receipt of Protected Health
Information or Electronic Health Information from Covered Entity.
(p) Standard Transactions. "Standard Transactions" means "standard transactions" as set forth in 45
C.F.R. § 162.103.
(q) Subcontractor. "Subcontractor" has the meaning set forth in 45 C.F.R. § 160.103.
(r) Unsecured Protected Health Information or Unsecured PHI. "Unsecured Protected Health
Information" or "Unsecured PHI" has the meaning set forth in 45 C.F.R. § 164.402.
2. Obligations and Activities of Business Associate
(a) General. Business Associate agrees to abide by all federal and applicable state laws concerning
the confidentiality, privacy, and security of Protected Health Information and Electronic Protected Health
Information in its possession to the extent such laws apply to Business Associate's Services. Business
Associate agrees to not use or further disclose Protected Health Information or Electronic Protected
Health Information except as permitted or required by this Agreement or the Privacy and Security Rules,
or as Required by Law.
(b) Privacy Safeguards. Business Associate shall maintain appropriate administrative, physical and
technical safeguards with respect to the Services to protect the privacy of Protected Health Information
and to limit incidental uses or disclosures to only those necessary to perform the Services.
(c) Safeguarding Electronic PHI. Business Associate shall adopt administrative, physical and
technical safeguards to protect the confidentiality, integrity and availability of the Electronic Protected
Health Information that it creates, receives, maintains or transmits on behalf of the Covered Entity in
performing the Services, including complying with Subpart C of 45 C.F.R. Part 164, by implementing
policies and procedures with respect to the Services that:
(i) Prevent, detect, contain and correct security violations in accordance with the
administrative safeguards set forth in 45 C.F.R. § 164.308;
(ii) Limit physical access to electronic information systems and the facility or facilities in
which they are housed, while ensuring that properly authorized access is allowed in accordance
with the physical safeguards set forth in 45 C.F.R. § 164.310; and
(iii) Allow access to electronic information systems that maintain Electronic PHI to only
those persons or software programs that have been granted access rights in accordance with the
technical safeguards set forth in 45 C.F.R. § 164.312.
(d) Duty to Mitigate. Business Associate agrees to mitigate, to the extent practicable or as directed
by Covered Entity, any harmful effect that is known to Business Associate of a use or disclosure of
3
DocuSign Envelope ID: 3ED85B21-64C2-45CA-88DB-546E6451B8A7
Protected Heath Information or Electronic Protected Health Information by Business Associate in
violation of the requirements of this Agreement, the Privacy and Security Rules, or other applicable law.
(e) Subcontractors. Business Associate agrees to ensure that any Subcontractor to whom it provides
Protected Heath Information or Electronic Protected Health Information received from, or created or
received by Business Associate on behalf of Covered Entity, agrees in writing to the same restrictions and
conditions tha apply through this Agreement to Business Associate with respect to such information in
accordance w=th 45 C.F.R. §§ 164.308(b)(2), 164.502(e)(i)(ii) and 164.504(e)(5). Business Associate will
provide a list of such Subcontractors to Covered Entity upon its request. Business Associate will advise
Covered Entity if any Subcontractor breaches its agreement with Business Associate with respect to the
disclosure or use of Protected Health Information or Electronic PHI. If Business Associate knows of a
pattern of activity or practice of its Subcontractor that constitutes a material breach or violation of the
Subcontractor's duties and obligations under its agreement with the Subcontractor ("Subcontractor
Material Breach"), Business Associate shall cure the breach or provide a reasonable period for
Subcontractor to cure the Subcontractor Material Breach; provided, however, that, if Business Associate
cannot, or Subcontractor does not, cure the Subcontractor Material Breach within such period, Business
Associate shall terminate the agreement with Subcontractor, if feasible, at the end of such period.
(f) Access to PHI. Business Associate agrees to provide access to Protected Health Information in a
Designated Record Set, within five (5) days of a request by Covered Entity and in the manner required by
law, to Covered Entity in order to meet the requirements under 45 C.F.R. § 164.524. If the PHI is held in
an Electronic Health Record in Business Associate's possession, then if an Individual requests it from
Covered Entity, Business Associate shall provide a copy of such information in an electronic format to
Covered Entity on its request. Business Associate shall provide a copy to Covered Entity for Covered
Entity to provide to the Individual directly, if the choice to receive such information in an electronic
format is clea-ly, conspicuously and specifically made by the Individual or Covered Entity.
(g) Amendment of PHI. Business Associate shall make any amendment(s) to Protected Health
Information in a Designated Record Set pursuant to 45 C.F.R. § 164.526 that the Covered Entity requests
and Business Associate agrees to make pursuant to the Privacy and Security Rules, within five (5) days of
a request by Covered Entity and in the manner required by law. Business Associate may charge a
reasonable fee for fulfilling requests for amendment(s).
(h) Audits. For purposes of determining compliance with the Privacy and Security Rules, Business
Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI
and Electronic PHI received from, or created or received by Business Associate on behalf of Covered
Entity as partof the Services, available to the Covered Entity or, at the request of the Covered Entity or
the Secretary, to the Secretary, within thirty (30) days or in the time and manner determined by the
Secretary. Business Associate shall give Covered Entity notice as soon as possible upon receiving any
communications received directly from the Secretary that relate to Covered Entity, if such notice is not
prohibited bylaw. Business Associate shall retain books and records relating to its use and disclosure of
Protected Health Information on Covered Entity's behalf for six (6) years from the date the information is
last used or relied upon.
(i) Documenting Disclosures. Business Associate agrees to document Business Associate's
disclosures of Protected Health Information, and information related to such disclosures, as would be
4
DocuSign Envelope ID: 3ED85B21-64C2-45CA-88DB-546E6451B8A7
required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of
Protected Health Information in accordance with 45 C.F.R. § 164.528.
(j) Accounting. Business Associate agrees to provide to Covered Entity, upon request and in the
time and manner required by law, an accounting of disclosures of an individual's Protected Health
Information by Business Associate, collected in accordance with Section 2(i) of this Agreement, to permit
Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected
Health Information in accordance with 45 C.F.R. § 164.528. Business Associate may impose a
reasonable fee for such accounting in accordance with 45 C.F.R. § 164.528(c).
(k) Minimum Necessary. Business Associate agrees that it shall request from the Covered Entity and
so disclose to its affiliates, subsidiaries, agents and Subcontractors or other third parties, only a Limited
Data Set or, if necessary or otherwise permitted by HHS regulations, the minimum Protected Health
Information necessary to perform or fulfill a specific function required or permitted hereunder or to
perform the Services. Business Associate agrees that the "minimum necessary" standard shall have the
meaning set forth in HITECH.
(1) Standard Transactions. If Business Associate conducts any Standard Transactions on behalf of
Covered Entity as part of the Services, Business Associate shall comply with the applicable requirements
of 45 C.F.R. Part 162.
(m) Reporting Security Incidents. Business Associate agrees to report any Security Incident within
five (5) days of becoming aware of such incident. However, certain low risk attempts to breach network
security, such as the incidents listed below, shall not constitute a Security Incident under this Agreement,
provided they do not penetrate the perimeter, do not result in an actual Breach of security and remain
within the normal incident level:
Pings on the firewall;
Port scans;
Attempts to log onto a system or enter a database with an invalid password or username;
Denial -of -service attacks that do not result in a server being taken off-line; and
Malware, such as worms or viruses.
(n) Reporting Privacy Breaches. Business Associate agrees to report to Covered Entity in writing
any material use or disclosure of PHI of which Business Associate has actual knowledge and which is not
permitted by this Agreement, including a Breach of Unsecured PHI, that involve the Services and of
which Business Associate becomes aware within five (5) days of its becoming aware and will take such
corrective action necessary, or as directed by Covered Entity, in order to prevent and minimize damage to
any Individual whose PHI was used or disclosed in such non —permitted manner by Business Associate
and to prevent any future such occurrences. The report of a Breach of Unsecured PHI shall include the
identification of each Individual whose Unsecured PHI has been or is reasonably believed by the Business
Associate to have been accessed, acquired, used or disclosed during the Breach and any other available
information that the Covered Entity requires to notify affected Individuals under HHS regulations.
5
DocuSign Envelope ID: 3ED85B21-64C2-45CA-88DB-546E6451B8A7
If the unauthorized use or disclosure qualifies as a Breach of Unsecured PHI and has been caused by
Business Associate, Business Associate agrees to comply with the notification provisions as required by
45 C.F.R Part 164 including those listed in (i), (ii) and (iii) below:
(i) Notification to Individuals.
Following the discovery of a Breach of Unsecured PHI by Business Associate, on behalf of Covered
Entity, Business Associate shall notify each Individual, whose Unsecured PHI has been, or is reasonably
believed to have been, accessed, acquired, or disclosed as a result of such Breach in accordance with 45
C.F.R. § 164.404, as amended. Business Associate shall provide the Covered Entity with an advance
copy of any notification to be provided by the Business Associate to an Individual. The Covered Entity's
prior written approval (which includes faxed and emailed approval) of a notification is required before the
Business Associate may provide notification to an Individual, subject to the next sentence. The Covered
Entity shall provide such prior written approval in a timely manner so as to satisfy the timeliness of
notification provisions set forth in 45 C.F.R. §164.404(b), and if it has not provided such approval on a
timely basis, Business Associate may proceed with notification.
(ii) Notification to HHS.
Following the discovery of a Breach of Unsecured PHI, the Business Associate shall also notify HHS on
behalf of Covered Entity in accordance with 45 C.F.R. § 164.408, as amended.
(iii) Notification to Media.
Following a Breach of Unsecured PHI involving more than 500 residents of a state or jurisdiction, the
Business Associate shall notify the media in accordance with 45 C.F.R. § 164.406, as amended. Business
Associate shall provide the Covered Entity with an advance copy of any notification to be provided by the
Business Associate to the media. The Covered Entity's prior written approval (which includes faxed and
emailed approval) of a notification is required before the Business Associate may provide notification to
the media, except that if Covered Entity has not provided such approval within the time necessary to
allow Business Associate to give any notification required by law, Business Associate may proceed with
notification.
(o) Subpoenas and Other Requests for Information. If not prohibited by law, Business Associate
agrees to notify Covered Entity of all requests received by Business Associate for disclosure of PHI or
Electronic PHI from a law enforcement or government official, or pursuant to a subpoena, other legal
request or court or administrative order that relate specifically to the Covered Entity, as soon as possible,
but no later than five (5) business days following Business Associate's receipt of such legal request.
(p) Prohibition on Sale of Records. Business Associate shall not directly or indirectly receive
remuneration in exchange for any PHI or Electronic PHI of any Individual unless the Business Associate
or Covered Entity obtains from the Individual, in accordance with 45 C.F.R. § 164.508, a valid
authorization that includes a specification of whether the PHI or Electronic PHI can be further exchanged
for remuneration by the entity receiving PHI or Electronic PHI of that Individual, except as otherwise
allowed under HITECH. The previous sentence does not apply to Business Associate's billing of
Covered Entity for Services.
6
DocuSign Envelope ID: 3ED85B21-64C2-45CA-88DB-546E6451B8A7
(q) Training. Business Associate shall provide training as to the Privacy and Security Rules to all of
its employees who will handle or be responsible for handling PHI or Electronic PHI on behalf of the
Covered Entity.
(r) HITECH Provisions Applicable to Business Associate. Notwithstanding anything in this
Agreement to the contrary, Business Associate agrees to comply with all privacy and security provisions
of HITECH applicable to it as a "business associate" within the meaning of 45 C.F.R. § 160.103.
3. Permitted Uses and Disclosures by Business Associate
3.1 General Use and Disclosure
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health
Information to perform its obligations and Services to Covered Entity, provided that such use or
disclosure would not violate the Privacy and Security Rules if done by Covered Entity.
3.2 Specific Use and Disclosure Provisions
(a) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health
Information and Electronic Protected Health Information for the proper management and administration
of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains
reasonable assurances from the person to whom the information is disclosed that it will be held
confidential and used or further disclosed only as Required By Law or for the purpose for which it was
disclosed to the person, and the person notifies the Business Associate of any instances of which it is
aware in which the confidentiality of the information has been breached.
(b) Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI and
Electronic PHI in order to perform its obligations and Services to Covered Entity, provided that such use
or disclosure would not violate the Privacy and Security Rules if done directly by Covered Entity.
Business Associate agrees to perform its Services and obligations for Covered Entity under this
Agreement, and intends that such Services will not violate the Privacy and Security Rules, Business
Associate's privacy policies or any applicable law respecting the privacy or security of PHI.
(c) Except as otherwise limited in this Agreement, and to the extent provided for under this
Agreement, Business Associate may use PHI and Electronic PHI to provide data aggregation services to
Covered Entity, as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
(d) Business Associate may use PHI and Electronic PHI to report violations of law to appropriate
federal and state authorities, consistent with 45 C.F.R. 164.502(j)(1).
4. Obligations of Covered Entity
4.1 Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered
Entity maintains in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice.
7
DocuSign Envelope ID: 3ED85Bt1-64C2-45CA-88DB-546E6451B8A7
(b) Covered Entity shall provide Business Associate with notice of any changes in, or revocation of,
permission by Individual to use or disclose Protected Health Information, if such changes affect Business
Associate's permitted or required uses and disclosures.
(c) Covered Entity shall notify Business Associate, in writing, of any restriction to the use or
disclosure of Protected Health Information that Covered Entity has agreed to with an Individual in
accordance w th 45 C.F.R. § 164.522. Business Associate agrees to conform to any such restriction.
(d) Covered Entity acknowledges that it shall provide to, or request from, the Business Associate
only the minimum Protected Health Information necessary for Business Associate to perform or fulfill a
specific function required or permitted hereunder.
4.2 Permissible Requests by Covered Entity
Covered Entity represents and warrants that it has the right and authority to disclose Protected Health
Information to Business Associate for Business Associate to perform its obligations and provide services
to Covered Errtity, and Business Associate's use of the Protected Health Information to perform its
obligations and provide services to Covered Entity requested by Covered Entity does not, to the extent
Business Associate acts within the scope of any such request(s) and this Agreement, violate the Privacy
and Security lutes, Covered Entity's privacy notice, or any applicable law. Except as provided in
Section 3, Cowered Entity shall not request Business Associate to use or disclose Protected Health
Information in any manner that would not be permissible under the Privacy and Security Rules if done by
Covered Entity.
5. Tenn -nation
(a) Term. This Agreement shall be effective beginning on the Effective Date and shall terminate
when all of du Protected Health Information, in any form, received from, or created or received by
Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity; provided,
however, that if it is not feasible to destroy the Protected Health Information or to return the Protected
Health Information to Covered Entity, protections shall be extended to such information, in accordance
with the provisions of subsection (e).
(b) Covered Entity Termination for Cause. Notwithstanding any other provision of this Agreement,
upon Covered Entity's receipt of knowledge of a failure by Business Associate to perform Business
Associate's duties under this Agreement or other material breach of the provisions of this Agreement by
Business Associate (hereinafter collectively referred to as a "Business Associate Material Breach"),
Covered Entity shall provide a period of ten (10) business days for Business Associate to cure the
Business Associate Material Breach; provided, however, that, if Business Associate does not cure the
Business Associate Material Breach within such 10 -day period, Covered Entity shall terminate this
Agreement at -the end of such 10 -day period; and provided, further, that, if cure of such Business
Associate Maerial Breach is not possible, Covered Entity shall terminate this Agreement immediately
upon its receipt of knowledge of such Business Associate Material Breach.
(c) Tenn nation Relating to Judicial or Administrative Proceedings. Either party may terminate this
Agreement, effective immediately, if the other party is named as a defendant in a criminal proceeding for
a violation ofthe Privacy and Security Rules or other privacy or security laws, or is party to a finding or
8
CocuSign Envelope Itl 3Ff]B5821-64C2-45Ca-88DR-546F645188A7
stipulation in any administrative or civil proceeding that such party has violated the Privacy and Security
Rules or other privacy or security laws.
(d) Effect of Termination.
( I) Excett as provided in paragraph (2) of this section, upon termination of this Agreement for any
reason, Business Associate shall return or destroy all Protected Health Information and Electronic
Protected Health Information received from Covered Entity, or created or received by Business Associate
on behalf of Covered Entity, at the direction of Covered Entity. This provision shall apply to Protected
Health Information and Electronic Protected Health Information that is in the possession of
Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the
Protected Health Information and Electronic Protected Health Information.
(21 In the event Business Associate determines that returning or destroy ing the Protected Health
Information cc Electronic Protected Health Information is infeasible, Business Associate shall provide to
Covered Entity notification of the conditions that make retum or destruction infeasible. Business
Associate shall extend the protections of this Agreement to such Protected Health Information or
Electronic Protected Health Information for which return or destruction infeasible, for so long as Business
Associate maintains such Protected Health Information or Electronic Protected I ealth Information.
Following the termination of this Agreement. Business Associate shall not disclose Protected Health
Information or Electronic Protected Health Information except to Covered Entity or as Required by I_aw.
6. tiliscellaneous
(a) Regulatory References. A reference in this Agreement to a section in the Privacy and Security
Rules means the section as in effector as amended, and for which compliance is required.
(b) Amendment. This Agreement may be amended upon the mutual written agreement of the parties.
Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health
Information or Electronic Protected I lealth Information, or the publication of any decision of a court of
the I;cited States or any state relating to any such law or the publication of any interpretive policy or
opinion of any governmental agency charged with the enforcement of any such law or regulation, either
party may. by written notice to the other party, and by mutual agreement, amend the Agreement in such
manner as sac') party determines necessary to comply with such law or regulation. lithe other party
disagrees with such amendment, it shall so notify the first party in writing within thirty (301 days of the
notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either
of the parties may terminate the Agreement on thirty (30) days written notice to the other party.
(c) Survival. The obligations of Business Associate under Sections 5(d)(2) and 6(f) of this
Agreement shall survive the termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement shall he resolved in favor of a meaning that
permits both parties to comply with the Privacy and Security Rules. In the event of any inconsistency or
conflict between this Agreement and any other agreement hetween the panics, the terms, provisions and
conditions of this Agreement shall govern and control.
9
DocuSign Envelope ID 3F -D85821 64C2-45CA-HOB 546E645i B8A7
(e) No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer,
nor shall anything herein confer, upon any person other than the parties and the respective successors or
assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever
(1)The Parties agree and acknowledge that. except as otherwise expressly set forth herein or
mandated by applicable laws and regulations. the indemnification provisions set forth in Section 6 of the
Master Services Agreement between the Parties shall govern each Part's indemnification rights and
obligations for acts or omissions under this Agreement. and such Section 6 is incorporated herein by
reference.
(g) Insurance. Business Associate agrees to seek, and (if coverage is available) maintain insurance
coverage against the improper use and disclosure of PHI by Business Associate. Promptly following a
request by Covered Entity, Rosiness Associate will provide a certificate evidencing such insurance
coverage.
(h) Governing Law. This Agreement shall be governed by and construed in accordance with the laws
of the State of Colorado, not including its choice of law and conflicts of law rules, to the extent not
preempted by federal law.
Ii) Compliance with taws and Policies. Business Associate shall comply with all applicable Federal
and state laws and regulations concerning PHI during the term of this Agreement and, to the extent
provided in Article VI of this Agreement after the termination thereof, including without limitation: ( I )
the Privacy and Security Rules; and (2) state privacy or security laws, rules and regulations that apply to
Business Associate concerning Protected Health Information and that are not preempted by the Privacy
and Security Rules or ERISA.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their duly
authorizedrepresentatives as of the Effective Date
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
;z,Zti7?,44,.4
Perry f. Buc. , Chair Pro-Tem
FEB 1 2 2? 21,}
ATTEST:_.,(441W;li
Jerk to the Boar
Ry:
Deputy CI
Date: FEB 1 2 2024
Its:
Date
Consova Corporation
By: John Cratin
Its: SVP. CGO
Date: Dec 4, 2023
�O���o336
Contract Form
Entity Information
Entity Name *
CONSOVA CORPORATION
Contract Name *
BUSINESS ASSOCIATE AGREEMENT
Contract Status
CTB REVIEW
Entity ID"
@00047315
[0 New Entity?
Contract ID
7784
Contract Lead
BPETERSON
Contract Lead Email
bpeterson@weld.gov
Contract Description *
AGREEMENT TO ESTABLISH PHI BETWEEN WELD COUNTY AND CONSOVA.
Contract Description 2
Contract Type"
AGREEMENT
Amount"
$0.00
Renewable"
NO
Automatic Renewal
Grant
IGA
Department
HUMAN RESOURCES
Department Email
CM-
HumanResources@weldgo
v.com
Department Head Email
CM-HumanResources-
DeptHead@weldgov.com
County Attorney
GENERAL COUNTY
ATTORNEY EMAIL
County Attorney Email
CM-
COU NTYATTORN EY@WEL
DGOV.COM
Parent Contract ID
Requires Board Approval
YES
Department Project #
Requested BOCC Agenda Due Date
Date* 02/01/2024
02/05/2024
Will a work session with BOCC be required?*
NO
Does Contract require Purchasing Dept. to be
included?
If this is a renewal enter previous Contract ID
If this is part of a MSA enter MSA Contract ID
Note: the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts
are not in OnBase
Contract Dates
Effective Date
Termination Notice Period
Contact Information
Review Date *
10/31/2028
Committed Delivery Date
Renewal Date
Expiration Date*
12/31/2028
Contact Info
Contact Name Contact Type Contact Email Contact Phone 1 Contact Phone 2
Purchasing
Purchasing Approver
Approval Process
Department Head
JILL SCOTT
DH Approved Date
02/08/2024
Final Approval
BOCC Approved
BOCC Signed Date
BOCC Agenda Date
02/12/2024
Purchasing Approved Date
Finance Approver
CHERYL PATTELLI
Finance Approved Date
02/08/2024
Tyler Ref #
AG 021224
Originator
BPETERSON
Legal Counsel
BRUCE BARKER
Legal Counsel Approved Date
02/08/2024
Hello