RESOLUTION
RE: APPROVE AGREEMENT FOR TRANSITION DATA SHARING FOR CASE
MANAGEMENT AGENCY (CMA) FUNCTIONS AND AUTHORIZE CHAIR TO SIGN
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with an Agreement for Transition Data Sharing
for Case Management Agency (CMA) Functions between the County of Weld, State of Colorado,
by and through the Board of County Commissioners of Weld County, on behalf of the Department
of Human Services, and the Colorado Department of Health Care Policy and Financing,
commencing upon full execution of signatures, and ending March 1, 2024, with further terms and
conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Agreement for Transition Data Sharing for Case Management
Agency (CMA) Functions between the County of Weld, State of Colorado, by and through the
Board of County Commissioners of Weld County, on behalf of the Department of Human Services,
and the Colorado Department of Health Care Policy and Financing, be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 27th day of November, A.D., 2023.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
Weld County Clerk to the Board
BY:
Deputy Clerk to the Board
Mike Freeman, Chair
Perry L. Buck, Pro-Tem
Scott K. James
Kevin D. Ross
APPROVED AS TO FORM:
County Attorney
Date of signature:
2023-3424
HR0095
BOARD OF COUNTY COMMISSIONERS
PASS-AROUND REVIEW
PASS-AROUND TITLE: State of Colorado Agreement for Transition Data Sharing.
DEPARTMENT: Human Services
DATE: November 20, 2023
PERSON REQUESTING: Jamie Ulrich, Director, Human Services
Brief description of the problem/issue: In response to the Case Management Agency (CMA) Request for
Proposal (RFP) and subsequent award, known to the Board as Tyler ID#2023-0543, the Department is
requesting to enter into a Data Sharing Agreement with the Colorado Department of Health Care Policy &
Financing (HCPF). This agreement will allow for the transfer of data from the existing CMA to the Weld County
Department of Human Services, who will be assuming CMA functions on March 1, 2024. The signed agreement
will be shared with the outgoing agency(ies) in the Defined Service Area, which will allow the outgoing CMA to
share member information with the incoming CMA.
What options exist for the Board?
• Approval of the State of Colorado Agreement for Transition Data Sharing.
• Deny approval of the State of Colorado Agreement for Transition Data Sharing.
Consequences: Data sharing between outgoing and incoming CMAs will not occur.
Impacts: CMA records will not be shared with Weld County resulting in the loss of data for
clients served.
Costs (Current Fiscal Year/Ongoing or Subsequent Fiscal Years):
• This is a non-financial Agreement.
Recommendation:
• Approval of the State of Colorado Agreement for Transition Data Sharing and authorize the Chair to sign.
Support Recommendation Schedule
Place on BOCC Agenda Work Session Other/Comments:
Perry L. Buck, Pro-Tem
Mike Freeman, Chair
Scott K. James
Kevin D. Ross
Lori Saine
Pass-Around Memorandum; November 20, 2023 - CMS ID 7636 2023-3424
STATE OF COLORADO AGREEMENT FOR TRANSITION
DATA SHARING
COVER AND SIGNATURE PAGE
State Agency: Department of Health Care Policy and Financing
Contractor: Weld County Department of Human Services
Agreement Performance Beginning Date: The date this Agreement for Transition Data Sharing is signed
by the Contractor
Agreement Expiration Date: Execution of the Department's Case Management Agency
(CMA) Contract with Contractor
Agreement Purpose
Permit the transfer of data from the Department's existing case management agency designated to serve Weld to Weld County
Department of Human Services who will assume Case Management Agency (CMA) functions for Weld for the purposes of
preparing the Contractor to begin work under its updated CMA contract prior to the execution of the Contract.
Exhibits and Order of Precedence
The following Exhibits and attachments are included with this Agreement:
1. Exhibit A, HIPAA Business Associate Addendum
2. Exhibit B, Statement of Work
In the event of a conflict or inconsistency between this Agreement and any Exhibit or attachment, such conflict or
inconsistency shall be resolved by reference to the documents in the following order of priority:
1. Exhibit A, HIPAA Business Associate Addendum
2. The provisions of the other sections of the main body of this Agreement.
3. Exhibit B, Statement of Work.
THE CONTRACTOR AGREES TO THE TERMS OF THIS AGREEMENT
The person signing this Agreement represents and warrants that they are duly authorized to execute this Agreement and to
bind the Party authorizing such signature.
CONTRACTOR
Weld County Department of Human Services
by and through the Board of Weld County Commissioners
By: BOCC Chair
Date: NOV 27 2023
2023-3424
1. PARTIES
This Agreement is entered into by and between the STATE OF COLORADO acting by and through
the State agency named on the Cover Page for this Agreement (the "State," the "Department," or
"HCPF") and Contractor named on the Cover Page for this Agreement (the "Contractor")
(individually a "Party" and collectively the "Parties"). Contractor and the State agree to the terms
and conditions in this Agreement.
2. TERM AND EFFECTIVE DATE
A. Effective Date
This Agreement shall be valid or enforceable upon the Agreement Performance Beginning
Date shown on the Cover and Signature Page for this Agreement. Once Contractor has signed
this agreement, the Department's acceptance of this agreement shall be documented by
providing, or authorizing an existing Contractor to provide, the Department's Protected
Health Information (PHI) and other information necessary for Contractor to begin the work
described in Exhibit B.
B. Term
The Parties' respective performances under this Agreement shall commence on the
Agreement Performance Beginning Date shown on the Cover Page for this Agreement and
shall terminate on the Agreement Expiration Date shown on the Cover Page for this
Agreement (the "Term") unless sooner terminated or further extended in accordance with the
terms of this Agreement.
C. Extension Terms
The Parties may agree to extend the Term of this Agreement using an amendment. Except
as modified by such amendment, the terms of this Agreement shall apply during the term of
the Agreement, as extended through amendments.
D. Early Termination
The Parties agree that either Party may terminate this agreement by providing notice to the
other Party.
3. STATEMENT OF WORK
The Contractor shall complete the requirements as described in this Agreement and in accordance
with the provisions of Exhibit B.
4. PAYMENTS
The Department shall not be responsible to Contractor for any payments under this Agreement.
The Department is providing access to information necessary for Contractor to begin performing
its transition work described in Exhibit B as its sole obligation under this Agreement.
5. CONFIDENTIAL INFORMATION - STATE RECORDS
A. Confidentiality
Contractor shall keep confidential, all information provided by the Department (the "State
Records"), unless those State Records are publicly available. Contractor shall not, without
prior written approval of the State, use, publish, copy, disclose to any third party, or permit
the use by any third party of any State Records, except as otherwise stated in this Agreement,
permitted by law or approved in Writing by the State. Contractor shall provide for the security
Page 1 of 5
of all State Records in accordance with all policies promulgated by the Colorado Office of
Information Security and all applicable laws, rules, policies, publications, and guidelines.
Contractor shall provide for the security of such data according to the federal Health
Insurance Portability and Accountability Act for all PHI, if applicable. Contractor shall
immediately forward any request or demand for State Records to the State's principal
representative.
B. Use, Security, and Retention
Contractor shall use, hold and maintain State Records in compliance with any and all
applicable laws and regulations in facilities located within the United States, and shall
maintain a secure environment that ensures confidentiality of all State Records wherever
located. Contractor shall provide the State with access, subject to Contractor's reasonable
security requirements, for purposes of inspecting and monitoring access and use of State
Records and evaluating security control effectiveness. Upon the expiration or termination of
this Agreement, Contractor shall return State Records provided to Contractor or destroy such
State Records and certify to the State that it has done so, as directed by the State. If Contractor
is prevented by law or regulation from returning or destroying State Records, Contractor
warrants it will guarantee the confidentiality of, and cease to use, such State Records.
C. Incident Notice and Remediation
If Contractor becomes aware of any unauthorized access or other event that is likely to result
in unauthorized access to State Records (an "Incident"), it shall notify the State immediately
and cooperate with the State regarding recovery, remediation, and the necessity to involve
law enforcement, as determined by the State. Unless Contractor can establish that none of
Contractor or any of its agents, employees, assigns or affiliates are the cause or source of the
Incident, Contractor shall be responsible for the cost of notifying each person who may have
been impacted by the Incident. After an Incident, Contractor shall take steps to reduce the
risk of incurring a similar type of Incident in the future as directed by the State, which may
include, but is not limited to, developing and implementing a remediation plan that is
approved by the State at no additional cost to the State. The State may, in its sole discretion
and at Contractor's sole expense, require Contractor to engage the services of an independent,
qualified, State-approved third party to conduct a security audit. Contractor shall provide the
State with results of such audit and evidence of Contractor's planned remediation in response
to any negative findings.
D. Data Protection and Handling
Contractor shall ensure that all State Records in the possession of Contractor are protected
and handled in accordance with the requirements of this Agreement, including the
requirements of any Exhibits hereto, at all times.
E. Safeguarding PII
Contractor shall provide for the security of all Personally Identifying Information, in a
manner and form acceptable to the State, including, without limitation, State non-disclosure
requirements, use of appropriate technology, security practices, computer access security,
data access security, data storage encryption, data transmission encryption, security
inspections, and audits. Contractor shall be a "Third-Party Service Provider" as defined in
§24-73-103(1)(i), C.R.S. and shall maintain security procedures and practices consistent with
§§24-73-101 et seq., C.R.S.
6. BREACH OF AGREEMENT
In the event of a breach of this Agreement, the aggrieved Party shall give written notice of breach
to the other Party. If the notified Party does not cure the Breach of Agreement, at its sole expense,
within 30 days after the delivery of written notice, the Party may exercise any of the remedies as
described in §7 for that Party. Notwithstanding any provision of this Agreement to the contrary,
the State, in its discretion, need not provide notice or a cure period and may immediately terminate
this Agreement in whole or in part or institute any other remedy in this Agreement in order to
protect the public interest of the State.
7. REMEDIES
If either Party is in breach of any provision of this Agreement and does not cure such breach,
the other Party, following the notice and cure period in §6 and the dispute resolution process in §8
shall have all remedies available at law and equity.
8. DISPUTE RESOLUTION
Except as herein specifically provided otherwise, disputes concerning the performance of this
Agreement which cannot be resolved by the designated Agreement representatives shall be referred
in writing to a senior departmental management staff member designated by the State and a senior
manager designated by Contractor for resolution.
9. GENERAL PROVISIONS
A. Assignment
Each Party's rights and obligations under this Agreement are personal and may not be
transferred or assigned without the prior, written consent of the other Party, except that the
Contractor may assign or transfer them to an affiliate with the same corporate ownership and
the State may assign or transfer them to another agency within the State without consent. Any
attempt at assignment or transfer in violation of this section shall be void. Any assignment or
transfer of a Party's rights and obligations shall be subject to the provisions of this
Agreement.
B. Binding Effect
Except as otherwise provided in §12.A., all provisions of this Agreement, including the
benefits and burdens, shall extend to and be binding upon the Parties' respective successors
and assigns.
C. Authority
Each Party represents and warrants to the other that the execution and delivery of this
Agreement and the performance of such Party's obligations have been duly authorized.
D. Captions and References
The captions and headings in this Agreement are for convenience of reference only, and shall
not be used to interpret, define, or limit its provisions. All references in this Agreement to
sections (whether spelled out or using the § symbol), subsections, exhibits or other
attachments, are references to sections, subsections, exhibits or other attachments contained
herein or incorporated as a part hereof, unless otherwise noted.
E. Counterparts
This Agreement may be executed in multiple, identical, original counterparts, each of which
shall be deemed to be an original, but all of which, taken together, shall constitute one and
the same agreement.
F. Modification
Except as otherwise provided in this Agreement, any modification to this Agreement shall
only be effective if agreed to in a formal amendment to this Agreement, properly signed by
both Parties.
G. Severability
The invalidity or unenforceability of any provision of this Agreement shall not affect the
validity or enforceability of any other provision of this Agreement, which shall remain in full
force and effect, provided that the Parties can continue to perform their obligations under this
Agreement in accordance with the intent of this Agreement.
H. Survival of Certain Agreement Terms
Any provision of this Agreement that imposes an obligation on a Party after termination or
expiration of this Agreement shall survive the termination or expiration of this Agreement
and shall be enforceable by the other Party.
I. Third Party Beneficiaries
Except for the Parties' respective successors and assigns described in §12.A., this Agreement
does not and is not intended to confer any rights or remedies upon any person or entity other
than the Parties. Enforcement of this Agreement and all rights and obligations hereunder are
reserved solely to the Parties. Any services or benefits which third parties receive as a result
of this Agreement are incidental to this Agreement, and do not create any rights for such third
parties.
J. Indemnification
i. General Indemnification
Contractor shall indemnify, save, and hold harmless the State, its employees, agents
and assignees (the "Indemnified Parties"), against any and all costs, expenses, claims,
damages, liabilities, court awards and other amounts (including attorneys' fees and
related costs) incurred by any of the Indemnified Parties in relation to any act or
omission by Contractor, or its employees, agents, affiliates, or assignees in connection
with this Agreement.
ii. Confidential Information Indemnification
Disclosure or use of State Confidential Information by Contractor in violation of §5
may be cause for legal action by third parties against Contractor, the State, or their
respective agents. Contractor shall indemnify, save, and hold harmless the Indemnified
Parties, against any and all claims, damages, liabilities, losses, costs, expenses
(including attorneys' fees and costs) incurred by the State in relation to any act or
omission by Contractor, or its employees, agents, assigns, or affiliates in violation of
§5.
10. COLORADO SPECIAL PROVISIONS
A. COMPLIANCE WITH LAW.
Contractor shall strictly comply with all applicable federal and State laws, rules, and
regulations in effect or hereafter established, including, without limitation, laws applicable
to discrimination and unfair employment practices.
B. CHOICE OF LAW, JURISDICTION, AND VENUE.
Colorado law, and rules and regulations issued pursuant thereto, shall be applied in the
interpretation, execution, and enforcement of this Agreement. Any provision included or
incorporated herein by reference which conflicts with said laws, rules, and regulations shall
be null and void. All suits or actions related to this Agreement shall be filed and proceedings
held in the State of Colorado and exclusive venue shall be in the City and County of Denver.
EXHIBIT A, HIPAA BUSINESS ASSOCIATES ADDENDUM
This HIPAA Business Associate Agreement ("Agreement") between the State and Contractor is agreed to
in connection with, and as an exhibit to, the Contract. For purposes of this Agreement, the State is referred
to as "Covered Entity" and the Contractor is referred to as "Business Associate". Unless the context clearly
requires a distinction between the Contract and this Agreement, all references to "Contract" shall include
this Agreement.
1. PURPOSE
Covered Entity wishes to disclose information to Business Associate, which may include Protected Health
Information ("PHI"). The Parties intend to protect the privacy and security of the disclosed PHI in
compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. No.
104-191 (1996) as amended by the Health Information Technology for Economic and Clinical Health Act
("HITECH Act") enacted under the American Recovery and Reinvestment Act of 2009 ("ARRA") Pub. L.
No. 111-5 (2009), implementing regulations promulgated by the U.S. Department of Health and Human
Services at 45 C.F.R. Parts 160, 162 and 164 (the "HIPAA Rules") and other applicable laws, as amended.
Prior to the disclosure of PHI, Covered Entity is required to enter into an agreement with Business Associate
containing specific requirements as set forth in, but not limited to, Title 45, Sections 160.103, 164.502(e)
and 164.504(e) of the Code of Federal Regulations ("C.F.R.") and all other applicable laws and regulations,
all as may be amended.
2. DEFINITIONS
The following terms used in this Agreement shall have the same meanings as in the HIPAA Rules: Breach,
Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum
Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security
Incident, Subcontractor, Unsecured Protected Health Information, and Use.
The following terms used in this Agreement shall have the meanings set forth below:
a. Business Associate. "Business Associate" shall have the same meaning as the term "business
associate" at 45 C.F.R. 160.103, and shall refer to Contractor.
b. Covered Entity. "Covered Entity" shall have the same meaning as the term "covered entity" at
45 C.F.R. 160.103, and shall refer to the State.
c. Information Technology and Information Security. "Information Technology" and
"Information Security" shall have the same meanings as the terms "information technology"
and "information security", respectively, in §24-37.5-102, C.R.S.
Capitalized terms used herein and not otherwise defined herein or in the HIPAA Rules shall have the
meanings ascribed to them in the Contract.
3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
EXHIBIT A,HIPAA BAA Page 1 of 9 Revised 8/18
a. Permitted Uses and Disclosures.
i. Business Associate shall use and disclose PHI only to accomplish Business Associate's
obligations under the Contract.
i. To the extent Business Associate carries out one or more of Covered Entity's
obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply
with any and all requirements of Subpart E that apply to Covered Entity in the
performance of such obligation.
ii. Business Associate may disclose PHI to carry out the legal responsibilities of Business
Associate, provided, that the disclosure is Required by Law or Business Associate
obtains reasonable assurances from the person to whom the information is disclosed
that:
A. the information will remain confidential and will be used or disclosed only as
Required by Law or for the purpose for which Business Associate originally
disclosed the information to that person, and;
B. the person notifies Business Associate of any Breach involving PHI of which
it is aware.
iii. Business Associate may provide Data Aggregation services relating to the Health Care
Operations of Covered Entity. Business Associate may de-identify any or all PHI
created or received by Business Associate under this Agreement, provided the
de-identification conforms to the requirements of the HIPAA Rules.
b. Minimum Necessary. Business Associate, its Subcontractors and agents, shall access, use, and
disclose only the minimum amount of PHI necessary to accomplish the objectives of the
Contract, in accordance with the Minimum Necessary Requirements of the HIPAA Rules
including, but not limited to, 45 C.F.R. 164.502(b) and 164.514(d).
c. Impermissible Uses and Disclosures.
i. Business Associate shall not disclose the PHI of Covered Entity to another covered
entity without the written authorization of Covered Entity.
ii. Business Associate shall not share, use, disclose or make available any Covered Entity
PHI in any form via any medium with or to any person or entity beyond the boundaries
or jurisdiction of the United States without express written authorization from Covered
Entity.
d. Business Associate's Subcontractors.
i. Business Associate shall, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and
164.308(b)(2), ensure that any Subcontractors who create, receive, maintain, or
transmit PHI on behalf of Business Associate agree in writing to the same restrictions,
conditions, and requirements that apply to Business Associate with respect to
safeguarding PHI.
ii. Business Associate shall provide to Covered Entity, on Covered Entity's request, a list
of Subcontractors who have entered into any such agreement with Business Associate.
iii. Business Associate shall provide to Covered Entity, on Covered Entity's request,
copies of any such agreements Business Associate has entered into with
Subcontractors.
e. Access to System. If Business Associate needs access to a Covered Entity Information
Technology system to comply with its obligations under the Contract or this Agreement,
Business Associate shall request, review, and comply with any and all policies applicable to
Covered Entity regarding such system including, but not limited to, any policies promulgated
by the Office of Information Technology and available at http://oit.state.co.us/about/policies.
f. Access to PHI. Business Associate shall, within ten days of receiving a written request from
Covered Entity, make available PHI in a Designated Record Set to Covered Entity as necessary
to satisfy Covered Entity's obligations under 45 C.F.R. 164.524.
g. Amendment of PHI.
i. Business Associate shall within ten days of receiving a written request from Covered
Entity make any amendment to PHI in a Designated Record Set as directed by or agreed
to by Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as
necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.526.
ii. Business Associate shall promptly forward to Covered Entity any request for
amendment of PHI that Business Associate receives directly from an Individual.
h. Accounting Rights. Business Associate shall, within ten days of receiving a written request
from Covered Entity, maintain and make available to Covered Entity the information necessary
for Covered Entity to satisfy its obligations to provide an accounting of Disclosure under 45
C.F.R. 164.528.
i. Restrictions and Confidential Communications.
i. Business Associate shall restrict the Use or Disclosure of an Individual's PHI within
ten days of notice from Covered Entity of:
A. a restriction on Use or Disclosure of PHI pursuant to 45 C.F.R. 164.522; or
B. a request for confidential communication of PHI pursuant to 45 C.F.R.
164.522.
ii. Business Associate shall not respond directly to an Individual's requests to restrict the
Use or Disclosure of PHI or to send all communication of PHI to an alternate address.
iii. Business Associate shall refer such requests to Covered Entity so that Covered Entity
can coordinate and prepare a timely response to the requesting Individual and provide
direction to Business Associate.
j. Governmental Access to Records. Business Associate shall make its facilities, internal
practices, books, records, and other sources of information, including PHI, available to the
Secretary for purposes of determining compliance with the HIPAA Rules in accordance with
45 C.F.R. 160.310.
k. Audit, Inspection and Enforcement.
i. Business Associate shall obtain and update at least annually a written assessment
performed by an independent third party reasonably acceptable to Covered Entity,
which evaluates the Information Security of the applications, infrastructure, and
processes that interact with the Covered Entity data Business Associate receives,
manipulates, stores and distributes. Upon request by Covered Entity, Business
Associate shall provide to Covered Entity the executive summary of the assessment.
ii. Business Associate, upon the request of Covered Entity, shall fully cooperate with
Covered Entity's efforts to audit Business Associate's compliance with applicable
HIPAA Rules. If, through audit or inspection, Covered Entity determines that Business
Associate's conduct would result in violation of the HIPAA Rules or is in violation of
the Contract or this Agreement, Business Associate shall promptly remedy any such
violation and shall certify completion of its remedy in writing to Covered Entity.
l. Appropriate Safeguards.
i. Business Associate shall use appropriate safeguards and comply with Subpart C of 45
C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other
than as provided in this Agreement.
ii. Business Associate shall safeguard the PHI from tampering and unauthorized
disclosures.
iii. Business Associate shall maintain the confidentiality of passwords and other data
required for accessing this information.
iv. Business Associate shall extend protection beyond the initial information obtained
from Covered Entity to any databases or collections of PHI containing information
derived from the PHI. The provisions of this section shall be in force unless PHI is
de-identified in conformance to the requirements of the HIPAA Rules.
m. Safeguard During Transmission.
i. Business Associate shall use reasonable and appropriate safeguards including, without
limitation, Information Security measures to ensure that all transmissions of PHI are
authorized and to prevent use or disclosure of PHI other than as provided for by this
Agreement.
ii. Business Associate shall not transmit PHI over the internet or any other insecure or
open communication channel unless the PHI is encrypted or otherwise safeguarded
with a FIPS-compliant encryption algorithm.
n. Reporting of Improper Use or Disclosure and Notification of Breach.
i. Business Associate shall, as soon as reasonably possible, but immediately after
discovery of a Breach, notify Covered Entity of any use or disclosure of PHI not
provided for by this Agreement, including a Breach of Unsecured Protected Health
Information as such notice is required by 45 C.F.R. 164.410 or a breach for which
notice is required under §24-73-103, C.R.S.
ii. Such notice shall include the identification of each Individual whose Unsecured
Protected Health Information has been, or is reasonably believed by Business
Associate to have been, accessed, acquired, or disclosed during such Breach.
iii. Business Associate shall, as soon as reasonably possible, but immediately after
discovery of any Security Incident that does not constitute a Breach, notify Covered
Entity of such incident.
iv. Business Associate shall have the burden of demonstrating that all notifications were
made as required, including evidence demonstrating the necessity of any delay.
o. Business Associate's Insurance and Notification Costs.
i. Business Associate shall bear all costs of a Breach response including, without
limitation, notifications, and shall maintain insurance to cover:
A. loss of PHI data;
B. Breach notification requirements specified in HIPAA Rules and in
§24-73-103, C.R.S.; and
C. claims based upon alleged violations of privacy rights through improper use
or disclosure of PHI.
ii. All such policies shall meet or exceed the minimum insurance requirements of the
Contract or otherwise as may be approved by Covered Entity (e.g., occurrence basis,
combined single dollar limits, annual aggregate dollar limits, additional insured status,
and notice of cancellation).
iii. Business Associate shall provide Covered Entity a point of contact who possesses
relevant Information Security knowledge and is accessible 24 hours per day, 7 days
per week to assist with incident handling.
iv. Business Associate, to the extent practicable, shall mitigate any harmful effect known
to Business Associate of a Use or Disclosure of PHI by Business Associate in violation
of this Agreement.
p. Subcontractors and Breaches.
i. Business Associate shall enter into a written agreement with each of its Subcontractors
and agents, who create, receive, maintain, or transmit PHI on behalf of Business
Associate. The agreements shall require such Subcontractors and agents to report to
Business Associate any use or disclosure of PHI not provided for by this Agreement,
including Security Incidents and Breaches of Unsecured Protected Health Information,
on the first day such Subcontractor or agent knows or should have known of the Breach
as required by 45 C.F.R. 164.410.
ii. Business Associate shall notify Covered Entity of any such report and shall provide
copies of any such agreements to Covered Entity on request.
q. Data Ownership.
i. Business Associate acknowledges that Business Associate has no ownership rights
with respect to the PHI.
ii. Upon request by Covered Entity, Business Associate immediately shall provide
Covered Entity with any keys to decrypt information that the Business Associate has
encrypted and maintains in encrypted form, or shall provide such information in
unencrypted usable form.
r. Retention of PHI. Except upon termination of this Agreement as provided in Section 5 below,
Business Associate and its Subcontractors or agents shall retain all PHI throughout the term of
this Agreement, and shall continue to maintain the accounting of disclosures required under
Section 3.h above, for a period of six years.
4. OBLIGATIONS OF COVERED ENTITY
b. Safeguards During Transmission. Covered Entity shall be responsible for using appropriate
safeguards including encryption of PHI, to maintain and ensure the confidentiality, integrity,
and security of PHI transmitted pursuant to this Agreement, in accordance with the standards
and requirements of the HIPAA Rules.
c. Notice of Changes.
i. Covered Entity maintains a copy of its Notice of Privacy Practices on its website.
Covered Entity shall provide Business Associate with any changes in, or revocation of,
permission to use or disclose PHI, to the extent that it may affect Business Associate's
permitted or required uses or disclosures.
ii. Covered Entity shall notify Business Associate of any restriction on the use or disclosure
of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the
extent that it may affect Business Associate's permitted use or disclosure of PHI.
5.TERMINATION
d. Breach.
i. In addition to any Contract provision regarding remedies for breach,Covered Entity
shall have the right,in the event of a breach by Business Associate of any provision of
this Agreement,to terminate immediately the Contract,or this Agreement,or both.
ii. Subject to any directions from Covered Entity,upon termination of the Contract,this
Agreement,or both,Business Associate shall take timely,reasonable,and necessary
action to protect and preserve property in the possession of Business Associate in
which Covered Entity has an interest.
b. Effect of Termination.
i. Upon termination of this Agreement for any reason,Business Associate,at the option
of Covered Entity,shall return or destroy all PHI that Business Associate,its agents,
or its Subcontractors maintain in any form,and shall not retain any copies of such PHI.
ii. If Covered Entity directs Business Associate to destroy the PHI,Business Associate
shall certify in writing to Covered Entity that such PHI has been destroyed.
iii. If Business Associate believes that returning or destroying the PHI is not feasible,
Business Associate shall promptly provide Covered Entity with notice of the
conditions making return or destruction infeasible.Business Associate shall continue
to extend the protections of Section 3 of this Agreement to such PHI,and shall limit
further use of such PHI to those purposes that make the return or destruction of such
PHI infeasible.
6.INJUNCTIVE RELIEF
Covered Entity and Business Associate agree that irreparable damage would occur in the event Business
Associate or any of its Subcontractors or agents use or disclose PHI in violation of this Agreement, the
HIPAA Rules or any applicable law. Covered Entity and Business Associate further agree that money
damages would not provide an adequate remedy for such Breach.Accordingly,Covered Entity and
Business Associate agree that Covered Entity shall be entitled to injunctive relief,specific performance,
and other equitable relief to prevent or restrain any Breach or threatened Breach of and to enforce
specifically the terms and provisions of this Agreement.
7.LIMITATION OF LIABILITY
Any provision in the Contract limiting Contractor's liability shall not apply to Business Associate's liability
under this Agreement,which shall not be limited.
8.DISCLAIMER
Covered Entity makes no warranty or representation that compliance by Business Associate with this
Agreement or the HIPAA Rules will be adequate or satisfactory for Business Associate's own purposes.
Business Associate is solely responsible for all decisions made and actions taken by Business Associate
regarding the safeguarding of PHI.
9.CERTIFICATION
Covered Entity has a legal obligation under HIPAA Rules to certify as to Business Associate's Information
Security practices.Covered Entity or its authorized agent or contractor shall have the right to examine
Business Associate's facilities,systems,procedures,and records,at Covered Entity's expense,if Covered
Entity determines that examination is necessary to certify that Business Associate's Information Security
safeguards comply with the HIPAA Rules or this Agreement.
10.AMENDMENT
e. Amendment to Comply with Law.The Parties acknowledge that state and federal laws and
regulations relating to data security and privacy are rapidly evolving and that amendment of
this Agreement may be required to provide procedures to ensure compliance with such
developments.
i. In the event of any change to state or federal laws and regulations relating to data
security and privacy affecting this Agreement,the Parties shall take such action as
is necessary to implement the changes to the standards and requirements of
HIPAA,the HIPAA Rules and other applicable rules relating to the confidentiality,
integrity,availability and security of PHI with respect to this Agreement.
ii. Business Associate shall provide to Covered Entity written assurance satisfactory
to Covered Entity that Business Associate shall adequately safeguard all PHI,and
obtain written assurance satisfactory to Covered Entity from Business Associate's
Subcontractors and agents that they shall adequately safeguard all PHI.
iii. Upon the request of either Party,the other Party promptly shall negotiate in good faith
the terms of an amendment to the Contract embodying written assurances consistent
with the standards and requirements of HIPAA,the HIPAA Rules,or other applicable
rules.
iv. Covered Entity may terminate this Agreement upon 30 days'prior written notice in the
event that:
A. Business Associate does not promptly enter into negotiations to amend the
Contract and this Agreement when requested by Covered Entity pursuant to
this Section;or
B. Business Associate does not enter into an amendment to the Contract and this
Agreement,which provides assurances regarding the safeguarding of PHI
sufficient,in Covered Entity's sole discretion,to satisfy the standards and
requirements of the HIPAA,the HIPAA Rules and applicable law.
b. Amendment of Appendix.The Appendix to this Agreement may be modified or amended by
the mutual written agreement of the Parties,without amendment of this Agreement.Any
modified or amended Appendix agreed to in writing by the Parties shall supersede and replace
any prior version of the Appendix.
11.ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS
Covered Entity shall provide written notice to Business Associate if litigation or administrative proceeding
is commenced against Covered Entity,its directors,officers,or employees,based on a claimed violation by
Business Associate of HIPAA,the HIPAA Rules or other laws relating to security and privacy or PHI.
Upon receipt of such notice and to the extent requested by Covered Entity,Business Associate shall,and
shall cause its employees,Subcontractors,or agents assisting Business Associate in the performance of its
obligations under the Contract to,assist Covered Entity in the defense of such litigation or proceedings.
Business Associate shall, and shall cause its employees, Subcontractors and agents to, provide assistance
to Covered Entity, which may include testifying as a witness at such proceedings. Business Associate or
any of its employees,Subcontractors or agents shall not be required to provide such assistance if Business
Associate is a named adverse party.
12.INTERPRETATION AND ORDER OF PRECEDENCE
Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent
with the HIPAA Rules.In the event of an inconsistency between the Contract and this Agreement,this
Agreement shall control.This Agreement supersedes and replaces any previous,separately executed
HIPAA business associate agreement between the Parties.
13.SURVIVAL
Provisions of this Agreement requiring continued performance,compliance,or effect after termination shall
survive termination of this contract or this agreement and shall be enforceable by Covered Entity
EXHIBIT B,STATEMENT OF WORK
1. PURPOSE OF DATA TRANSFER
1.1. The Department is providing permission for data sharing between the Contractor and outgoing
agency contracted with the Department to provide Case Management Agency(CMA)activities
under this Agreement so that Contractor may complete the following in relation to the transition
of members to the Contractor under its amended contract:
1.1.1. Early communication so that members know who to contact and who their case managers
will be prior to March 1,2024.
1.1.1.1. Informing members of upcoming changes is a priority;members receiving information
prior to March 1 is crucial for continuity of care.
1.1.1.2. The Department will not be able to make the Care and Case Management(CCM)System
and Bridge data available until March 1.
1.1.2. Having the internal database system operating early to ensure readiness on March 1 for
members who rely on services and supports.
1.1.3. Prevent delays in providing services to members.
1.1.4. Obtain outgoing Single Entry Point(SEP)and/or Community Centered Board(CCB)
member information necessary to perform Contractor's work as a Case Management Agency
(CMA).
1.1.4.1. Service Provider names and information are not required to be entered into Department
systems. To ensure continuity of care, the outgoing agency's internal database will be
the resource to confirm correct service provider information.
1.1.5. Obtaining necessary member eligibility information to be able to perform contract
compliance tasks such as DSS 1 s,schedules of contacts and who has an eligibility break live
in the internal database system.These are report functions versus looking at each case file in
the BUS or Bridge and will help predict work starting March 1.
1.1.6. Obtaining data necessary to perform Release(s)Of Information(ROIs)in time to load that
information into the internal database.
1.1.6.1. The incoming CMA will operate under the"Weld County,Release of Information"from
the prior contractor for a set period of time.This set period of time will be organized
through the privacy officer at the Department.
2. DATA EXTRACTS INCLUDED IN THIS AGREEMENT:
2.1. Activities Extract
2.2. Alerts Extract
2.3. Care Givers Extract
2.4. Members Demographics Extract
2.5. Notes Extract
2.6. Program Extract
Exhibit B,SOW Page 1 of 2
2.7. Service Plan Extract
2.8. Data-Document Control File
2.9. Any other extracts or files approved by the Department in writing
2.10. DD Delay Determination files
2.11. Member files and related data for State General Fund Programs
2.12. Any other data necessary to facilitate this transition
Entity Information
Entity Name* Entity ID* O New Entity?
DEPARTMENT OF HEALTH CARE @00023890
POLICIES&FINANCIAL
Contract Name* Contract ID Parent Contract ID
DEPARTMENT OF HEALTH CARE POLICY AND 7636
FINANCING(AGREEMENT FOR TRANSITION DATA * Requires Board Approval
SHARING) Contract Lead
WLUNA YES
Contract Status
Contract Lead Email Department Project#
CTB REVIEW
wluna@weldgov.com;cob
bxxlk@weldgov.com
Contract Description*
HCPF-WELD OHS(AGRMT.FOR TRANSITION DATA SHARING). PURPOSE:TO PERMIT THE TRANSFER OF DATA
FROM THE EXISTING CASE MGMT AGENCY(CMA)DESIGNATED TO SERVE WELD TO WELD DHS WHO WILL ASSUME
THE CMA FUNCTIONS ON 03/01/24.TERM:EXECUTION-PERP.DUE 1
Contract Description 2
PA ROUTING THROUGH NORMAL PROCESS. ETA TO CTB 11/22/23.
Contract Type* Department Requested BOCC Agenda Due Date
AGREEMENT HUMAN SERVICES Date* 11/18/2023
11/22/2023
Amount* Department Email
30.00 CM- Will a work session with BOCC be required?*
HumanServices@weldgov. NO
Renewable*
com
NO Does Contract require Purchasing Dept.to be
Department Head Email included?
Automatic Renewal CM-HumanServices-
DeptHead@weldgov.com
Grant
County Attorney
GENERAL COUNTY
IGA ATTORNEY EMAIL
County Attorney Email
CM-COUNTYATTORNEY@WELDGOV.COM
If this is a renewal enter previous Contract ID
If this is part of a MSA enter MSA Contract ID
Note:the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts
are not in OnBase
Contract Dates
Effective Date Review Date* Renewal Date
10/01/2024
Termination Notice Period Committed Delivery Date Expiration Date*
01/01/2025
Contact Information
Contact Info
Contact Name Contact Type Contact Email Contact Phone 1 Contact Phone 2
Purchasing
Purchasing Approver Purchasing Approved Date
Approval Process
Department Head Finance Approver Legal Counsel
JAMIE ULRICH CHRIS D'OVIDIO BYRON HOWELL
DH Approved Date Finance Approved Date Legal Counsel Approved Date
11/21/2023 11/22/2023 11/22/2023
Final Approval
BOCC Approved Tyler Ref#
AG 112723
BOCC Signed Date Originator
WLUNA
BOCC Agenda Date
11/27/2023
Houstan Aragon
From: noreply@weldgov.com
Sent: Wednesday,October 2,2024 11:15 AM
To: CM-ClerktoBoard;Sara Adams;Lesley Cobb;CM-HumanServices-DeptHead
Subject: Fast Tracked Contract ID(8760)
Contract#8760 has been Fast Tracked to CM-Contract Maintenance.
You will be notified in the future based on the Contract information below:
Entity Name:DEPARTMENT OF HEALTH CARE POLICIES&FINANCIAL Contract Name:DEPARTMENT
OF HEALTH CARE POLICY AND FINANCING(AGREEMENT FOR TRANSITION DATA SHARING)Contract
Amount:$0.00 Contract ID:8760 Contract Lead:SADAMS
Department:HUMAN SERVICES Review Date:8/1/2025
Renewable Contract:YES
Renew Date:10/1/2025
Expiration Date:
Tyler Ref#:
Thank-you
Houstan Aragon
From: Sara Adams
Sent: Wednesday,October 2,2024 11:16 AM
To: CTB
Cc: HS-Contract Management
Subject: FAST TRACK:HCS CMA Agreement for Transition Data Sharing
Attachments: CMA Transition Data MOU Weld(full)(e).pdf
Good morning CTB,
FAST TRACK ITEM:
Attached please find the Agreement for Transition Data Sharing with the State of Colorado,Tyler ID#
2023-3424,and originally CMS#7636.The agreement is in perpetuity and there are no changes to the
agreement at this point and it is being Fast Track in CMS for tracking purposes only(CMS#8760).
Thank you,
Sara
Sara Adams
Contract Administrative Coordinator
Weld County Dept.of Human Services
315 N.11th Avenue,Building A
PO Box A
Greeley,CO 80632
(970)400-6603
sadams@weld.gov
Confidentiality Notice:This electronic transmission and any attached documents or other writings are intended only for the
person or entity to which it is addressed and may contain information that is privileged,confidential or otherwise protected from disclosure.If you
have received this communication in error,please immediately notify sender by return e-mail and destroy the communication.Any disclosure,
copying,distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the
named recipient is strictly prohibited.
Houstan Aragon
From: noreply@weldgov.com
Sent: Thursday,August 14,2025 12:26 PM
To: CM-ClerktoBoard;Sara Adams;Lesley Cobb;CM-HumanServices-DeptHead
Subject: Fast Tracked Contract ID(9829)
Contract#9829 has been Fast Tracked to CM-Contract Maintenance.
You will be notified in the future based on the Contract information below:
Entity Name:DEPARTMENT OF HEALTH CARE POLICIES&FINANCIAL Contract Name:DEPARTMENT OF HEALTH
CARE POLICY AND FINANCING(AGREEMENT FOR TRANSITION DATA SHARING)Contract Amount:$0.00 Contract
ID:9829 Contract Lead:SADAMS
Department:HUMAN SERVICES
Review Date:8/1/2026
Renewable Contract:YES
Renew Date:10/1/2026
Expiration Date:
Tyler Ref#:
Thank-you
Houstan Aragon
From: Sara Adams
Sent: Thursday,August 14,2025 12:25 PM
To: CTB
Cc: HS-Contract Management
Subject: FAST TRACK-Colorado Department of Health Care Policy&Finance(CMS#9829)
Attachments: CMA Transition Data MOU Weld(e).pdf
Good afternoon CTB,
FAST TRACK ITEM:
Attached please find the Colorado Department of Health Care Policy&Finance Case Management Agency
Agreement for Transition Data Sharing(Tyler ID#2023-3424).This agreement is in perpetuity and is
reviewed on a yearly basis.No changes are required.This will be a Fast Track item in CMS for tracking
purposes only(CMS#9829).
Thank you,
Sara
Sara Adams
Contract Administrative Coordinator
Department of Human Services
Desk:970-400-6603
P.O.Box A,315 N.11th Ave.,Greeley,CO 80632
Important:This electronic transmission and any attached documents or other writings are intended only for the
person or entity to which it is addressed and may contain information that is privileged,confidential or otherwise
protected from disclosure.If you have received this communication in error,please immediately notify sender by
return e-mail and destroy the communication.Any disclosure,copying,distribution or the taking of any action
concerning the contents of this communication or any attachments by anyone other than the named recipient is
strictly prohibited.