RESOLUTION
RE: APPROVE DATA USE AGREEMENT FOR SARA ALERT SOFTWARE AND
AUTHORIZE CHAIR TO SIGN - MITRE CORPORATION, AND THE ASSOCIATION OF
PUBLIC HEALTH LABORATORIES, INC.
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Data Use Agreement for the Sara Alert
Software among the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Public Health and Environment,
the Mitre Corporation, and the Association of Public Health Laboratories, Inc., commencing upon
full execution of signatures, with further terms and conditions being as stated in said agreement,
and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Data Use Agreement for the Sara Alert Software among the
County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld
County, on behalf of the Department of Public Health and Environment, the Mitre Corporation,
and the Association of Public Health Laboratories, Inc., be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 2nd day of November, A.D., 2020.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED
County Attorney
Date of signature: l l 113190
111O/2-0
Mike Freeman, Chair
Steve Moreno, Pro-Tem
Kevin D. Ross
2020-3236
HL0052
BC0054
Contract =o IV 1402027
BOARD OF COUNTY COMMISSIONERS
PASS-AROUND REVIEW / WORK SESSION REQUEST
RE: WCDPHE Contract for Sara Alert System
DEPARTMENT: PUBLIC HEALTH & ENVIRONMENT DATE: 10/26/2020
PERSON REQUESTING: Mark Lawley, Executive Director
Brief description of the problem/issue:
For the Board's review and approval is a contract between Sara Alert (MITRE Corporation) and the Board of
County Commissioners of Weld County for the use and benefit of the Weld County Department of Public
Health and Environment (WCDPHE).
Sara Alert is a free system available to local health departments to support disease outbreak investigation and
contact tracing. This system allows for daily reporting of symptoms using web, text, phone and emails, is fully
HIPAA compliant and protects individual data by not storing information beyond the 14-day quarantine time.
Residents using this system will be able to report their symptom status to the health department in real-time,
using the technology of their choice, allowing for faster outbreak detection and better control of disease spread.
All contacts will first receive a notification phone call from a WCDPHE contact tracer to explain the exposure
and quarantine recommendations, gather demographic information, review symptoms, and explain the
automated monitoring system.
Sara Alert will reduce the hours put in by staff for the multiple follow-up calls conducted throughout the 14-day
quarantine period and allot this time to additional immediate notification calls to those who have been exposed
to COVID-19 cases. This will contribute to decreasing the spread of the virus in the community by reducing the
number of residents exposed to possible secondary infections and will be a much-needed force multiplier for
our COVID-19 contact tracing staff. Weld County Chief Information Officer, Ryan Rose, has reviewed the
Sara Alert system and contract, and is supportive of bringing the system to Weld County.
What options exist for the Board? (Include consequences, impacts, costs, etc. of options)
Approving and signing this contract will enable WCDPHE to expand contact tracing capacity to better meet
demand and offer residents a faster, better way to interact with the health department during outbreak
investigations.
Declining this contract will result in ongoing impairment of the health department's ability to quickly investigate
disease outbreaks and limit responsiveness to continued COVID-19 spread and other communicable diseases.
Recommendation: I recommend approval of this continuation contract with CDPHE
Approve Recommendation | Schedule Work Session | Other/Comments
Mike Freeman, Chair
Steve Moreno, Pro Tem
Barbara Kirkmeyer
Scott James
Kevin Ross
SARA ALERT
DATA USE AGREEMENT
This DATA USE AGREEMENT (this "Agreement") is made by and among Weld
County Department of Public Health & Environment (the "Participating Jurisdiction"), The
MITRE Corporation ("MITRE"), a Delaware not-for-profit company with a business address of
7515 Colshire Drive, McLean, VA 22102, and the Association of Public Health Laboratories,
Inc. ("APHL"), a District of Columbia nonprofit corporation with a business address of 8515
Georgia Ave, Suite 700, Silver Spring, MD 20910 (APHL and MITRE, collectively, the "Service
Providers"). This Agreement shall be effective as of the Effective Date set forth in Section III
below. Capitalized terms used in this Agreement without definition shall have the respective
meanings assigned to such terms by the Administrative Simplification section of the Health
Insurance Portability and Accountability Act of 1996 and its implementing regulations as
amended by the HITECH Act (as defined in Section I.C of this Agreement; collectively,
"HIPAA").
WHEREAS, the Participating Jurisdiction is authorized to conduct public health
surveillance activities of individuals potentially exposed to SARS-CoV-2, the novel coronavirus
that causes COVID-19;
WHEREAS, MITRE has developed the Sara Alert software and program initiative that
allows for the deployment of an open source solution that (1) enables public health officials to
enroll individuals at risk of developing COVID-19 infection, (2) allows individuals to enter
symptoms daily and (3) provides dashboards for federal, state, and local public health officials
("Sara Alert");
WHEREAS, APHL has agreed to host Sara Alert on the APHL Informatics Messaging
Services (AIMS) platform which is a HIPAA-compliant, Federal Information Security
Management Act (FISMA) moderate secure, cloud based environment that accelerates the
implementation of health messaging by providing shared services to aid in the transport,
validation, translation, hosting and routing of electronic data;
WHEREAS, the Participating Jurisdiction desires to utilize Sara Alert to enable public
health officials to monitor Participating Jurisdiction residents potentially exposed to the novel
coronavirus and at risk to develop COVID-19; and
WHEREAS, that Participating Jurisdiction and the Service Providers agree that there
are certain terms and conditions that must apply to the Service Providers' use of the
Participating Jurisdiction Data (as defined in Section 1) and that this Agreement will control
at all times the Service Providers' access to, and use and disclosure of, the Participating
Jurisdiction Data in connection with the Sara Alert activities and operations.
NOW THEREFORE, in consideration of the mutual promises and covenants contained
herein and other good and valuable consideration, the receipt and sufficiency of which are
hereby acknowledged, the Participating Jurisdiction and the Service Providers agree as follows:
Page 1 of 16
I. GENERAL PROVISIONS
A. Effect.
The provisions of this Agreement shall control the Service Providers' access to, and use
and disclosure, of the Participating Jurisdiction Data, including if applicable, Protected Health
Information in connection with Sara Alert. The terms and provisions of this Agreement shall
supersede any conflicting or inconsistent terms and provisions of any agreement or contract
between the parties regarding Sara Alert.
For purposes of this Agreement, "Participating Jurisdiction Data" shall mean all content,
property, data and information furnished by the Participating Jurisdiction or any agency,
commission or board of the Participating Jurisdiction, or by any third party agent thereof, or by
any authorized user, including any person enrolled in or monitored using the Sara Alert system,
of or from the Participating Jurisdiction, and any data derived therefrom, including metadata; and
(ii) all trademarks, trade names, logos and other Participating Jurisdiction identifiers, Internet
uniform resource locators, user name or names, Internet addresses and e-mail addresses obtained
or developed pursuant to this Agreement.
This Agreement shall not apply to, modify, or supersede any other provision of any
agreement or contract governing any activities or services between the parties not related to Sara
Alert.
B. No Third-Party Beneficiaries.
The parties have not created and do not intend to create by this Agreement any third-party
rights.
II. OBLIGATIONS OF THE SERVICE PROVIDERS
A. Use and Disclosure of Participating Jurisdiction Data.
The Service Providers may use and disclose the Participating Jurisdiction Data as: (i)
permitted or required under this Agreement, including data uses detailed in Attachment A — Data
Uses and Restrictions, but subject to restrictions contained therein; or as required by applicable
law in connection with Sara Alert activities or operations. The Participating Jurisdiction grants to
each Service Provider a limited license to Participating Jurisdiction Data for the sole and
exclusive purpose of operating the Sara Alert system, including a license to collect, process,
store, generate, and display Participating Jurisdiction Data only to the extent necessary for such
purpose. Each Service Provider shall not, and shall assure that its employees, other agents, and
contractors do not, use or disclose Participating Jurisdiction Data in any manner that would
constitute a violation of this Agreement if so used or disclosed by such Service Provider.
In addition to the authorized data use detailed on Attachment A, the Service Providers
shall be permitted to access, use or disclose Participating Jurisdiction Data as set forth below:
1. The Service Providers may access, use and disclose Participating Jurisdiction
Data in connection with Sara Alert activities or operations for and on behalf of the
Participating Jurisdiction, as set forth in applicable policies and procedures
governing the exchange of Participating Jurisdiction Data. The parties expressly
acknowledge that this Agreement shall not apply to routing or transmission
activities or functions not related to Sara Alert.
2. The Service Providers may use Participating Jurisdiction Data internally for the
Service Providers' proper management and administrative services or to carry out
its legal responsibilities.
3. A Service Provider may disclose Participating Jurisdiction Data to a third party
for the Service Provider's proper management and administration, provided that
(1) the disclosure is required by law, (2) the Service Provider makes such
disclosure pursuant to an agreement consistent with the Service Provider's
obligations under this Agreement or (3) the Service Provider makes the disclosure
pursuant to a written agreement under which third party is required to (i) protect
the confidentiality of Participating Jurisdiction Data, (ii) only use or further
disclose Participating Jurisdiction Data as required by law or for the purpose for
which it was disclosed to the third party and (iii) notify the Participating
Jurisdiction of any acquisition, access, use, or disclosure of Participating
Jurisdiction Data in a manner not permitted by the confidentiality agreement.
4. The Service Providers may use Participating Jurisdiction Data to provide Data
Aggregation services and report generation services relating to the health care and
public health operations of the Participating Jurisdiction if required or permitted
in connection with Sara Alert or this Agreement.
5. The Service Providers may de-identify Participating Jurisdiction Data, consistent
with applicable HIPAA requirements and in furtherance of Sara Alert.
B. Safeguards.
The Service Providers shall use appropriate safeguards to prevent the use or disclosure of
Participating Jurisdiction Data other than as permitted or required by this Agreement. Service
Providers shall: (a) keep and maintain Participating Jurisdiction Data in strict confidence, using
such degree of care as is appropriate and consistent with its obligations as further described in
this Agreement and applicable law to avoid unauthorized access, use, disclosure, or loss; (b) use
and disclose Participating Jurisdiction Data solely and exclusively for the purpose of providing
the services, such use and disclosure being in accordance with this Agreement and applicable
law; and (c) not use, sell, rent, transfer, distribute, or otherwise disclose or make available
Participating Jurisdiction Data for Service Providers' own purposes or for the benefit of anyone
other than the Participating Jurisdiction without the Participating Jurisdiction's prior written
consent.
At no time may any Participating Jurisdiction Data be copied, disclosed, or retained by
Service Providers for subsequent use in any transaction that does not include Participating
Jurisdiction. Upon expiration or termination of this Agreement, Service Providers shall return or
destroy all Participating Jurisdiction Data and all copies thereof, and Service Providers shall have
no further right or license to such Participating Jurisdiction Data. In no event shall the Service
Providers claim any security interest in Participating Jurisdiction Data.
C. Breach Notification Coverage.
Before commencing work on this Agreement and throughout the term of this Agreement,
Service Provider agrees to procure and maintain Breach Notification Coverage of not less than
$1,000,000. Service Provider will provide upon request certificates of insurance to show that the
foregoing minimum coverage is in effect.
D. Agreements by Subcontractors.
The Service Providers acknowledge that subcontractors, who create, receive, maintain, or
transmit Participating Jurisdiction Data for or on behalf of the Service Providers shall be required
to follow the terms of this Agreement and all applicable Participating Jurisdiction and federal
laws. The Service Providers shall obtain and maintain written agreements with each
subcontractor that has or will maintain, receive or otherwise have access to Participating
Jurisdiction Data which is received from, or created or received by the Service Providers on
behalf of the Participating Jurisdiction, pursuant to which such subcontractor agrees to be bound
by the same restrictions, terms and conditions that apply to the Service Providers under this
Agreement with respect to such Participating Jurisdiction Data.
E. HIPAA Addendum.
The parties acknowledge and agree that the Health Information Technology for
Economic and Clinical Health Act and its implementing regulations (collectively, the "HITECH
Act") impose requirements with respect to privacy, security and breach notification applicable to
Business Associates (collectively, the "HITECH BA Provisions"). To the extent that provisions
of the HITECH Act and the HITECH BA Provisions are applicable to activities undertaken or
services provided by a Service Provider hereunder in connection with Sara Alert, the provisions
set out in Attachment B — Business Associate Addendum, establishes the terms and conditions
that apply under a Business Associate Agreement to be entered into by the applicable parties to
govern such Service Provider's access to, and use or disclosure of, Protected Health Information.
III. GENERAL TERMS AND CONDITIONS
A. Term and Termination.
The term of this Agreement shall begin as of the date on which it shall have been
executed by each of the parties (the "Effective Date") and shall continue until termination or
expiration as set forth in this Section III. If not terminated earlier, the term of this Agreement
shall expire on the third anniversary of the Effective Date. This Agreement may be unilaterally
terminated by the Participating Jurisdiction or by either of the Service Providers at any time by
giving at least thirty (30) days' prior written notice to the other parties.
B. Return or Destruction of Information upon Termination.
Upon expiration or earlier termination of Sara Alert, the Service Providers shall, subject
to prior notice to and approval from the Participating Jurisdiction, either return or destroy all
Participating Jurisdiction Data received from Participating Jurisdiction residents or created or
received by the Service Providers on behalf of the Participating Jurisdiction and which the
Service Providers still maintain in any form.
Notwithstanding the foregoing, to the extent that a Service Provider reasonably
determines that it is not feasible to return or destroy such Participating Jurisdiction Data, the
terms and provisions of this Agreement shall survive termination and such Participating
Jurisdiction Data shall be used or disclosed solely for such purpose or purposes which prevented
the return or destruction of such Participating Jurisdiction Data.
C. Prior Approvals.
This Agreement shall not be binding unless and until all requisite prior approvals have
been obtained in accordance with current Participating Jurisdiction law, bulletins, and
interpretations.
D. Amendment.
No changes, modifications, or amendments in the terms and conditions of this Agreement
shall be effective unless reduced to writing duly approved by the Participating Jurisdiction, and
signed by the duly authorized representative of the Participating Jurisdiction and each of the
Service Providers.
E. No Click-through Terms.
Where an authorized user is required to "click through" or otherwise accept or made
subject to any online terms and conditions or any other such terms in accessing or using the
Service Providers' system, or any other contracted services, such terms and conditions shall not
be binding and shall have no force or effect as to this Agreement, the services and the authorized
Participating Jurisdiction users.
F. Counterparts.
This Agreement may be executed in multiple counterparts, each of which shall be
deemed an original but both of which together shall constitute one and the same instrument.
Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to
be originals for purposes of execution and proof of this Agreement.
DocuSign Envelope ID: F9674EBB-CB7E-46FA-9F1C-6610720E45B8
IN WITNESS WHEREOF, the parties hereto have signed this Agreement this 29th day of
October, 2020.
THE MITRE CORPORATION
DocuSigned by:
By:
a4mnifaveA Wyler
Title: Associate General Counsel
Date: 10/29/2020
THE ASSOCIATION OF PUBLIC HEALTH LABORATORIES, INC.
By:
DocuSigned by:
Scott J. Becker
Title: Chief Executive Officer
Date: 10/29/2020
WELD COUNTY:
ATTEST:
BY: Deputy Clerk to the Board
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
Mike Freeman, Chair
t2'! O22020
ATTACHMENT A
Data Uses and Restrictions
Sara Alert is a standards-based, open source tool that allows public health officials to monitor
individuals at risk for COVID-19, enabling real-time insights and increased reporting capability
for early containment of the virus. The tool allows individuals to report daily symptoms through
web, text, email, and phone calls. The tool was developed by MITRE in partnership with state,
local, and federal partners and is hosted by APHL on the AIMS platform.
Restrictions. The Service Providers confirm that as of the Effective Date of the
Agreement, the Sara Alert system does not have the capability to track the location of
individuals. The Service Providers acknowledge that the Participating Jurisdiction neither
desires nor intends to use the Sara Alert system to track the location of Participating
Jurisdiction residents. Accordingly, the Service Providers agree that if or when the Sara
Alert system may have capability to track individuals' location, such capability will not
be deployed for the use by the Participating Jurisdiction, except as expressly agreed by
the Participating Jurisdiction in an amendment or modification to the Agreement duly
made by the Participating Jurisdiction and the Service Providers. If or when such
functionality may exist, and absent express adoption of such functionality in accordance
with the preceding sentence, such functionality shall be disabled with respect to
Participating Jurisdiction residents by the Service Providers, or by the Participating
Jurisdiction, with prompt notice and assistance from the Service Providers, as needed.
For Monitoring Exposed Individuals
Sara Alert enables public health officials to enroll individuals at risk of developing
COVID-19, for example, individuals from affected areas or contacts of known cases.
Once enrolled, individuals enter their (and other members of their household) symptoms
daily through their preferred platform (i.e., web browser via mobile or desktop, text-based,
voice), providing public health officials real-time insights. The information is
stored in a secure database and displayed on monitoring line lists so that public health
officials can quickly and efficiently identify individuals requiring care coordination or
follow up for non-response.
For Monitoring Ill Individuals
Sara Alert enables public health officials to enroll individuals who have developed
disease, like COVID-19, who need to be monitored to determine when it is safe to
discontinue isolation. Once enrolled, individuals enter their symptoms daily through their
preferred platform (i.e., web browser via mobile or desktop, text-based, voice), providing
public health officials with real-time insights. The information is stored in a secure
database and displayed on monitoring line lists so that public health officials can quickly
and efficiently identify individuals who may discontinue isolation.
Importing - Epi-X Notification Spreadsheet
Sara Alert can import data from the spreadsheets distributed to jurisdictions via Epi-X
notifications. The Epi-X notification spreadsheet import populates a limited subset of
Sara Alert enrollment data elements noted in the FAQ below. After import, the record can
be updated with additional information by a public health user.
Importing - Sara Alert Format Spreadsheet
Sara Alert can populate all enrollment data elements using the Sara Alert template. This
functionality supports jurisdictions who wish to use Sara Alert and are currently
maintaining case or contact information in other systems that can export to a .CSV
formatted file, such as REDCap®. The most current import template formatting guidance
is available in the user interface.
Exporting - Monitoring Line List Export
Users can currently export a .CSV file of the following data elements: Monitoree Name,
Assigned Jurisdiction, State/Local ID, Sex, Date of Birth, End of Monitoring Period
Date, Exposure Risk Level, Monitoring Plan, Latest Symptom Report Date, Transferred
Data (if applicable), Reason for Closure (if applicable), Latest Public Health Action (if
applicable), Status (e.g., name of line list), and Closed Date (if applicable).
Exporting - Sara Alert Format
The Sara Alert formatted export allows users to export a .CSV file of all enrollment data
elements in a Sara Alert record. Enrollment data elements include demographics, contact
information, travel history, planned travel, and potential exposure information.
An expanded export functionality that will allow users to export a .CSV file of all data
elements in a Sara Alert record, including symptom report history, is anticipated to be
released in mid-to-late April.
The current export capability exports the following data elements: Monitoree Name,
Assigned Jurisdiction, State/Local ID, Sex, Date of Birth, End of Monitoring Period
Date, Exposure Risk Level, Monitoring Plan, and Latest Symptom Report Date.
The expanded export functionality will include all data elements in a Sara Alert record
and is anticipated to be released in mid-April.
Notifications - For Monitoring Exposed Individuals
Currently, individuals who have not reported within a defined timeframe (e.g., 24 hours)
will appear on the yellow "non-reporting" line list. Public health officials can review this
line list and prioritize follow up to collect missing reports.
Similarly, individuals who reported symptoms on their last report appear on the red
"symptomatic" tab.
Notifications - For Monitoring Ill Individuals
Currently, individuals who have not reported within a defined timeframe (e.g., 24 hours)
will appear on the yellow "non-reporting" line list. Public health officials can review this
line list and prioritize follow up to collect missing reports.
Transfers between Jurisdictions
Sara Alert allows for the transfer of contacts between jurisdictions, subject to jurisdiction
configuration and hierarchy.
Customization
State, territorial, local, or tribal jurisdictions can add symptoms to the minimal set of
symptoms assessed on the daily report by working with the Sara Alert administrator. Each
jurisdiction will be required to include the minimal set of symptoms (currently, subjective
fever, cough, and shortness of breath) as defined by CDC guidance. From that minimal
set of symptoms, state jurisdictions can add additional symptoms to the minimal set.
Local jurisdictions can add additional symptoms to the set defined by their state.
Concurrent Use for Different Diseases
Sara Alert is configurable for different diseases, but each instance can only support one
disease at a time. If a separate database is stood up, the Sara Alert functionality could be
used to support a different disease. Establishing a separate instance of Sara Alert for a
different disease would require identification of resources and support for the separate
instance.
Security and Privacy
The application has granular record control and encryption, at the single record-level and
single user level to meet data use laws and policies. Different roles are available in the
system that restrict access to individual level information; this follows the best practice of
restricting access to information to only users who require it. A user may also only access
records that belong to their assigned jurisdiction.
The Sara Alert monitoring database will be hosted by APHL on the AIMS platform.
APHL works to strengthen laboratory systems serving the public's health in the United
States and globally. APHL represents state and local governmental health laboratories in
the United States. Public health laboratories monitor, detect and respond to health threats.
The information will be purged from the Sara Alert database as described in the Sara
Alerts User Guide, and generally fourteen days after the monitoring period has ended.
Public health agencies can export records that are scheduled for deletion in order to
comply with local records retention requirements.
ATTACHMENT B
Business Associate Addendum
To the extent that provisions of the HITECH Act and the HITECH BA Provisions are applicable
to activities undertaken or services provided by a Service Provider in connection with Sara Alert,
the parties shall enter into a Business Associate Agreement (a "BAA") containing terms and
conditions as set forth in the terms of this Business Associate Addendum (the "Addendum"). For
purposes of this Addendum and any BAA, the Participating Jurisdiction shall be referred to as
the "Covered Entity" and the applicable Service Provider shall be referred to as the "Business
Associate". This BAA supplements and is made a part of the Agreement between the
Participating Jurisdiction and the Service Provider.
Covered Entity and Business Associate will enter into a BAA to comply with the standards
promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),
including the Standards for the Privacy of Individually Identifiable Health Information, at 45
CFR Parts 160 and 164 ("Privacy Rule"), and the Security Standards, at 45 CFR Parts 160 and
164 ("Security Rule"), as amended by Subtitle D of the Health Information Technology for
Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.
The BAA will provide that the parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this BAA have the
meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal
rules and regulations. Unless otherwise specified, when used in this BAA, defined terms used in
the singular shall be understood if appropriate in their context to include the plural when
applicable.
"Agent" means an Individual acting within the scope of the agency of the Business Associate, in
accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c) and
includes Subcontractors.
"Breach" means the acquisition, Access, Use or Disclosure of Protected Health Information
(PHI) which compromises the Security or privacy of the PHI, except as excluded in the
definition of Breach in 45 CFR § 164.402.
"Business Associate" shall have the meaning given for "Business Associate" in 45 CFR §
160.103 and shall the Service Provider, including its Agents and Subcontractors.
"Electronic PHI" shall mean PHI created, received, maintained or transmitted electronically in
accordance with 45 CFR § 160.103.
"Individual" includes a Person who qualifies as a personal representative in accordance with 45
CFR § 164.502(g).
"Protected Health Information" (or "PHI") shall have the meaning given in 45 CFR § 160.103,
limited to the PHI created or received by Business Associate from or on behalf of Covered
Entity.
"Required by Law" means a mandate contained in law that compels an entity to make a use or
disclosure of PHI and that is enforceable in a court of law and shall have the meaning given in 45
CFR § 164.103.
"Report" means submissions required by this BAA as provided in section 2.3 below.
"Security Incident" means the attempted or successful unauthorized Access, Use, Disclosure,
modification, or destruction of Information or interference with system operations in an
Information System relating to PHI in accordance with 45 CFR § 164.304.
"Services" includes all work performed by the Business Associate for or on behalf of Covered
Entity that requires the Use and/or Disclosure of PHI to perform a Business Associate function
described in 45 CFR § 160.103.
"Subcontractor" means a Person to whom Business Associate delegates a function, activity, or
service, other than in the capacity of a member of the workforce of such Business Associate.
"Successful Security Incident" shall mean a Security Incident that results in the unauthorized
Access, Use, Disclosure, modification, or destruction of information or interference with system
operations in an Information System.
"Unsuccessful Security Incident" shall mean a Security Incident such as routine occurrences that
do not result in unauthorized Access, Use, Disclosure, modification, or destruction of
information or interference with system operations in an Information System, such as: (i)
unsuccessful attempts to penetrate computer networks or services maintained by Business
Associate; and (ii) immaterial incidents such as pings and other broadcast attacks on Business
Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any
combination of the above with respect to Business Associate's Information System.
"Targeted Unsuccessful Security Incident" means an Unsuccessful Security Incident that appears
to be an attempt to obtain unauthorized Access, Use, Disclosure, modification or destruction of
the Covered Entity's Electronic PHI.
2. Contact Information for Privacy and Security Officers and Reports.
2.1 Business Associate shall provide, within ten (10) days of the execution of this BAA, written
notice to the Agreement manager the names and contact information of both the HIPAA Privacy
Officer and HIPAA Security Officer of the Business Associate. This information must be
updated by Business Associate any time these contacts change.
2.2 Covered Entity shall provide, within ten (10) days of the execution of this BAA, written
notice of Covered Entity's HIPAA Privacy Officer and HIPAA Security Officer contact
information.
2.3 Business Associate shall submit all Reports required by this BAA in accordance with
delivery instructions reasonably established by Covered Entity.
3. Permitted and Required Uses/Disclosures of PHI.
3.1 Subject to the terms in this BAA, Business Associate may Use or Disclose PHI to
perform Services, as specified in the Agreement. Such Uses and Disclosures are limited to the
minimum necessary to provide the Services. Business Associate shall not Use or Disclose PHI in
any manner that would constitute a violation of the Privacy Rule if Used or Disclosed by
Covered Entity in that manner. Business Associate may not Use or Disclose PHI other than as
permitted or required by this Agreement or as Required by Law and only in compliance with
applicable laws and regulations.
3.2 Business Associate may make PHI available to its Workforce, Agent and Subcontractor
who need Access to perform Services as permitted by this Agreement, provided that Business
Associate makes them aware of the Use and Disclosure restrictions in this BAA and binds them
to comply with such restrictions.
3.3 Business Associate shall be directly liable under HIPAA for impermissible Uses and
Disclosures of PHI.
4. Business Activities. Business Associate may Use PHI if necessary for Business
Associate's proper management and administration or to carry out its legal responsibilities.
Business Associate may Disclose PHI for Business Associate's proper management and
administration or to carry out its legal responsibilities if a Disclosure is Required by Law or if
Business Associate obtains reasonable written assurances via a written agreement from the
Person to whom the information is to be Disclosed that such PHI shall remain confidential and
be Used or further Disclosed only as Required by Law or for the purpose for which it was
Disclosed to the Person, and the Agreement requires the Person to notify Business Associate,
within five (5) business days, in writing of any Breach of Unsecured PHI of which it is aware.
Such Uses and Disclosures of PHI must be of the minimum amount necessary to accomplish
such purposes.
5. Electronic PHI Security Rule Obligations.
5.1 With respect to Electronic PHI, Business Associate shall:
a) Implement and use Administrative, Physical, and Technical Safeguards in compliance with 45
CFR sections 164.308, 164.310, and 164.312;
b) Identify in writing upon request from Covered Entity all the safeguards that it uses to protect
such Electronic PHI;
c) Prior to any Use or Disclosure of Electronic PHI by an Agent or Subcontractor, ensure that
any Agent or Subcontractor to whom it provides Electronic PHI agrees in writing to implement
and use Administrative, Physical, and Technical Safeguards that reasonably and appropriately
protect the Confidentiality, Integrity and Availability of Electronic PHI. The written agreement
must identify Covered Entity as a direct and intended third party beneficiary with the right to
enforce any breach of the agreement concerning the Use or Disclosure of Electronic PHI, and be
provided to Covered Entity upon request;
d) Report in writing to Covered Entity any Successful Security Incident or Targeted Security
Incident as soon as it becomes aware of such incident and in no event later than five (5) business
days after such awareness. Such report shall be timely made notwithstanding the fact that little
information may be known at the time of the report and need only include such information then
available;
e) Following such report, provide Covered Entity with the information necessary for Covered
Entity to investigate any such incident; and
f) Continue to provide to Covered Entity information concerning the incident as it becomes
available to it.
5.2 Reporting Unsuccessful Security Incidents. Business Associate shall provide Covered
Entity upon written request a Report that: (a) identifies the categories of Unsuccessful Security
Incidents; (b) indicates whether Business Associate believes its current defensive security
measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature
of such attempts; and (c) if the security measures are not adequate, the measures Business
Associate will implement to address the security inadequacies.
5.3 Business Associate shall comply with any reasonable policies and procedures Covered
Entity implements to obtain compliance under the Security Rule.
6. Reporting and Documenting Breaches.
6.1 Business Associate shall Report to Covered Entity any Breach of Unsecured PHI as soon
as it, or any Person to whom PHI is disclosed under this Agreement, becomes aware of any such
Breach, and in no event later than five (5) business days after such awareness, except when a law
enforcement official determines that a notification would impede a criminal investigation or
cause damage to national security. Such Report shall be timely made notwithstanding the fact
that little information may be known at the time of the Report and need only include such
information then available.
6.2 Following the Report described in 6.1, Business Associate shall conduct a risk
assessment and provide it to Covered Entity with a summary of the event. Business Associate
shall provide Covered Entity with the names of any Individual whose Unsecured PHI has been,
or is reasonably believed to have been, the subject of the Breach and any other available
information that is required to be given to the affected Individual, as set forth in 45 CFR §
164.404(c). Upon request by Covered Entity, Business Associate shall provide information
necessary for Covered Entity to investigate the impermissible Use or Disclosure. Business
Associate shall continue to provide to Covered Entity information concerning the Breach as it
becomes available.
6.3 When Business Associate determines that an impermissible acquisition, Access, Use or
Disclosure of PHI for which it is responsible is not a Breach, and therefore does not necessitate
notice to the impacted Individual, it shall document its assessment of risk, conducted as set forth
in 45 CFR § 402(2). Business Associate shall make its risk assessment available to Covered
Entity upon request. It shall include 1) the name of the person making the assessment, 2) a brief
summary of the facts, and 3) a brief statement of the reasons supporting the determination of low
probability that the PHI had been compromised.
7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent
practicable, any harmful effect that is known to it of an impermissible Use or Disclosure of PHI,
even if the impermissible Use or Disclosure does not constitute a Breach. Business Associate
shall draft and carry out a plan of corrective action to address any incident of impermissible Use
or Disclosure of PHI. Business Associate shall make its mitigation and corrective action plans
available to Covered Entity upon request.
8. Providing Notice of Breaches.
8.1 If Covered Entity determines that a Breach of PHI for which Business Associate was
responsible, and if requested by Covered Entity, Business Associate shall provide notice to the
Individual whose PHI has been the subject of the Breach. When so requested, Business Associate
shall consult with Covered Entity about the timeliness, content and method of notice, and shall
receive Covered Entity's approval concerning these elements. Business Associate shall be
responsible for the cost of notice and related remedies.
8.2 The notice to affected Individuals shall be provided as soon as reasonably possible and in
no case later than sixty (60) calendar days after Business Associate reported the Breach to
Covered Entity.
8.3 The notice to affected Individuals shall be written in plain language and shall include, to
the extent possible, 1) a brief description of what happened, 2) a description of the types of
Unsecured PHI that were involved in the Breach, 3) any steps Individuals can take to protect
themselves from potential harm resulting from the Breach, 4) a brief description of what the
Business Associate is doing to investigate the Breach to mitigate harm to Individuals and to
protect against further Breaches, and 5) contact procedures for Individuals to ask questions or
obtain additional information, as set forth in 45 CFR § 164.404(c).
8.4 Business Associate shall notify Individuals of Breaches as specified in 45 CFR §
164.404(d) (methods of Individual notice).
9. Agreements with Subcontractors. Business Associate shall enter into a Business
Associate Agreement with any Subcontractor to whom it provides PHI to require compliance
with HIPAA and to ensure Business Associate and Subcontractor comply with the terms and
conditions of this Agreement. Business Associate must enter into such written agreement before
any Use by or Disclosure of PHI to such Subcontractor. The written agreement must identify
Covered Entity as a direct and intended third party beneficiary with the right to enforce any
breach of the agreement concerning the Use or Disclosure of PHI. Business Associate shall
provide a copy of the written agreement it enters into with a Subcontractor to Covered Entity
upon request. Business Associate may not make any Disclosure of PHI to any Subcontractor
without prior written consent of Covered Entity.
10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record
Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements
under 45 CFR § 164.524. Business Associate shall provide such access in the time and manner
reasonably designated by Covered Entity. Within five (5) business days, Business Associate shall
forward to Covered Entity for handling any request for Access to PHI that Business Associate
directly receives from an Individual.
11. Amendment of PHI. Business Associate shall make any amendments to PHI in a
Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526,
whether at the request of Covered Entity or an Individual. Business Associate shall make such
amendments in the time and manner reasonably designated by Covered Entity. Within five (5)
business days, Business Associate shall forward to Covered Entity for handling any request for
amendment to PHI that Business Associate directly receives from an Individual.
12. Accounting of Disclosures. Business Associate shall document Disclosures of PHI and all
information related to such Disclosures as would be required for Covered Entity to respond to a
request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §
164.528. Business Associate shall provide such information to Covered Entity or as directed by
Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request.
Business Associate shall provide such information in the time and manner reasonably designated
by Covered Entity. Within five (5) business days, Business Associate shall forward to Covered
Entity for handling any accounting request that Business Associate directly receives from an
Individual.
13. Books and Records. Subject to the attorney-client and other applicable legal privileges,
Business Associate shall make its internal practices, books, and records (including policies and
procedures and PHI) relating to the Use and Disclosure of PHI available to Covered Entity as
reasonably requested by Covered Entity. Business Associate shall make the same information
available to Covered Entity, upon Covered Entity's request, in the time and manner reasonably
designated by Covered Entity so that Covered Entity may determine whether Business Associate
is in compliance with this Agreement.
16. Penalties. Business Associate understands that: (a) there may be civil or criminal
penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result
in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and
licensure organizations.
17. Training. Business Associate understands its obligation to comply with the law and shall
provide appropriate training and education to ensure compliance with this Agreement. If
requested by Covered Entity, Business Associate shall participate in Covered Entity's training
regarding the Use, Confidentiality, and Security of PHI; however, participation in such training
shall not supplant nor relieve Business Associate of its obligations under this Agreement to
independently assure compliance with the law and this Agreement.
18. Miscellaneous.
18.1 In the event of any conflict or inconsistency between the terms of this BAA and the terms
of the Agreement (including any other addendum or attachment thereto), the terms of this BAA
shall govern with respect to its subject matter. Otherwise, the terms of the Agreement continue in
effect.
18.2 Each party shall cooperate with the other party to amend this BAA from time to time as is
necessary for such party to comply with the Privacy Rule, the Security Rule, or any other
standards promulgated under HIPAA. This BAA may not be amended, except by a writing
signed by all parties hereto.
18.3 Any ambiguity in this BAA shall be resolved to permit the parties to comply with the
Privacy Rule, Security Rule, or any other standards promulgated under HIPAA.
18.4 Business Associate shall not have or claim any ownership of PHI.
18.5 Business Associate shall abide by the terms and conditions of this BAA with respect to
all PHI even if some of that information relates to specific services for which Business Associate
may not be a "Business Associate" of Covered Entity under the Privacy Rule.
18.6 Business Associate is prohibited from directly or indirectly receiving any remuneration in
exchange for an Individual's PHI. Business Associate will refrain from marketing activities that
would violate HIPAA, including specifically Section 13406 of the HITECH Act. Reports or data
containing PHI may not be sold without Covered Entity's or the affected Individual's written
consent.
18.7 The provisions of this BAA that by their terms encompass continuing rights or
responsibilities shall survive the expiration or termination of the Agreement.
Contract Form
New Contract Request
Entity Information
Entity Name
Entity ID*
SARA ALERT MITRE CORPORATION O00042885
Contract Name*
SARA ALERT DATA USE AGREEMENT
Contract Status
CTB REVIEW
❑ New Entity?
Contract ID
4228
Contract Lead*
NWONDER
Contract Lead Email
nwonder@co.weld.co.us
Parent Contract ID
Requires Board Approval
YES
Department Project #
NA
Contract Description *
DATA USE AGREEMENT BETWEEN WCDPHE, MITRE CORP & APHL FOR USE OF SARA ALERT (OPEN SOURCE) SYSTEM, FREE TO
LOCAL HEALTH DEPTS IN SUPPORT OF DISEASE OUTBREAK INVESTIGATIONS AND CONTACT TRACING.
Contract Description 2
Contract Type
AGREEMENT
Amount*
30.00
Renewable*
NO
Automatic Renewal
NO
Grant
IGA
Department
INFORMATION TECHNOLOGY-GIS
Department Email
CM-InformationTechnologyGIS@weldgov.com
Department Head Email
CM-InformationTechnologyGIS-DeptHead@weldgov.com
County Attorney
GENERAL COUNTY ATTORNEY EMAIL
County Attorney Email
CM-COUNTYATTORNEY@WELDGOV.COM
Requested BOCC Agenda Date*
11/02/2020
Due Date
10/29/2020
Will a work session with BOCC be required?*
NO
Does Contract require Purchasing Dept. to be included?
NO
If this is a renewal enter previous Contract ID
If this is part of a MSA enter MSA Contract ID
Note: the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts are not in
OnBase
Contract Dates
Effective Date
11/02/2020
Review Date*
08/02/2021
Renewal Date
Termination Notice Period
Contact Information
Committed Delivery Date
Contact Info
Contact Name Contact Type Contact Email
NICOLE LLEWELLYN PRIMARY
Purchasing
Purchasing Approver
Approval Process
Department Head
RYAN ROSE
DH Approved Date
10/30/2020
Final Approval
BOCC Approved
BOCC Signed Date
BOCC Agenda Date
11/02/2020
Originator
NWONDER
NLLEWELLYN@MITRE.ORG
Finance Approver
CHRIS D'OVIDIO
Expiration Date*
10/31/2030
Contact Phone 1 Contact Phone 2
443-200-4009
Purchasing Approved Date
Finance Approved Date
10/30/2020
Tyler Ref #
AG 110220
Legal Counsel
KARIN MCDOUGAL
Legal Counsel Approved Date
10/30/2020