HomeMy WebLinkAbout20191143.tiffRESOLUTION
RE: APPROVE BUSINESS ASSOCIATE AGREEMENT AND AUTHORIZE CHAIR TO SIGN
- NORTHEAST HEALTH PARTNERS, LLC
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Business Associate Agreement
between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Human Services, and Northeast
Health Partners, LLC, commencing upon full execution of signatures, with further terms and
conditions being as stated in said agreement, and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the Business Associate Agreement between the County of Weld, State of
Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the
Department of Human Services, and Northeast Health Partners, LLC, be and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 20th day of March, A.D., 2019.
BOARD OF COUNTY COMMISSIONERS
W , D COUNTY, COL • ' ' DO t
ATTEST: datifigivW j o•e1
Weld County Clerk to the Board
BY:
Deputy Clerk o the Boar
APPROVED AS TO FORM:
A -c'( County Attorney
Date of signature: 3-2"1- t
Barbara Kirkmeyer, ( hair
EXCUSED
Mike Freeman, Pro-Tem
Steve Moreno
James
2019-1143
HR0090
£*L+Itr*24`7L0
PRIVILEGED AND CONFIDENTIAL
MEMORANDUM
DATE: February 26, 2019
TO: Board of County Commissioners — Pass -Around
FR: Judy A. Griego, Director, Human Services
RE: Business Associate Agreement (BAA) with Northeast Health
Partners, LLC
Please review and indicate if you would like a work session prior to placing this item on the Board's agenda.
Request Board Approval of the Department's Business Associate Agreement (BAA) with Northeast
Health Partners, LLC. Northeast Health Partners, LLC, is requiring a Business Associate Agreement (BAA)
with the Department to ensure compliance with HIPPA standards with regard to Protected Health Information
(PHI) that may be used, accessed, disclosed, received, or created in the course of business.
The BAA has been reviewed and approved by Karin McDougal.
I do not recommend a Work Session. I recommend approval of this Agreement and further recommend the
Chair to sign.
Sean P. Conway
Mike Freeman, Pm-Tem
Scott James
Barbara Kirkmeyer, Chair
Steve Moreno
Approve Schedule
Recommendation Work Session
,9Tai
mF
Arn-
Other/Comments:
2019-1143
Pass -Around Memorandum; February 26, 2019 — CMS 2476 Page 1
i-{R0D9b
Karla Ford
From:
Sent:
To:
Subject:
Barbara Kirkmeyer
Tuesday, February 26, 2019 7:31 PM
Karla Ford
Re: PA FOR ROUTING: Northeast BAA (CMS 2476)
Ok with me
Sent from my iPhone
On Feb 26, 2019, at 7:04 PM, Karla Ford <Icfprdcw eIdgaov.cpm> wrote:
Approve recommendation?
Karla Ford*
Office Manager, Board of Weld County Commissioners
1150 O Street, P.O. Box 758, Greeley, Colorado 80632
:: 970.336-7204 :: wektgovsiorn :: www.weldaov.com
My working hours are Monday -Thursday T:00a.m.-4:00 p.m.
Friday 7:00a.m. - Noon
<image003.jpg>
Confidentiality Notice: This electronic transmission and any attached documents or other writings ore intended only for the person or entity to
which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received
this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying,
distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named
recipient is strictly prohibited.
From: Tobi Cullins
Sent: Tuesday, February 26, 2019 5:04 PM
To: Karla Ford <kfordc weldgov.com>
Cc: Barb Connolly <bXontVIIVetW ttKov,com>; Bruce Barker <jabarkertaweldaov.com>; Esther Gesick
<eeestck@wel"deov.com>; HS Contract Management <11S -Car ra lanagemen co.ifvejd.co.us>; Jamie
Ulrich <ulrichlleweldeov.com>; Judy Griego <grieaoiagDweidgov,com>; Lennie Bottorff
<bottorli@weldgov.corin>
Subject: PA FOR ROUTING: Northeast BAA (CMS 2476)
Good afternoon, Karla.
Please see attached PA, initialed by Commissioner James, for routing. This item is in CMS (ID 2476).
Thank you.
Regards,
Tobi A. Cullins
Contract Management and Compliance Coordinator
Administration Support Unit (ASU)
Contract Management Team: 970-400-6556
Direct: 970-400-6392
Fax: 970-353-5215
1
Northeast Health Partners, LLC,
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made this 1 day of
January, 2019 (the "Effective Date"), by and between Northeast Health Partners LLC ("Covered
Entity"), and Weld County Department of Human Services ("Business Associate").
RECITALS:
WHEREAS, Covered Entity and Business Associate are subject to federal standards for
the privacy and security of Protected Health Information (as defined below);
WHEREAS, Business Associate provides services to Covered Entity that require Business
Associate to use, access, disclose, receive or create Protected Health Information;
WHEREAS, Covered Entity and Business Associate are committed to complying with the
HIPAA Standards (as defined below), 42 C.F.R. Part 2 ("Part 2"), and contractual obligations
imposed upon Covered Entity by the State of Colorado, Department of Health Care Policy and
Financing (the "Department"), and desire to set forth the rights and responsibilities of the parties
with respect to Protected Health Information;
WHEREAS, to the extent that Business Associate meets the definition of a "covered entity"
(as defined at 45 C.F.R. § 160.103), Business Associate's obligations pursuant to this Agreement
shall apply only to PHI that is created, accessed, maintained, or transmitted by Business Associate
related solely to Business Associate's obligations to Covered Entity which are not part of Business
Associate's "covered functions" (as defined at 45 C.F.R. § 164.103).
NOW THEREFORE, in consideration of the mutual promises and covenants contained
herein, the sufficiency of which is hereby acknowledged by the parties, the parties agree as follows:
1. DEFINITIONS.
1.1 "Breach" shall have the same meaning as the term "breach" at 45 C.F.R. § 164.402.
1.2 "Designated Record Set" means a group of records containing Protected Health
Information maintained by or for Covered Entity which fall within one of the following categories:
(a) a health care provider's medical and billing records about an Individual; (b) a health plan's
enrollment, payment, claims adjudication and case management records; or (c) records used in
whole or in part by Covered Entity to make decisions about the Individuals to whom the
information relates.
1.3 "Discovery" as used in Section 3.5 means that the Unauthorized Use or Disclosure,
or Breach, is known to Business Associate or any employee, officer or other agent of Business
Associate or should reasonably have been known to Business Associate or any employee, officer
or agent of Business Associate to have occurred by exercising reasonable diligence, in accordance
with 45 C.F.R. § 164.410(a).
1.4 "Individual" means the person who is the subject of Protected Health Information
and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R.
§ 164.502(g).
1.5 "HIPAA Standards" means collectively the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and
Clinical Health ("HITECH") Act (Pub. L. No. 111-5 (2009), the Security Standards for the
Protection of Electronic Protected Health Information as set forth in 45 C.F.R. Part 160 and Part
164, Subparts A and C (the "Security Rule"), and the Standards for Privacy of Individually
Identifiable Health Information as set forth in 45 C.F.R. Part 160 and Part 164, Subparts A and E
(the "Privacy Rule") and any amendments and additions to such laws and regulations which may
be adopted from time to time.
1.6 "Protected Health Information" or "PHI" means any information, whether oral or
recorded in any form or medium, that is (a) created or received by Covered Entity or by Business
Associate or another person or entity on behalf of or for the benefit of Covered Entity; (b) relates
to the past, present or future physical or mental health or condition of an Individual, the provision
of health care to an Individual, or the past, present or future payment for the provision of health
care to an Individual, and (c) identifies an Individual or with respect to which there is a reasonable
basis to believe the information can be used to identify the Individual.
1.7 "Required By Law" means a mandate contained in law that compels Covered Entity
or Business Associate to use or disclose PHI and that is enforceable in a court of law, including,
but not limited to, court orders, court -ordered warrants and statutes and regulations that require
such information if payment is sought under a government health care program.
1.8 "Service Provider" shall mean a person or entity that provides a service directly to
Covered Entity in connection with one or more "Covered Accounts" as such accounts are defined
in 16 CFR Part 681 (the "Red Flag Rules").
1.9 "Unsecured PHI" means PHI in any form that is not rendered unusable, unreadable,
or indecipherable to unauthorized persons through the use of a technology or methodology
specified in guidance issued by the Secretary of the United States Department of Health and
Human Services ("Secretary").
1.10 Other Terms. All other terms used, but not otherwise defined, in this Agreement
shall have the same meaning as provided in the HIPAA Standards and as applicable, Part 2.
2. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH
INFORMATION.
2.1 Permitted Uses and Disclosures. Except as otherwise limited in this Agreement,
Business Associate may use or disclose PHI received from or created on behalf of Covered Entity
to carry out the responsibilities of Business Associate as outlined in Attachment A provided that
such use or disclosure would not violate the HIPAA Standards or Part 2, this Agreement or the
policies and procedures of Covered Entity. Business Associate may use PHI in connection with
the proper management and administration of Business Associate. Business Associate may
disclose PHI in connection with the proper management and administration of Business Associate
or to carry out the legal responsibilities of Business Associate if (a) the disclosure is Required By
Law, or (b) Business Associate receives reasonable assurances in writing from the person to whom
the information is disclosed that the information will be held confidentially, used or further
disclosed only as Required By Law or for the purposes for which the disclosure was made, and the
person will notify Business Associate within five (5) business days of any breaches of
confidentiality of the PHI, to the extent he has obtained knowledge of such breach. Despite the
foregoing, any disclosure of PHI that is subject to Part 2 must meet the requirements set forth in
Section 4.
2.2 Unauthorized Uses and Disclosures. Any use or disclosure of PHI which is not
explicitly permitted by this Agreement is prohibited.
2.3 Violations of Law. Business Associate may use PHI to report violations of law to
appropriate authorities consistent with 45 C.F.R. § 164.502(j)(1).
3. HIPAA-RELATED OBLIGATIONS AND ACTIVITIES OF BUSINESS
ASSOCIATE.
3.1 Compliance with HIPAA Standards. Business Associate shall comply with all
provisions of the HIPAA Standards applicable to Business Associate, this Agreement, and other
applicable law, including Part 2, as set forth below.
3.2 Non -disclosure. Business Associate shall not use or disclose PHI other than as
permitted or required by this Agreement or as Required By Law (collectively the "Permitted
Disclosures"). All Permitted Disclosures shall be made in strict compliance with the HIPAA
Standards. Any use or disclosure of PHI that is not a Permitted Disclosure, including but not
limited to any Breach of Unsecured PHI, shall be considered an "Unauthorized Use or Disclosure"
for purposes of this Agreement.
3.3 Safeguards. Business Associate agrees to use appropriate safeguards to prevent the
use or disclosure of PHI other than as permitted by this Agreement. Business Associate will
document and keep all such safeguards current. Business Associate shall maintain a
comprehensive written information privacy and security program that includes administrative,
technical, and physical safeguards appropriate to the size and complexity of the Business
Associate's operations and nature and scope of its activities. Business Associate shall review,
modify, and update documentation of its safeguards as needed to ensure continued provision of
reasonable and appropriate protection of PHI.
3.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any
harmful effect, known to Business Associate, of any Unauthorized Use or Disclosure.
3.5 Reporting. Business Associate agrees to report to the Privacy Officer of Covered
Entity any Unauthorized Use or Disclosure of PHI of which Business Associate becomes aware.
The initial report shall be made by telephone call to the Privacy Officer of Covered Entity within
seventy-two (72) hours after Discovery by Business Associate of such Unauthorized Use or
Disclosure. The initial report shall be followed by a written report to the Privacy Officer which
shall be made as soon as reasonably possible but in no event more than five (5) business days after
Discovery by Business Associate of such Unauthorized Use or Disclosure. This reporting
obligation shall include Unauthorized Uses or Disclosures by Business Associate, its employees,
subcontractors and/or agents. Each such report of an Unauthorized Use or Disclosure will: (i)
identify each Individual whose Unsecured PHI has been or is reasonably believed to have been
accessed, acquired, or disclosed as a result of such Unauthorized Use or Disclosure; (ii) identify
the nature of the Unauthorized Use or Disclosure, including the date of Discovery and Date of the
Unauthorized Use or Disclosure; (iii) identify the PHI used or disclosed; (iv) identify who made
the Unauthorized Use or Disclosure; (v) identify who received the unauthorized PHI; (vi) identify
what corrective action Business Associate took or will take to prevent further Unauthorized Use
or Disclosures; (vii) identify what Business Associate did or will do to mitigate any deleterious
effect of the Unauthorized Use or Disclosure; and (viii) provide such other information as Covered
Entity may reasonably request. Business Associate agrees to pay the actual costs of Covered Entity
to provide required notifications and any associated costs incurred by Covered Entity as a result
of a Breach caused by Business Associate, such as credit monitoring for affected patients, and
including any civil or criminal monetary penalties or fines levied by any federal or state authority
having jurisdiction if Covered Entity reasonably determines that the nature of the Breach warrants
such measures.
3.6 Agents and Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2) and
164.502(e)(1)(ii), Business Associate agrees to ensure that any agent or subcontractor that creates,
receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the
same restrictions and conditions that apply to Business Associate through this Agreement with
respect to such information (a "Subcontractor Agreement"). The Subcontractor Agreement shall
identify the Department as a third party beneficiary with rights of enforcement and indemnification
from such Subcontractors in the event of any violation of such Subcontractor Agreement. If
Business Associate knows or has reason to know of a pattern of activity or practice of a
subcontractor that constitutes a material breach or violation of the subcontractor's obligations
under the Subcontractor Agreement, Business Associate shall take reasonable steps to cure the
breach or end the violation, as applicable, and, if such steps are unsuccessful: (A) Business
Associate shall terminate the Subcontractor Agreement and any related business arrangements
between Business Associate and the subcontractor involving the use, disclosure, or creation of
PHI, if feasible; or (B) if such termination is not feasible, Business Associate shall report the
situation to Covered Entity.
3.7 Access. To the extent Business Associate maintains a Designated Record Set,
Business Associate shall provide access to PHI it maintains in the Designated Record Set to
Covered Entity or, as directed by Covered Entity, to an Individual or another person properly
designated by the Individual, within five (5) days of receiving a written request from Covered
Entity in order to meet the requirements of 45 C.F.R. § 164.524. If Business Associate maintains
PHI electronically in a Designated Record Set and if the Individual requests an electronic copy of
such information, Business Associate shall provide Covered Entity, or the Individual or person
properly designated by the Individual, as directed by Covered Entity, access to the PHI in the
electronic form and format requested by the Individual, if it is readily producible in such form and
format; or, if not, in a readable electronic form and format as agreed to by Covered Entity and the
Individual. If Business Associate receives a request for access to PHI directly from an Individual,
Business Associate shall notify Covered Entity of the request in writing within one (1) business
day.
3.8 Amendments. To the extent Business Associate maintains PHI in a Designated
Record Set, Business Associate shall make any amendment(s) to PHI in the Designated Record
Set that Covered Entity directs pursuant to 45 C.F.R. § 164.526 within five (5) days of receiving
a written request from Covered Entity. Business Associate shall make any such amendment only
by appending the amendment to the PHI in the Designated Record Set, and under no circumstance
shall PHI be deleted from the Designated Record Set as part of the amendment process. If Business
Associate receives a request for an amendment to PHI maintained in a Designated Record Set
directly from an Individual, Business Associate shall notify Covered Entity of the request in
writing within one (1) business day. Any denial of amendment of PHI maintained by Business
Associate or its agents or Subcontractors shall be the responsibility of the Department.
3.9 Records. Business Associate shall make its internal practices, books, and records
relating to the use and disclosure of PHI received from, or created or received by Business
Associate on behalf of, Covered Entity available to Covered Entity or to the Secretary, during
regular business hours in a time and manner designated by the Secretary, the Department, or
Covered Entity, for purposes of the Secretary determining the Department's, Covered Entity's or
Business Associate's compliance with the HIPAA Standards. Business Associate shall provide to
Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently
with providing such PHI to the Secretary when the Secretary is investigating Covered Entity or
the Department. Business Associate shall cooperate with the Secretary if the Secretary undertakes
an investigation or compliance review of its policies, procedures, or practices to determine whether
Business Associate is complying with the HIPAA Standards, and permit access by the Secretary
during normal business hours to its facilities, books, records, accounts, and other sources of
information, including PHI, that are pertinent to ascertaining compliance.
3.10 Accounting of Disclosures. Business Associate shall document such disclosures of
PHI made by Business Associate, its employees, subcontractors or agents and information related
to such disclosures as are required for Covered Entity to respond to a request by an Individual for
an accounting of disclosures in accordance with 45 C.F.R. § 164.528 including: (a) the date of the
disclosure; (b) the name and address (if known) of the person or entity who received the disclosure;
(c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the
disclosure or a copy of the consent to the disclosure signed by the Individual to whom the PHI
relates. Business Associate agrees to provide Covered Entity within five (5) business days of
receiving a written request from Covered Entity, information collected in accordance with this
Section. If Business Associate receives a request for an accounting of disclosures of PHI directly
from an Individual, Business Associate shall notify Covered Entity of the request in writing within
one (1) business day of receipt of the request and forward it to Covered Entity. Additionally, as
of the compliance date set forth in the relevant regulations, if Business Associate makes disclosures
of PHI through an Electronic Health Record, Business Associate shall account for all such
disclosures in accordance with the HITECH Act and any future regulations promulgated
thereunder. It shall be the Department's responsibility to prepare and deliver any such accounting
requested to an Individual.
3.11 "Trading Partner" Provisions: Use and Disclosure in Connection with Standard
Transactions. If Business Associate conducts Standard Transactions (as defined in 45 C.F.R. Part
162) for or on behalf of Covered Entity , Business Associate will comply, and will require each
subcontractor or agent involved with the conduct of such Standard Transactions to comply, with
each applicable requirement of 45 C.F.R. Part 162. Business Associate will not enter into, or
permit its subcontractors or agents to enter into, any trading partner agreement in connection with
the conduct of Standard Transactions for or on behalf of Covered Entity that: (a) changes the
definition, data condition, or use of a data element or segment in a Standard Transaction; (b) adds
any data elements or segments to the maximum defined data set; (c) uses any code or data element
that is marked "not used" in the Standard Transaction's implementation specification or is not in
the Standard Transaction's implementation specification; or (d) changes the meaning or intent of
the Standard Transaction's implementation specification.
3.12 Prevention of Identity Theft. If Business Associate is a Service Provider as defined
above, Business Associate shall perform all services and conduct all activities under the underlying
agreement between the parties and this Agreement in accordance with reasonable policies and
procedures which are designed to identify, prevent, and mitigate identity theft in accordance with
the standards established by the Red Flag Rules and other applicable law. Business Associate shall
provide its identity theft policies and procedures to Covered Entity upon request. Business
Associate's failure to establish the policies required by this Section or to conform its conduct to
such policies shall constitute a material breach of this Agreement and the underlying agreement
between the parties.
3.13 Security of Electronic Data. If PHI is created, accessed, transmitted to or
maintained by Business Associate in electronic format, Business Associate agrees to:
(a) Develop, implement, maintain, and use administrative, technical and
physical safeguards that reasonably and appropriately protect the integrity, confidentiality,
and availability of the electronic PHI that Business Associate creates, receives, maintains
or transmits on behalf of Covered Entity and to comply with all applicable provisions of
Subpart C of Part 164 of the Security Rule;
(b) Ensure that any agent or subcontractor to whom Business Associate
provides electronic PHI agrees to implement reasonable and appropriate safeguards to
protect such PHI; and
(c) Report to Covered Entity any Security Incident of which Business Associate
becomes aware. Notwithstanding the foregoing, Business Associate and Covered Entity
acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security
Incidents that are trivial in nature, such as pings and port scams, and Covered Entity
acknowledges and agrees that no additional notification to Covered Entity of such
unsuccessful Security Incidents is required. However, to the extent that Business Associate
becomes aware of an unusually high number of such unsuccessful Security Incidents due
to the repeated acts of a single party, Business Associate shall notify Covered Entity of
these attempts and provide the name, if available, of said party. At the request of Covered
Entity, Business Associate shall identify the date of the Security Incident, the scope of the
Security Incident, Business Associate's response to the Security Incident, and the
identification of the party responsible for causing the Security Incident, if known.
3.14 Minimum Necessary. Business Associate will make reasonable efforts, to the
extent practicable, to limit requests for and the use and disclosure of PHI to a Limited Data Set (as
defined in 45 C.F.R. § 164.514(e)(2)) or, if needed by Business Associate, to the minimum
necessary PHI to accomplish the intended purpose of such use, disclosure or request, and as
applicable, in accordance with the regulations and guidance issued by the Secretary on what
constitutes the minimum necessary for Business Associate to perform its obligations to Covered
Entity under this Agreement or as Required By Law.
3.15 Data Ownership. Business Associate acknowledges that Business Associate has no
ownership rights with respect to the PHI.
3.16 Delegated Obligations. To the extent Business Associate is delegated to carry out
Covered Entity's obligations under the Privacy Rule, Business Associate shall comply with the
requirements of the Privacy Rule that apply to Covered Entity in the performance of such delegated
obligations.
PART 2 QUALIFIED SERVICE ORGANIZATION OBLIGATIONS AND ACTIVITIES
4.1 Federal Alcohol and Drug Abuse Confidentiality Regulation. PHI that relates to
alcohol and drug abuse ("Part 2 Information") also is protected by Part 2.
4.2. Confidentiality Agreement. For purposes of Part 2, Business Associate is a
Qualified Service Organization (as defined at 42 C.F.R. § 2.11), and acknowledges that in
receiving, storing, processing or otherwise dealing with any Part 2 Information from or for
Covered Entity, (1) it is fully bound by Part 2, as it would apply to Covered Entity, as a "Program"
(as defined at 42 C.F.R. § 2.11), and (2) if necessary, will resist in judicial proceedings any efforts
to obtain access to the Part 2 Information, except as permitted by Part 2.
4.3. Prohibition on Redisclosure. Business Associate agrees to ensure that any Part 2
Information received from Covered Entity, will not be redisclosed to any other person or entity,
including an agency or Subcontractor who provides services for Business Associate, except as may
be permitted by Part 2.
5. ADDITIONAL REQUIREMENTS IMPOSED ON BUSINESS ASSOCIATE (AND
COVERED ENTITY) BY THE DEPARTMENT.
5.1 Insurance. Business Associate shall maintain insurance to cover loss of PHI data
and claims based upon alleged violations of privacy rights through improper use or disclosure of
PHI. All such policies shall meet or exceed the minimum insurance requirements of the underlying
agreement between Covered Entity and the Department (e.g., occurrence basis, combined single
dollar limits, annual aggregate dollar limits, additional insured status and notice of cancellation),
as reflected in the underlying agreement between Covered Entity and Business Associate.
5.2 Safeguards During Transmission. Business Associate shall be responsible for using
appropriate safeguards, including encryption of PHI to maintain and ensure the confidentiality,
integrity, and security of PHI transmitted to Covered Entity or the Department pursuant to the
relevant underlying agreement, in accordance with the HIPAA Standards.
5.3 Retention of Protected Information. Except upon termination of this Agreement as
provided in Section 6, Business Associate shall retain all PHI throughout the term of the
underlying agreement with Covered Entity and shall continue to maintain the information required
under Section 3.10 of this Agreement for a period of six (6) years.
5.4 Audits, Inspection and Enforcement. Upon request by the Department or Covered
Entity, Business Associate and its agents or subcontractors shall allow the Department or Covered
Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements,
policies and procedures relating to the use or disclosure of Protected Health Information pursuant
to this Agreement for the purpose of determining whether Business Associate has complied with
this Agreement; provided, however, that: (i) Business Associate and the Department or Covered
Entity shall mutually agree in advance upon the scope, timing and location of such an inspection;
and (ii) the Department or Covered Entity shall protect the confidentiality of all confidential and
proprietary information of Business Associate to which it has access during the course of such
inspection. The fact that the Department or Covered Entity inspects, or fails to inspect, or has the
right to inspect, Business Associate's facilities, systems, books, records, agreements, policies and
procedures does not relieve Business Associate of its responsibility to comply with this
Agreement, nor does the Department's or Covered Entity's (i) failure to detect or (ii) detection,
but failure to notify Business Associate or require Business Associate's remediation of any
unsatisfactory practices, constitute acceptance of such practice or a waiver of the Department's or
Covered Entity's enforcement rights under the relevant underlying agreements.
5.5 Restrictions and Confidential Communications. Within five (5) business days of
notice by Covered Entity of a restriction upon uses or disclosures or request for confidential
communications pursuant to 45 C.F.R. Section 164.522, Business Associate will restrict the use
or disclosure of an Individual's PHI. Business Associate will not respond directly to an
Individual's requests to restrict the use or disclosure of PHI or to send all communications of PHI
to an alternate address. Business Associate will refer such requests to Covered Entity so that
Covered Entity can coordinate with the Department to prepare a timely response to the requesting
Individual and provide direction to Business Associate.
5.6 Injunctive Relief. The Department and Covered Entity shall have the right to
injunctive and other equitable and legal relief against Business Associate or any of its
Subcontractors in the event of any use or disclosure of PHI in violation of this Agreement or
applicable law.
5.7 No Waiver of Immunity. As related to the Department and the Business Associate
who is also a public entity, no term or condition of this Agreement shall be construed or interpreted
as a waiver, express or implied, of any of the immunities, rights, benefits, protection, or other
provisions of the Colorado Governmental Immunity Act, CRS 24-10-101 et seq. or the Federal
Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now in effect or hereafter amended.
5.8 Certification. To the extent that the Department or Covered Entity determines an
examination is necessary in order to comply with its legal obligations pursuant to the HIPAA
Standards and other applicable law relating to certification of its security practices, the Department
or Covered Entity or its authorized agents or contractors, may, at the Department's or Covered
Entity's expense, examine Business Associate's facilities, systems, procedures and records as may
be necessary for such agents or contractors to certify to the Department or Covered Entity the
extent to which Business Associate's security safeguards comply with the HIPAA Standards or
this Agreement.
5.9 Sanctions. Business Associate acknowledges that Covered Entity may impose
sanctions (contractually or otherwise, such as in the form of a letter of reprimand) on Business
Associate for violating the restrictions and conditions set forth in this Agreement.
6. TERM AND TERMINATION.
6.1 Term. The term of this Agreement shall commence on the Effective Date, and shall
terminate when all of the PHI provided by Covered Entity to Business Associate, or created or
received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered
Entity, or, if it is not feasible to return or destroy the PHI, protections are extended to such
information, in accordance with the termination provisions in this Section.
6.2 Termination for Cause. Upon Covered Entity's reasonable determination that
Business Associate has breached a material term of this Agreement, Covered Entity shall be
entitled to do any one or more of the following:
(a) Give Business Associate written notice of the existence of such breach and give
Business Associate an opportunity to cure the breach upon mutually agreeable terms. If Business
Associate does not cure the breach or end the violation according to such terms, or if Covered
Entity and Business Associate are unable to agree upon such terms, Covered Entity may
immediately terminate this Agreement. If termination of this Agreement is not feasible, Covered
Entity shall report the breach to the Secretary, to the extent Required By Law.
(b) Immediately terminate this Agreement or any other arrangement between
Covered Entity and Business Associate which is the subject of such breach.
(c) Immediately stop all further disclosures of PHI to Business Associate pursuant
to the underlying agreement between the parties or other arrangement which is the subject of such
breach.
6.3 Termination Without Cause. This Agreement shall terminate upon any such date
as Covered Entity and Business Associate may agree in a writing signed by both parties.
6.4 Termination of Services. This Agreement shall terminate upon the termination or
expiration of the services provided by Business Associate.
6.5 Effect of Termination.
(a) Upon termination of this Agreement for any reason, Business Associate shall
return to Covered Entity, or destroy upon the prior written consent of Covered Entity, all PHI
received, created, received or maintained in any form by Business Associate on behalf of Covered
Entity. Business Associate shall retain no copies of such information. This Section shall also
apply to PHI that is in the possession of subcontractors or agents of Business Associates.
(b) In the event that Business Associate determines that return or destruction of
PHI is not feasible, Business Associate shall provide to Covered Entity written notification of the
conditions that make return or destruction infeasible. Upon mutual agreement of the parties that
return or destruction of PHI is infeasible, Business Associate shall extend the protections of this
Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that
make the return or destruction of the PHI infeasible, for so long as Business Associate maintains
such PHI.
(c) Business Associate shall cooperate with Covered Entity to the extent reasonably
necessary for Covered Entity to determine that all PHI has been properly returned, destroyed or
protected upon termination of this Agreement. If Business Associate destroys the PHI, Business
Associate shall certify in writing to Covered Entity that such PHI has been destroyed.
(d) Business Associate's obligations to protect the privacy and security of PHI as
provided in this Agreement, including Business Associate's obligations pursuant to this Section 6
are continuous and shall survive any termination, cancellation, expiration, or other conclusion of
this Agreement or any other agreement between Business Associate and Covered Entity.
6.6 Business Associate's Termination Rights. Business Associate shall ensure that it
maintains for itself the termination rights in this Section in any Subcontractor Agreement it enters
into with an agent or subcontractor.
7. MISCELLANEOUS.
7.1 Indemnification; Limitation of Liability. To the extent permitted by law, Business
Associate shall indemnify, defend and hold harmless Covered Entity and the Department from any
and all liability, claim, lawsuit, injury, loss, expense or damage resulting from or relating to the
acts or omissions of Business Associate in connection with the representations, duties and
obligations of Business Associate under this Agreement. Any limitation of liability contained in
any other agreement between the parties shall not apply to the indemnification requirement of this
Section. This Section shall survive the termination of the Agreement.
7.2 Assistance in Litigation. Business Associate shall make itself and any
subcontractors, employees or agents assisting Business Associate in the performance of its
obligations under this Agreement available to Covered Entity and the Department, at no cost to
Covered Entity or the Department, to testify as witnesses, or otherwise, in the event of litigation
or administrative proceedings being commenced against Covered Entity, the Department, its
directors, officers or employees based upon a claim of violation of the HIPAA Standards, Part 2,
or other laws related to security and privacy by Business Associate.
7.3 Relationship of the Parties. In the performance of the work, duties and obligations
described in this Agreement, the parties acknowledge and agree that each party is at all times acting
and performing as an independent contractor and at no time shall the relationship between the
parties be construed as a partnership, joint venture, employment, principal/agent relationship, or
master/servant relationship.
7.4 Entire Agreement. This Agreement is the sole understanding between the parties
relating to such matters, and supersedes all prior agreements and understandings, whether oral or
written. Nothing herein shall require Covered Entity to disclose any PHI to Business Associate
for such services or to utilize any service of Business Associate. Nothing herein requires Business
Associate to accept any PHI or to provide any particular services beyond those specified in
Attachment A.
7.5 Assignment. No assignment of this Agreement or of the rights and obligations
hereunder by any party shall be valid, without the prior written consent of the other party. The
provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties
hereto and each of their respective successors, heirs and permitted assigns, if any.
7.6 Severability. In the event that any one or more of the provisions of this Agreement
shall for any reason be held to be invalid, illegal, or unenforceable, the remaining provisions of
this Agreement shall not be affected thereby.
7.7 Waiver and Breach. The waiver by either party of a breach or violation of any
provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent
breach of the same or other provisions hereof.
7.8 Notice. Any notice required or permitted to be given under this Agreement shall
be in writing and may be either personally delivered, sent by registered or certified mail in the U.S.
Postal Service, Return Receipt Requested, postage prepaid, or reputable overnight courier, delivery
prepaid and signature required, addressed to each party at the addresses set forth at the end of this
Agreement. Any such notice shall be deemed to have been given, if mailed as provided herein, as
of forty -eighty (48) hours after mailing. All required notices shall be in writing and shall be to the
representatives at the addresses set forth below.
8. TERM AND TERMINATION.
8.1 The term of this Agreement shall commence on the Effective Date and shall
continue until terminated as permitted herein.
8.2 Termination for Cause. Upon Northeast Health Partners, LLC 's reasonable
determination that Contractor has breached a material term of this Agreement, Northeast Health
Partners, LLC shall be entitled to do any one or more of the following:
(a) Give Contractor written notice of the existence of such breach and give
Contractor a reasonable period, which shall not be less than 30 days, to cure the breach. If
Contractor does not cure the breach or end the violation within such period, Northeast Health
Partners, LLC may immediately terminate this Agreement. If termination of this Agreement is
not feasible, Northeast Health Partners, LLC shall report the breach to the Secretary of DHHS.
(b) Immediately stop all further disclosures of PHI to Contractor pursuant to the
Management Services Agreement or other arrangement which is the subject of such breach.
8.3 Termination by Agreement. This Agreement shall terminate upon any such date
as Northeast Health Partners, LLC and Contractor may agree in a writing signed by both parties.
8.4 Termination of Management Services Agreement. This Agreement shall
terminate upon the termination or expiration of the Management Services Agreement.
8.5 Effect of Termination.
(a) Upon termination of this Agreement for any reason, Contractor shall return to
Northeast Health Partners, LLC, or destroy, all PHI received, created or maintained in any form
by Contractor on behalf of Northeast Health Partners, LLC . Contractor shall retain no copies of
such information. This Section shall also apply to PHI that is in possession of subcontractors or
agents of Contractor.
(b) In the event that Contractor determines that return or destruction of PHI is not
feasible, Contractor shall provide to Northeast Health Partners, LLC written notification of the
conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that
return or destruction of PHI is infeasible, Contractor shall extend the protections of this
Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that
make the return or destruction infeasible, for so long as Contractor maintains such PHI.
(c) Contractor shall cooperate with Northeast Health Partners, LLC to the extent
reasonably necessary for Northeast Health Partners, LLC to determine that all PHI has been
properly returned, destroyed or protected upon termination of this Agreement. Such cooperation
shall include allowing Northeast Health Partners, LLC to review electronic and computer
systems for data and deleting electronic access paths and codes which allow Contractor to
receive or transmit PHI in electronic formats.
(d) Contractor's obligation to protect the privacy of PHI is continuous and
survives any termination, cancellation, expiration, or other conclusion of this Agreement or any
other agreement between Contractor and Northeast Health Partners, LLC. The respective rights
and obligations of Contractor under this Section 7 regarding the return, destruction or protection
of PHI after termination shall survive the termination of this Agreement.
9. MISCELLANEOUS.
9.1 Scope of Agreement. This Agreement relates only to the use, disclosure and
protection of PHI if it is disclosed to, created or received by Contractor in connection with any
relation between Contractor and Northeast Health Partners, LLC. This Agreement is the sole
understanding between the parties relating such matters, and supersedes all prior agreements and
understandings, whether oral or written. Nothing herein requires Contractor to accept any PHI or
to provide any particular services.
9.2 Assignment. No assignment of this Agreement or of the rights and obligations
hereunder by any party shall be valid, without the prior written consent of the other party. The
provisions of this Agreement shall be binding upon and shall inure to the benefit of the parties
hereto and each of their respective successors, heirs and permitted assigns, if any.
9.3 Severability. In the event that any one or more of the provisions of this
Agreement shall for any reason be held to be invalid, illegal, or unenforceable, the remaining
provisions of this Agreement shall not be affected thereby.
9.4 Waiver and Breach. The waiver by either party of a breach or violation of any
provision of this Agreement shall not operate as, or be construed to be, a waiver of any
subsequent breach of the same or other provisions hereof.
9.5 Notice. All notices required or permitted under this Agreement shall be in writing
and shall be delivered in person or deposited in the United States mail, postage prepaid,
addresses as follows:
If for NORTHEAST HEALTH PARTNERS, LLC:
1300 N. 17th Ave
Greeley, CO 80631
If for Contractor:
Such addresses may be changed from time to time by either party by providing written notice to
the other in the manner set forth above. Any notice hereunder shall be deemed given and
received 48 hours after mailing, if given by mailing in the manner provided above, or upon
actual receipt of the information if given by hand, facsimile or telegraph.
9.6 Amendments. This Agreement may only be amended or modified by written
agreement executed by all parties. The Parties agree to take such action as is necessary to amend
this Agreement from time to time as is necessary for NORTHEAST HEALTH PARTNERS,
LLC to comply with the requirements of the Privacy Regulations and HIPAA.
9.7 Governing Law/Construction. This Agreement shall be governed by applicable
federal law and the laws of the State of Colorado, without regard to conflict of laws principles.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Northeast
Health Partners, LLC to comply with the Privacy Regulations.
9.8 No Third Party Beneficiaries. Contractor and Northeast Health Partners, LLC
agree that Individuals who are the subject of PHI are not third party beneficiaries of this
Agreement.
9.9 Further Acts. The parties agree that the intent of this Agreement is to comply
with the Business Associate provisions of the Privacy Regulations. Each of the parties shall
execute and deliver all documents, papers and instruments reasonably necessary or convenient to
carry out the terms of this Agreement. The parties shall, upon request at any time after the date
of this Agreement, execute, deliver and/or furnish all such documents and instruments, and do or
cause to be done all such acts and things as may be reasonable to effectuate the purpose and
intent of this Agreement as set forth herein.
IN WITNESS WHEREOF, the parties have executed this Agreement to be effective as
of the Effective Date.
NORTHEAST HEALTH PARTNERS, LLC
By:
Executive Director
Its:
Date: Apr 5, 2019
ATTEST: 1id%dW/ • `dt"D'41
CLERK TO THE BOARD
COUNTY OF WELD, COLORADO
by and through the BOARD OF COUNTY
COMMISSIONERS OF THE COUNTY OF
WELD
By: � I I/_ _ By
Lbara Kirkmeye , Chair
MAR 2 0 2019
02o/q- //143
Hello