The URL can be used to link to this page

Browse Search

Home My WebLink About20162244.tiffRESOLUTION RE: APPROVE AGREEMENT FOR HIPAA BUSINESS ASSOCIATE AND AUTHORIZE CHAIR TO SIGN - NORTH RANGE BEHAVIORAL HEALTH WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and WHEREAS, the Board has been presented with an Agreement for HIPAA Business Associate between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriffs Office, and North Range Behavioral Health, commencing upon full execution of signatures and ending, July 18, 2017, with further terms and conditions being as stated in said agreement, and WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference. NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Agreement for HIPAA Business Associate between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriffs Office, and North Range Behavioral Health, be and hereby is, approved. BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreement. The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 18th day of July, A.D., 2016. BOARD OF COUNTY COMMISSIONERS WELD COUNTY, COLORADO ATTEST: Mike Freeman, Chair Weld County Clerk toBoard Sean P. Conway, Pro-Tem ounty • ttorney Date of signature: ‘8'110111, cc: SOCZGlRa) 49E C PR3 g/ act/1Co 2016-2244 S00037 1N TcLU CCf 3t N STEVE REAMS To: Board of County Commissioners From: Lieutenant Brandon Cody, Weld County Sheriff— Detentions Date: 07/07/2016 Subject: Intergovernmental agreement for crisis assessment protocol between Weld County North Range Behavioral Health Commissioners, Attached is a memorandum of understanding between Weld Count)> Sheriff Office and North Range Behavioral Health Crisis Response Team (CRT). 1 he foundation 7t this partnersh p is t. ensure community members being released from the Weld County Jail hose access to the !net appropriate level of care/treatment for their mental health needs. Especial when WCSO mental health staff are not present or ay,-ailahie to perform mental health- substance abuse evaluation. A WCSO Certified Peace Officer may contact a CR t member who would respond to the Weld County Jail and conduct an assessment or a community member in a secured environment where WCSO Deputies are present upon their release. Furtnermore. this is a NO COST agreement h, either parties and has already been signed by ' RBH. Hie attached MOU and North Range Behassieral Health FIIPPA Business Associate Agreement have been sent to and reviewed by Frank Haug, Assistant Weld County Attorney., I recommend you approve this agreement. Please let me know it Ou hone any questions or concerns. Thank you for your time Agree with Staff Val ork Session Recommendation Kirkmeser i Requested Freeman mC- Conway Cozad Vh reno Heatiti r 75, a iii 'J (1/2 h.vesf Substi5oi 1._.1: ,'9(25 25 it 2 nl. _ Aoradc 5551)4 < Nei 6'5.1 i L - Comments 2016-2244 HIIPAA Business Associate Agreement Weld County, Board of County Commissioners on behalf of the Weld County Sheriff's Office acknowledges that it is a "Business Associate" of North Range Behavioral Health as defined by the standards for Privacy or Individually identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (" IIIPAA"). as amended by Sections 13400 through 13424 of the Health Information Technology for Neonontic Clinical 1 Icalth Act (the "HITECH Act"), which was enacted as part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). In accordance with the terms set forth in this "Privacy Agreement," Weld County Sheriff's Office and North Range Behavioral Health shall use reasonable hest efforts to protect the privacy of Protected Health Information. 1. Terms and Terminology. 1.1. Provider. "Provider" means North Range Behavioral Health. 1.2. llu`irless Associate. "Business Associate" means Weld County Sheriff's Office. 1.3. Patient. "Patient- means a patient of Provider. 1.4. Terms. Terms used, hut not defined, in this Privacy Agreement shall have the same meaning as those terms in the Privacy Rule or the Security Rule. 1.5. Privacy Rule. "Privacy Rule" shall mean the standards for Privacy of Individually Identifiable Health Information contained in 45 CFR Parts 160 and 164, Subparts A and F. 1.6. Protected Health Information. "Protected I leaith Information'' and/or "PHI" means information, whether oral or recorded in any form or medium, including demographic information, that: (i) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual: (ii) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual: and (iii) is received by Business Associate from or on behalf of Provider, or is created by Business Associate for Provider. or is made accessible to Business Associate by Provider. Ptil includes, without limitation. "Electronic Protected Health Information" and/or "liPI II,"" as that term is defined at 45 CFR 160.103. 1.7. Patient Record. "Patient Record'" means any item. collection, or grouping of information that includes Protected I lealth Information that is maintained, collected, used, or distributed by Provider. 1.8. ,"'eriices Agreement. "Services Agreement" means the Intergovernmental Agreement for Crisis Assessments by and between Practice and Business Associate having an effective date of Full execution date of the Agreement by the parties, for a one (1) year period. Page 1 of() 9&7/ ' - o2 a ct4 1'c°raurr. "Person" means any legal entity or individual. 1.10. Seem -fly Rule. "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information contained in 45 CFR Parts 160 and 164. Subparts A and 1.11. Personal Health Records. "Personal I lealth Records'. means electronic records of personal health information. regardless of whether the information has been created or received by Provider, health plan. employer, or health care clearinghouse, in order to distinguish it from individually identifiable health information that is created or received by Provider, health plan, employer, or health care clearinghouse. Personal Health Records includes the kinds of' records managed, shared and controlled by or primarily for the Patient, hut not records managed by or primarily for commercial enterprises, such as life insurance companies. 1.12. Unsecured Protected Health In/ormciion, "Unsecured Protected Health Information" and/or "Unsecured Pill" means information that is not secured through the use of a technology or methodology identified by the Secretary to render the Protected Health Information unusable. unreadable and undecipherable to unauthorized users. 2. Business Associate's Obligations. 2.1. Business Associate Subject ru .Same ,Standards and Scone Penalties OS Provider. Business Associate will comply with the use and disclosure provisions of the Privacy Rule and the security standards regarding administrative, physical and technical safeguards of the Security Rule. As set forth in the IIITECli Act, Business Associate will he subject to civil and criminal penalties for violation of the Privacy Rule or the Security Rule. 2.2. Perutirled (ices and Disclosures. Business Associate shall use or disclose PHI solely as necessary to perform the services set forth in the Services Agreement, and as permitted or required by this Privacy Agreement or as required by law. 2.3. So/guards. Business Associate shall use appropriate privacy and security measures to prevent the use or disclosure of Phil other than as permitted under this Privacy Agreement. Such measures shall include. but not he limited to: (i) implementing and maintaining appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any EPH1 that it creates, receives. maintains, or transmits on behalf of Provider, as required by the Privacy Rule and Security Rule; and (ii) taking measures to ensure compliance with standards and implementation specifications with respect to the administrative, physical, and technical safeguards, as required by 45 C.F.R. §* 164.308, 164.310, 1 64.3 l 2. and 164.316. 2.4. A/iri,c;uriun. If Business Associate uses or discloses Phil in a manner other than as permitted under this Privacy Agreement, Business Associate shall use its reasonable best efforts to mitigate the effects of the use or disclosure. These efforts shall include, but are not he limited to, ensuring that the improper use of P111 is discontinued immediately, seeking return or Page 2 of 9 destruction of the improperly disclosed PHI, and ensuring that any person to whom PHI was improperly disclosed will not redisclose such information. 2.5. Ditty to Report. Business Associate shall immediately notify Provider of any use or disclosure of PI -II of which Business Associate is aware that is not expressly authorized under this Privacy Agreement. whether made by Business Associate, its employees, representatives, agents, or subcontractors. Business Associate shall also immediately notify Provider of any attempted or successful unauthorized access, use, disclosure. modification, or destruction of inhumation, or interference with the system operations in an information system. Business Associate shall provide in such notice the remedial or other actions taken to correct the unauthorized use or disclosure. 2.6. Age ?Hs, Business Associate will ensure that any of its employees, agents, subcontractors, or other third parties with which Business Associate does business are aware of and are bound to abide by Business Associate's obligations under this Privacy Agreement, 2.7. ticvcss to Patient Record. Business Associate understands that a Patient has the right to access the PHl in its Patient Record in accordance with 45 C.F,R. § 164.524. To provide Patients with access to Patient Records held by Business Associate, Business Associate agrees to provide access to, or copies of, any Patient Record upon request by Provider. Provider shall request access by giving at least 48 hours notice by facsimile. telephone. or electronic mail, Business Associate may. charge Provider for the reasonable costs of copying only it Provider is allowed under state and federal law to recoup such costs from the Patient. 2. 3. ;lnrcr,rclmc'r,ls to Patier,! Record. Business Associate understands that a Patient may have the right to amend the PHI in its Patient Record, To provide Patients with the ability to amend PHI in Patient Records held by Business Associate, Business Associate agrees to make amendments to any Patient Record upon request of Provider, Business Associate shall make such amendment within 30 days of the written request of Provider. 2.c). Druz to Docrurren! Dis<:lc,.tiures, Business Associate will document each disclosure it makes of PHI to any other person. including Provider, The documentation shall include: The date of the disclosure: ii. The name of the person receiving the PHI, and, iI'known, the address of such person; and iii. A brief statement of the purpose of the disclosure or, instead of such statement. a copy of the request for disclosure. b. Notwithstanding Section 2.9(a), Business Associate is not required to document the following disclosures: Page 3 of9 Unless otherwise required by Section 2.10, disclosures made for the purpose of. or incidental to, carrying out treatment, payment, or health care operations;. li. Disclosures made prior to April 14. 2003; iii. Disclosures made to provide the Patient with access to its PHI under Section 2.7; iv. Disclosures made pursuant to a Patient's written authorization; Disclosures required by law for national security or intelligence purposes: vi. Disclosures to correctional institutions or law enforcement officials having lawful custody of a Patient; vii. Disclosures made as part of a limited data set; viii. Disclosures made to persons involved in the individual's care; and Disclosures made for notification purposes such as in an emergency. 2.10. Accntmting rtt Disclosures, Business Associate understands that a Patient has the right to an accounting of disclosures of PHI. To provide Patients with such an accounting, Business Associate will make available the documentation Business Associate has collected in accordance with Section 2.9 upon written request of Provider. Business Associate shall provide the accounting within 30 days of receipt of Provider's request. If disclosures were made by Business Associate through the use ol'an electronic health record, the Patient has the right to receive an accounting of disclosures of personal health records made by Business Associate for treatment, payment, and health care operations during the previous 3 years. 2.1 1. Minimum Necessary. Business Associate represents and warrants that it will use and disclose PHI in accordance with the Privacy Rule's "minimum necessary" standards. 2.12. Other Owes and Disclosures. Business Associate will not use or disclose Protected Health information in any manner that would not he permissible under the Privacy Rule or the Security Rule if used or disclosed by Provider. 2.13. Books- and Record~' and internal Practices. Business Associate agrees to make all internal practices, books. and records relating to the use and disclosure of PHI available to Provider or to the Secretary of the U.S. Department of Health and Human Services (the "Secretary"), in a time and manner designated by Provider or the Secretary for the purposes of the Secretary determining Provider's compliance with the Privacy Rule and the Security Rule. Page 4 of 9 Updaied5'1iIU 2.14 Business Associate's Obligation) Regarding Unsecured Protected Health hrrjormatioo. Business Associate shall comply with the following obligations that relate to Unsecured PI-ll. Notification of Provider. Business Associate will notify Provider of any Patient whose Unsecured PI ll has been. or is reasonably believed by Business Associate to have been, inappropriately accessed, disclosed, or used. Such notification shall include the names and contact information of the Patients involved and shall be made without unreasonable delay, but in no case later than 30 days following discovery of such breach, unless delayed for law enforcement purposes. b. Notification of Patient. Business Associate will notify the Patient by first class mail or by e-mail (if the Patient has indicated a preference to receive information by e-mail) of any breaches of Unsecured Pill as soon as possible, but in any event. no later than 60 days following the discovery of the breach. Business Associate will obtain Provider's approval of the form and content of the written notification before its issuance. c. Posting Notice of Breach. In the event the breach involves I 0 or more Patients whose contact information is out of date, Business Associate will post a notice of the breach on the home page of its website or in a major print or broadcast media. Business Associate will obtain Provider's approval of the term and content of the written notice before its posting. d. (`ontactingMedia Outlets. If a breach involves more than 500 Patients in a single state or jurisdiction, Business Associate will send a notice to prominent media outlets, Business Associate will obtain Provider's approval of the form and content of the written notice before its issuance to the media outlets. Notice to the .5'eereturv. If a breach involves more than 500 Patients, Business Associate will immediately notify the Secretary. Business Associate will obtain Provider's approval of the form and content of the written notice before its issuance. Con/ems of.Notice. The notices required under this Section shall include the following: A brief description of the breach , including the date of the breach and the date of its discovery, if known; A description of the types of Unsecured PfII involved in the breach: Steps the Patient should take to protect himself/herself from Page 5 of 9 I pdatcd (VI /10 potential harm resulting from the breach; A brief description of actions Business Associate is taking to investigate the breach. mitigate losses, and protect against further breaches; and Contact information, including a toll -free telephone number, e- mail address, website or postal address to permit Patient to ask questions or obtain additional information. Annual Report to Secretary and Maintenance c.t Log. Business Associate will submit an annual report to the Secretary ofa breach that involved less than 500 Patients during the year and will maintain a written log of breaches involving less than 500 Patients. 3. Obligations of Provider. 3.1. Notice of Privacy Practice's. To the extent that such limitation or restriction may affect Business Associate's use or disclosure of Pill, Provider shall provide Business Associate with a copy of its Notice of Privacy Practices, and notify Business Associate of: Any limitation(s) in its Notice of Privacy Practices; Any changes in, or revocation of, permission by a Patient to use or disclose PIIi; and Any restriction to the use or disclosure of PHI to which Provider has agreed, to the extent that such restriction may affect Business Associate's use or disclosure of PHI, 3.2. Permissible Requests. Provider shall not request Business Associate to use or disclose P111 in any manner that would not he permissible under the Privacy Rule if used or disclosed by Provider. 4. Term and Termination. 4.1. Term. The 'Perm of this Privacy Agreement shall he effective as of the effective date of the Services Agreement and shall continue in effect until all obligations of the parties have been met, unless terminated by mutual agreement of the parties or as provided in Section 4. Termination for Cause. Provider may immediately terminate this Privacy Agreement and the Services Agreement if, after providing Business Associate written notice of the existence of a material breach of this Privacy Agreement, Business Associate fails to, or is unable to. cure the breach upon mutually agreeable terms within 10 days. Page 6of9 t;pdatud WI/ I 0 4.3. Lf/ect nfTermination. Except as provided in Section 4.3(b), upon expiration or termination of the Services Agreement for any reason, Business Associate shall return or destroy all Pill, including PI -II that is in the possession of subcontractor or agents of Business Associate. Business Associate shall retain no copies of PHI. b. To the extent that it is not feasible for Business Associate to return or destroy all Pill, then Business Associate's obligations under this Privacy Agreement shall continue for as long as Business Associate maintains such PHI; and Business Associate's further uses and disclosures of PHI shall be limited to those purposes that make it not feasible for Business Associate to return or destroy the information for as long as Business Associate maintains such PHI, 5. Miscellaneous Provisions. 5.1. ,Notice. Notices, requests, and other communications that are required to be in writing must be personally delivered, mailed by prepaid certified mail, return receipt requested, or sent by overnight carrier, and must be addressed as follows. Such notice shall be effective upon being mailed or personally delivered. IF to Provider: North Range Behavioral Health Larry Pottorff, Executive Director 1300 North 17111 Avenue Greeley, CO 80631 If to Business Associate: Weld County Sheriff's Office Matt Elbe, Director of Inmate Services 1950 O Street — PO Box 758 Greeley, CO 80631 5.2. Mutual Representation and Warranty. Business Associate and Provider each represents and warrants to the other that all of its employees, agents, representatives, and members of its work force, whose services may be used to fulfill obligations under this Privacy Agreement and/or the Services Agreement. are or shall he appropriately informed of the terms of this Privacy Agreement and are under legal obligation to fully comply with all provisions of this Privacy Agreement. Page 7 of 9 IJhd:il 'u Gi 1 1 l 5.3. Business Associate WorrcoMy. To the extent required by law or regulations. Business Associate warrants that it has implemented a Red Flags Program in accordance with the Federal Trade Commission's Identity Theft Prevention Red Flags Rule. 16 CFR § 681.1 elseq., or that it agrees to comply with Provider's Red Flags Program. 5.4. ;Vo Third Party Beneficiaries, Nothing express or implied in this Privacy Agreement is intended to confer, or shall confer, any rights, remedies, or liabilities upon any person other than Business Associate and Provider. 5.5. E//eel o/'Assigrtmenl. This Privacy Agreement shall be binding upon and shall inure to the benefit of Business Associate and Provider and their respective transferees, successors and assigns. except that Business Associate shall not have the right to assign or transfer this Privacy Agreement, or Business Associate's rights and obligations hereunder. without Provider's prior written consent. Upon assignment or transfer of this Privacy Agreement. Business Associate shall return or destroy all PHI in accordance with the terms set forth in Section 4.3. 5.6. Regulatory Re/ererrces. A reference in this Privacy Agreement to a section in the Privacy Rule or the Security Rule or a term defined in the Privacy Rule or the Security Rule means the section or definition as in effect or as amended. 5.7. Amer dmenl. Business Associate and Provider agree to take such action to amend this Privacy Agreement as is necessary for Provider to comply with the requirements of the Privacy Rule and the Security Rule. 5.8. Strruivui. The respective rights and obligations of Business Associate under this Privacy Agreement shall survive the termination of this Privacy Agreement and the Services Agreement. 5.9. Inlerprelulion. Any ambiguity in this Privacy Agreement shall he resolved to permit Provider to comply with the Privacy Rule and the Security Rule. C'uprirn.e w I headings. The captions and headings in this Privacy Agreement are included for convenience and reference only, and shall in no way he held or deemed to define, limit, describe, explain, modify, amplify or add to the interpretation, construction or meaning of, or the scope or intent of, this Privacy Agreement. [Signature Page Follows] Page 8 019 Updated 6/1/I 0 IN WITNESS WI IEREOF, Provider and Business Associate have executed or caused the execution or this Privacy Agreement as of the dates set forth below: Provider: North Range Behavioral Health: Its.: Date: Weld Count' Sheriff's Office: Its: Date. lIpdot�d 6/1/10 tS-1 Page 9 019 ATTEST: dairdeiti 't1 Weld C% t Clerk to the :oard WELD COUNTY, COLORADO BY: Deputy CI to the B APP ED AS T • FUN l2�G�R Controller County Attorney BOARD OF COUNTY COMMISSIONERS 1mce.cIze_ Mike Freeman, Chair JUL 1 8 2016 PPROVED AS TO SUBSTANCE: (See Attached) Elected Official or Department Head Director of General Services 02-4/6 -o2o2rf1- Hello