BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this "Agreement") is made effective as of the ____ day of ________, ____ (the "Effective Date"), by and between ____________________, hereafter referred to as "Business Associate", and Kalamazoo County by and through its Health and Community Services Department, hereafter referred to as the "COUNTY".

1. PURPOSE. The purpose of this Agreement is to assure the privacy and security of protected health information and electronic protected health information in accordance with the regulations, including the Privacy Rule and the Security Rule, issued by the Department of Health and Human Services ("HHS") under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009, as each may be amended from time to time (collectively, "HIPAA"), including the HITECH amendments and the Omnibus Rule. "Protected Health Information" or "PHI" is information regarding the physical or mental condition of an individual, or the treatment of or payment for that condition, that identifies or can be used to identify the individual; "Electronic Protected Health Information" (or "Electronic PHI") is limited to PHI transmitted by or maintained in electronic media. For purposes of this Agreement, PHI and Electronic PHI are limited to PHI or Electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of the COUNTY. The Privacy Rule and the Security Rule provide that a covered entity is permitted to disclose PHI and Electronic PHI to a business associate, and to allow the business associate to obtain and receive PHI and Electronic PHI, if the covered entity obtains satisfactory assurances in the form of a written contract that the business associate will appropriately safeguard the PHI and Electronic PHI. The parties have entered or plan to enter a certain Purchase of Service Agreement, dated ________, that governs the underlying services (the "Principal Agreement").
The COUNTY (the "Covered Entity") is or may be a covered entity within the meaning of that term under HIPAA. ____________________ ("Business Associate") provides services or performs functions or activities for or on behalf of the Covered Entity and in that capacity uses or discloses PHI, or otherwise creates, receives, maintains or transmits PHI, and accordingly is or may be a business associate to the Covered Entity. This Agreement modifies the Principal Agreement only if, and to the extent that, the Covered Entity is a covered entity and Business Associate is a business associate as those terms are defined at 45 CFR 160.103.

2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE. Business Associate agrees that it will not use or disclose PHI created for, or received from or on behalf of, the Covered Entity, except as provided for in this Section 2 or as otherwise required by law.

(a) General Rule. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI in order to perform its obligations and services to the Covered Entity under the Principal Agreement, provided that such use or disclosure would not violate the Privacy Rule or the Security Rule if done directly by the Covered Entity. If Business Associate
performs an obligation of the Covered Entity under HIPAA, Business Associate will comply with the HIPAA provisions that apply to the Covered Entity in the performance of that obligation.

(b) Other Uses and Disclosures.

(1) Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(2) Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that the disclosure is required by law, or that Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to that person, and that the person will notify Business Associate of any instance of which it is aware in which the confidentiality of the information has been breached.

(3) Except as otherwise limited in this Agreement, Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with the provisions of HIPAA.

(4) Except as otherwise limited in this Agreement, Business Associate may use PHI to create a Limited Data Set or a De-Identified data set, as those terms are defined under HIPAA. Business Associate may further use or disclose a Limited Data Set pursuant to a Data Use Agreement for the purposes and as specified under HIPAA, and may further use or disclose a De-Identified data set for any lawful purpose not inconsistent with the Principal Agreement.

3. BUSINESS ASSOCIATE RESPONSIBILITIES.

(a) Business Associate will not use or further disclose PHI or Electronic PHI other than as permitted or required by this Agreement or as required by law, including in situations where HIPAA may not permit certain disclosures requested by patients.
(b) Business Associate agrees to use appropriate safeguards, and to apply security measures that comply with the Privacy Rule and other applicable laws, to prevent the use or disclosure of PHI other than as allowed under this Agreement. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI, as required by the Security Rule.

(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, the Privacy Rule, the Security Rule or other applicable law.

(d) Business Associate agrees to promptly report to the Covered Entity any breach, or any use or disclosure of PHI not provided for by this Agreement, of which Business Associate
becomes aware. Business Associate agrees to promptly report to the Covered Entity any security incident (as that term is defined in the Security Rule) of which it becomes aware. In the event of a breach of unsecured PHI (as defined at 45 CFR 164.402), Business Associate shall notify the Covered Entity of such breach without unreasonable delay, and in any event within forty-five (45) days of its discovery of the breach, and shall provide the identification of each individual whose unsecured PHI was, or is reasonably believed to have been, accessed, acquired or disclosed during such breach.

(e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of, the Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate will advise the Covered Entity if any agent or subcontractor breaches its agreement with Business Associate with respect to the use or disclosure of PHI. Except as otherwise provided by HIPAA, if the breach is material to the subcontractor's obligation or arrangement, Business Associate will take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, will terminate its contract or arrangement with the subcontractor, if feasible.

(f) Within fifteen (15) days of a request by the Covered Entity, Business Associate agrees to provide access to, or a copy of, PHI in a designated record set, or as otherwise required by HIPAA, to the Covered Entity in order to meet the requirements of the Privacy Rule.
(g) Within fifteen (15) days of a request by the Covered Entity, Business Associate agrees to make any amendments to PHI in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, or as otherwise required by HIPAA, at the request of the Covered Entity or the individual.

(h) For purposes of the Secretary of HHS determining the Covered Entity's compliance with HIPAA, Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, the Covered Entity available to the Secretary of HHS.

(i) Business Associate agrees to document such disclosures of PHI as would be required to respond, or to enable the Covered Entity to respond, to a request by an individual for an accounting of disclosures of PHI in accordance with the Privacy Rule, and will retain that documentation for at least the minimum period required by HIPAA (including for records maintained in electronic form). Business Associate agrees to provide to the Covered Entity or the individual, as the case may be, upon request, the information collected in accordance with this section of this Agreement, in order to respond or to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with the Privacy Rule.

(j) Business Associate agrees to notify the Covered Entity of all requests for the disclosure of PHI from a law enforcement or government official, or pursuant to a subpoena, court or administrative order, or other legal request, as soon as possible and prior to making the requested disclosure.
(k) Business Associate acknowledges that it shall request from the Covered Entity, and disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum necessary PHI, within the meaning of the Privacy Rule, to perform or fulfill a specific function required or permitted hereunder.

4. THE COVERED ENTITY'S RESPONSIBILITIES.

(a) The Covered Entity will provide Business Associate with the notice of privacy practices that the Covered Entity uses or produces, or that is produced on the Covered Entity's behalf, in accordance with the Privacy Rule, as well as any changes to that notice. The Covered Entity shall notify Business Associate of any limitations in the Covered Entity's notice of privacy practices to the extent such limitations may affect Business Associate's use or disclosure of PHI.

(b) The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.

(c) The Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI, or any confidential communication requirement, that the Covered Entity has agreed to or is required to adhere to in accordance with the Privacy Rule, and Business Associate agrees to conform to any such restriction or confidential communication requirement.

(d) The Covered Entity shall not request Business Associate to use, disclose or transmit PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by the Covered Entity.

5. TERM AND TERMINATION.

(a) Term.
The provisions of this Agreement shall take effect as of the date first written above and shall terminate when all of the PHI provided by the Covered Entity to Business Associate, or created or received by Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy such PHI, when protections are extended to such information in accordance with the provisions of this Agreement.

(b) Termination for Cause. Upon either party's material breach of this Agreement, the aggrieved party shall provide an opportunity for the breaching party to cure the breach or end the violation. The aggrieved party shall have the right to immediately terminate this Agreement and related agreements (including the Principal Agreement if necessary to comply with HIPAA) if the breaching party does not cure the breach or end the violation within a reasonable time as determined by the aggrieved party, or to immediately terminate this Agreement and any related agreements (including the Principal Agreement if necessary to comply with HIPAA) if cure of such breach is not possible. If neither cure nor termination is feasible, the aggrieved party shall notify the Secretary (or his or her designee) of the breach or violation.

(c) This Agreement shall terminate immediately and automatically upon termination or expiration of the Principal Agreement, subject to the survival provisions set forth herein.
(d) Effect of Termination.

(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Business Associate shall destroy all Electronic PHI received from the Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. The Covered Entity acknowledges that Business Associate maintains only electronic records, including those records containing PHI.

(2) In the event Business Associate determines that destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI, and shall limit further uses and disclosures of such PHI to those purposes that make its destruction infeasible, for so long as Business Associate maintains such PHI. Following the termination of this Agreement, Business Associate shall not disclose PHI except to the Covered Entity or as required by law.

6. MISCELLANEOUS.

(a) Amendment. This Agreement may be amended upon the mutual written agreement of the parties. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, the publication of any decision of a court of the United States or of any state relating to any such law, or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, propose an amendment to this Agreement that such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either party may terminate this Agreement immediately upon written notice to the other party. An amendment shall be effective only upon the mutual written agreement of the parties.

(b) Survival.
The respective rights and obligations of the parties under Section 5 of this Agreement shall survive the termination of this Agreement.

(c) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity and Business Associate to comply with HIPAA. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control.
IN WITNESS WHEREOF, each of the undersigned parties is duly authorized to execute this Agreement on behalf of their respective party as of the date first set forth above.

Signature of Authorized Official: ____________________ Date: ________
Name: ____________________
Title: ____________________

COUNTY:
John Patrick Taylor, Chairperson ____________________ Date: ________
Timothy A. Snow, Clerk/Register ____________________ Date: ________