C-9515-2 - Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement is entered into by and between PATH, a California
nonprofit corporation ("Business Associate"), and the City of Newport Beach, a California
municipal corporation and charter city ("Covered Entity"), which is a covered entity under
the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the HIPAA
privacy and security regulations, 45 CFR Part 160 and 45 CFR Part 164 Subpart C (the
"Security Rule"), Subpart D (the "Data Breach Notification Rule"), and Subpart E (the
"Privacy Rule") (the "HIPAA Regulations").
The parties are entering into this Agreement to assist the Covered Entity in complying
with HIPAA and to set forth Business Associate's obligations under the Health Information
Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"). Terms used
in this Agreement have the meanings given them in the HIPAA Regulations. This
Agreement applies to any Protected Health Information Business Associate receives from
Covered Entity, or creates or receives on behalf of Covered Entity, under its agreements
with Covered Entity (the "Principal Agreements").
AGREEMENT
1. Business Associate may use and disclose Covered Entity's Protected Health
Information to provide Covered Entity with the goods and services contemplated by the
Principal Agreements. Except as expressly provided below, this Agreement does not
authorize Business Associate to make any use or disclosure of Protected Health Information
that Covered Entity would not be permitted to make.
2. Business Associate will:
(a) Not use or further disclose Covered Entity's Protected Health Information except as
permitted or required by the Principal Agreements or this Agreement, or as required by
law;
(b) Use appropriate safeguards and comply, where applicable, with the Security Rule
with respect to electronic protected health information, to prevent use or disclosure of
Covered Entity's Protected Health Information other than as provided for by the Principal
Agreements or this Agreement;
(c) Report to Covered Entity within two days any use or disclosure of Covered Entity's
Protected Health Information not provided for by the Principal Agreements or this
Agreement of which it becomes aware, including breaches of unsecured protected health
information as required by the Data Breach Notification Rule (45 CFR § 164.410), and
any security incident affecting Covered Entity's electronic Protected Health Information,
of which Business Associate becomes aware;
(d) Mitigate, to the extent practicable, any harmful effect that is known to Business
Associate of a use or disclosure of protected health information by Business Associate in
violation of this Agreement or the HIPAA Regulations;
(e) Ensure that Business Associate's subcontractors that create, receive, maintain, or
transmit protected health information on behalf of the Business Associate, agree in writing
to the same restrictions and conditions that apply to Business Associate with respect to
such information including compliance with the Security Rule with respect to electronic
protected health information;
(f) Make any Protected Health Information that Business Associate stores or maintains
for Covered Entity in a designated record set available to Covered Entity to enable
Covered Entity to meet Covered Entity's obligation to provide access to the information
in accordance with 45 CFR §164.524;
(g) Make any Protected Health Information that Business Associate maintains for
Covered Entity in a designated record set available to Covered Entity for amendment in
accordance with 45 CFR §164.526, and incorporate any amendments Covered Entity
requests;
(h) Make available to Covered Entity the information concerning disclosures that
Business Associate makes of Covered Entity's Protected Health Information required to
enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR
§164.528;
(i) To the extent that Business Associate carries out Covered Entity's obligations under
the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered
Entity in the performance of such obligations;
(j) Limit its requests for and uses and disclosures of Covered Entity's Protected Health
Information to the minimum necessary, and comply with any minimum necessary policies
and procedures that Covered Entity provides to Business Associate;
(k) Make Business Associate's internal practices, books, and records relating to
Business Associate's use and disclosure of Protected Health Information received from
Covered Entity, or created or received by Business Associate on behalf of Covered Entity,
available to the Secretary of the United States Department of Health and Human Services
for purposes of determining Covered Entity's compliance with the HIPAA Regulations;
and
(l) On termination of the Principal Agreements, return or destroy all Covered Entity's
Protected Health Information that Business Associate still maintains in any form and
retain no copies of such information or, if return or destruction is not feasible, extend the
protections of this Agreement to that information and limit further use and disclosure to
those purposes that make the return or destruction of the information infeasible.
3. Business Associate may use Covered Entity's Protected Health Information for the
management and administration of Business Associate's company and to carry out
Business Associate's own legal responsibilities, and Business Associate may disclose
the information for these purposes if Business Associate is required to do so by law, or if
Business Associate obtains reasonable assurances from the recipient of the information
(1) that it will be held confidentially, and used or further disclosed only as required by law
or for the purpose for which it was disclosed to the recipient, and (2) that the recipient will
notify Business Associate of any instances of which the recipient is aware in which the
confidentiality of the information is breached.
4. Business Associate may use Covered Entity's Protected Health Information for data
aggregation services, as permitted by the HIPAA Regulations.
5. Business Associate may deidentify Covered Entity's Protected Health Information,
and use and disclose the deidentified information without restriction.
6. If Covered Entity determines that Business Associate has violated a material term of
this Agreement, and if Business Associate fails to cure such violation within thirty days of
delivery of written notice of the violation, Covered Entity may immediately terminate the
Principal Agreements.
7. This Agreement is to be interpreted in accordance with the Health Insurance
Portability and Accountability Act of 1996, the HITECH Act, and the regulations under it,
as they may be amended from time to time.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
By:
Aaron C. Harp
City Attorney
ATTEST:
Date:
By:
Leilani I. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Grace K. Leung
City Manager
CONSULTANT: PATH, a California
nonprofit corporation
Date:
By: Signed in Counterpart
Jennifer Hark-Dietz
Chief Executive Officer
Date:
By: Signed in Counterpart
Sandy Oluwek
Chief Financial Officer