HomeMy WebLinkAboutC-8594-2 - Business Associate AgreementN
S
CT
00 BUSINESS ASSOCIATE AGREEMENT BETWEEN
U RAY KLEIN, INC. DBA PROFESSIONAL CREDIT SERVICE
AND CITY OF NEWPORT BEACH
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement') is entered this 14th
day of May, 2019 ("Effective Date"), by and between the CITY OF NEWPORT BEACH,
a California municipal corporation and charter city ("City"), and RAY KLEIN, INC., a
Washington corporation doing business as ("DBA") Professional Credit Service
("Consultant') whose address is 12204 SE Mill Plain Blvd., Suite 101, Vancouver,
Washington 98684, and is made with reference to the following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. Contemporaneously with this Agreement, Consultant and City entered into that
certain, Professional Services Agreement With Ray Klein, Inc. DBA Professional
Credit Service for Delinquent Account Collections Services ("Collections
Agreement'), whereby City engaged Consultant to provide delinquent account
collections services, which may include Consultant operating as the City's
contracted outside billing company providing statements to and collecting
payments from patients or other responsible parties who have received
paramedic field services and/or emergency ambulance transportation services
from the City.
C. This Agreement is executed to ensure that Consultant will appropriately
safeguard protected health information ('PHP') that is created, received,
maintained, or transmitted on behalf of the City in compliance with the applicable
provisions of Public Law 104-191 of August 21, 1996, known as the Health
Insurance Portability and Accountability Act of 1996, Subtitle F — Administrative
Simplification, Sections 261, et seq., as amended ("HIPAA"), the regulations
codified at 45 C.F.R. Parts 160 and 164 ("HIPAA Regulations"), and with Public
Law 111-5 of February 17, 2009, known as the American Recovery and
Reinvestment Act of 2009, Title XII, Subtitle D — Privacy, Sections 13400, et seq.,
the Health Information Technology and Clinical Health Act, as amended (the
"HITECH Act').
NOW, THEREFORE, it is mutually agreed by and between the undersigned
parties as follows:
A. General Provisions
1. Meaning of Terms. The terms used in this Agreement shall have the same
meaning as those terms defined in the HIPAA, the HIPAA Regulations, and
the HITECH Act.
2. Regulatory References. Any reference in this Agreement to a regulatory
section means the section currently in effect or as amended.
3. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA, the HIPAA Regulations, and the HITECH Act.
B. Obligations of Business Associate
1. Consultant shall not use or further disclose protected health information
('PHP') other than as permitted or required by this Agreement or as required
by law.
2. Consultant shall use appropriate safeguards and comply, where applicable,
with the HIPAA Security Rule with respect to electronic protected health
information ("e -PHP') and implement appropriate physical, technical and
administrative safeguards to prevent use or disclosure of PHI other than as
provided for by this Agreement.
3. Consultant shall report in writing to City each security incident (as defined in
the HIPAA Security Rule) or any use or disclosure of PHI not provided for by
this Agreement no later than three (3) business days after becoming aware of
such security incident or non -permitted use or disclosure. If such security
incident or non -permitted use or disclosure constitutes a breach of unsecured
PHI, then Consultant shall comply with the requirements of Section B.4
below.
4. Consultant shall investigate each unauthorized access, acquisition, use or
disclosure of PHI that it discovers to determine whether such unauthorized
access, acquisition, use or disclosure constitutes a reportable breach of
unsecured PHI. If Consultant determines that a reportable breach of
unsecured PHI has occurred, Consultant shall notify City of such breach in
writing without unreasonable delay but no later than sixty (60) calendar days
after discovery of the breach, in accordance with 45 C.F.R. §164.410(c). City
shall have sole control over the timing and method of providing notification of
such breach to the affected individual(s), the Secretary and, if applicable, the
media, as required by the HITECH Act. Consultant shall reimburse City for its
reasonable costs and expenses in providing the notification, including, but not
limited to, any administrative costs associated with providing notice, printing
and mailing costs, and costs of mitigating the harm (which may include the
costs of obtaining credit monitoring services and identity theft insurance) for
affected individuals whose PHI has or may have been compromised as a
result of the breach.
5. In accordance with 45 CFR 164.502(e)(1) and 164.308(b), ensure that any
subcontractors that create, receive, maintain, or transmit PHI on behalf of
Ray Klein, Inc. DBA Professional Credit Service Page 2
Consultant agree to the same restrictions, conditions, and requirements that
apply to Consultant with respect to such information;
6. Make PHI in a designated record set available to City and to an individual
who has a right of access in a manner that satisfies the City's obligations to
provide access to PHI in accordance with 45 CFR §164.524 within thirty (30)
days of a request;
7. Make any amendment(s) to PHI in a designated record set as directed by the
City, or take other measures necessary to satisfy the City's obligations under
45 CFR §164.526;
8. Maintain and make available information required to provide an accounting of
disclosures to the City or an individual who has a right to an accounting within
sixty (60) days and as necessary to satisfy the City's obligations under 45
CFR §164.528;
9. To the extent that Consultant is to carry out any of the City's obligations under
the HIPAA Privacy Rule, Consultant shall comply with the requirements of the
Privacy Rule that apply to the City when it carries out that obligation;
10. Make its internal practices, books, and records relating to the use and disclosure
of PHI received from, or created or received by Consultant on behalf of the City,
available to the Secretary of the Department of Health and Human Services for
purposes of determining Consultant and the City's compliance with HIPAA, the
HIPAA Regulations, and the HITECH Act;
11. Restrict the use or disclosure of PHI if the City notifies Consultant of any
restriction on the use or disclosure of PHI that the City has agreed to or is
required to abide by under 45 CFR §164.522; and
12. If the City is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.),
Consultant agrees to assist the City in complying with its Red Flags Rule
obligations by: (a) implementing policies and procedures to detect relevant
Red Flags (as defined under 16 C.F.R. §681.2); (b) taking all steps necessary
to comply with the policies and procedures of the City's Identity Theft
Prevention Program; (c) ensuring that any agent or third party who performs
services on its behalf in connection with covered accounts of the City agrees
to implement reasonable policies and procedures designed to detect, prevent,
and mitigate the risk of identity theft; and (d) alerting the City of any Red Flag
incident (as defined by the Red Flag Rules) of which it becomes aware, the
steps it has taken to mitigate any potential harm that may have occurred, and
provide a report to the City of any threat of identity theft as a result of the
incident.
Ray Klein, Inc. DBA Professional Credit Service Page 3
C. Permitted Uses and Disclosures by Business Associate
The specific uses and disclosures of PHI that may be made by Consultant on
behalf of the City include:
1. The preparation of invoices to patients, carriers, insurers and others
responsible for payment or reimbursement of the services provided by the
City to its patients;
2. Preparation of reminder notices and documents pertaining to collections of
overdue accounts;
3. The submission of supporting documentation to carriers, insurers and other
payers to substantiate the healthcare services provided by the City to its
patients or to appeal denials of payment for the same; and
4. Other uses or disclosures of PHI as permitted by HIPAA necessary to perform
the services that Consultant has been engaged to perform on behalf of the
City.
D. Relationship of Parties
1. Consultant is an independent contractor and not an agent of City under this
Agreement. Consultant has the sole right and obligation to supervise,
manage, contract, direct, procure, perform or cause to be performed all of
Consultant obligations under this Agreement.
E. Indemnification
1. Notwithstanding anything to the contrary in the underlying services agreement
between the City and Consultant, at Consultant expense, Consultant agrees
to indemnify, defend and hold harmless City, its City Council, boards and
commissions, officers, agents, volunteers, and employees (the "Indemnities")
from and against any and all fines, penalties, damages, losses, claims or
causes of action and expenses (including, without limitation, court costs and
reasonable attorneys' fees) arising from any violation of the HIPAA, the
HIPAA Regulations, or the HITECH Act or from any negligence or wrongful
acts or omissions, including but not limited to failure to perform its obligations
that results in a violation of the HIPAA, the HIPAA Regulations, or the
HITECH Act, by Consultant or its employees, directors, officers,
subcontractors, agents or other members of Consultant workforce.
Consultant obligation to indemnify the Indemnities shall survive the expiration
or termination of this Agreement for any reason.
Ray Klein, Inc. DBA Professional Credit Service Page 4
F. Term and Termination
1. The term of this Agreement shall be effective as of the Effective Date and
shall terminate on the later of (i) the termination of the Collections Agreement,
as may be extended, or (ii) the date that all of the PHI provided by City to
Consultant, or created or received by Consultant on behalf of City, is
destroyed or returned to City, or, if it is infeasible to return or destroy the PHI,
protections are extended to such information, in accordance with Section F.3
below.
2. Upon City's knowledge of a material breach or violation of this Agreement by
Consultant, City shall either:
a. Notify Consultant of the breach in writing, and provide an opportunity
for Consultant to cure the breach or end the violation within ten (10)
business days of such notification; provided that if Consultant fails to
cure the breach or end the violation within such time period to the
satisfaction of City, City shall have the right to immediately terminate
this Agreement and the underlying services agreement between City
and Consultant upon written notice to Consultant ;
b. Upon written notice to Consultant, immediately terminate this
Agreement and the underlying services agreement between City and
Consultant if City determines that such breach cannot be cured; or
C. If City determines that neither termination nor cure is feasible, City
shall report the violation to the Secretary.
3. Upon termination of this Agreement for any reason, Consultant shall return to
the City or destroy all PHI received from the City, or created, maintained, or
received by Consultant on behalf of the City that Consultant still maintains in
any form. Consultant shall retain no copies of the PHI. However, if
Consultant determines that neither return nor destruction of PHI is feasible,
Consultant shall notify City of the conditions that make return or destruction
infeasible, and may retain PHI provided that Consultant (a) continues to
comply with the provisions of this Agreement for as long as it retains PHI,
and (b) further limits uses and disclosures of such PHI to those purposes
that make the return or destruction of PHI infeasible.
G. Notices
1. All notices, demands, requests or approvals to be given under the terms of
this Agreement shall be given in writing, and conclusively shall be deemed
served when delivered personally, or on the third business day after the
deposit thereof in the United States mail, postage prepaid, first-class mail,
addressed as hereinafter provided. All notices, demands, requests or
approvals from Consultant to City shall be addressed to City at:
Ray Klein, Inc. DBA Professional Credit Service Page 5
Attn: Revenue Manager
Finance Department
City of Newport Beach
100 Civic Center Dr.
PO Box 1768
Newport Beach, CA 92658
2. All notices, demands, requests or approvals from City to Consultant shall be
addressed to Consultant at:
Attention: Rob Nestell
Ray Klein, Inc. dba Professional Credit Service
400 International Way, Suite 200
Springfield, OR 97477
H. Amendment to Comply with Law
1. This Agreement shall be deemed amended to incorporate any mandatory
obligations of City or Consultant under the HITECH Act and its implementing
HIPAA Regulations. Additionally, City and Consultant agree to take such
action as is necessary to amend this Agreement from time to time as
necessary for City to implement its obligations pursuant to the HIPAA, the
HIPAA Regulations, or the HITECH Act.
I. Applicable Law and Venue
This Agreement shall be governed by and construed in accordance with the
laws of the State of California (without regards to conflict of laws principles).
City and Consultant agree that all actions or proceedings arising in
connection with this Agreement shall be tried and litigated exclusively in the
State or federal (if permitted by law and if a party elects to file an action in
federal court) courts located in Orange County, California.
J. Counterparts
This Agreement may be executed in two or more counterparts, each of which
shall be deemed an original and all of which together shall constitute one and the same
instrument.
K. No Attorneys' Fees
In the event of any dispute or legal action arising under this Agreement, the
prevailing party shall not be entitled to attorneys' fees.
Ray Klein, Inc. DBA Professional Credit Service Page 6
IN WITNESS WHEREOF, the parties have caused this Agreement to be
executed on the dates written below.
APPROVED AS TO FORM:
OFFICE OF THE CITY ATTORNEY
Date: 6 • p•i9
By:
ao
C Harp
City Attorney
ATTEST:
Date:
By:h6m
C'
Leilani I. grown
City Clerk
CITY OF NEWPORT BEACH,
A Californi municipal corporation
Date: D
By.
Grace K. Leung
City Manager
CONSULTANT: Ray Klein, Inc., a
Washington corporation doing business as
("DBA") Profes ional Credit Service
Date: r>�' i
By:
Y
G. Scott Purcell
Chief Executive Officer
Date:
Joseph Hawes
Chief F' ancial Officer
Ray Klein, Inc. DBA Professional Credit Service Page 7