HomeMy WebLinkAboutC-8076-2A - Business Associate Agreement (Outside Billing Company) (for PSA for Emergency Medical and Ambulance Billing Services)BUSINESS ASSOCIATE AGREEMENT
(OUTSIDE BILLING COMPANY)
BETWEEN WITTMAN ENTERPRISES, LLC AND
CITY OF NEWPORT BEACH
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is entered this 1st
day of October, 2016 ("Effective Date") between THE CITY OF NEWPORT BEACH, a
California municipal corporation and charter city ("City") and WITTMAN ENTERPRISES,
LLC, a California limited liability ("Wittman") whose address is 11093 Sub Center Drive,
Rancho Cordova, California 95670, and is made with reference to the following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. Wittman is the City's contracted outside billing company, contracted with to
provide statements to and collect payments from patients who have received
paramedic field services and emergency ambulance transportation services from
the City.
C. This Agreement is executed to ensure that Wittman will appropriately safeguard
protected health information ("PHI") that is created, received, maintained, or
transmitted on behalf of the City in compliance with the applicable provisions of
Public Law 104-191 of August 21, 1996, known as the Health Insurance
Portability and Accountability Act of 1996, Subtitle F — Administrative
Simplification, Sections 261, et seq., as amended ("HIPAA"), the regulations
codified at 45 C.F.R. Parts 160 and 164 ("HIPAA Regulations"), and with Public
Law 111-5 of February 17, 2009, known as the American Recovery and
Reinvestment Act of 2009, Title XII, Subtitle D — Privacy, Sections 13400, et seq.,
the Health Information Technology and Clinical Health Act, as amended (the
"HITECH Act").
NOW, THEREFORE, it is mutually agreed by and between the undersigned
parties as follows:
A. General Provisions
1. Meaning of Terms. The terms used in this Agreement shall have the same
meaning as those terms defined in the HIPAA, the HIPAA Regulations, and
the HITECH Act.
2. Regulatory References. Any reference in this Agreement to a regulatory
section means the section currently in effect or as amended.
3. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA, the HIPAA Regulations, and the HITECH Act.
B. Obligations of Business Associate
1. Wittman shall not use or further disclose protected health information ("PHP')
other than as permitted or required by this Agreement or as required by law.
2. Wittman shall use appropriate safeguards and comply, where applicable, with
the HIPAA Security Rule with respect to electronic protected health
information ("e -PHI") and implement appropriate physical, technical and
administrative safeguards to prevent use or disclosure of PHI other than as
provided for by this Agreement.
3. Wittman shall report in writing to City each security incident (as defined in the
HIPAA Security Rule) or any use or disclosure of PHI not provided for by this
Agreement no later than three (3) business days after becoming aware of
such security incident or non -permitted use or disclosure. If such security
incident or non -permitted use or disclosure constitutes a breach of unsecured
PHI, then Wittman shall comply with the requirements of Section 6.4. below.
4. Wittman shall investigate each unauthorized access, acquisition, use or
disclosure of PHI that it discovers to determine whether such unauthorized
access, acquisition, use or disclosure constitutes a reportable breach of
unsecured PHI. If Wittman determines that a reportable breach of unsecured
PHI has occurred, Wittman shall notify City of such breach in writing without
unreasonable delay but no later than sixty (60) calendar days after discovery
of the breach, in accordance with 45 C.F.R. §164.410(c). City shall have sole
control over the timing and method of providing notification of such breach to
the affected individual(s), the Secretary and, if applicable, the media, as
required by the HITECH Act. Wittman shall reimburse City for its reasonable
costs and expenses in providing the notification, including, but not limited to,
any administrative costs associated with providing notice, printing and mailing
costs, and costs of mitigating the harm (which may include the costs of
obtaining credit monitoring services and identity theft insurance) for affected
individuals whose PHI has or may have been compromised as a result of the
breach.
5. In accordance with 45 CFR 164.502(e)(1) and 164.308(b), ensure that any
subcontractors that create, receive, maintain, or transmit PHI on behalf of
Wittman agree to the same restrictions, conditions, and requirements that
apply to Wittman with respect to such information;
6. Make PHI in a designated record set available to City and to an individual
who has a right of access in a manner that satisfies the City's obligations to
Wittman Enterprises, LLC Page 2
provide access to PHI in accordance with 45 CFR §164.524 within thirty (30)
days of a request;
7. Make any amendment(s) to PHI in a designated record set as directed by the
City, or take other measures necessary to satisfy the City's obligations under
45 CFR §164.526;
8. Maintain and make available information required to provide an accounting of
disclosures to the City or an individual who has a right to an accounting within
sixty (60) days and as necessary to satisfy the City's obligations under 45
CFR §164.528;
9. To the extent that Wittman is to carry out any of the City's obligations under
the HIPAA Privacy Rule, Wittman shall comply with the requirements of the
Privacy Rule that apply to the City when it carries out that obligation;
10. Make its internal practices, books, and records relating to the use and disclosure
of PHI received from, or created or received by Wittman on behalf of the City,
available to the Secretary of the Department of Health and Human Services for
purposes of determining Wittman and the City's compliance with HIPAA, the
HIPAA Regulations, and the HITECH Act;
11. Restrict the use or disclosure of PHI if the City notifies Wittman of any
restriction on the use or disclosure of PHI that the City has agreed to or is
required to abide by under 45 CFR §164.522; and
12. If the City is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.),
Wittman agrees to assist the City in complying with its Red Flags Rule
obligations by: (a) implementing policies and procedures to detect relevant
Red Flags (as defined under 16 C.F.R. §681.2); (b) taking all steps necessary
to comply with the policies and procedures of the City's Identity Theft
Prevention Program; (c) ensuring that any agent or third party who performs
services on its behalf in connection with covered accounts of the City agrees
to implement reasonable policies and procedures designed to detect, prevent,
and mitigate the risk of identity theft; and (d) alerting the City of any Red Flag
incident (as defined by the Red Flag Rules) of which it becomes aware, the
steps it has taken to mitigate any potential harm that may have occurred, and
provide a report to the City of any threat of identity theft as a result of the
incident.
Wittman Enterprises, LLC Page 3
C. Permitted Uses and Disclosures by Business Associate
The specific uses and disclosures of PHI that may be made by Wittman on behalf
of the City include:
1. The preparation of invoices to patients, carriers, insurers and others
responsible for payment or reimbursement of the services provided by the
City to its patients;
2. Preparation of reminder notices and documents pertaining to collections of
overdue accounts;
3. The submission of supporting documentation to carriers, insurers and other
payers to substantiate the healthcare services provided by the City to its
patients or to appeal denials of payment for the same; and
4. Other uses or disclosures of PHI as permitted by HIPAA necessary to perform
the services that Wittman has been engaged to perform on behalf of the City.
D. Relationship of Parties
1. Wittman is an independent contractor and not an agent of City under this
Agreement. Wittman has the sole right and obligation to supervise, manage,
contract, direct, procure, perform or cause to be performed all of Wittman's
obligations under this Agreement.
E. Indemnification
1. Notwithstanding anything to the contrary in the underlying services agreement
between the City and Wittman, at Wittman's expense, Wittman agrees to
indemnify, defend and hold harmless City, its City Council, boards and
commissions, officers, agents, volunteers, and employees (the "Indemnities")
from and against any and all fines, penalties, damages, losses, claims or
causes of action and expenses (including, without limitation, court costs and
reasonable attorneys' fees) arising from any violation of the HIPAA, the
HIPAA Regulations, or the HITECH Act or from any negligence or wrongful
acts or omissions, including but not limited to failure to perform its obligations
that results in a violation of the HIPAA, the HIPAA Regulations, or the
HITECH Act, by Wittman or its employees, directors, officers, subcontractors,
agents or other members of Wittman workforce. Wittman's obligation to
indemnify the Indemnities shall survive the expiration or termination of this
Agreement for any reason.
Wittman Enterprises, LLC Page 4
F. Term and Termination
1. The term of this Agreement shall be effective as of the Effective Date and
shall terminate as of the date that all of the PHI provided by City to Wittman,
or created or received by Wittman on behalf of City, is destroyed or returned
to City, or, if it is infeasible to return or destroy the PHI, protections are
extended to such information, in accordance with Section F.3 below.
2. Upon City's knowledge of a material breach or violation of this Agreement by
Wittman, City shall either:
a. Notify Wittman of the breach in writing, and provide an opportunity for
Wittman to cure the breach or end the violation within ten (10)
business days of such notification; provided that if Wittman fails to cure
the breach or end the violation within such time period to the
satisfaction of City, City shall have the right to immediately terminate
this Agreement and the underlying services agreement between City
and Wittman upon written notice to Wittman;
b. Upon written notice to Wittman, immediately terminate this Agreement
and the underlying services agreement between City and Wittman if
City determines that such breach cannot be cured; or
C. If City determines that neither termination nor cure is feasible, City
shall report the violation to the Secretary.
3. Upon termination of this Agreement for any reason, Wittman shall return to
the City or destroy all PHI received from the City, or created, maintained, or
received by Wittman on behalf of the City that Wittman still maintains in any
form. Wittman shall retain no copies of the PHI. However, if Wittman
determines that neither return nor destruction of PHI is feasible, Wittman
shall notify City of the conditions that make return or destruction infeasible,
and may retain PHI provided that Wittman: (a) continues to comply with the
provisions of this Agreement for as long as it retains PHI, and (b) further
limits uses and disclosures of such PHI to those purposes that make the
return or destruction of PHI infeasible.
G. Notices
1. All notices, demands, requests or approvals to be given under the terms of
this Agreement shall be given in writing, and conclusively shall be deemed
served when delivered personally, or on the third business day after the
deposit thereof in the United States mail, postage prepaid, first-class mail,
addressed as hereinafter provided. All notices, demands, requests or
approvals from Wittman to City shall be addressed to City at:
Wittman Enterprises, LLC Page 5
Attn: Angela Velazquez, Administrative Manager
Fire Department
City of Newport Beach
100 Civic Center Dr.
PO Box 1768
Newport Beach, CA 92658
2. All notices, demands, requests or approvals from City to Wittman shall be
addressed to Wittman at:
Attention: Corrine Wittman -Wong
Wittman Enterprises, LLC
11093 Sub Center Drive
Rancho Cordova, CA 95670
H. Amendment to Comply with Law
1. This Agreement shall be deemed amended to incorporate any mandatory
obligations of City or Wittman under the HITECH Act and its implementing
HIPAA Regulations. Additionally, City and Wittman agree to take such action
as is necessary to amend this Agreement from time to time as necessary for
City to implement its obligations pursuant to the HIPAA, the HIPAA
Regulations, or the HITECH Act.
I. Applicable Law and Venue
1. This Agreement shall be governed by and construed in accordance with the
laws of the State of California (without regards to conflict of laws principles).
City and Wittman agree that all actions or proceedings arising in connection
with this Agreement shall be tried and litigated exclusively in the State or
federal (if permitted by law and if a party elects to file an action in federal
court) courts located in Orange County, California.
J. Counterparts
This Agreement may be executed in two or more counterparts, each of which
shall be deemed an original and all of which together shall constitute one and the same
instrument.
K. No Attorneys' Fees
In the event of any dispute or legal action arising under this Agreement, the
prevailing party shall not be entitled to attorneys' fees.
Wittman Enterprises, LLC Page 6
IN WITNESS WHEREOF, the parties have caused this Agreement to be
executed on the dates written below.
APPROVED AS TO FORM:
OFFICE OF THE CITY ATTORNEY
Date: /
By:�( w�
Aaron C. Harp
City Attorney
ATTEST:rr--
Date:
aLeilati 1. Brows
City CIE
CITY OF NEWPORT BEACH,
A California municipal corporation
Date:
By:
,IDiane B. Dixon
Mayor
CONSULTANT: Wittman Enterprises,
LLC, a California limited liability company
Date: /6) / -i4
Corinne Wittman -Wong
Chief Executive Officer
By: �.estt�--vim
Walter Imboden
Chief Financial Officer
Wittman Enterprises, LLC Page 7