C-5823 - Business Associate Agreement for Records Storage

IRON MOUNTAIN®
BUSINESS ASSOCIATE AGREEMENT

Iron Mountain Information Management, LLC (Hereinafter referred to as "Iron Mountain")

Customer (Name, Address and Iron Mountain Account No.):
CITY OF NEWPORT BEACH
ATTN: FIRE DEPT
100 CIVIC CENTER DRIVE
PO BOX 1768
NEWPORT BEACH CA 92658
(Account No.) CF314
(Hereinafter referred to as "Customer")

Effective Date: April 3, 2014

This Business Associate Agreement is hereby entered into by and between Iron Mountain and Customer, as of the Effective Date set forth above. This Business Associate Agreement ("BAA") supplements and amends the Customer Agreement, entered into by and between Iron Mountain and Customer, dated 03/13/2003, (hereinafter "Services Agreement") under which Iron Mountain is providing certain information management services ("Services") for Customer. This BAA shall be incorporated into the Agreement, as if it set forth in its entirety therein, and except to the extent modified in this BAA, all terms and conditions set forth in the Services Agreement shall remain in full force and effect and govern the Services provided by Business Associate to Covered Entity. Notwithstanding the foregoing, in the event of a conflict between the terms of this BAA and the Services Agreement, solely as it relates to the parties' obligations hereunder, the terms and conditions of this BAA shall prevail.
Iron Mountain and Customer are entering into this BAA in order for both parties to meet their respective obligations as they become effective and binding upon the parties under the HIPAA Privacy, Security, and Enforcement Rules, the provisions of the HITECH Act, as incorporated in the American Recovery and Reinvestment Act of 2009, along with any implementing regulations including those implemented as part of the final Omnibus rulings (collectively referred to as the "HIPAA Rules"), under which Customer is a "Covered Entity" or "Business Associate" and Iron Mountain is a "Business Associate" of Customer. For purposes of this Agreement, any references, hereinafter, to Business Associate shall be deemed references to Iron Mountain.

Business Associate provides storage and management services with respect to information received from or on behalf of Customer. In most cases, Business Associate does not know the content of information in storage, or whether it constitutes Protected Health Information (as defined below). For purposes of complying with the terms of this BAA, Business Associate shall assume that all information received from or on behalf of Customer pursuant to the Services Agreement consists of Protected Health Information, except where the compliance with a contractual requirement requires actual knowledge as to whether Protected Health Information is involved, and in such cases Customer, shall advise Business Associate regarding PHI content of specific items in storage, and any other details regarding such PHI necessary for Business Associate's performance of this BAA.

BusinessAssociateAgreement Ver. 7/1/2013 © 2013 Iron Mountain Incorporated Page 1 of 4

1. Definitions: Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as ascribed to those terms in HIPAA Rules.
a. "Breach" shall have the same meaning as set forth in 45 CFR § 164.402.
b. "Business Associate" shall mean the Business Associate entity identified above to the extent it receives, maintains, or transmits Protected Health Information in delivering Services to Customer.
c. "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996.
d. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR § 160 and § 164, Subparts A and E.
e. "Protected Health Information" or "PHI" shall have the same meaning as the term 'protected health information' in 45 CFR § 160.103 and shall be limited to the PHI created by Business Associate on behalf of Customer or received from or on behalf of Customer pursuant to the Services Agreement.
f. "Security Incident" shall have the same meaning as set forth in 45 CFR § 164.304.
g. "Security Rule" shall mean the Standards for Security of Individually Identifiable Health Information at 45 CFR § 164, Subparts A and C.
h. "HITECH Act" shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and including any implementing regulations.

2. Obligations and Activities of Business Associate.
a. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by this BAA or as required by law.
b. Business Associate agrees to use appropriate safeguards designed to prevent Uses or Disclosures of the PHI other than as provided for by this BAA or the Services Agreement.
c. Business Associate agrees to implement and maintain procedures that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, and consistent with and as required of business associates by the HIPAA Rules.
However, it shall be the responsibility of Customer and not Business Associate to comply with requirements under 45 CFR § 164.312 to implement encryption or decryption mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Business Associate.
d. Business Associate agrees to report to Customer any Security Incident, Breach, or other Use or Disclosure of PHI of which it becomes aware that is not permitted or required by this BAA or the Services Agreement. In the event of a Breach, such notification shall be made in accordance with and as required of a business associate by the HIPAA Rules, including without limitation pursuant to 45 CFR 164.410. Business Associate will provide reasonable assistance and cooperation in the investigation of any such Breach and shall document the specific Deposits which have been compromised, the identity of any unauthorized third party who may have accessed or received the PHI, if known, and any actions that have been taken by Business Associate to mitigate the effects of such Breach.
e. Business Associate agrees to require any agent or subcontractor, to whom it delivers PHI for the purposes of assisting in providing services pursuant to the Services Agreement, to enter into a written agreement requiring such agent or subcontractor to provide privacy and security protections to such PHI at least as stringent as those required of Business Associate through this BAA.
f. If Business Associate has custody of PHI in a Designated Record Set with respect to Individuals, and if Customer so requests, Business Associate agrees to provide access to such PHI to Customer by retrieving such PHI in accordance with the terms and conditions of the Services Agreement, so the Customer may respond to an Individual in order to meet the requirements of 45 CFR § 164.524.
g. Business Associate agrees that if an amendment to PHI in a Designated Record Set is required, if Business Associate has custody of PHI in a Designated Record Set with respect to Individuals, and if Customer instructs Business Associate to retrieve such PHI in accordance with the Services Agreement, Business Associate shall perform such service so that Customer may make any amendment to such PHI as may be required by either Customer or an Individual pursuant to 45 CFR § 164.526.
h. Business Associate agrees to make its internal practices, books and records relating solely to the Use and Disclosure of PHI, available to the Secretary, upon Customer's request and with not less than ten (10) days advance written notification, so the Customer may meet the requirements under 45 CFR § 160.310.
i. Business Associate agrees to document and make available to Customer Disclosures of PHI and information related to such Disclosures provided that Customer has provided Business Associate with information sufficient to enable Business Associate to know which records or data received from or on behalf of Customer by Business Associate contain PHI. The documentation of Disclosures shall contain such information as would be required for Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528 or other provisions of the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this BAA, Business Associate may (1) Use or Disclose PHI to perform Services for, or on behalf of Customer pursuant to the Services Agreement; (2) Use PHI for the proper management and administration of Business Associate; or (3) Use or Disclose PHI to carry out Business Associate's legal responsibilities.

4. Obligations of Customer.
a. Customer shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer or Business Associate. Customer shall not direct Business Associate to act in a manner that would not be compliant with the HIPAA Rules.
b. This BAA shall only apply to PHI stored by Business Associate in the USA for Customer pursuant to the Services Agreement.
c. Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of Customer in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
d. Customer shall notify Business Associate of any changes in, or revocation of, permission by Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
e. Customer shall notify Business Associate in writing of any restriction to the Use or Disclosure of PHI that Customer has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.
f. Customer agrees that it will respond to a Customer request for an accounting of disclosures of electronic health records under 45 CFR § 164.528 in accordance with Section 13405(c)(3)(A) of the HITECH Act.

5. Term and Termination.
a. Term. The Term shall commence as of the Effective Date set forth above and shall terminate upon the later to occur of (i) the expiration of the Service Agreement, or (ii) when all PHI provided by Customer to Business Associate is destroyed or returned to Customer, or (iii) if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section 5(c).
b. Termination for Cause. Upon a party's knowledge of a material breach of the BAA by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach. If the breaching party does not cure the breach within thirty (30) days, following the breaching party's receipt of a written notice from the non-breaching party setting forth the details of such material breach, then the non-breaching party shall have the right to terminate this BAA and the Services Agreement according to the terms of the Services Agreement, or, if termination is not feasible, shall report the problem to the Secretary of Health and Human Services.
c. Effect of Termination.
   i. Except as provided in Section 5.c.ii. below, upon termination of this BAA, for any reason, Business Associate shall, if feasible, return or destroy all PHI received from Customer in accordance with the Services Agreement. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
   ii. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon notice to Customer, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI pursuant to the terms of the Services Agreement.

6. Miscellaneous.
a. Regulatory References. A reference in this BAA to a section of the HIPAA Rules shall mean that section of HIPAA, the Privacy Rule, the Security Rule, the HITECH ACT, or the final Omnibus Rules as amended and in effect, and for which compliance is required.
b. Amendment. The parties agree to negotiate in good faith any amendment to this BAA that may be required from time to time as is necessary for the Customer or Business Associate to comply with the requirements of the HIPAA Rules. If the parties cannot reach mutual agreement on the terms of any such amendment within sixty (60) days following the date of receipt of any such written request made by Customer to Business Associate, then either party shall have the right to terminate this BAA and the Services Agreement upon providing not less than thirty (30) days' written notice to the other party.
c. Survival. The respective rights and obligations of Business Associate under Section 5(c) above shall survive the termination of this BAA.
d. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Customer, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
e. Independent Contractor. Business Associate, including its directors, officers, employees and agents, is an independent contractor and not an agent (as defined under Federal common law of agency) of Customer or a member of its workforce. Without limiting the generality of the foregoing, Customer shall have no right to control, direct, or otherwise influence Business Associate's conduct in the course of performing the services, other than through the enforcement of this BAA or the Services Agreement, or the mutual amendment of same.
f. Precedence; Entire Agreement. Any ambiguity in this BAA shall be resolved to permit the parties to comply with the HIPAA Rules. This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof, and shall supersede all previous communications, representations, agreements and understandings relating to the HIPAA Rules, including any and all prior business associate agreements between the parties.

Customer
By: (Signature)
Name:
Title:
Iron Mountain Information Management, LLC
By: (Signature)
Name:
Title:
Date: APR 3 Q 2014
Date:
APPROVED AS TO FORM: