HomeMy WebLinkAboutC-5860 - Business Associate Agreement0
�J
,2
BUSINESS ASSOCIATE AGREEMENT
BETWEEN RECOGNITION SOLUTIONS INCORPORATED AND
CITY OF NEWPORT BEACH
THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is entered this 22"a
day of October, 2013 ("Effective Date') between THE CITY OF NEWPORT BEACH, a
Califomia municipal corporation and charter city ("City') and RECOGNITION
SOLUTIONS INCORPORATED, a California corporation ("RECOGNITION
SOLUTIONS INCORPORATED") whose address is 10645 N. Tatum Blvd. #243
Phoenix, Arizona 85028 and is made with reference to the following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of Califomia with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of the
City.
B. RECOGNITION SOLUTIONS INCORPORATED is the City's contracted outside
billing company, contracted with to provide statements to and collect payments
from patients who have received paramedic field services and emergency
ambulance transportation services from the City.
C. This Agreement is executed to ensure that RECOGNITION SOLUTIONS
INCORPORATED will appropriately safeguard protected health information
("PHI") that is created, received, maintained, or transmitted on behalf of the City
in compliance with the applicable provisions of Public Law 104-191 of August 21,
1996, known as the Health Insurance Portability and Accountability Act of 1996,
Subtitle F — Administrative Simplification, Sections 261, et seq., as amended
("HIPAA"), the regulations codified at 45 C.F.R. Parts 160 and 164 ("HIPAA
Regulations"), and with Public Law 111-5 of February 17, 2009, known as the
American Recovery and Reinvestment Act of 2009, Title XII, Subtitle D — Privacy,
Sections 13400, et seq., the Health Information Technology and Clinical Health
Act, as amended (the "HITECH Act").
NOW, THEREFORE, it is mutually agreed by and between the undersigned
parties as follows:
A. General Provisions
1. Meaning of Terms. The terms used in this Agreement shall have the same
meaning as those terms defined in the HIPAA, the HIPAA Regulations, and
the HITECH Act.
2. Requlatory References. Any reference in this Agreement to a regulatory
section means the section currently in effect or as amended.
3. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA, the HIPAA Regulations, and the HITECH Act.
B. Obligations of Business Associate
1. RECOGNITION SOLUTIONS INCORPORATED shall not use or further
disclose protected health information ("PHI") other than as permitted or
required by this Agreement or as required by law.
2. RECOGNITION SOLUTIONS INCORPORATED shall use appropriate
safeguards and comply, where applicable, with the HIPAA Security Rule with
respect to electronic protected health information ("e-PHI') and implement
appropriate physical, technical and administrative safeguards to prevent use
or disclosure of PHI other than as provided for by this Agreement.
3. RECOGNITION SOLUTIONS INCORPORATED shall report in writing to City
each security incident (as defined in the HIPAA Security Rule) or any use or
disclosure of PHI not provided for by this Agreement no later than three (3)
business days after becoming aware of such security incident or non -
permitted use or disclosure. If such security incident or non -permitted use or
disclosure constitutes a breach of unsecured PHI, then RECOGNITION
SOLUTIONS INCORPORATED shall comply with the requirements of Section
B.4. below.
4. RECOGNITION SOLUTIONS INCORPORATED shall investigate each
unauthorized access, acquisition, use or disclosure of PHI that it discovers to
determine whether such unauthorized access, acquisition, use or disclosure
constitutes a reportable breach of unsecured PHI. If RECOGNITION
SOLUTIONS INCORPORATED determines that a reportable breach of
unsecured PHI has occurred, RECOGNITION SOLUTIONS
INCORPORATED shall notify City of such breach in writing without
unreasonable delay but no later than sixty (60) calendar days after discovery
of the breach, in accordance with 45 C.F.R. §164.410(c). City shall have sole
control over the timing and method of providing notification of such breach to
the affected individual(s), the Secretary and, if applicable, the media, as
required by the HITECH Act. RECOGNITION SOLUTIONS
INCORPORATED shall reimburse City for its reasonable costs and expenses
in providing the notification, including, but not limited to, any administrative
costs associated with providing notice, printing and mailing costs, and costs
of mitigating the harm (which may include the costs of obtaining credit
monitoring services and identity theft insurance) for affected individuals
whose PHI has or may have been compromised as a result of the breach.
5. In accordance with 45 CFR 164.502(e)(1) and 164.308(b), ensure that any
subcontractors that create, receive, maintain, or transmit PHI on behalf of
RECOGNITION SOLUTIONS INCORPORATED agree to the same
RECOGNITION SOLUTIONS INCORPORATED 2
restrictions, conditions, and requirements that apply to RECOGNITION
SOLUTIONS INCORPORATED with respect to such information;
6. Make PHI in a designated record set available to City and to an individual
who has a right of access in a manner that satisfies the City's obligations to
provide access to PHI in accordance with 45 CFR §164.524 within thirty (30)
days after receipt of a request;
7. Make any amendment(s) to PHI in a designated record set as directed by the
City, or take other measures necessary to satisfy the City's obligations under
45 CFR §164.526;
8. Maintain and make available information required to provide an accounting of
disclosures to the City or an individual who has a right to an accounting within
sixty (60) days and as necessary to satisfy the City's obligations under 45
CFR §164.528;
9. To the extent that RECOGNITION SOLUTIONS INCORPORATED is to carry
out any of the City's obligations under the HIPAA Privacy Rule,
RECOGNITION SOLUTIONS INCORPORATED shall comply with the
requirements of the Privacy Rule that apply to the City when it carries out that
obligation;
10. Make its internal practices, books, and records relating to the use and disclosure
of PHI received from, or created or received by RECOGNITION SOLUTIONS
INCORPORATED on behalf of the City, available to the Secretary of the
Department of Health and Human Services for purposes of determining
RECOGNITION SOLUTIONS INCORPORATED'S and the City's compliance
with HIPAA, the HIPAA Regulations, and the HITECH Act;
11. Restrict the use or disclosure of PHI if the City notifies RECOGNITION
SOLUTIONS INCORPORATED of any restriction on the use or disclosure of
PHI that the City has agreed to or is required to abide by under 45 CFR
§164.522;and
12.If the City is subject to the Red Flags Rule (found at 16 CFR §681.1 et seq.),
RECOGNITION SOLUTIONS INCORPORATED agrees to assist the City in
complying with its Red Flags Rule obligations by: (a) implementing policies
and procedures to detect relevant Red Flags (as defined under 16 C.F.R.
§681.2); (b) taking all steps necessary to comply with the policies and
procedures of the City's Identity Theft Prevention Program; (c) ensuring that
any agent or third party who performs services on its behalf in connection with
covered accounts of the City agrees to implement reasonable policies and
procedures designed to detect, prevent, and mitigate the risk of identity theft;
and (d) alerting the City of any Red Flag incident (as defined by the Red Flag
Rules) of which it becomes aware, the steps it has taken to mitigate any
RECOGNITION SOLUTIONS INCORPORATED 3
potential harm that may have occurred, and provide a report to the City of any
threat of identity theft as a result of the incident.
C. Permitted Uses and Disclosures by Business Associate
The specific uses and disclosures of PHI that may be made by RECOGNITION
SOLUTIONS INCORPORATED on behalf of the City include:
1. The preparation of invoices to patients, carriers, insurers and others
responsible for payment or reimbursement of the services provided by the
City to its patients;
2. Preparation of reminder notices and documents pertaining to collections of
overdue accounts;
3. The submission of supporting documentation to carriers, insurers and other
payers to substantiate the healthcare services provided by the City to its
patients or to appeal denials of payment for the same; and
4. Other uses or disclosures of PHI as permitted by HIPAA necessary to perform
the services that RECOGNITION SOLUTIONS INCORPORATED has been
engaged to perform on behalf of the City.
D. Relationship of Parties
1. RECOGNITION SOLUTIONS INCORPORATED is an independent contractor
and not an agent of City under this Agreement. RECOGNITION SOLUTIONS
INCORPORATED has the sole right and obligation to supervise, manage,
contract, direct, procure, perform or cause to be performed all of
RECOGNITION SOLUTIONS INCORPORATED'S obligations under this
Agreement.
E. Indemnification
1. Notwithstanding anything to the contrary in the underlying services agreement
between the City and RECOGNITION SOLUTIONS INCORPORATED, at
RECOGNITION SOLUTIONS INCORPORATED'S expense, RECOGNITION
SOLUTIONS INCORPORATED agrees to indemnify, defend and hold
harmless City and City's employees, directors, officers, managers, or agents
(the "Indemnities') from and against any and all fines, penalties, damages,
losses, claims or causes of action and expenses (including, without limitation,
court costs and reasonable attorneys' fees) arising from any violation of the
HIPAA, the HIPAA Regulations, or the HITECH Act or from any negligence or
wrongful acts or omissions, including but not limited to failure to perform its
obligations that results in a violation of the HIPAA, the HIPAA Regulations, or
the HITECH Act, by RECOGNITION SOLUTIONS INCORPORATED or its
RECOGNITION SOLUTIONS INCORPORATED 4
employees, directors, officers, subcontractors, agents or other members of
RECOGNITION SOLUTIONS INCORPORATED'S workforce.
RECOGNITION SOLUTIONS INCORPORATED'S obligation to indemnify the
Indemnities shall survive the expiration or termination of this Agreement for
any reason.
F. Term and Termination
1. The term of this Agreement shall be effective as of the Effective Date and
shall terminate as of the date that all of the PHI provided by City to
RECOGNITION SOLUTIONS INCORPORATED, or created or received by
RECOGNITION SOLUTIONS INCORPORATED on behalf of City, is
destroyed or retumed to City, or, if it is infeasible to retum or destroy the PHI,
protections are extended to such information, in accordance with Section F.3
below.
2. Upon City's knowledge of a material breach or violation of this Agreement by
RECOGNITION SOLUTIONS INCORPORATED, City shall either:
a. Notify RECOGNITION SOLUTIONS INCORPORATED of the breach in
writing, and provide an opportunity for RECOGNITION SOLUTIONS
INCORPORATED to cure the breach or end the violation within ten
(10) business days of such notification; provided that if RECOGNITION
SOLUTIONS INCORPORATED fails to cure the breach or end the
violation within such time period to the satisfaction of City, City shall
have the right to immediately terminate this Agreement and the
underlying services agreement between City and RECOGNITION
SOLUTIONS INCORPORATED upon written notice to RECOGNITION
SOLUTIONS INCORPORATED;
b. Upon written notice to RECOGNITION SOLUTIONS
INCORPORATED, immediately terminate this Agreement and the
underlying services agreement between City and RECOGNITION
SOLUTIONS INCORPORATED if City determines that such breach
cannot be cured; or
c. If City determines that neither termination nor cure is feasible, City
shall report the violation to the Secretary.
3. Upon termination of this Agreement for any reason, RECOGNITION
SOLUTIONS INCORPORATED shall retum to the City or destroy all PHI
received from the City, or created, maintained, or received by
RECOGNITION SOLUTIONS INCORPORATED on behalf of the City that
RECOGNITION SOLUTIONS INCORPORATED still maintains in any form.
RECOGNITION SOLUTIONS INCORPORATED shall retain no copies of
the PHI. However, if RECOGNITION SOLUTIONS INCORPORATED
RECOGNITION SOLUTIONS INCORPORATED 5
determines that neither return nor destruction of PHI is feasible,
RECOGNITION SOLUTIONS INCORPORATED shall notify City of the
conditions that make return or destruction infeasible, and may retain PHI
provided that RECOGNITION SOLUTIONS INCORPORATED (a) continues
to comply with the provisions of this Agreement for as long as it retains PHI,
and (b) further limits uses and disclosures of such PHI to those purposes
that make the return or destruction of PHI infeasible.
G. Notices
1. All notices, demands, requests or approvals to be given under the terms of
this Agreement shall be given in writing, and conclusively shall be deemed
served when delivered personally, or on the third business day after the
deposit thereof in the United States mail, postage prepaid, first-class mail,
addressed as hereinafter provided. All notices, demands, requests or
approvals from RECOGNITION SOLUTIONS INCORPORATED to City shall
be addressed to City at:
Attn: Cathy Ord, EMS Manager
Fire Department
City of Newport Beach
100 Civic Center Dr.
PO Box 1768
Newport Beach, CA 92658
2. All notices, demands, requests or approvals from City to RECOGNITION
SOLUTIONS INCORPORATED shall be addressed to RECOGNITION
SOLUTIONS INCORPORATED at:
Attention: Michael Wimmer
RECOGNITION SOLUTIONS INCORPORATED
10645 N. Tatum Blvd #243
Phoenix, AZ 85028
H. Amendment to Comply with Law
1. This Agreement shall be deemed amended to incorporate any mandatory
obligations of City or RECOGNITION SOLUTIONS INCORPORATED under
the HITECH Act and its implementing HIPAA Regulations. Additionally, City
and RECOGNITION SOLUTIONS INCORPORATED agree to take such
action as is necessary to amend this Agreement from time to time as
necessary for City to implement its obligations pursuant to the HIPAA, the
HIPAA Regulations, or the HITECH Act.
I. Applicable Law and Venue
RECOGNITION SOLUTIONS INCORPORATED 6
1. This Agreement shall be governed by and construed in accordance with the
laws of the State of California (without regards to conflict of laws principles).
City and RECOGNITION SOLUTIONS INCORPORATED agree that all
actions or proceedings arising in connection with this Agreement shall be
tried and litigated exclusively in the State or federal (if permitted by law and if
a party elects to file an action in federal court) courts located in Orange
County, California.
J. Counterparts
This Agreement may be executed in two or more counterparts, each of which
shall be deemed an original and all of which together shall constitute one and the same
instrument.
IN WITNESS WHEREOF, the parties have caused this Agreement to be
executed on the dates written below.
APPROVED AS TO FORM:
OFFICE OF THE CITY ATTORNEY
Date: I1-1-13
By: ��la,itintnn 7
Aaron C. arp
City Attorney
ATTEST:
Date: � • ��• 1�
By:
Leilani I. Brown
City Clerk
�r
CITY OF NEWPORT BEACH,
A Califor is m nicipal corporation
Date: i I/2S 13
By:
Chief Scott Poster
Fire Department
RECOGNITION
INCORPORATED,
corporatio
Date: fc�fn/2of'{
By:
MIC AEL WIMMER
Pres
SOLUTIONS
a California
RECOGNITION SOLUTIONS INCORPORATED 7