BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement “Agreement” is entered into effective the ____ day of
____________, 20__ by City of Renton, by and through its Police Department “Business
Associate” and the Puget Sound Regional Fire Authority “Covered Entity.”
RECITALS
1. Covered Entity is a municipal corporation organized and operating in the State of
Washington that provides emergency and non-medical emergency services to its patients
including care coordination services.
2. Business Associate has contracted with Covered Entity to provide FDCARES services to its
Police Department that may require access to Covered Entity’s patient health information
“Services.”
3. Covered Entity and Business Associate have agreed to conduct all of their business in
compliance with all applicable federal, state and local statutes, regulations, rules and
policies, including but not limited to the Health Insurance Portability and Accountability
Act of 1996 and associated rules as set forth in 45 CFR parts 160 and 164 ("HIPAA"); and
4. In order to provide the Services, Business Associate and its directors, officers, partners,
employees, advisors, agents and consultants (the “Agents”), will require access to Health
Information that identifies Covered Entity patients.
5. For purposes of this Agreement, Health Information includes information created or
received by the Covered Entity that relates to health care services provided to a Covered
Entity patient, including demographic information collected from patients and other
individuals, that identifies the individual patient or with respect to which there is a
reasonable basis upon which to believe that the information can be used to identify an
individual patient; and
6. It appears that the Business Associate is a Business Associate of the Covered Entity as that
term is defined in the HIPAA regulations; and
7. Covered Entity is willing to provide Business Associate with access to the Health
Information to enable Business Associate to perform the Services consistent with chapter
70.02 RCW and HIPAA.
AGREEMENT
In consideration for granting Business Associate access to the Health Information and for other
good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged,
Business Associate agrees as follows:
CAG-24-046
18th
February 24
1. Permitted Uses. Business Associate may use or disclose Covered Entity’s Health Information
as necessary to perform Business Associate’s Services as set forth in Recital 2 above and any
Underlying Contracts between Business Associate and Covered Entity.
2. Confidentiality. Business Associate and its Agents agree to keep the Health Information
strictly confidential and will use and/or disclose the Health Information solely for the purpose of
providing the Services. Business Associate will disclose the contents of the Health Information to
its Agents only as minimally necessary and only to the extent required for the Business Associate
to provide the Services.
3. Confidentiality and Subcontractors. Business Associate agrees to ensure that any
subcontractors that create, receive, maintain, or transmit protected health information on behalf
of the Business Associate agree to the same restrictions, conditions, and requirements that apply
to the Business Associate with respect to such information.
4. General Privacy Compliance. Business Associate shall maintain and safeguard the privacy,
security, and confidentiality of all Health Information transmitted or received from the Covered
Entity in accordance with the provisions of chapter 70.02 RCW and HIPAA, as amended, and in
accordance with all other applicable federal, state and local statutes, regulations and Covered
Entity policies regarding the confidentiality of patient Health Information.
5. Minimum Necessary. Business Associate agrees to limit all uses and disclosures of Health
Information to the minimum amount necessary to accomplish the intended purpose of the use
or disclosure. Business Associate agrees that in all uses and disclosures it will include only
the minimum amount of Health Information necessary to accomplish the purpose of the use or
disclosure as necessary for Business Associate to perform the Services.
6. Underlying Contracts. This Agreement is incorporated into all existing and current contract(s)
“Underlying Contracts” between the parties under which Business Associate is carrying out
activities or functions involving the use of Covered Entity’s Health Information.
7. Privacy and Security Obligations. On receipt of Health Information, Business Associate will:
7.1. Not use or further disclose the Health Information other than as permitted or required
by this Agreement, or as required by law, including but not limited to Chapter 42.56 RCW (The
Public Records Act);
7.2. Use appropriate safeguards to prevent the use or disclosure of such Health
Information other than as provided for by this Agreement;
7.3. Business Associate will not transfer Protected Health Information outside the United
States without the prior written consent of the Covered Entity. In this context, a “transfer”
outside the United States occurs if Business Associate’s workforce members, agents, or
subcontractors physically located outside the United States are able to access, use, or disclose
Protected Health Information.
7.4. Business Associate shall not engage in any sale (as defined in the HIPAA Rules) of
Protected Health Information.
7.5. Ensure that any agents, including subcontractors, to whom Business Associate
provides Health Information agree in writing to the same restrictions and conditions that apply
to Business Associate with respect to such Health Information;
7.6. Make Health Information available for inspection and copying in a manner consistent
with Covered Entity Policy and all applicable laws;
7.7. Make Health Information available for amendment and incorporate any amendments
to Health Information in a manner consistent with Covered Entity Policy and all applicable laws;
7.8. Make Health Information available as required to provide an accounting of disclosures
in a manner consistent with Covered Entity Policy and all applicable laws;
7.9. Incorporate any amendments or corrections to the Health Information when notified
in a manner consistent with Covered Entity Policy and all applicable laws;
7.10. Maintain all records of Health Information received from, or created or received on
behalf of, the Covered Entity and document subsequent uses and disclosures in a manner
consistent with Covered Entity Policy and all applicable laws, including but not limited to Chapter
42.56 RCW (The Public Records Act). Business Associate shall maintain such records and
accountings for a minimum of six years;
7.11. Make Business Associate's internal practices, books and records relating to the use
and disclosure of Health Information received from, or created or received by the Business
Associate on behalf of, the Covered Entity available to the Secretary of Health and Human
Services (“HHS”) for purposes of determining the Covered Entity's compliance with HIPAA;
7.12. Except as provided for in this Agreement, in the event Business Associate receives an
access, amendment, accounting of disclosure, or other similar request directly from an Individual,
Business Associate will redirect the Individual to the Covered Entity.
7.13. At termination of the Agreement, if feasible, return or destroy all Health Information
that the Business Associate still maintains in any form and retain no copies of such Health
Information in accordance with the applicable law of the State of Washington, or, if such return
or destruction is not feasible, extend the protection of this Agreement to the Health Information
and limit further uses and disclosures to those purposes that make the return or destruction of
the Health Information not feasible.
8. Creation of De-identified Data. In the event Business Associate wishes to convert PHI to DID,
it must first subject its proposed plan for accomplishing the conversion to Covered Entity for
Covered Entity’s approval, which shall not be unreasonably withheld provided such conversion
meets the requirements of 45 C.F.R. Part 164.514. Business Associate may only use DID as
directed or otherwise agreed to by Covered Entity.
9. Breaches and Security Incidents.
9.1. Reporting.
9.1.1. Impermissible Use or Disclosure. Business Associate will report to Covered Entity
any use or disclosure of Protected Health Information not permitted by this BAA immediately
and not more than seventy-two (72) hours after Business Associate discovered such non-
permitted use or disclosure.
9.1.2. Breach of Unsecured Protected Health Information. Business Associate will
report to Covered Entity any potential Breach of Unsecured Protected Health Information
immediately and not more than seventy-two (72) hours after discovery of such potential Breach.
Business Associate will treat a potential Breach as being discovered in accordance with 45 CFR
164.410. Business Associate will make the notice and report to Covered Entity’s Privacy Officer.
If a delay is requested by a law-enforcement official in accordance with 45 CFR 164.412, Business
Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s
report will include at least the following, provided that absence of any information will not be
cause for Business Associate to delay the report and available information will be provided in a
subsequent report as soon as reasonably possible:
9.1.2.1. Identify the nature of the Breach, which will include a brief description of
what happened, including the date of any Breach and the date of the discovery of any Breach,
and the number of individuals who are subject to a Breach;
9.1.2.2. Identify the types of Protected Health Information that were involved in
the Breach (such as whether full name, Social Security number, date of birth, home address,
account number, diagnosis, or other information were involved);
9.1.2.3. Identify who made the non-permitted use or disclosure and who received
the non-permitted disclosure;
9.1.2.4. Identify what corrective or investigative action Business Associate took or
will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and
to protect against any further Breaches;
9.1.2.5. Identify what steps the individuals who were subject to a Breach should
take to protect themselves; and
9.1.2.6. Provide such other information, including a written report and risk
assessment under 45 CFR 164.402, as Covered Entity may reasonably request.
9.2. Security Incidents. Business Associate will report to Covered Entity any Security
Incidents of which Business Associate becomes aware. Business Associate will make this report
and treat a Security Incident as provided in the provisions set forth above.
9.3. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful
effect known to the Business Associate resulting from a use or disclosure in violation of this BAA.
Business Associate at its sole expense, or, if Covered Entity elects to carry out some or all
mitigation efforts, reimburse Covered Entity for its reasonable costs and expenses (including
without limitation administrative costs, costs of legal action and attorney engagement, and
payment of fines, settlements and damages) incurred in connection with mitigation efforts.
10. Indemnification. Business Associate agrees to defend, indemnify, and hold harmless Covered
Entity and its commissioners, employees, officers and agents against any and all claims, demands,
causes of action, losses, damages, liabilities, judgment, costs and expenses (including reasonable
attorneys' fees) asserted against or incurred by the Covered Entity or its commissioners,
employees, officers and agents as a result of any violation of, or failure to comply with, the
provisions of this Agreement by Business Associate and/or its Agents.
11. Limitation of Liability. Business Associate acknowledges and understands that Covered Entity
makes no representations or warranties, express or implied, regarding the content or
completeness of the Health Information provided to Business Associate. Business Associate
agrees to release Covered Entity and its commissioners, employees, officers and agents, from all
claims, demands, causes of action, losses, damages, liabilities, costs or expenses (including
reasonable attorneys' fees) asserted against or incurred by Business Associate or its Agents by
sole reason of the Business Associate’s use or disclosure of the Health Information.
12. Breach of Agreement - Termination.
12.1. In the event that the Covered Entity becomes aware of a pattern or practice of the
Business Associate that constitutes a material breach or violation of the Business Associate’s
obligations under this Agreement, which breach is not cured within five (5) days after notice is
provided to the Business Associate, this Agreement shall terminate.
12.2. In the event of a default or breach by the Business Associate as set forth in Section 9.1
of this Agreement, the Covered Entity shall have available to it any legal or equitable right or
remedy to which Covered Entity is entitled, including but not limited to, injunctive relief. Covered
Entity shall not be deemed to have waived any of its rights or remedies because of its failure or
delay in exercising any such right or remedy in a particular instance.
13. Continuing Privacy and Security Obligations. Business Associate’s obligations to protect the
privacy and safeguard the security of Protected Health Information as specified in this BAA will
be continuous and survive termination or other conclusion of this BAA.
14. Re-Negotiation. The parties agree to negotiate in good faith any modification to this
Agreement that may be necessary or required to ensure consistency with amendments to and
changes in applicable federal and state laws and regulations, including but not limited to,
regulations promulgated pursuant to HIPAA.
15. Penalties for Noncompliance. Business Associate acknowledges that it is subject to civil and
criminal enforcement for failure to comply with the HIPAA Rules, to the extent provided by the
HITECH Act and the HIPAA Rules.
16. Availability of Disclosure Information. Business Associate will maintain the Disclosure
Information for at least seven (7) years following the date of the accountable disclosure to which
the Disclosure Information relates. Business Associate will make the Disclosure Information
available to Covered Entity within seven (7) calendar days following Covered Entity’s request for
such Disclosure Information to comply with an individual’s request for an accounting of
disclosure.
17. Miscellaneous Provisions.
17.1. Any ambiguity in this Agreement shall be interpreted to permit compliance with the
HIPAA Rules.
17.2. Notwithstanding the foregoing, this Agreement shall be binding upon and shall inure
to the benefit of the parties, and any successor to the parties whether by operation of law or
otherwise.
17.3. All notices given pursuant to this Agreement shall be in writing and shall be delivered
by hand or sent by registered or certified mail, return receipt requested, postage pre-paid,
addressed to the party for whom it is intended at its address as set forth below. Any address for
the giving of notice may be changed by giving notice to that effect to the other party. Each such
notice shall be deemed to have been given on the date of its receipt by the party for whom it was
intended.
17.4. If any provision of this Agreement is or becomes unenforceable, the remainder of this
Agreement shall nevertheless remain binding to the fullest extent possible, taking into
consideration the purposes and spirit of this Agreement.
17.5. This Agreement contains the entire understanding of the parties with regard to the
subject matter hereof, and supersedes all other agreements and understandings, written and
oral, relating to the subject matter hereof. This Agreement may not be amended or modified,
nor may any of its provisions be waived, except by a writing executed by both of the parties or,
in the case of a waiver, by the party waiving compliance. The waiver of any one breach shall not
be construed as a waiver of any rights or remedies with respect to any other breach or
subsequent breach.
17.6. This Agreement shall be governed by and construed in accordance with the laws of
the State of Washington applicable to agreements made and to be performed entirely within
such State, with regard to principles of conflicts of law. The venue of any action arising under this
Agreement shall be in King County, Washington.
17.7. This Agreement may be executed in one or more counterpart copies, each of which
shall be deemed an original and together shall constitute one and the same Agreement.
18. Term. The term of this Agreement shall be identical to the term specified in any Underlying
Contracts, the terms of which are incorporated herein by this reference. Any provision of this
Agreement which by its terms is intended to survive the termination or expiration of this
Agreement shall so survive.
BUSINESS ASSOCIATE:
City of Renton
By:
(signature)
Print Name: Armondo Pavone, Mayor
DATE:
COVERED ENTITY:
Puget Sound Regional Fire Authority
By:
(signature)
Print Name: Brian Carson, Fire Chief
DATE:
ATTEST:
Jason A. Seth, City Clerk
NOTICES TO BE SENT TO:
Jeff Hardin
Renton Police Department
1055 South Grady Way
Renton, WA 98057-3232
NOTICES TO BE SENT TO:
Kent RFA FDCARES Division
24611 116th Ave. S.E.
Kent, WA 98030
2-18-2024