Business Associate Agreement Template - Broward County, Florida

BUSINESS ASSOCIATE AGREEMENT BETWEEN
BROWARD COUNTY, FLORIDA AND _________________
This BUSINESS ASSOCIATE AGREEMENT ("BAA") is entered into by and
between Broward County, Florida ("County"), and ____________, a ____________
corporation authorized to do business in the State of Florida with its principal office located
at ______________________ ("Business Associate") in connection with the
_______________________________ (the "Agreement").
RECITALS
1. Business Associate provides services related to the operation of certain
activities/programs that involve the use or disclosure of Protected Health Information
(“PHI”);
2. The operation of such activities/programs is subject to the federal Health
Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health
Information Technology for Economic and Clinical Health Act (“HITECH”);
3. HIPAA and HITECH mandate that certain responsibilities of contractors with
access to PHI be documented through a written agreement; and
4. The County and Business Associate desire to comply with the requirements of
HIPAA and HITECH and acknowledge their respective responsibilities.
NOW, THEREFORE, for good and valuable consideration, the receipt and
sufficiency of which are hereby acknowledged, the parties agree as follows:
Section 1: Definitions
1.1 All terms used in this BAA not otherwise defined herein shall have the meanings
stated in the Privacy and Security Rules, 45 CFR Parts 160, 162, 164, and 42
U.S.C. § 17921.
1.2 “HIPAA Laws” means collectively HIPAA, HITECH, 42 CFR Part 2 (if applicable),
and the related regulations and amendments.
1.3 When the term “PHI” is used in this BAA, it includes the term “Electronic
Protected Health Information” or “EPHI.”
1.4 Penalties as used in Section 3.18 below are defined as civil penalties that may
be applied to the Business Associate and its workforce members by the
Secretary of Health and Human Services (HHS). The amount of the penalties
ranges depending on the type of violation. In determining penalties, the Secretary
may take into account:
a. the nature and extent of the violation;
b. the nature and extent of harm resulting from such violation;
c. the degree of culpability of the covered entity or business associate;
d. the history of prior compliance with the administrative simplification
provision including violations by the covered entity or business associate;
e. the financial condition of the covered entity or business associate; and
f. such other matters as justice may require.
Section 2: Confidentiality
2.1 County and Business Associate shall comply with all federal and state laws
governing the privacy and security of PHI.
2.2 If this box is checked, the County and Business Associate are required to
comply with 42 CFR Part 2 with respect to patient identifying information
concerning alcohol and substance abuse treatment.
Section 3: Obligations and Activities of the Business Associate
Use and Disclosure of PHI
3.1 The Business Associate shall not use or disclose PHI other than as permitted or
required by this BAA or as required by law. Business Associate may:
a. Use and disclose PHI only as necessary to perform its obligations under
the Agreement, provided that such use or disclosure would not violate
HIPAA Laws if done by the County;
b. Use the PHI received in its capacity as a Business Associate of the
County for its proper management and administration and to fulfill any
legal responsibilities of Business Associate;
c. Disclose PHI in its possession to a third party for the proper management
and administration of Business Associate, or to fulfill any legal
responsibilities of Business Associate, provided that the disclosure would
not violate HIPAA Laws if made by the County, or is required by law, and
Business Associate has received from the third party written assurances
that (i) the information will be kept confidential and used or further
disclosed only for the purposes for which it was disclosed to the third party
or as required by law; (ii) the third party will notify Business Associate of
any instances of which it becomes aware in which the confidentiality of the
information may have been breached; and (iii) the third party has agreed
to implement reasonable and appropriate steps to safeguard the
information;
d. Use PHI to provide data aggregation activities relating to the operations of
the County; and
e. De-identify any and all PHI created or received by Business Associate
under the Agreement, provided that the de-identification conforms to the
requirements of the HIPAA Laws.
3.2 Business Associate shall limit its use and disclosure of, and request for PHI when
practical or as required by law, to the information making up a Limited Data Set,
as defined by HIPAA, and in all other cases subject to the requirements of 45
CFR 164.502(b), to the minimum amount of PHI necessary to accomplish the
intended purpose of the use, disclosure, or request.
3.3 Business Associate is prohibited from selling PHI, using PHI for marketing
purposes, or attempting to re-identify any PHI information in violation of HIPAA
Laws.
Administrative, Physical, and Technical Safeguards
3.4 Business Associate shall implement administrative, physical, and technical
safeguards that protect the confidentiality, integrity and availability of PHI that it
creates, receives, maintains, or transmits on behalf of the County. The
safeguards shall include written policies, procedures, a security risk assessment,
training of Business Associate employees, and sanctions that are in compliance
with HIPAA Laws.
3.5 Business Associate shall require all of its subcontractors, agents, and other third
parties that receive, use, transmit, maintain, store, or have access to PHI to
agree, in writing, to the same restrictions and conditions that apply to Business
Associate pursuant to this BAA, including implementation of administrative,
physical, and technical safeguards.
Access of Information; Amendment of Information; Accounting of Disclosures
3.6 Business Associate shall make available to the County all PHI in Designated
Record Sets within ten (10) days of the County's request for the County to meet
the requirements under 45 CFR § 164.524.
3.7 Business Associate shall make any amendments to PHI in a Designated Record
Set as directed or agreed to by the County pursuant to 45 CFR § 164.526 in the
time and manner reasonably designated by the County.
3.8 Business Associate shall timely document such disclosures of PHI and
information related to such disclosures as would be required for the County to
respond to an individual for an accounting of disclosures of PHI in accordance
with 45 CFR § 164.528. Further, Business Associate shall provide to the County
an accounting of all disclosures of PHI during the term of this BAA within ten (10)
days of termination of this BAA, or sooner if reasonably requested by the County
for purposes of any monitoring/auditing of the County for compliance with HIPAA
Laws.
3.9 Business Associate shall provide the County, or an individual under procedures
approved by the County, information and documentation collected in accordance
with the preceding paragraph to respond to an individual requesting an
accounting for disclosures as provided under 45 CFR § 164.528 and HIPAA
Laws.
Mitigation
3.10 Business Associate shall mitigate, to the extent possible and at its own expense,
any harmful effect that is known to Business Associate of a use or disclosure of
PHI by the Business Associate in violation of the requirements of this BAA or
applicable law.
3.11 Business Associate shall take appropriate disciplinary action against any
members of its workforce who use or disclose PHI in any manner not authorized
by this BAA or applicable law.
Reporting of Breaches and Mitigation of Breach
3.12 Business Associate shall notify the County's HIPAA Privacy Official at (954) 357-
6500 of any impermissible access, acquisition, use or disclosure of any
unsecured PHI within twenty-four (24) hours of Business Associate becoming
aware of such access, acquisition, use or disclosure. Unsecured PHI shall refer
to such PHI that is not secured through use of a technology or methodology
specified by the Secretary of HHS that renders such PHI unusable, unreadable,
or indecipherable to unauthorized individuals. A breach of unsecured PHI shall
be treated as discovered by Business Associate as of the first day on which such
breach is known to the Business Associate or, by exercising reasonable
diligence, would have been known to Business Associate, including any
employee, officer, contractor, subcontractor, or other agent of Business
Associate.
3.13 Business Associate shall submit a written report of a breach to the County within
ten (10) business days after initial notification, and shall document the following:
a. The identification of each individual whose PHI has been, or is reasonably
believed by Business Associate, to have been accessed, acquired, used, or
disclosed during the breach;
b. A brief description of what occurred, including the date of the breach and the
date of the discovery of the breach, if known;
c. A description of the types of PHI that are involved in the breach (such as full
name, social security number, date of birth, home address, account number,
diagnosis, etc.);
d. A description of what is being done to investigate the breach, to mitigate harm
to individuals, and the reasonable and appropriate safeguards being taken to
protect against future breaches;
e. Any steps the County or the individual impacted by the breach should take to
protect himself or herself from potential harm resulting from the breach;
f. Contact procedures for the Business Associate to enable individuals to ask
questions or learn additional information, which may include, in the discretion
of the County, a toll-free telephone number, e-mail address, website, or postal
address, depending upon the available contact information that the Business
Associate has for the affected individuals; and
g. Any other reasonable information requested by the County.
3.14 In the event of a breach, Business Associate shall, in consultation with and at the
direction of the County, assist the County in conducting a risk assessment of the
breach and mitigate, to the extent practicable, any harmful effect of such breach
known to Business Associate.
3.15 The County, in its sole discretion, will determine whether the County or Business
Associate shall be responsible to provide notification to individuals whose
unsecured PHI has been disclosed, as well as to the Secretary of HHS and the
media.