Agr HIPPA Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
Whereas, [CITY OF SALINA EMS] (Business Associate)
Name of Contractor or other entity
will provide/provides certain services to the Department of Veterans Affairs (Covered
Entity), and, in connection with the provision of those services, the Covered Entity will
disclose/discloses to Business Associate Protected Health Information (PHI) and
Electronic Protected Health Information (EPHI) that is subject to protection under the
regulations issued by the Department of Health and Human Services, as mandated by
the Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts
160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable
Health Information ("Privacy Rule"); and 45 CFR Parts 160 and 164, Subparts A and C,
the Security Standard ("Security Rule"); and
Whereas, VA is a "Covered Entity" as that term is defined in the HIPAA
implementing regulations, 45 CFR 160.103, and
Whereas, [CITY OF SALINA EMS], as a recipient of PHI
Name of Business Associate
from Covered Entity, is a "Business Associate" of the Covered Entity as the term
"Business Associate" is defined in the HIPAA implementing regulations, 45 CFR
160.103; and
Whereas, pursuant to the Privacy and Security Rules, all Business Associates of
Covered Entities must agree in writing to certain mandatory provisions regarding the
use and disclosure of PHI and EPHI; and
Whereas, the purpose of this Agreement is to comply with the requirements of the
Privacy and Security Rules, including, but not limited to, the Business Associate
contract requirements at 45 C.F.R. §§164.308(b), 164.314(a), 164.502(e), and
164.504(e), and as may be amended.
NOW, THEREFORE, in consideration of the mutual promises and covenants
contained herein, the parties agree as follows:
1. Definitions. Unless otherwise provided in this Agreement, capitalized terms have
the same meanings as set forth in the Privacy and Security Rules. The term
"Protected Health Information" or the abbreviation "PHI" shall include the term
"Electronic Protected Health Information" and the abbreviation "EPHI" in this
Agreement.
2. Ownership of PHI. PHI provided to Business Associate or created, gathered
or received by Business Associate, its agents and subcontractors under this
agreement is the property of Covered Entity.
3. Scope of Use and Disclosure by Business Associate of Protected Health
Information and Electronic Protected Health Information
A. Business Associate shall be permitted to make Use and Disclosure of PHI
that is disclosed to it by Covered Entity, or created, gathered or received
by Business Associate on behalf of Covered Entity, as necessary to
perform its obligations under this Agreement, and [CITY OF SALINA EMS],
contractor number or agreement description
provided that the Covered Entity may make such Use or Disclosure under
the Privacy and Security Rules, and the Use or Disclosure complies with
the Covered Entity's minimum necessary policies and procedures.
B. Unless otherwise limited herein, in addition to any other Uses and/or
Disclosures permitted or authorized by this Agreement or required by law,
Business Associate may:
(1) use the PHI in its possession for its proper management and
administration and to fulfill any legal responsibilities of Business
Associate;
(2) make a Disclosure of the PHI in its possession to a third party for the
purpose of Business Associate's proper management and administration
or to fulfill any legal responsibilities of Business Associate; provided,
however, that the disclosures are Required By Law or permitted by
Federal law and VA Policy and Business Associate has received from the
third party written assurances that (a) the information will be held
confidentially and Used or further Disclosure made only as Required By
Law or for the purposes for which it was disclosed to the third party; and
(b) the third party will notify the Business Associate of any instances of
which it becomes aware in which the confidentiality of the information has
been breached;
(3) engage in Data Aggregation activities, consistent with the Privacy
Rule; and
(4) de-identify any and all PHI created or received by Business Associate
under this Agreement; provided, that the de-identification conforms to the
requirements of the Privacy Rule.
4. Obligations of Business Associate. In connection with its Use and Disclosure of
PHI received from Covered Entity or created, gathered or received on behalf of
Covered Entity, Business Associate agrees that it will:
A. Use or make further Disclosure of PHI only as permitted or required by this
Agreement or as Required By Law;
B. Use reasonable and appropriate safeguards to prevent Use or Disclosure of
PHI other than as provided for by this Agreement;
C. To the extent practicable, mitigate any harmful effect that is known to
Business Associate of a Use or Disclosure of PHI by Business Associate in
violation of this Agreement;
D. Promptly report to Covered Entity any Security Incident, or Use or
Disclosure of PHI not provided for by this Agreement, of which Business
Associate becomes aware;
E. Require contractors, subcontractors or agents to whom Business Associate
provides PHI to agree to the same restrictions and conditions that apply to
Business Associate pursuant to this Agreement, including implementation
of reasonable and appropriate safeguards to protect PHI;
F. Make available to the Secretary of Health and Human Services Business
Associate's internal practices, books and records, including policies and
procedures, relating to the Use or Disclosure of PHI for purposes of
determining Covered Entity's compliance with the Privacy and Security
Rules, subject to any applicable legal privileges;
G. If the Business Associate maintains PHI in a Designated Record Set,
maintain the information necessary to document the disclosures of PHI
sufficient to make an accounting of those disclosures as required under
the Privacy Rule and the Privacy Act, 5 USC 552a, and within (15) days of
receiving a request from Covered Entity, make available the information
necessary for Covered Entity to make an accounting of Disclosures of PHI
about an individual in the Designated Record Set or Covered Entity's
Privacy Act System of Records;
H. If the Business Associate maintains PHI in a Designated Record Set or
Privacy Act System of Records, within ten (10) days of receiving a written
request from Covered Entity, make available PHI in the Designated
Record Set or System of Records necessary for Covered Entity to
respond to individuals' requests for access to PHI about them that is not in
the possession of Covered Entity;
I. If the Business Associate maintains PHI in a Designated Record Set or
Privacy Act System of Records, within fifteen (15) days of receiving a
written request from Covered Entity, incorporate any amendments or
corrections to the PHI in the Designated Record Set or System of Records
in accordance with the Privacy Rule and Privacy Act;
J. Not make any Uses or Disclosures of PHI that Covered Entity would be
prohibited from making.
K. When Business Associate is uncertain whether it may make a particular Use
or Disclosure of PHI in performance of this Agreement and the underlying
agreement, the Business Associate will obtain the approval of the
Covered Entity before making the Use or Disclosure.
L. Implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality and integrity, and
availability of the PHI that Business Associate creates, receives,
maintains, or transmits on behalf of the Covered Entity as required by the
Security Rule.
M. Upon completion of the contract, the Business Associate shall return or
destroy the PHI gathered, created, received or processed during the
performance of this contract, and no data will be retained by the Business
Associate, and any agents and subcontractors of the Business Associate.
The Business Associate shall certify that all PHI has been returned to the
Covered Entity or destroyed. If immediate return or destruction of all data
is not possible, the Business Associate shall certify that all PHI retained
will be safeguarded to prevent unauthorized Uses or Disclosures. Until
the Business Associate has completed certification, Covered Entity
will withhold 15% of the final payment of the contract.
5. Obligations of Covered Entity. Covered Entity agrees that it:
A. Has obtained, and will obtain, from Individuals any consents,
authorizations and other permissions necessary or required by laws
applicable to Covered Entity for Business Associate and Covered Entity to
fulfill their obligations under this Agreement or the underlying agreement,
[CITY OF SALINA EMS];
describe agreement or enter contract number
B. Will promptly notify Business Associate in writing of any restrictions on the
Use and Disclosure of PHI about Individuals that Covered Entity has
agreed to that may affect Business Associate's ability to perform its
obligations under this Agreement;
C. Will promptly notify Business Associate in writing of any changes in, or
revocation of, permission by an Individual to use or disclose PHI, if such
changes or revocation may affect Business Associate's ability to perform
its obligations under this Agreement or the underlying agreement.
6. Termination.
A. Termination for Cause. Upon Covered Entity's knowledge of a material
breach by Business Associate, Covered Entity shall either:
(1) provide an opportunity for Business Associate to cure the breach or end
the violation and terminate this Agreement if Business Associate does not
cure the breach or end the violation within the time specified by Covered
Entity;
(2) immediately terminate this Agreement if Business Associate has breached
a material term of this Agreement and cure is not possible;
(3) if neither termination nor cure are feasible, Covered Entity shall report the
violation to the Secretary of Health and Human Services.
B. Automatic Termination. This Agreement will automatically terminate upon
completion of the Business Associate's duties under the underlying
agreement, or termination of that agreement by either party.
C. Effect of Termination.
(1) Termination of this Agreement will result in cessation of activities by the
Business Associate, and any agents or subcontractors of it involving PHI
under this Agreement and [CITY OF SALINA EMS]
Contract number or agreement description
(2) Upon termination of this Agreement, Business Associate will return or
destroy all PHI received from Covered Entity or created, gathered or
received by Business Associate and its agents and subcontractors on
behalf of Covered Entity under this Agreement. The Business Associate
shall certify that all PHI has been returned to Covered Entity or destroyed.
If immediate return or destruction of all PHI is not possible, the contractor
further certifies that any data retained will be safeguarded to prevent
unauthorized Uses or Disclosures.
7. Amendment. Business Associate and Covered Entity agree to take such action as
is necessary to amend this Agreement for Covered Entity to comply with the
requirements of the Privacy and Security Rules or other applicable law.
8. Survival. The obligations of Business Associate under section 6.C. (2) of this
Agreement shall survive any termination of this Agreement.
9. No Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than
the parties and their respective successors or assigns, any rights, remedies,
obligations or liabilities whatsoever.
10. Other Applicable Law. This Agreement does not, and is not intended to, abrogate
any responsibilities of the parties under any other applicable law.
11. In the event terms and conditions differ, the terms and conditions of the contract
[CITY OF SALINA EMS ] shall take precedence.
Contract number or agreement description
12.Effective Date. This Agreement shall be effective on April 14, 2003.
VA
By:
Name: JANET L. FORD
Title: HIPPA Coordinator
Date: April 8, 2003

City of Salina
By:
Name: [illegible]
Title: Director of finance
Date: April 17, 2003
April 8, 2003
CITY OF SALINA EMS
PO BOX 736
SALINA, KS 67402-0736
DEPARTMENT OF VETERANS AFFAIRS
Robert J. Dole
Medical & Regional Office Center
5500 East Kellogg
Wichita KS 67218
In Reply Refer To: 589A7/001 I
Reference: CITY OF SALINA EMS
Your Organization has been identified as a Business Associate of the Department of Veterans
Affairs for the above Contract/Agreement, as defined in Health Insurance Portability and
Accountability Act (HIPAA), Public Law 104-191.
Please execute the enclosed Business Associate Agreement and return it to me by Close of
Business, April 15, 2003.
Execution of the Agreement will enable us to achieve compliance with HIPAA privacy and
security standards for the use and disclosure of protected health information to our Business
Associates.
Your cooperation in this matter is greatly appreciated.
If you have any questions regarding this matter, please contact Janet Ford at (316) 685-2221
ext. 3322.
Sincerely yours,
JANET L. FORD
HIPPA Coordinator
Enclosure