Auxiant Business Assoc. Agreement 3.7.2014
RECEIVED MAR 07 2014, CITY CLERK'S OFFICE
BUSINESS ASSOCIATE AGREEMENT
This agreement ("Agreement") is effective upon execution, and is made by and between Auxiant
("Business Associate") and City of Oshkosh ("Covered Entity").
These parties mutually agree to comply with the requirements of the implementing regulations at 45 Code
of Federal Regulations ("C.F.R.") Parts 160-64 for the Administrative Simplification provisions of Title II,
Subtitle F of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") as amended by the
Health Information Technology for Economic and Clinical Health Act (the "HITECH Act").
Definitions: The following terms used in this Agreement shall have the same meaning as those terms in
the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care
Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information,
Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information,
and Use.
Specific definitions:
(a) Business Associate. "Business Associate" shall generally have the same meaning as the term
"business associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean
Auxiant.
(b) Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered
entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean City of
Oshkosh.
(c) HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and
Enforcement Rules at 45 CFR Part 160 and Part 164.
1. Privacy of Protected Health Information.
a) Permitted Uses and Disclosures. Business Associate is permitted to use and disclose
Protected Health Information that it creates or receives on Covered Entity's behalf or receives
from Covered Entity (or another business associate of Covered Entity) and to request Protected
Health Information on Covered Entity's behalf (collectively, "Protected Health Information") only:
i) Functions and Activities on Covered Entity's Behalf. To perform functions,
activities, services, and operations on behalf of Covered Entity.
ii) Business Associate's Operations. For Business Associate's proper
management and administration or to carry out Business Associate's legal
responsibilities, provided that, with respect to disclosure of Covered Entity's Protected
Health Information, either:
A) The disclosure is Required by Law; or
B) Business Associate obtains reasonable assurance from any person or
entity to which Business Associate will disclose Protected Health Information that
the person or entity will:
1) Hold Covered Entity's Protected Health Information in confidence
and use or further disclose Covered Entity's Protected Health Information
only for the purpose for which Business Associate disclosed Covered
Entity's Protected Health Information to the person or entity or as
Required by Law; and
HIPAA Business Associate Agreement 2013 Page 1 of 8
2) Promptly notify Business Associate (who will in turn notify
Covered Entity in accordance with Section 4(a)) of any instance of which
the person or entity becomes aware in which the confidentiality of
Covered Entity's Protected Health Information was breached.
3) Business Associate may provide data aggregation services
related to the health care operations of the Covered Entity if applicable.
b) Minimum Necessary. Business Associate will, in its performance of the functions,
activities, services, and operations specified in Section 1(a) above, make reasonable efforts to
use, to disclose, and to request only the minimum amount of Covered Entity's Protected Health
Information reasonably necessary to accomplish the intended purpose of the use, disclosure or
request as required by 45 C.F.R. §164.502(b) and § 13405(b) of the HITECH Act, except that
Business Associate will not be obligated to comply with this minimum necessary limitation with
respect to:
i) Disclosure to or request by a health care provider for Treatment;
ii) Use for or disclosure to an individual who is the subject of Covered Entity's
Protected Health Information, or that individual's personal representative;
iii) Use or disclosure made pursuant to an authorization compliant with 45 C.F.R. §
164.508 that is signed by an individual who is the subject of Covered Entity's Protected
Health Information to be used or disclosed, or by that individual's personal
representative;
iv) Disclosure to the United States Department of Health and Human Services
("DHHS") in accordance with Section 5(a) of this Agreement;
v) Use or disclosure that is Required by Law; or
vi) Any other use or disclosure that is excepted from the minimum necessary
limitation as specified in 45 C.F.R. § 164.502(b)(2).
c) Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use
nor disclose Covered Entity's Protected Health Information, except as permitted or required by
this Agreement or in writing by Covered Entity or as Required by Law. This Agreement does not
authorize Business Associate to use or disclose Covered Entity's Protected Health Information in
a manner that will violate 45 C.F.R. Part 164, Subpart E "Privacy of Individually Identifiable Health
Information" (the "Privacy Rule") if done by Covered Entity, except as set forth in Section 1(a)(ii).
d) Information Safeguards.
i) Privacy of Covered Entity's Protected Health Information. Business
Associate will develop, implement, maintain, and use appropriate administrative,
technical, and physical safeguards to reasonably protect the privacy of Covered Entity's
Protected Health Information. The safeguards must reasonably protect Covered Entity's
Protected Health Information from any intentional or unintentional use or disclosure in
violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a
use or disclosure otherwise permitted by this Agreement.
ii) Security of Covered Entity's Electronic Protected Health Information.
Business Associate will develop, implement, maintain, and use administrative, technical,
and physical safeguards that reasonably and appropriately protect the confidentiality,
integrity, and availability of Electronic Protected Health Information that Business
Associate creates, receives, maintains, or transmits on Covered Entity's behalf as
required by the Security Rule, 45 C.F.R. Part 164, Subpart C.
e) Subcontractors and Agents. Business Associate will require any of its subcontractors
and agents, to which Business Associate is permitted by this Agreement or in writing by Covered
Entity to disclose Covered Entity's Protected Health Information and/or Electronic Protected
Health Information, to provide reasonable assurance that such subcontractor or agent will comply
with the same privacy and security safeguard obligations with respect to Covered Entity's
Protected Health Information and/or Electronic Protected Health Information that are applicable
to Business Associate under this Agreement.
2. Compliance with Transaction Standards. If Business Associate conducts in whole or part
electronic Transactions on behalf of Covered Entity for which DHHS has established Standards, Business
Associate will comply, and will require any subcontractor or agent it involves with the conduct of such
Transactions to comply, with each applicable requirement of the Transaction Rule, 45 C.F.R. Part 162.
Business Associate will not enter into, or permit its subcontractors or agents to enter into, any Trading
Partner Agreement in connection with the conduct of Standard Transactions on behalf of Covered Entity
that:
a) Changes the definition, data condition, or use of a data element or segment in a Standard
Transaction;
b) Adds any data element or segment to the maximum defined data set;
c) Uses any code or data element that is marked "not used" in the Standard Transaction's
implementation specification or is not in the Standard Transaction's implementation specification;
or
d) Changes the meaning or intent of the Standard Transaction's implementation
specification.
3. Individual Rights.
a) Access. Business Associate will, within thirty (30) calendar days following Covered
Entity's request, make available to Covered Entity or, at Covered Entity's direction, to an
individual (or the individual's personal representative) for inspection and obtaining copies
Covered Entity's Protected Health Information about the individual that is in Business Associate's
custody or control, so that Covered Entity may meet its access obligations under 45 C.F.R.
§ 164.524.
b) Amendment. Business Associate will, upon receipt of written notice from Covered
Entity, promptly amend or permit Covered Entity access to amend any portion of Covered Entity's
Protected Health Information, so that Covered Entity may meet its amendment obligations under
45 C.F.R. § 164.526.
c) Disclosure Accounting. So that Covered Entity may meet its disclosure accounting
obligations under 45 C.F.R. § 164.528 and, if and when applicable, § 13405(c) of the HITECH
Act, and if there are any conflicts between this section and 45 C.F.R. § 164.528 and, if and when
applicable, § 13405(c) of the HITECH Act then the applicable statute(s) shall control:
i) Disclosures Subject to Accounting. In accordance with 45 C.F.R. §164.528,
Business Associate will record the information specified in Section 3(c)(iii) below
("Disclosure Information") for each disclosure of Covered Entity's Protected Health
Information, not excepted from disclosure accounting as specified in Section 3(c)(ii)
below, that Business Associate makes to Covered Entity or to a third party.
ii) Disclosures Not Subject to Accounting. Business Associate will not be
obligated to record Disclosure Information or otherwise account for disclosures of
Covered Entity's Protected Health Information:
A) That occurred before April 14, 2003 (2004 if Covered Entity is a "small"
health plan);
B) For Treatment, Payment or Health Care Operations activities;
C) To an individual who is the subject of Covered Entity's Protected Health
Information disclosed, or to that individual's personal representative;
D) Pursuant to an authorization compliant with 45 C.F.R. § 164.508 that is
signed by an individual who is the subject of Covered Entity's Protected Health
Information disclosed, or by that individual's personal representative;
E) For notification of and to persons involved in the care or payment related
to the health care of an individual who is the subject of Covered Entity's
Protected Health Information disclosed and for disaster relief;
F) To law enforcement officials or correctional institutions in accordance
with 45 C.F.R. § 164.512(k)(5);
G) For national security or intelligence purposes in accordance with 45
C.F.R. § 164.512(k)(2);
H) In a Limited Data Set;
I) Incident to a use or disclosure that Business Associate is otherwise
permitted to make by this Agreement; and
J) Otherwise excepted from disclosure accounting as specified in 45 C.F.R.
§ 164.528.
iii) Disclosure Information. With respect to any disclosure by Business Associate
of Covered Entity's Protected Health Information that is not excepted from disclosure
accounting by Section 3(c)(ii) above, Business Associate will record the following
Disclosure Information as applicable to the type of accountable disclosure made:
A) Disclosure Information Generally. Except for repetitive disclosures of
Covered Entity's Protected Health Information as specified in Section 3(c)(iii)(B)
below, the Disclosure Information that Business Associate must record for each
accountable disclosure is (i) the disclosure date, (ii) the name and (if known)
address of the entity to which Business Associate made the disclosure, (iii) a
brief description of Covered Entity's Protected Health Information disclosed, and
(iv) a brief statement of the purpose of the disclosure.
B) Disclosure Information for Repetitive Disclosures. For repetitive
disclosures of Covered Entity's Protected Health Information that Business
Associate makes for a single purpose to the same person or entity (including
Covered Entity), the Disclosure Information that Business Associate must record
is either the Disclosure Information specified in Section 3(c)(iii)(A) above for each
accountable disclosure, or (i) the Disclosure Information specified in Section
3(c)(iii)(A) above for the first of the repetitive accountable disclosures, (ii) the
frequency, periodicity, or number of the repetitive accountable disclosures, and
(iii) the date of the last of the repetitive accountable disclosures.
iv) Availability of Disclosure Information. Business Associate will maintain the
Disclosure Information for at least 6 years following the date of the accountable
disclosure to which the Disclosure Information relates.
Business Associate will make the Disclosure Information available to Covered Entity
within sixty (60) calendar days following Covered Entity's request for such Disclosure
Information to comply with an individual's request for disclosure accounting.
d) Restriction Agreements and Confidential Communications. Business Associate will
comply with any agreement that Covered Entity makes that either (i) restricts use or disclosure of
Covered Entity's Protected Health Information pursuant to 45 C.F.R. § 164.522(a), or (ii) requires
confidential communication about Covered Entity's Protected Health Information pursuant to 45
C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the
restriction or confidential communication obligations that Business Associate must follow.
Covered Entity will promptly notify Business Associate in writing of the termination of any such
restriction agreement or confidential communication requirement and, with respect to termination
of any such restriction agreement, instruct Business Associate whether any of Covered Entity's
Protected Health Information will remain subject to the terms of the restriction agreement.
e) Permissible Requests by Covered Entity. Covered Entity shall not request Business
Associate to use or disclose Protected Health Information in any manner that would not be
permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except if Business
Associate will use or disclose Protected Health Information for data aggregation or for the management
and administration and legal responsibilities of the Business Associate.
4. Privacy Obligation Breach and Security Incidents.
a) Reporting.
i) Privacy Breach. Business Associate will report to Covered Entity any use or
disclosure of Covered Entity's Protected Health Information not permitted by this
Agreement or in writing by Covered Entity. Business Associate will make the report to
Covered Entity's Privacy Official not more than 14 calendar days after Business
Associate learns of such non-permitted use or disclosure. Business Associate's report
will at least:
A) Identify the nature of the non-permitted use or disclosure;
B) Identify Covered Entity's Protected Health Information used or disclosed;
C) Identify who made the non-permitted use or disclosure and who received
the non-permitted disclosure;
D) Identify what corrective action Business Associate took or will take to
prevent further non-permitted uses or disclosures;
E) Identify what Business Associate did or will do to mitigate any deleterious
effect of the non-permitted use or disclosure; and
F) Identify who was notified of any breach and provide a copy of said
notification to Covered Entity if such notification occurred.
G) Provide such other information, including a written report, as Covered
Entity may reasonably request.
ii) Security Incidents. Business Associate will report to Covered Entity within 14
calendar days any attempted or successful (A) unauthorized access, use, disclosure,
modification, or destruction of Covered Entity's Electronic Protected Health Information or
(B) interference with Business Associate's system operations in Business Associate's
information systems, of which Business Associate becomes aware. Business Associate
will make this report upon Covered Entity's request, except if any such security incident
resulted in a disclosure of Covered Entity's Protected Health Information or Electronic
Protected Health Information not permitted by this Agreement, Business Associate will
make the report in accordance with Section 4(a)(i) above.
b) Termination of Agreement.
i) Right to Terminate for Breach. Covered Entity may terminate Agreement if it
determines, after reasonable due diligence, that Business Associate has breached any
provision of this Agreement and, upon written notice to Business Associate of the breach,
Business Associate fails to cure the breach within thirty (30) calendar days after receipt of
the notice. Covered Entity may exercise this right to terminate Agreement by providing
Business Associate written notice of termination. Any such termination will be effective
immediately or at such other date specified in Covered Entity's notice of termination.
ii) Right to Terminate on Regulation Change. Either Covered Entity or Business
Associate may terminate Agreement if amendment or addition to 45 C.F.R. Parts 160-64
affects the obligations under this Agreement of the party exercising the right of
termination. The party so affected may terminate this Agreement by giving the other
party written notice of such termination at least 90 calendar days before the compliance
date of such amendment or addition to 45 C.F.R. Parts 160-64.
iii) Obligations on Termination.
A) Return or Destruction of Covered Entity's Protected Health
Information as Feasible. Subject to Subsection 4(b)(iii)(B) below, upon
termination or other conclusion of this Agreement, Business Associate will, if
feasible, return to Covered Entity or destroy all of Covered Entity's Protected
Health Information in whatever form or medium, including all copies thereof and
all data, compilations, and other works derived therefrom that allow identification
of any individual who is a subject of Covered Entity's Protected Health
Information. Business Associate will require any subcontractor or agent, to which
Business Associate has disclosed Covered Entity's Protected Health Information
as permitted by Section 1(e) of this Agreement, to if feasible return to Business
Associate (so that Business Associate may return it to Covered Entity) or destroy
all of Covered Entity's Protected Health Information in whatever form or medium
received from Business Associate, including all copies thereof and all data,
compilations, and other works derived therefrom that allow identification of any
individual who is a subject of Covered Entity's Protected Health Information, and
certify to Business Associate that all such information has been returned or
destroyed. Business Associate will complete these obligations as promptly as
possible, but not later than ninety (90) calendar days following the effective date
of the termination or other conclusion of this Agreement.
B) Procedure When Return or Destruction Is Not Feasible. Business
Associate will identify any of Covered Entity's Protected Health Information,
including any that Business Associate has disclosed to subcontractors or agents
as permitted by Section 1(e) of this Agreement, that cannot feasibly be returned
to Covered Entity or destroyed and explain why return or destruction is infeasible.
Business Associate will limit its further use or disclosure of such information to
those purposes that make return or destruction of such information infeasible.
Business Associate will require such subcontractor or agent to limit its further use
or disclosure of Covered Entity's Protected Health Information that such
subcontractor or agent cannot feasibly return or destroy to those purposes that
make the return or destruction of such information infeasible. Business
Associate will complete these obligations as promptly as possible, but not later
than sixty (60) calendar days following the effective date of the termination or
other conclusion of this Agreement.
C) Continuing Privacy and Security Obligation. Business Associate's
obligation to protect the privacy and safeguard the security of Covered Entity's
Protected Health Information as specified in this Agreement will be continuous
and survive termination or other conclusion of this Agreement.
iv) Indemnity. Business Associate will indemnify and hold harmless Covered Entity
and any Covered Entity affiliate, officer, director, employee or agent from and against any
claim, cause of action, liability, damage, cost or expense, including attorneys' fees and
court or proceeding costs, arising out of or in connection with any non-permitted use or
disclosure of Covered Entity's Protected Health Information or other breach of this
Agreement by Business Associate or any subcontractor or agent under Business
Associate's control.
5. General Provisions.
a) Inspection of Internal Practices, Books, and Records. Business Associate will make
its internal practices, books, and records relating to its use and disclosure of Covered Entity's
Protected Health Information available to Covered Entity and to DHHS to determine Covered
Entity's compliance with the Privacy Rule, 45 C.F.R. Part 164, Subpart E.
b) Definitions. The terms "Covered Entity," "Electronic Protected Health Information,"
"Protected Health Information," "Standard," "Trading Partner Agreement," and "Transaction" have
the meanings set out in 45 C.F.R. § 160.103. The term "Standard Transaction" has the meaning
set out in 45 C.F.R. § 162.103. The term "Required by Law" has the meaning set out in 45 C.F.R.
§ 164.103. The terms "Health Care Operations," "Payment," "Research," and "Treatment" have
the meanings set out in 45 C.F.R. § 164.501. The term "Limited Data Set" has the meaning set
out in 45 C.F.R. § 164.514(e). The term "use" means, with respect to Protected Health
Information, utilization, employment, examination, analysis or application within Business
Associate. The terms "disclose" and "disclosure" mean, with respect to Protected Health
Information, release, transfer, providing access to or divulging to a person or entity not within
Business Associate. For purposes of this Agreement, Covered Entity's Protected Health
Information encompasses Covered Entity's Electronic Protected Health Information.
c) Amendment to Agreement. Upon the compliance date of any final regulation, or
amendment to a final regulation, promulgated by DHHS that affects Business Associate's use or
disclosure of Covered Entity's Protected Health Information or Standard Transactions, this
Agreement will automatically amend such that the obligations imposed on Business Associate
remain in compliance with the final regulation or amendment to the final regulation, unless Covered
Entity or Business Associate elects to terminate Agreement in accordance with Section 4(b)(ii).
d) No Third Party Beneficiaries. Nothing in this Agreement shall be construed as creating
any rights or benefits to any third parties.
6. Conflicts. The terms and conditions of this agreement will override and control any conflicting term or
condition of the Agreement. All non-conflicting terms and conditions of this Agreement remain in full force
and effect.
IN WITNESS WHEREOF, Covered Entity and Business Associate execute this Agreement in multiple
originals to be effective this ___ day of February, 2014 (except as otherwise specified).

City of Oshkosh                                   AUXIANT
By: [signature]                                   By: [signature]
Printed Name: [illegible]                         Printed Name: [illegible]
Its: [illegible]                                  Its: [illegible]
Date: 2/[illegible]                               Date: [illegible]