2017-60
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is entered into, and
effective as of January 1, 2017 (the "Effective Date") by and between LifeStream Behavioral
Center, Inc. ("LifeStream" or "Covered Entity") and Clermont Police Department ("Business
Associate"). The parties to this Agreement if not referred to as Covered Entity or LifeStream or
Business Associate may sometimes collectively be referred to "the Parties." The Parties
mutually agree as follows:
INTRODUCTION
The purpose of this Agreement is to comply with the requirements of (i) the Health
Insurance Portability and Accountability Act of 1996 ("HIPAA") and the associated regulations,
as may be amended; (ii) the HIPAA Privacy Rule codified at, 45 C.F.R. Parts 160 and 164,
Subparts A and E, as may be amended; (iii) the HIPAA Security Rule codified at 45 C.F.R. Part
160 and 164, Subpart C, as may be amended; (iv) the Breach Notification Rule, codified at 45
C.F.R. Part 164, Subpart D, as may be amended; (v) the Enforcement Rule codified at 45 C.F.R.
Part 160, Subparts C and D, as may be amended; (vi) the Health Information Technology for
Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act
of 2009 (the "HITECH Act"); and (vii) the HIPAA Omnibus Final Rule published in the Federal
Register at 78 Fed. Reg. 5,566 (Jan. 25, 2013), and effective on March 26, 2013. The HITECH
Act provides further protection for the privacy and security of PHI used and disclosed through
health information technology. The Privacy, Security, Breach Notification and Enforcement
Rules are collectively referred to herein as the "HIPAA Rules." Unless otherwise defined in this
Agreement, capitalized terms have the meanings given in the HIPAA Rules and the HITECH
Act.
In consideration of the new and continuing obligations under the Services Agreement
referenced below and other good and valuable consideration, the parties agree to comply with
this Agreement and the requirements of the HIPAA Rules and the HITECH Act as follows:
1. Services. LifeStream and Business Associate have entered into an agreement
under which Business Associate will perform certain services for LifeStream ("the Services
Agreement"). Under the Services Agreement, Business Associate may create, receive, use,
maintain or transmit PHI from or on behalf of Covered Entity in the course of providing certain
services (the "Services") for Covered Entity. The Services Agreement is incorporated herein by
reference. In the event of a conflict between the terms of the Services Agreement and this
Agreement, this Agreement shall control.
2. Permitted Uses and Disclosures. Business Associate may use and/or disclose
PHI only as permitted or required by this Agreement, or as otherwise required by law. Business
Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents,
or other representatives only to the extent directly related to and necessary for the performance
of Services under the Services Agreement. Business Associate shall make uses and disclosures,
and requests for PHI from Covered Entity, only in a manner consistent with HIPAA's minimum
necessary requirements, and no more than the minimum PHI necessary to perform under the
Services Agreement. Business Associate shall not use or disclose PHI in a manner (i) inconsistent
PERSONNEL:209:R:11/13
with Covered Entity's obligations under the HIPAA Rules or the HITECH Act, or (ii) that would
violate the HIPAA Rules or the HITECH Act if disclosed or used in such a manner by Covered
Entity. Business Associate may use PHI for the proper management and administration of
Business Associate's business and to carry out its responsibilities in accordance with 45 C.F.R. §
164.504(e)(4). Business Associate may not de-identify PHI received from, or created on behalf
of Covered Entity without the express written authorization of Covered Entity. Business
Associate shall make no use or disclosure of PHI in any manner which is contrary to the interest
of LifeStream or will cause LifeStream harm.
3. Safeguards for the Protection of PHI. Business Associate shall conduct an
accurate and thorough risk assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of Electronic PHI held by Covered Entity. Business
Associate shall comply with the HIPAA Security Rule codified at 45 C.F.R. Part 160 and 164,
Subpart C, as may be amended, and with the applicable provisions of the HIPAA Privacy Rule
codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended, to the extent
Business Associate is to carry out any of Covered Entity's obligations under the Privacy Rule.
4. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.
If Business Associate has knowledge of any use or disclosure of PHI not provided for by this
Agreement, then Business Associate shall promptly notify Covered Entity in accordance with
Section 12. Business Associate shall establish and implement procedures and other reasonable
efforts for mitigating, to the extent possible, any harmful effects arising from any improper use
and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business
Associate becomes aware of a Security Incident involving PHI, by itself or any of its agents or
subcontractors, Business Associate shall notify Covered Entity in writing within ten (10)
calendar days, of such Security Incident. Business Associate shall identify the: (i) date of the
Security Incident; (ii) scope of the Security Incident; (iii) Business Associate's response to the
Security Incident; and (iv) identification of the party responsible for the Security Incident, if
known. Covered Entity and Business Associate agree to act together in good faith to take
reasonable steps to investigate and mitigate any harm caused by such unauthorized use or
Security Incident. For these purposes, a "Security Incident" shall mean the successful
unauthorized access, use, disclosure, modification or destruction of information or interference
with system operations in an information system.
5. Data Breach Notification and Mitigation. Business Associate agrees to
promptly notify Covered Entity of any "Breach" of "Unsecured PHI" as those terms are defined
by 45 C.F.R. §164.402 (hereinafter a "Data Breach"). The Parties acknowledge and agree that
45 C.F.R. §164.404, as described below in this Section, governs the determination of the date of
a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly
notify Covered Entity and in no event later than five (5) calendar days after Business Associate
discovers such Data Breach, unless Business Associate is prevented from doing so by 45 C.F.R.
§164.412 concerning law enforcement investigations. For purposes of reporting a Data Breach
to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such
Data Breach is known to Business Associate or, by exercising reasonable diligence, would have
been known to Business Associate. Business Associate shall be considered to have had
knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence
would have been known, to any person (other than the person committing the Data Breach) who
is an employee, officer or other agent of Business Associate. No later than five (5) calendar days
following a Data Breach, Business Associate shall provide Covered Entity with sufficient
information to permit Covered Entity to comply with the Data Breach notification requirements
set forth at 45 C.F.R. §164.400 et seq. Specifically, if the following information is known to (or
can be reasonably obtained by) Business Associate, Business Associate shall provide Covered
Entity with: (i) contact information for Individuals who were or who may have been impacted by
the Data Breach (e.g., first and last name, mailing address, street address, phone number, email
address); (ii) a brief description of the circumstances of the Data Breach, including the date of
the Data Breach, date of discovery, and number of Individuals affected by the Data Breach;
(iii) a description of the types of unsecured PHI involved in the Data Breach (e.g., names, social
security number, date of birth, address(es), account numbers of any type, disability codes,
diagnosis and/or billing codes and similar information); (iv) a brief description of what the
Business Associate has done or is doing to investigate the Data Breach, mitigate harm to the
Individual impacted by the Data Breach, and protect against future Data Breaches; and
(v) appoint a liaison and provide contact information for same so that the Covered Entity may
ask questions and/or learn additional information concerning the Data Breach. Following a Data
Breach, Business Associate shall have a continuing duty to inform Covered Entity of new
information learned by Business Associate regarding the Data Breach, including but not limited
to the information described in the items above.
6. Use and Disclosure of PHI by Subcontractors, Agents, and Representatives.
Business Associate shall require any subcontractor, agent, or other representative that is
authorized to create, receive, maintain, or transmit PHI on behalf of Business Associate to
execute a business associate agreement to agree in writing to the same terms set forth herein.
Business Associate shall terminate its business associate agreement with any subcontractor,
agent or other representative if such subcontractor, agent or representative fails to abide by any
material term of such agreement. Such business associate agreement shall identify Covered
Entity as a third-party beneficiary with rights of enforcement in the event of any HIPAA
violations. Any Agreement with any subcontractor, agent or other representative shall
specifically include all of the terms of Paragraph 2 of this Agreement.
7. Individual Rights. Business Associate shall comply with the following
Individual rights requirements as applicable to PHI used or maintained by Business Associate:
7.1. Right of Access. Business Associate agrees to provide access to PHI
maintained by Business Associate in a Designated Record Set, at the request of Covered
Entity, to Covered Entity or, as directed by Covered Entity, to an Individual in order to
meet the requirements under 45 C.F.R. §164.524. Such access shall be provided by
Business Associate in the time and manner designated by Covered Entity, including,
where applicable, access by electronic means pursuant to Section 13405(e) of the
HITECH Act.
7.2. Right of Amendment. Business Associate agrees to make any
amendment(s) to PHI maintained by Business Associate in a Designated Record Set that
Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of
Covered Entity or an Individual, and in the time and manner designated by Covered
Entity.
7.3. Right to Accounting of Disclosures. Business Associate agrees to
document such disclosures of PHI as would be required for Covered Entity to respond to a
request by an Individual for an accounting of disclosures of PHI in accordance with 45
C.F.R. §164.528. Business Associate agrees to provide to Covered Entity or an
Individual, in the time and manner designated by Covered Entity, such information
collected in order to permit Covered Entity to respond to a request by an Individual for an
accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528, as amended by
Section 13405(c) of the HITECH Act and any related regulations or guidance issued by
HHS in accordance with such provision.
7.4. No Waiver of Privilege. Notwithstanding 7.1, 7.2, and 7.3 above,
Business Associate shall not permit access to any record if such access would violate
LifeStream's or Business Associate's ethical responsibilities or any privileges which
Business Associate or LifeStream may have under Florida or Federal law. To the
maximum extent permitted by law, LifeStream hereby reserves and retains any and all
privileges which LifeStream may have under Florida or Federal law related to the
confidentiality of all patient records of LifeStream or any attorney-client privilege or any
attorney-work product privilege which LifeStream may have with respect to Business
Associate's performance of its obligations under this section. The parties acknowledge
that LifeStream retains the right to waive its attorney-client privilege with regard to its
own records and to expressly instruct Business Associate to provide access to those
records as a result of that waiver. In the event LifeStream determines to waive any
privilege which it may have, LifeStream shall provide Business Associate with written
notice of that waiver before Business Associate may act on any such decision.
8. Ownership of PHI. Covered Entity holds all right, title and interest in and to any
and all PHI received by Business Associate from, or created or received by Business Associate
on behalf of, Covered Entity, and Business Associate does not hold, and shall not acquire by
virtue of this Agreement or by virtue of providing any services or goods to Covered Entity in the
course of fulfilling its obligations pursuant to this Agreement, any right, title or interest in or to
such PHI. Except as specified in this Agreement, Business Associate shall have no right to
compile, distribute, make any statistical analysis, or develop any report utilizing any PHI
provided to Business Associate under this Agreement nor may Business Associate release any
information about PHI or the PHI to any other governmental or private agency or entity without
the express written consent of LifeStream.
9. Prohibition on Sale of PHI. Business Associate shall not sell or receive any
remuneration, direct or indirect, of any kind in exchange for PHI or in exchange for the
disclosure of PHI to any public or private agency or entity, except as expressly permitted by this
Agreement or by the Services Agreement or by written authorization of LifeStream.
10. Inspection of Books and Records. If Business Associate receives a request,
made by or on behalf of HHS requiring Business Associate to make available its internal
practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of
determining compliance of Covered Entity with the Privacy Standards or the Security Standards,
then Business Associate shall promptly notify Covered Entity of such request. Except as
otherwise set forth below, Business Associate shall make its books and records relating to the use
and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for
purposes of determining compliance of Covered Entity with the Privacy Standards and Security
Standards.
To the extent permitted by law, Covered Entity hereby reserves and retains any and all
privileges in which it has an interest under Federal or Florida law including attorney-client
privilege or attorney-work product privilege with respect to Business Associate's performance of
its obligations under this Agreement and this Section 10. Business Associate, to the maximum
extent permitted by law, hereby reserves and retains any and all privileges it may have including
all work product or other privileges or rights. If the Services Agreement is for legal services,
then this section shall not be construed to require Business Associate to disclose or produce
communications subject to the attorney-client, work-product, or other privileges or rights with
respect to materials that analyze, evaluate or discuss the legal implication of PHI.
Notwithstanding the above, in no event shall Business Associate delay complying with a request
of HHS or its authorized representatives if such delay appears reasonably likely to result in any
penalty, fine or other liability being levied or imposed upon Covered Entity (such likelihood to
be determined in the sole discretion of Covered Entity), and Covered Entity has instructed
Business Associate in writing to disclose the information requested by HHS or its authorized
representatives. The Parties acknowledge that Covered Entity retains the right to: (i) waive the
attorney-client privilege with regard to books and records, and (ii) expressly instruct Business
Associate to provide HHS and its authorized representatives with such books and records in the
event of such waiver.
11. Term and Termination.
11.1. Term. This Agreement shall commence on the Effective Date and end
with the termination of the Services Agreement unless terminated sooner pursuant to
Section 11.2.
11.2. Termination for Breach by Covered Entity. As provided for under 45
C.F.R. § 164.504(e)(2)(iii), Covered Entity may immediately terminate this Agreement,
all relevant Services Agreement(s) and any related agreements if Covered Entity
determines that Business Associate has breached a material term of this Agreement.
Alternatively, and in the sole discretion of Covered Entity, Covered Entity may choose to
provide Business Associate with written notice of the existence of the breach and provide
Business Associate with thirty (30) calendar days to cure said breach upon mutually
agreeable terms.
11.3. Termination by Business Associate. If Business Associate determines that
Covered Entity has breached a material term of this Agreement, then Business Associate
shall provide Covered Entity with written notice of the existence of the breach and shall
provide Covered Entity with thirty (30) calendar days to cure said breach upon mutually
agreeable terms or end the violation within this thirty (30) day period. Failure by Covered
Entity to cure said breach or violation in the manner set forth above shall be grounds for
immediate termination of the Services Agreement by Business Associate.
11.4. Effect of Termination. Upon termination of this Agreement, Business
Associate shall recover any PHI relating to this Agreement in possession of Business
Associate and its subcontractors, agents, or representatives. Business Associate shall
return to Covered Entity or destroy all such PHI plus all other PHI relating to this
Agreement in its possession, and shall retain no copies. If Business Associate believes
that it is not feasible to return or destroy the PHI as described above, Business Associate
shall notify Covered Entity in writing. The notification shall include: (i) a written
statement that Business Associate has determined that it is infeasible to return or destroy
the PHI in its possession, and (ii) the specific reasons for such determination. If the
Parties agree that Business Associate cannot feasibly return or destroy the PHI, Business
Associate shall ensure that any and all protections, requirements and restrictions contained
in this Agreement shall be extended to any PHI retained after the termination of this
Agreement, and that any further uses and/or disclosures shall be limited to the purposes
that make the return or destruction of the PHI infeasible. If the Parties do not agree that
Business Associate cannot feasibly return or destroy the PHI, then Business Associate
shall comply with this Paragraph 11.4. If Business Associate refuses to comply with this
Paragraph 11.4, then Covered Entity shall treat the refusal as a material breach of this
Agreement. In all events, Business Associate further agrees to comply with other
applicable state or federal law, which may require a specific period of retention, redaction,
or other treatment of such PHI. It is expressly understood that all limitations, restrictions
or prohibitions on the use or disclosure of PHI by Business Associate shall continue to
exist and shall survive termination of this Agreement for any reason.
12. Notices. Any and all notices and other communications required or permitted to
be given under this Agreement shall be: (a) delivered by personal delivery, provided the person
to whom delivered signs a receipt; (b) delivered by commercial courier such as Federal Express,
provided the person to whom delivered signs a receipt or the commercial courier can verify
delivery; (c) sent by overnight U.S. express mail, provided the postal service can verify delivery;
(d) sent by registered or certified mail, postage prepaid, provided delivery is actually made; or
(e) sent by facsimile, provided the person that sent the notice can verify delivery. All notices
shall be sent to the following addresses or to such other addresses as shall be furnished by notice
to the other party in accordance with the provisions of this Section 12:
If to Covered Entity: P. O. Box 491000
Leesburg, FL 34749-1000
Attn: [illegible]
If to Business Associate: 3600 S. Highway 27
Clermont, FL 34711
Attn: [illegible]
13. Miscellaneous.
13.1. Survival. The respective rights and obligations of the Parties under
Section 10 (Inspection of Books and Records), Section 11.4 (Effect of Termination), and
Section 13 (Miscellaneous) shall survive termination of this Agreement indefinitely, and
those other provisions of this Agreement that apply to rights or obligation of a Party,
which continue or arise upon or after the termination of this Agreement shall survive the
termination of this Agreement to the extent necessary to enforce such rights and obligations
and to otherwise effectuate such provisions. It is expressly understood that all limitations,
restrictions or prohibitions on the use or disclosure of PHI by Business Associate shall
continue to exist and shall survive termination of this Agreement for any reason.
13.2. State Law. In addition to HIPAA and the HITECH Act, Business
Associate shall comply with all applicable Florida law related to patient privacy or other
privacy restrictions on records of LifeStream and federal security and privacy laws.
13.3. Regulatory References. A citation in this Agreement to the Code of
Federal Regulations shall mean the cited section as that section may be amended from
time to time.
13.4. Amendment. This Agreement may be amended or modified only in a
writing signed by the Parties. The Parties agree that they shall negotiate amendments to
this Agreement to conform to any changes in the HIPAA Rules as are necessary for
Covered Entity to comply with the current requirements of the HIPAA Rules. In addition,
in the event that either Party believes in good faith that any provision of this Agreement
fails to comply with the then-current requirements of the HIPAA Rules or any other
applicable legislation, then such Party shall notify the other Party of its belief in writing.
For a period of up to thirty (30) days, the Parties shall address in good faith such concern
and amend the terms of this Agreement, if necessary to bring it into compliance. If, after
such thirty-day period, the Agreement fails to comply with the HIPAA Rules or any other
applicable legislation, then either Party has the right to terminate this Agreement and the
Services Agreement upon written notice to the other Party.
13.5. Interpretation. Any ambiguity in this Agreement shall be interpreted to
permit compliance with the HIPAA Rules and the HITECH Act and permit compliance
with requirements of Florida patient confidentiality law to the extent they are more
stringent than HIPAA Rules or the HITECH Act.
13.6. Governing Law; Venue. This Agreement shall be governed by and
construed in all respects by the laws of the State of Florida. The state court forum for any
action commenced under this Agreement shall be in the Circuit Court in and for the Fifth
Judicial Circuit of Florida. In the event Federal Court jurisdiction is mandated by some
state or federal law, then venue and jurisdiction shall be The United States District Court
in the Middle District of Florida, Orlando.
13.7. No Third Party Beneficiaries. Except as provided in Section 6, nothing
express or implied in this Agreement is intended to confer, nor shall anything herein
confer, upon any person other than the Parties and the respective successors and permitted
assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
13.8. Severability. In the event any provision of this Agreement is held to be
unenforceable for any reason, such unenforceability shall not affect the remainder of this
Agreement, which shall remain in full force and effect.
13.9. Assignment. Neither Party may assign this Agreement without the prior
written consent of the other.
13.10. Attorney's Fees and Costs. Should legal action be required to enforce the
terms of this Agreement, the prevailing Party will be entitled to receive from the other
Party all costs incurred in connection with such action, including reasonable attorney,
legal assistant, investigator, and other paralegal and clerical fees and costs, including such
costs and fees on appeal, if any.
13.11. Binding Effect. The provisions of this Agreement shall be binding upon
and shall inure to the benefit of the Parties and their respective heirs, executors,
administrators, legal representatives, successors and assigns.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement effective
as of the Effective Date.
Covered Entity: LifeStream Behavioral Center, Inc.
By: [signature]
Its: [illegible]
Business Associate: Clermont Police Department
By: [signature]
Its: [illegible]