2017-60
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is entered into, and effective as of January 1, 2017 (the "Effective Date") by and between LifeStream Behavioral Center, Inc. ("LifeStream" or "Covered Entity") and Clermont Police Department ("Business Associate"). The parties to this Agreement if not referred to as Covered Entity or LifeStream or Business Associate may sometimes collectively be referred to "the Parties." The Parties mutually agree as follows:
INTRODUCTION
The purpose of this Agreement is to comply with the requirements of (i) the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the associated regulations, as may be amended; (ii) the HIPAA Privacy Rule codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended; (iii) the HIPAA Security Rule codified at 45 C.F.R. Part 160 and 164, Subpart C, as may be amended; (iv) the Breach Notification Rule, codified at 45 C.F.R. Part 164, Subpart D, as may be amended; (v) the Enforcement Rule codified at 45 C.F.R. Part 160, Subparts C and D, as may be amended; (vi) the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"); and (vii) the HIPAA Omnibus Final Rule published in the Federal Register at 78 Fed. Reg. 5,566 (Jan. 25, 2013), and effective on March 26, 2013. The HITECH Act provides further protection for the privacy and security of PHI used and disclosed through health information technology. The Privacy, Security, Breach Notification and Enforcement Rules are collectively referred to herein as the "HIPAA Rules." Unless otherwise defined in this Agreement, capitalized terms have the meanings given in the HIPAA Rules and the HITECH Act.
In consideration of the new and continuing obligations under the Services Agreement referenced below and other good and valuable consideration, the parties agree to comply with this Agreement and the requirements of the HIPAA Rules and the HITECH Act as follows:
1. Services. LifeStream and Business Associate have entered into an agreement under which Business Associate will perform certain services for LifeStream ("the Services Agreement"). Under the Services Agreement, Business Associate may create, receive, use, maintain or transmit PHI from or on behalf of Covered Entity in the course of providing certain services (the "Services") for Covered Entity. The Services Agreement is incorporated herein by reference. In the event of a conflict between the terms of the Services Agreement and this Agreement, this Agreement shall control.
2. Permitted Uses and Disclosures. Business Associate may use and/or disclose PHI only as permitted or required by this Agreement, or as otherwise required by law. Business Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of Services under the Services Agreement. Business Associate shall make uses and disclosures, and requests for PHI from Covered Entity, only in a manner consistent with HIPAA's minimum necessary requirements, and no more than the minimum PHI necessary to perform under the Services Agreement. Business Associate shall not use or disclose PHI in a manner (i) inconsistent with Covered Entity's obligations under the HIPAA Rules or the HITECH Act, or (ii) that would violate the HIPAA Rules or the HITECH Act if disclosed or used in such a manner by Covered Entity.
PERSONNEL:209:R:11/13
Business Associate may use PHI for the proper management and administration of Business Associate's business and to carry out its responsibilities in accordance with 45 C.F.R. § 164.504(e)(4). Business Associate may not de-identify PHI received from, or created on behalf of Covered Entity without the express written authorization of Covered Entity. Business Associate shall make no use or disclosure of PHI in any manner which is contrary to the interest of LifeStream or will cause LifeStream harm.
3. Safeguards for the Protection of PHI. Business Associate shall conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic PHI held by Covered Entity. Business Associate shall comply with the HIPAA Security Rule codified at 45 C.F.R. Part 160 and 164, Subpart C, as may be amended, and with the applicable provisions of the HIPAA Privacy Rule codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended, to the extent Business Associate is to carry out any of Covered Entity's obligations under the Privacy Rule.
4. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement, then Business Associate shall promptly notify Covered Entity in accordance with Section 12. Business Associate shall establish and implement procedures and other reasonable efforts for mitigating, to the extent possible, any harmful effects arising from any improper use and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business Associate becomes aware of a Security Incident involving PHI, by itself or any of its agents or subcontractors, Business Associate shall notify Covered Entity in writing within ten (10) calendar days, of such Security Incident.
Business Associate shall identify the: (i) date of the Security Incident; (ii) scope of the Security Incident; (iii) Business Associate's response to the Security Incident; and (iv) identification of the party responsible for the Security Incident, if known. Covered Entity and Business Associate agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or Security Incident. For these purposes, a "Security Incident" shall mean the successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
5. Data Breach Notification and Mitigation. Business Associate agrees to promptly notify Covered Entity of any "Breach" of "Unsecured PHI" as those terms are defined by 45 C.F.R. §164.402 (hereinafter a "Data Breach"). The Parties acknowledge and agree that 45 C.F.R. §164.404, as described below in this Section, governs the determination of the date of a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than five (5) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate.
No later than five (5) calendar days following a Data Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth at 45 C.F.R. §164.400 et seq. Specifically, if the following information is known to (or can be reasonably obtained by) Business Associate, Business Associate shall provide Covered Entity with: (i) contact information for Individuals who were or who may have been impacted by the Data Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Data Breach, including the date of the Data Breach, date of discovery, and number of Individuals affected by the Data Breach; (iii) a description of the types of unsecured PHI involved in the Data Breach (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnosis and/or billing codes and similar information); (iv) a brief description of what the Business Associate has done or is doing to investigate the Data Breach, mitigate harm to the Individual impacted by the Data Breach, and protect against future Data Breaches; and (v) appoint a liaison and provide contact information for same so that the Covered Entity may ask questions and/or learn additional information concerning the Data Breach. Following a Data Breach, Business Associate shall have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Data Breach, including but not limited to the information described in the items above.
6. Use and Disclosure of PHI by Subcontractors, Agents, and Representatives.
Business Associate shall require any subcontractor, agent, or other representative that is authorized to create, receive, maintain, or transmit PHI on behalf of Business Associate to execute a business associate agreement to agree in writing to the same terms set forth herein. Business Associate shall terminate its business associate agreement with any subcontractor, agent or other representative if such subcontractor, agent or representative fails to abide by any material term of such agreement. Such business associate agreement shall identify Covered Entity as a third-party beneficiary with rights of enforcement in the event of any HIPAA violations. Any Agreement with any subcontractor, agent or other representative shall specifically include all of the terms of Paragraph 2 of this Agreement.
7. Individual Rights. Business Associate shall comply with the following Individual rights requirements as applicable to PHI used or maintained by Business Associate:
7.1. Right of Access. Business Associate agrees to provide access to PHI maintained by Business Associate in a Designated Record Set, at the request of Covered Entity, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. §164.524. Such access shall be provided by Business Associate in the time and manner designated by Covered Entity, including, where applicable, access by electronic means pursuant to Section 13405(e) of the HITECH Act.
7.2. Right of Amendment. Business Associate agrees to make any amendment(s) to PHI maintained by Business Associate in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
7.3. Right to Accounting of Disclosures.
Business Associate agrees to document such disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner designated by Covered Entity, such information collected in order to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by HHS in accordance with such provision.
7.4. No Waiver of Privilege. Notwithstanding 7.1, 7.2, and 7.3 above, Business Associate shall not permit access to any record if such access would violate LifeStream's or Business Associate's ethical responsibilities or any privileges which Business Associate or LifeStream may have under Florida or Federal law. To the maximum extent permitted by law, LifeStream hereby reserves and retains any and all privileges which LifeStream may have under Florida or Federal law related to the confidentiality of all patient records of LifeStream or any attorney-client privilege or any attorney-work product privilege which LifeStream may have with respect to Business Associate's performance of its obligations under this section. The parties acknowledge that LifeStream retains the right to waive its attorney-client privilege with regard to its own records and to expressly instruct Business Associate to provide access to those records as a result of that waiver. In the event LifeStream determines to waive any privilege which it may have, LifeStream shall provide Business Associate with written notice of that waiver before Business Associate may act on any such decision.
8. Ownership of PHI.
Covered Entity holds all right, title and interest in and to any and all PHI received by Business Associate from, or created or received by Business Associate on behalf of, Covered Entity, and Business Associate does not hold, and shall not acquire by virtue of this Agreement or by virtue of providing any services or goods to Covered Entity in the course of fulfilling its obligations pursuant to this Agreement, any right, title or interest in or to such PHI. Except as specified in this Agreement, Business Associate shall have no right to compile, distribute, make any statistical analysis, or develop any report utilizing any PHI provided to Business Associate under this Agreement nor may Business Associate release any information about PHI or the PHI to any other governmental or private agency or entity without the express written consent of LifeStream.
9. Prohibition on Sale of PHI. Business Associate shall not sell or receive any remuneration, direct or indirect, of any kind in exchange for PHI or in exchange for the disclosure of PHI to any public or private agency or entity, except as expressly permitted by this Agreement or by the Services Agreement or by written authorization of LifeStream.
10. Inspection of Books and Records. If Business Associate receives a request, made by or on behalf of HHS requiring Business Associate to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Covered Entity with the Privacy Standards or the Security Standards, then Business Associate shall promptly notify Covered Entity of such request. Except as otherwise set forth below, Business Associate shall make its books and records relating to the use and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for purposes of determining compliance of Covered Entity with the Privacy Standards and Security Standards.
To the extent permitted by law, Covered Entity hereby reserves and retains any and all privileges in which it has an interest under Federal or Florida law including attorney-client privilege or attorney-work product privilege with respect to Business Associate's performance of its obligations under this Agreement and this Section 10. Business Associate, to the maximum extent permitted by law, hereby reserves and retains any and all privileges it may have including all work product or other privileges or rights. If the Services Agreement is for legal services, then this section shall not be construed to require Business Associate to disclose or produce communications subject to the attorney-client, work-product, or other privileges or rights with respect to materials that analyze, evaluate or discuss the legal implication of PHI. Notwithstanding the above, in no event shall Business Associate delay complying with a request of HHS or its authorized representatives if such delay appears reasonably likely to result in any penalty, fine or other liability being levied or imposed upon Covered Entity (such likelihood to be determined in the sole discretion of Covered Entity), and Covered Entity has instructed Business Associate in writing to disclose the information requested by HHS or its authorized representatives. The Parties acknowledge that Covered Entity retains the right to: (i) waive the attorney-client privilege with regard to books and records, and (ii) expressly instruct Business Associate to provide HHS and its authorized representatives with such books and records in the event of such waiver.
11. Term and Termination.
11.1. Term. This Agreement shall commence on the Effective Date and end with the termination of the Services Agreement unless terminated sooner pursuant to Section 11.2.
11.2. Termination for Breach by Covered Entity. As provided for under 45 C.F.R.
§ 164.504(e)(2)(iii), Covered Entity may immediately terminate this Agreement, all relevant Services Agreement(s) and any related agreements if Covered Entity determines that Business Associate has breached a material term of this Agreement. Alternatively, and in the sole discretion of Covered Entity, Covered Entity may choose to provide Business Associate with written notice of the existence of the breach and provide Business Associate with thirty (30) calendar days to cure said breach upon mutually agreeable terms.
11.3. Termination by Business Associate. If Business Associate determines that Covered Entity has breached a material term of this Agreement, then Business Associate shall provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with thirty (30) calendar days to cure said breach upon mutually agreeable terms or end the violation within this thirty (30) day period. Failure by Covered Entity to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of the Services Agreement by Business Associate.
11.4. Effect of Termination. Upon termination of this Agreement, Business Associate shall recover any PHI relating to this Agreement in possession of Business Associate and its subcontractors, agents, or representatives. Business Associate shall return to Covered Entity or destroy all such PHI plus all other PHI relating to this Agreement in its possession, and shall retain no copies. If Business Associate believes that it is not feasible to return or destroy the PHI as described above, Business Associate shall notify Covered Entity in writing. The notification shall include: (i) a written statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination.
If the Parties agree that Business Associate cannot feasibly return or destroy the PHI, Business Associate shall ensure that any and all protections, requirements and restrictions contained in this Agreement shall be extended to any PHI retained after the termination of this Agreement, and that any further uses and/or disclosures shall be limited to the purposes that make the return or destruction of the PHI infeasible. If the Parties do not agree that Business Associate cannot feasibly return or destroy the PHI, then Business Associate shall comply with this Paragraph 11.4. If Business Associate refuses to comply with this Paragraph 11.4, then Covered Entity shall treat the refusal as a material breach of this Agreement. In all events, Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI. It is expressly understood that all limitations, restrictions or prohibitions on the use or disclosure of PHI by Business Associate shall continue to exist and shall survive termination of this Agreement for any reason.
12. Notices. Any and all notices and other communications required or permitted to be given under this Agreement shall be: (a) delivered by personal delivery, provided the person to whom delivered signs a receipt; (b) delivered by commercial courier such as Federal Express, provided the person to whom delivered signs a receipt or the commercial courier can verify delivery; (c) sent by overnight U.S. express mail, provided the postal service can verify delivery; (d) sent by registered or certified mail, postage prepaid, provided delivery is actually made; or (e) sent by facsimile, provided the person that sent the notice can verify delivery.
All notices shall be sent to the following addresses or to such other addresses as shall be furnished by notice to the other party in accordance with the provisions of this Section 12:
If to Covered Entity: P.O. Box 491000, Leesburg, FL 34749-1000, Attn: [illegible]
If to Business Associate: 3600 S. Highway 27, Clermont, FL 34711, Attn: [illegible]
13. Miscellaneous.
13.1. Survival. The respective rights and obligations of the Parties under Section 10 (Inspection of Books and Records), Section 11.4 (Effect of Termination), and Section 13 (Miscellaneous) shall survive termination of this Agreement indefinitely, and those other provisions of this Agreement that apply to rights or obligation of a Party, which continue or arise upon or after the termination of this Agreement shall survive the termination of this Agreement to the extent necessary to enforce such rights and obligations and to otherwise effectuate such provisions. It is expressly understood that all limitations, restrictions or prohibitions on the use or disclosure of PHI by Business Associate shall continue to exist and shall survive termination of this Agreement for any reason.
13.2. State Law. In addition to HIPAA and the HITECH Act, Business Associate shall comply with all applicable Florida law related to patient privacy or other privacy restrictions on records of LifeStream and federal security and privacy laws.
13.3. Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.
13.4. Amendment. This Agreement may be amended or modified only in a writing signed by the Parties. The Parties agree that they shall negotiate amendments to this Agreement to conform to any changes in the HIPAA Rules as are necessary for Covered Entity to comply with the current requirements of the HIPAA Rules.
In addition, in the event that either Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Rules or any other applicable legislation, then such Party shall notify the other Party of its belief in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Rules or any other applicable legislation, then either Party has the right to terminate this Agreement and the Services Agreement upon written notice to the other Party.
13.5. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules and the HITECH Act and permit compliance with requirements of Florida patient confidentiality law to the extent they are more stringent than HIPAA Rules or the HITECH Act.
13.6. Governing Law; Venue. This Agreement shall be governed by and construed in all respects by the laws of the State of Florida. The state court forum for any action commenced under this Agreement shall be in the Circuit Court in and for the Fifth Judicial Circuit of Florida. In the event Federal Court jurisdiction is mandated by some state or federal law, then venue and jurisdiction shall be The United States District Court in the Middle District of Florida, Orlando.
13.7. No Third Party Beneficiaries. Except as provided in Section 6, nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors and permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
13.8. Severability.
In the event any provision of this Agreement is held to be unenforceable for any reason, such unenforceability shall not affect the remainder of this Agreement, which shall remain in full force and effect.
13.9. Assignment. Neither Party may assign this Agreement without the prior written consent of the other.
13.10. Attorney's Fees and Costs. Should legal action be required to enforce the terms of this Agreement, the prevailing Party will be entitled to receive from the other Party all costs incurred in connection with such action, including reasonable attorney, legal assistant, investigator, and other paralegal and clerical fees and costs, including such costs and fees on appeal, if any.
13.11. Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement effective as of the Effective Date.
Covered Entity: LifeStream Behavioral Center, Inc.
By: [illegible]
Its: [illegible]
Business Associate: Clermont Police Department
By: [illegible]
Its: [illegible]