HomeMy WebLinkAboutDeaf Hard of Hearing Service Center Inc.-HIPAA Business Associate Agreement_P-21-237.pdf Connect_ Inspire_ Succeed.
DHHSC
DEAF & HARD OF HEARING SERVICE CENTER
HIPAA Business Associate Agreement
This Business Associate Agreement is entered into on 8/3/2022 between
County of Fresno and the Deaf and Hard of Hearing Service Center,
hereafter referred to as DHHSC.
This contract shall become effective from the date of execution and shall remain in effect through
June 30, 2024
LRECITALS
A. Covered Entity is a covered entity under the Health Insurance Portability and Accountability
Act of 1996, as amended("HIPAA"), including the HIPAA Rules (as defined below), and the
Health Information Technology for Economic and Clinical Health Act,Title XIII of the
American Recovery and Reinvestment Act of2009 (the "HITECH Act").
B.Covered Entity and DHHSC have entered into a service contract, in which DHHSC provides
communication access to the Covered Entity's Deaf and Hard of Hearing clients.Pursuant to the
Services Agreement, DHHSC will receive limited PHI for the purposes of fulfilling the
assignment and invoicing the Covered Entity for services provided.
C. As a non-medical service provider for the Covered Entity's clients and as described
above, DHHSC will be considered a"Limited Business Associate".
D. The HIPAA Rules include the Standards for Privacy of Individually Identifiable Health
Information(the"Privacy Rule"at 45 CFR Part 160 and Part 164, Subparts A and E. the
Standards for Security of Electronic Protected Health Information (the"Security Rule")at 45
CFR Parts 160 and 164, Subpart C),Breach Notification for Unsecured Protected Health
Information(the"Breach Notification Rule"at 45 CFR Parts 160 and 164),and the Enforcement
Rules at 45 CFR Part 160, Subparts C-E, as each of the foregoing may be amended or
supplemented.
E. DHHSC and Covered Entity are both committed to complying with the HIPAA Rules,
and acknowledge that each has certain obligations to maintain the privacy and security of
the Covered Entity's clients'PHI.
IL THEREFORE
A.The parties, in consideration of the mutual agreements herein contained and for other good
and valuable consideration,the receipt and sufficiency of which are hereby acknowledged, agree
to the following terms and conditions covering how each party's obligations to maintain the
privacy and security of PHI will be satisfied.
III. DEFINITIONS
A. Capitalized terms used, but not otherwise defined, in this BAA have the meanings
ascribed to them in HIPAA,including in the HIPAA Rules and the HITECH Act(with
exception to the HITECH software requirement).-
IV.PROTECTED HEALTH INFORMATION OR PHI
A. Has the same meaning as the term"protected health information" as defined in 45 CFR
164.103 and any amendments thereto, limited to the information DHHSC has access to,receives
from,and maintains for or on behalf of Covered Entity.PHI includes Electronic Protected Health
Information. "Electronic Protected Health Information" or"EPHI" means the subset of PHI that
is transmitted by electronic media or maintained in electronic media.DHHSC acknowledges and
agrees that all Protected Health Information is subject to this BAA.
V.CONFIDENTIALITY REQUIREMENTS
A.Business Associate agrees to use or disclose protected Health Information solely:
(1)For meeting its obligations to provide communication access as set forth in the Service
Agreement, or
(2) For the purpose of billing the Covered Entity for the translation services provided.
B. DHHSC will ensure that its subcontractors are bound by the same terms and conditions that
DHHSC must adhere to in this BAA.
C.In addition,DHHSC agrees to take reasonable steps to ensure that its employees'actions or
omissions do not cause DHHSC to breach the terms of this BAA.
D.Notwithstanding the prohibitions set forth in this BAA,DHHSC will only use and disclose
client's name and location of appointment to its subcontractors and accounting department.
E.DHHSC obtains reasonable assurances from the person to whom the information is disclosed
that it will be held confidentially and used only for the purposes of assigning an interpreter and
invoicing for services. DHHSC will continually ensure and maintain both a confidentiality and
BAA contract with its subcontractors.
VI.SAFEGUARDS
A.DHHSC will implement appropriate safeguards to prevent use or disclosure of Protected
Health Information other than as permitted in this BAA or Service Contract terms.
B.DHHSC will report to Covered Entity any use or disclosure of Protected Health Information
which is not in compliance with the terms of this BAA of which it becomes aware.
C.It is also acknowledged that:
(1)DHHSC has a secure system for sending invoices with limited PHI,
(2) DHHSC does not electronically store PHI,and that
(3)DHHSC will not utilize the standard HITEC software.
VII.OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A.DHHSC agrees to not use or disclose Protected Health Information other than
fulfilling the interpreting assignments or for invoicing.
B.DHHSC implements administrative,physical, and technical safeguards that
reasonably and appropriately protect the confidentiality,integrity,and availability
ofEPHI.
C.DHHSC agrees to mitigate,to the extent practicable,any harmful effect caused
by inappropriate disclosure or use of Protected Health Information supplied by the
Covered Entity.
D.DHHSC agrees to report to Covered Entity any use or disclosure of the Protected Health
Information not provided for by this BAA of which it becomes aware.
E.DHHSC agrees to ensure that any agent, including a subcontractor,to whom it provides
Protected Health Information received from Covered Entity,agrees to the same restrictions and
conditions that apply through this BAA to Business Associate with respect to such information.
F.Business Associate has policies and procedures for relating to the use and disclosure of
Protected Health Information received from Covered Entity.
G.DHHSC will promptly report to Covered Entity any unauthorized acquisition,access,use,or
disclosure of Protected Health Information in violation of the HIPAA Rules or other applicable
law, or in violation of the terms of this BAA.
Such report will be made as soon as reasonably possible but in no event later than ten business
days after discovery by Business Associate of such breach.Each report of a breach will include,
to the extent possible,the following information:
(1)A description of the facts pertaining to the breach,including without limitation,the date of
the breach and the date of discovery of the breach,
(2) A description of the Protected Health Information involved in the breach,
(5) The names of the individuals,who committed or were involved in the breach,
(4)The names of the unauthorized individuals or entities to which Protected Health Information
has been disclosed,
(6)A description of the action taken or proposed by the Business Associate to mitigate the
financial, reputational, or other harm to the individual who is the subject of the breach,and
H. DHHSC agrees to comply with the administrative requirements imposed on it,in its capacity
as a Business Associate and in compliance with HIPAA Laws.
I. DHHSC agrees to make available to HHS its internal practices, books,and records relating to
the use and disclosure of protected health information received from,or created or received by
DHHSC on behalf of,the covered entity for purposes of HHS determining the covered entity's
compliance with the HIPAA Privacy Rule.
VIIL OBLIGATIONS OF CUSTOMER AS COVERED ENTITY
A.Covered Entity will not request that DHHSC use or disclose PHI in any manner that would
not be permissible under the HIPAA Rules if done by Covered Entity.
B. Covered Entity will notify DHHSC in writing of any limitation in its notice of privacy
practices adopted in accordance with the Privacy Rules,to the extent that such limitation may
affect DHHSC's use or disclosure of Protected Health Information.
D. Covered Entity will provide Business Associate with written notice of any revocations,
amendments,or restrictions in Covered Entity's use or disclosure of Protected Health Information
if such changes affect DHHSC's permitted or required uses and disclosure of Protected Health
Information under this BAA or the Services Agreement.
IX.AVAILABILITY OF PROTECTED HEALTH INFORMATION
A.Covered Entity acknowledges and agrees that DHHSC,due to the nature of the technology
utilized by DHHSC,has no access, direct or indirect,to the Protected Health Information
supplied by Covered Entity to DHHSC.
B. The parties agree that,due to the nature of the technology utilized by DHHSC cannot make
Protected Health Information available to anyone other than the interpreters and the DHHSC
Accounting Department.
X.TERMINATION
A. Termination of Covered Entity's business relationship with DHHSC shall be under the terms
set forth in the Services Agreement,incorporated herein by reference.Notwithstanding anything
in this BAA or in the Services Agreement to the contrary, Covered Entity has the right to
terminate this BAA immediately if Covered Entity determines that DHHSC has violated any of
its material terms.
B. Should DHHSC have any PHI when the Services Agreement is terminated,DHHSC agrees to
return or destroy all PHI in its possession.
XI.MISCELLANEOUS
A. By reference,this BAA incorporates,but does not supersede or replace,the Service Contract
Agreement. Except as expressly stated herein or in the Privacy Rule,the parties to this BAA do
not intend to create any rights in any third parties.
B. This BAA may be amended or modified only in a writing signed by the parties.Neither party
may assign its respective rights or obligations under this BAA without the prior written consent
of the other party.None of the provisions of this BAA are intended to create,nor will they be
deemed to create, any relationship between the parties other than that of independent parties
contracting with each other solely for the purposes of effecting the provisions of this BAA and
the Services Agreement.
C. This BAA will be governed by the laws of the State of California. No change,waiver, or
discharge of any liability or obligation hereunder on any one or more occasions will be deemed a
waiver of performance of any continuing or other obligation, or will prohibit enforcement of any
obligation, on any other occasion.
D. The provisions of this BAA are intended to establish the minimum requirements regarding
Business Associate's use and disclosure of Protected Health Information.
E. In the event that any provision of this BAA is held by a court of competent jurisdiction to be
invalid or unenforceable,the remainder of the provisions of this BAA and the Service Contract
will remain in full force and effect.
XII. IT IS FURTHER UNDERSTOOD THAT:
A.DHHSC is neither a medical facility nor a medical provider,and DHHSC does not file
insurance claims.
B.DHHSC provides communication access(American Sign Language)to the Covered Entity's
Deaf and Hard of Hearing clients.
C.Interpreters are not allowed to take notes of any kind nor disclose the contents or location of
the assignment.
D. The Covered Entity will only extend the following limited PHI to DHHSC:
(1)Patient's name,
(2) DOB,
(3) Location of appointment,
(4) Date and time of appointment,
(5) Authorization or member number,and
(6) Preferred gender of interpreter.
E.DHHSC does not electronically store or otherwise file the limited PHI received from the
Covered Entity once the appointment is completed and invoice has been sent.
F. The Covered Entity agrees that DHHSC can revise any audits in order to reflect more
appropriately its type of services rather than those intended for medical providers.
IN WITNESS WHEREOF,the parties have executed this BAA as of the Effective Date
Gary Cornuelle
Covered Entity Representative's Name(print)
Gary Cornuelle 8/3/22
Covered Entity Representative's Signature(print) Date
rea1,
H SC Repr sentative's Nam (print)
Xf)HMCYp sentative's Signa e(print) bat6
Signature: Awe, 6.4 —
Gary Cornuelle(Aug 3,2022 16:21 PDT)
Email: gcornuelle@fresnocountyca.gov
Fresno Head �a rs: Central Coast Outreach Office: South Valley Outreach Office: Merced Outreach Office:
5340 N.Fresno Street 36 Quail Run Circle,Suite 100-T 113 N.Church Street,Suite 222 855 W.18th Street,Suite A
Fresno,CA 93710 Salinas,CA 93907 Visalia,CA 93291 Merced,CA 95340
(559)225-3323 V•(559)225-0415 (831)753-6540 V• (831)753-6541 (559)334-0134 V•(559)334-0137 (209)726-7783 V• (209)726-7786
TTY TTY TTY TTY
(559)225-0116 FAX- (831)753-6542 FAX- (559)334-0138 FAX (209)726-7717 FAX
info@dhhsc.org ccinfo@dhhsc.org •svoinfo@dhhsc.org minfo@dhhsc.org
1.1 Electronic Signatures. The parties agree that this Agreement may be executed by
electronic signature as provided in this section.
(A) An "electronic signature" means any symbol or process intended by an individual signing
this Agreement to represent their signature, including but not limited to (1) a digital signature; (2)
a faxed version of an original handwritten signature; or(3)an electronically scanned and
transmitted (for example by PDF document) of a handwritten signature.
(B) Each electronic signature affixed or attached to this Agreement(1) is deemed equivalent
to a valid original handwritten signature of the person signing this Agreement for all purposes,
including but not limited to evidentiary proof in any administrative or judicial proceeding, and (2)
has the same force and effect as the valid original handwritten signature of that person.
(C)The provisions of this section satisfy the requirements of Civil Code section 1633.5,
subdivision (b), in the Uniform Electronic Transaction Act(Civil Code, Division 3, Part 2, Title 2.5,
beginning with section 1633.1).
(D) Each party using a digital signature represents that it has undertaken and satisfied the
requirements of Government Code section 16.5, subdivision (a), paragraphs (1)through (5), and
agrees that each other party may rely upon that representation.
(E) This Agreement is not conditioned upon the parties conducting the transactions under it
by electronic means and either party may sign this Agreement with an original handwritten
signature.