1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
2 BUSINESS ASSOCIATE AGREEMENT
3
4 This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is made and entered
5 into as of this 9th day of December 2022 (the "Effective Date") and shall terminate on
6 December 8 2023 by and between the COUNTY OF FRESNO and DUMONT PRINTING
7 (the "BUSINESS ASSOCIATE"), in accordance with the meaning given to those terms at 45
8 CFR §164.501). In this Agreement, the County of Fresno and the BUSINESS ASSOCIATE
9 are each a "Party" and, collectively, are the "Parties".
10 WITNESSETH:
11 WHEREAS, BUSINESS ASSOCIATE is assisting with a mass mailing service for
12 Fresno County Department of Behavioral Health ("COVERED ENTITY") that contains
13 confidential protected health information (PHI).
14 WHEREAS, BUSINESS ASSOCIATE is to provide a mass envelope stuffing service to
15 assist with the mass mailing service; and
16 WHEREAS, the Parties have agreed to enter into this Agreement to ensure the
17 protection of any PHI that will be disclosed.
18 NOW, THEREFORE, in consideration of their mutual covenants and conditions, the
19 parties hereto agree as follows:
20 A. The parties to this Agreement shall be in strict conformance with all
21 applicable Federal and State of California laws and regulations, including but not limited to
22 Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1
23 and 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the
24 California Civil Code and the Health Insurance Portability and Accountability Act (HIPAA),
25 including but not limited to Section 1320 D et seq. of Title 42, United States Code (USC) and
26 its implementing regulations, including, but not limited to Title 45, CFR, Sections 142, 160,
27 162, and 164, The Health Information Technology for Economic and Clinical Health Act
28 (HITECH) regarding the confidentiality and security of patient information, and the Genetic
1 - COUNTY OF FRESNO
Fresno, CA
1 Information Nondiscrimination Act (GINA) of 2008 regarding the confidentiality of genetic
2 information.
3 Except as otherwise provided in this Agreement, the BUSINESS
4 ASSOCIATE may use or disclose Protected Health Information (PHI) to perform functions,
5 activities, or services for or on behalf of the COUNTY OF FRESNO provided that such use or
6 disclosure shall not violate the Health Insurance Portability and Accountability Act (HIPAA),
7 USC 1320d et seq. The uses and disclosures of PHI may not be more expansive than those
8 applicable to the COUNTY OF FRESNO under the HIPAA Privacy Rule (45 CFR 164.500 et
9 seq.), except as authorized for management, administrative or legal responsibilities of the
10 BUSINESS ASSOCIATE.
11 B. The BUSINESS ASSOCIATE, including its subcontractors and
12 employees, shall protect PHI from unauthorized access, use, or disclosure of names and
13 other identifying information, including genetic information, concerning persons receiving
14 services pursuant to this Agreement, except where permitted in order to carry out data
15 aggregation purposes for health care operations [45 CFR Sections 164.504 (e)(2)(i), 164.504
16 (3)(2)(ii)(A), and 164.504 (e)(4)(i)]. This pertains to any and all persons receiving services
17 pursuant to a BUSINESS ASSOCIATE funded program. The BUSINESS ASSOCIATE shall
18 not use such identifying information or genetic information for any purpose other than carrying
19 out the BUSINESS ASSOCIATE's obligations under the mass envelope stuffing service to
20 assist with the mass mailing service.
21 C. The BUSINESS ASSOCIATE, including its subcontractors and
22 employees, shall not disclose any such identifying information or genetic information to any
23 person or entity, except as otherwise specifically permitted by this Agreement, authorized by
24 Subpart E of 45 CFR Part 164 or other law, required by the Secretary of the U.S.
25 Department of Health and Human Services (Secretary), or authorized by the client/patient in
26 writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, the
27 BUSINESS ASSOCIATE shall make reasonable efforts to limit PHI to the minimum necessary
28 to accomplish the intended purpose of use, disclosure, or request.
1 D. For purposes of the above sections, identifying information shall include,
2 but not be limited to name, identifying number, symbol, or other identifying data assigned to
3 the individual, such as finger or voice print, or photograph.
4 E. For purposes of the above sections, genetic information shall include
5 genetic tests of an individual or family members of an individual, manifestation of disease or
6 disorder of family members of an individual, or any request for or receipt of, genetic services
7 by individual or family members. Family member means a dependent or any person who is
8 first, second, third, or fourth degree relative.
9 F. The BUSINESS ASSOCIATE shall report to the COVERED ENTITY'S
10 HIPAA Representative, in writing, any knowledge or reasonable belief that there has been
11 unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI
12 not permitted by this Agreement of which it becomes aware, immediately and without
13 reasonable delay and in no case later than two (2) business days of discovery. The
14 notification shall include, to the extent possible, the identification of each individual whose
15 unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used,
16 disclosed, or breached.
17 The BUSINESS ASSOCIATE shall take prompt corrective action to cure any
18 deficiencies and any action pertaining to such unauthorized disclosure required by applicable
19 Federal and State Laws and regulations.
20 The BUSINESS ASSOCIATE shall investigate such breach and is responsible for
21 all notifications required by law and regulation or deemed necessary by the COUNTY OF
22 FRESNO and shall provide a written report of the investigation and reporting required to the
23 COVERED ENTITY'S HIPAA Representative. This written investigation and description of any
24 reporting necessary shall be postmarked within the thirty (30) working days of the discovery of
25 the breach to the addresses below:
26 County of Fresno Department of Behavioral Health
27 Covered Entity's HIPAA Representative
28 1925 E. Dakota Avenue
Fresno, CA 93726
1 (559) 600-6798
2 G. The BUSINESS ASSOCIATE shall make its internal practices, books, and
3 records relating to the use and disclosure of PHI received from the COUNTY OF FRESNO or
4 received by the BUSINESS ASSOCIATE on behalf of the COUNTY OF FRESNO, in
5 compliance with HIPAA's Privacy Rule, including, but not limited to the requirements set forth
6 in Title 45, CFR, Sections 160 and 164. The BUSINESS ASSOCIATE shall make its internal
7 practices, books, and records relating to the use and disclosure of PHI received from the
8 COUNTY OF FRESNO or received by the BUSINESS ASSOCIATE on behalf of the COUNTY
9 OF FRESNO, available to the Secretary upon demand.
10 The BUSINESS ASSOCIATE shall cooperate with the compliance and
11 investigation reviews conducted by the Secretary. PHI access to the Secretary must be
12 provided during the BUSINESS ASSOCIATE's normal business hours, however, upon exigent
13 circumstances access at any time must be granted. Upon the Secretary's compliance or
14 investigation review, if PHI is unavailable to the BUSINESS ASSOCIATE and in possession of
15 a subcontractor, it must certify efforts to obtain the information to the Secretary.
16 F. Safeguards
17 The BUSINESS ASSOCIATE shall implement administrative, physical,
18 and technical safeguards as required by the HIPAA Security Rule, Subpart C of 45 CFR 164,
19 that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI,
20 including electronic PHI, that it creates, receives, maintains, or transmits on behalf of the
21 COUNTY OF FRESNO and to prevent unauthorized access, viewing, use, disclosure, or
22 breach of PHI other than as provided for by this Agreement. The BUSINESS ASSOCIATE
23 shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities
24 to the confidentiality, integrity and availability of electronic PHI.
25 The BUSINESS ASSOCIATE shall develop and maintain a written
26 information privacy and security program that includes administrative, technical, and physical
27 safeguards appropriate to the size and complexity of the BUSINESS ASSOCIATE's
28 operations and the nature and scope of its activities. Upon the COUNTY OF FRESNO's
1 request, the BUSINESS ASSOCIATE shall provide the COUNTY OF FRESNO with
2 information concerning such safeguards.
3 The BUSINESS ASSOCIATE shall implement strong access controls and other
4 security safeguards and precautions to restrict logical and physical access to confidential,
5 personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and
6 precautions shall include the following administrative and technical password controls for all
7 systems used to process or store confidential, personal, or sensitive data:
8 1. Passwords must not be:
9 a. Shared or written down where they are accessible or recognizable by
10 anyone else, such as taped to computer screens, stored under
11 keyboards, or visible in a work area
12 b. A dictionary word; or
13 c. Stored in clear text
14 2. Passwords must be:
15 a. Eight (8) characters or more in length
16 b. Changed every ninety (90) days
17 c. Changed immediately if revealed or compromised; and
18 d. Composed of characters from at least three (3) of the following four (4)
19 groups from the standard keyboard:
20 1). Upper case letters (A-Z)
21 2). Lowercase letters (a-z)
22 3). Arabic numerals (0 through 9); and
23 4). Non-alphanumeric characters (punctuation symbols).
24 The BUSINESS ASSOCIATE shall implement the following security controls on
25 each workstation or portable computing device (e.g., laptop computer) containing confidential,
26 personal, or sensitive data:
27 1. Network-based firewall and/or personal firewall
28 2. Continuously updated anti-virus software; and
1 3. Patch management process including installation of all operating
2 system/software vendor security patches.
3 The BUSINESS ASSOCIATE shall utilize a commercial encryption solution that
4 has received FIPS 140-2 validation to encrypt all confidential, personal, or sensitive data
5 stored on portable electronic media (including, but not limited to, compact disks and thumb
6 drives) and on portable computing devices (including, but not limited to, laptop and notebook
7 computers).
8 The BUSINESS ASSOCIATE shall not transmit confidential, personal, or
9 sensitive data via e-mail or other internet transport protocol unless the data is encrypted by a
10 solution that has been validated by the National Institute of Standards and Technology (NIST)
11 as conforming to the Advanced Encryption Standard (AES) Algorithm. The BUSINESS
12 ASSOCIATE must apply appropriate sanctions against its employees who fail to comply with
13 these safeguards. The BUSINESS ASSOCIATE must adopt procedures for terminating
14 access to PHI when employment of an employee ends.
15 J. Mitigation of Harmful Effects
16 The BUSINESS ASSOCIATE shall mitigate, to the extent practicable, any
17 harmful effect that is suspected or known to the BUSINESS ASSOCIATE of an unauthorized
18 access, viewing, use, disclosure, or breach of PHI by the BUSINESS ASSOCIATE or its
19 subcontractors in violation of the requirements of these provisions. The BUSINESS
20 ASSOCIATE must document suspected or known harmful effects and the outcome.
21 K. BUSINESS ASSOCIATE's Subcontractors
22 The BUSINESS ASSOCIATE shall ensure that any of its employees,
23 including subcontractors, if applicable, to whom the BUSINESS ASSOCIATE provides PHI
24 received from or created or received by the BUSINESS ASSOCIATE on behalf of the
25 COUNTY OF FRESNO, agree to the same restrictions, safeguards, and conditions that apply
26 to the BUSINESS ASSOCIATE with respect to such PHI and to incorporate, when applicable,
27 the relevant provisions of these provisions into each subcontractor.
28 L. Employee Training and Discipline
1 The BUSINESS ASSOCIATE shall train and use reasonable measures to
2 ensure compliance with the requirements of these provisions by employees who assist in the
3 performance of functions or activities on behalf of the COUNTY OF FRESNO under this
4 Agreement and use or disclose PHI and discipline such employees who intentionally violate
5 any provisions of these provisions, including termination of employment.
6 M. Termination for Cause
7 Upon the COUNTY OF FRESNO's knowledge of a material breach of
8 these provisions by the BUSINESS ASSOCIATE, the COUNTY OF FRESNO shall either:
9 1. Provide an opportunity for the BUSINESS ASSOCIATE to cure the
10 breach or end the violation and terminate the Suspension of Competition Acquisition Request
11 if the BUSINESS ASSOCIATE does not cure the breach or end the violation within the time
12 specified by the COUNTY OF FRESNO; or
13 2. Immediately terminate the Suspension of Competition Acquisition
14 Request if the BUSINESS ASSOCIATE has breached a material term of these provisions and
15 cure is not possible.
16 3. If neither cure nor termination is feasible, the FRESNO COUNTY
17 COVERED ENTITY'S HIPAA Representative shall report the violation to the Secretary.
18 N. Judicial or Administrative Proceedings
19 The COUNTY OF FRESNO may terminate this Agreement in accordance
20 with the terms and conditions of this Agreement as written hereinabove, if: (1) the BUSINESS
21 ASSOCIATE is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or
22 Security Laws or the HITECH Act; or (2) a finding or stipulation that the BUSINESS
23 ASSOCIATE has violated a privacy or security standard or requirement of the HITECH Act,
24 HIPAA or other security or privacy laws in an administrative or civil proceeding in which the
25 BUSINESS ASSOCIATE is a party.
26 O. Effect of Termination
27 Upon termination or expiration of this Agreement for any reason, the
28 BUSINESS ASSOCIATE shall return or destroy all PHI received from the COUNTY OF
1 FRESNO or received by the BUSINESS ASSOCIATE on behalf of the COUNTY OF FRESNO
2 that the BUSINESS ASSOCIATE still maintains in any form and shall retain no copies of such
3 PHI. If return or destruction of PHI is not feasible, it shall continue to extend the protections of
4 these provisions to such information, and limit further use of such PHI to those purposes that
5 make the return or destruction of such PHI infeasible. This provision shall apply to PHI that is
6 in the possession of subcontractors or agents, if applicable, of the BUSINESS ASSOCIATE.
7 If the BUSINESS ASSOCIATE destroys the PHI data, a certification of date and time of
8 destruction shall be provided to the COUNTY OF FRESNO by the BUSINESS ASSOCIATE.
9 P. Disclaimer
10 The COUNTY OF FRESNO makes no warranty or representation that
11 compliance by the BUSINESS ASSOCIATE with these provisions, the HITECH Act, HIPAA,
12 or the HIPAA regulations will be adequate or satisfactory for the BUSINESS ASSOCIATE's
13 own purposes or that any information in the BUSINESS ASSOCIATE's possession or control,
14 or transmitted or received by the BUSINESS ASSOCIATE, is or will be secure from
15 unauthorized access, viewing, use, disclosure, or breach. The BUSINESS ASSOCIATE is
16 solely responsible for all decisions made by the BUSINESS ASSOCIATE regarding the
17 safeguarding of PHI.
18 Q. Amendment
19 The parties acknowledge that Federal and State laws relating to electronic
20 data security and privacy are rapidly evolving and that amendment of these provisions may be
21 required to provide for procedures to ensure compliance with such developments. The
22 parties specifically agree to take such action as is necessary to amend this agreement to
23 implement the standards and requirements of HIPAA, the HIPAA regulations, the HITECH
24 Act, and other applicable laws relating to the security or privacy of PHI. The COUNTY OF
25 FRESNO may terminate this Agreement upon thirty (30) days written notice if the BUSINESS
26 ASSOCIATE does not enter into an amendment providing assurances regarding the
27 safeguarding of PHI that the COUNTY OF FRESNO in its sole discretion, deems sufficient to
28 satisfy the standards and requirements of HIPAA, the HIPAA regulations and the HITECH
1 Act.
2 R. No Third-Party Beneficiaries
3 Nothing express or implied in the terms and conditions of these provisions
4 is intended to confer, nor shall anything herein confer, upon any person other than the
5 COUNTY OF FRESNO or the BUSINESS ASSOCIATE and their respective successors or
6 assignees, any rights, remedies, obligations, or liabilities whatsoever.
7 S. Interpretation
8 The terms and conditions in these provisions shall be interpreted as
9 broadly as necessary to implement and comply with HIPAA, the HIPAA regulations and
10 applicable State laws. The parties agree that any ambiguity in the terms and conditions of
11 these provisions shall be resolved in favor of a meaning that complies and is consistent with
12 HIPAA and the HIPAA regulations.
13 T. Regulatory References
14 A reference in the terms and conditions of these provisions to a section in
15 the HIPAA regulations means the section as in effect or as amended.
16 U. Survival
17 The respective rights and obligations of the BUSINESS ASSOCIATE as
18 stated in this Section shall survive the termination or expiration of this Agreement.
19 V. No Waiver of Obligations
20 No change, waiver or discharge of any liability or obligation hereunder on
21 any one or more occasions shall be deemed a waiver of performance of any continuing or
22 other obligation or shall prohibit enforcement of any obligation on any other occasion.
1 In witness whereof, the COUNTY OF FRESNO and the BUSINESS ASSOCIATE have
2 entered into this Agreement as of the Effective Date.
3
4 THE COUNTY OF FRESNO:
5 By: County of Fresno Department of Internal Services
6 Name: Gary Cornuelle
7 Title: Purchasing Manager
8 Date: Dec 9, 2022
9 Signature: Gary Cornuelle (Dec 9, 2022 14:14 PST)
10
11
12 THE BUSINESS ASSOCIATE:
13 By: Dumont Printing
14 Name: Susan D. Moore
15 Title: President/Owner
16 Date: Dec 9, 2022
17 Signature: Susan D. Moore (Dec 9, 2022 10:30 PST)