P-23-253 Amend 1
Consultant Services
Meridian Healthcare Management LLC
AMENDMENT NO. 1 TO SERVICE AGREEMENT
This Amendment No. 1 to Service Agreement P-23-253 ("Amendment No. 1") is dated
September 20, 2023 and is between Meridian Healthcare Management, LLC, a California
limited liability company ("Contractor"), and the County of Fresno, a political subdivision of the
State of California ("County").
Recitals
A. On July 12, 2023, the County and the Contractor entered into a service agreement,
which is County agreement number P-23-253 ("Agreement"), so that Contractor could provide a
comprehensive evaluation of a healthcare proposal for County's correctional and juvenile
detention facilities, as well as recommendations for reporting and monitoring procedures and
practices for the ongoing evaluation of the correctional medicine health care agreement.
B. County and Contractor now anticipate that Contractor may need access to County's
Protected Health Information (PHI) to perform functions, activities, or services to the County
under the terms of the Agreement.
C. The County and the Contractor desire to amend the Agreement to include a Health
Insurance Portability and Accountability Act (HIPAA) Business Associate, as defined by 45 CFR
160.103, agreement to comply with the Business Associate requirements of HIPAA, and to
protect the privacy and provide for the security of PHI disclosed by County to Contractor during
the term of this Agreement.
The parties therefore agree as follows:
1. Article 1 of the Agreement shall be revised to add a new subsection 1.6, as follows:
"1.6 HIPAA Compliance. Contractor agrees to comply with all provisions of Exhibit E,
Health Insurance Portability and Accountability Act (HIPAA) Business Associate agreement,
attached and incorporated by this reference."
COUNTY and CONTRACTOR agree that this First Amendment is sufficient to amend the
Agreement and, that upon execution of this First Amendment, the Agreement and this First
Amendment together shall be considered the Agreement.
The Agreement, as hereby amended, is ratified and continued. All provisions, terms,
covenants, conditions, and promises contained in the Agreement and not amended herein shall
remain in full force and effect.
The parties are signing this Amendment No. 1 on the date stated in the introductory clause.
Meridian Healthcare Management, LLC
Tyler Whitezell, Manager
8605 Santa Monica Blvd.
PMB 828397
West Hollywood, CA 90069-4109 US

COUNTY OF FRESNO
Digitally signed by Gary Cornuelle
Date: 2023.09.20 12:42:59 -07'00'
Gary Cornuelle, Purchasing Manager
333 W. Pontiac Way
Clovis, CA 93612

For accounting use only:
Org No.: 2540
Account No.: 7295
Fund No.: 0001
Subclass No.: 10000
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
1. The County is a "Covered Entity," and the Contractor is a "Business Associate,"
as these terms are defined by 45 CFR 160.103. In connection with providing services under the
Agreement, the parties anticipate that the Contractor will create and/or receive Protected Health
Information ("PHI") from or on behalf of the County. The parties enter into this Business
Associate Agreement (BAA) to comply with the Business Associate requirements of HIPAA, to
govern the use and disclosures of PHI under this Agreement. "HIPAA Rules" shall mean the
Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
The parties to this Agreement shall be in strict conformance with all applicable federal
and State of California laws and regulations, including, but not limited to California Welfare and
Institutions Code sections 5328, 10850, and 14100.2 et seq.; 42 CFR 2; 42 CFR 431; California
Civil Code section 56 et seq.; the Health Insurance Portability and Accountability Act of 1996, as
amended ("HIPAA"), including, but not limited to, 45 CFR Parts 160, 45 CFR 162, and 45 CFR
164; the Health Information Technology for Economic and Clinical Health Act ("HITECH")
regarding the confidentiality and security of patient information, including, but not limited to 42
USC 17901 et seq.; and the Genetic Information Nondiscrimination Act ("GINA") of 2008
regarding the confidentiality of genetic information.
Except as otherwise provided in this Agreement, the Contractor, as a business associate
of the County, may use or disclose Protected Health Information ("PHI") to perform functions,
activities or services for or on behalf of the County, as specified in this Agreement, provided that
such use or disclosure shall not violate HIPAA Rules. The uses and disclosures of PHI may not
be more expansive than those applicable to the County, as the "Covered Entity" under the
HIPAA Rules, except as authorized for management, administrative or legal responsibilities of
the Contractor.
2. The Contractor, including its subcontractors and employees, shall protect from
unauthorized access, use, or disclosure of names and other identifying information, including
genetic information, concerning persons receiving services pursuant to this Agreement, except
where permitted in order to carry out data aggregation purposes for health care operations [45
CFR §§ 164.504(e)(2)(i), 164.504(e)(2)(ii)(A), and 164.504(e)(4)(i)]. This pertains to any and all
persons receiving services pursuant to a County-funded program. This requirement applies to
electronic PHI. The Contractor shall not use such identifying information or genetic information
for any purpose other than carrying out the Contractor's obligations under this Agreement.
3. The Contractor, including its subcontractors and employees, shall not disclose
any such identifying information or genetic information to any person or entity, except as
otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164
or other law, required by the Secretary of the United States Department of Health and Human
Services ("Secretary"), or authorized by the client/patient in writing. In using or disclosing PHI
that is permitted by this Agreement or authorized by law, the Contractor shall make reasonable
efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure
or request.
4. For purposes of the above sections, identifying information shall include, but not
be limited to, name, identifying number, symbol, or other identifying particular assigned to the
individual, such as fingerprint or voiceprint, or photograph.
5. For purposes of the above sections, genetic information shall include genetic
tests of family members of an individual or individual(s), manifestation of disease or disorder of
family members of an individual, or any request for or receipt of genetic services by individual or
family members. Family member means a dependent or any person who is first, second, third,
or fourth degree relative.
6. The Contractor shall provide access, at the request of the County, and in the time
and manner designated by the County, to PHI in a designated record set (as defined in 45 CFR
§ 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR §
164.524 regarding access by individuals to their PHI. With respect to individual requests,
access shall be provided within thirty (30) days from request. Access may be extended if the
Contractor cannot provide access and provides the individual with the reasons for the delay and
the date when access may be granted. PHI shall be provided in the form and format requested
by the individual or the County.
The Contractor shall make any amendment(s) to PHI in a designated record set at the
request of the County or individual, and in the time and manner designated by the County in
accordance with 45 CFR § 164.526.
The Contractor shall provide to the County or to an individual, in a time and manner
designated by the County, information collected in accordance with 45 CFR § 164.528, to permit
the County to respond to a request by the individual for an accounting of disclosures of PHI in
accordance with 45 CFR § 164.528.
7. The Contractor shall report to the County, in writing, any knowledge or
reasonable belief that there has been unauthorized access, viewing, use, disclosure, security
incident, or breach of unsecured PHI not permitted by this Agreement of which the Contractor
becomes aware, immediately and without reasonable delay and in no case later than two (2)
business days of discovery. Immediate notification shall be made to the County's Information
Security Officer and Privacy Officer and the County's Department of Public Health ("DPH")
HIPAA Representative, within two (2) business days of discovery. The notification shall include,
to the extent possible, the identification of each individual whose unsecured PHI has been, or is
reasonably believed to have been, accessed, acquired, used, disclosed, or breached. The
Contractor shall take prompt corrective action to cure any deficiencies and any action pertaining
to such unauthorized disclosure required by applicable federal and State laws and regulations.
The Contractor shall investigate such breach and is responsible for all notifications required by
law and regulation or deemed necessary by the County and shall provide a written report of the
investigation and reporting required to the County's Information Security Officer and Privacy
Officer and the County's DPH HIPAA Representative.
This written investigation and description of any reporting necessary shall be
postmarked within the thirty (30) working days of the discovery of the breach to the addresses
below:
County of Fresno
Department of Public Health
HIPAA Representative
(559) 600-6439
P.O. Box 11867
Fresno, California 93775

County of Fresno
Department of Public Health
Privacy Officer
(559) 600-6405
P.O. Box 11867
Fresno, California 9377

County of Fresno
Department of Internal Services
Information Security Officer
(559) 600-5800
2048 North Fine Street
Fresno, California 93727
8. The Contractor shall make its internal practices, books, and records relating to
the use and disclosure of PHI received from the County, or created or received by the Contractor
on behalf of the County, in compliance with the HIPAA Rules. The Contractor shall make
its internal practices, books, and records relating to the use and disclosure of PHI received from
the County, or created or received by the Contractor on behalf of the County, available to the
Secretary upon demand.
The Contractor shall cooperate with the compliance and investigation reviews conducted
by the Secretary. PHI access to the Secretary must be provided during the Contractor's normal
business hours; however, upon exigent circumstances access at any time must be granted.
Upon the Secretary's compliance or investigation review, if PHI is unavailable to the Contractor
and in possession of a subcontractor of the Contractor, the Contractor must certify to the
Secretary its efforts to obtain the information from the subcontractor.
9. Safeguards
The Contractor shall implement administrative, physical, and technical safeguards as
required by the HIPAA Security Rule, Subpart C of 45 CFR Part 164, that reasonably and
appropriately protect the confidentiality, integrity, and availability of PHI, including electronic
PHI, that it creates, receives, maintains or transmits on behalf of the County and to prevent
unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by
this Agreement. The Contractor shall conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI.
The Contractor shall develop and maintain a written information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Contractor's operations and the nature and scope of its activities. Upon the
County's request, the Contractor shall provide the County with information concerning such
safeguards.
The Contractor shall implement strong access controls and other security safeguards
and precautions in order to restrict logical and physical access to confidential, personal (e.g.,
PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include
the following administrative and technical password controls for all systems used to process or
store confidential, personal, or sensitive data:
A. Passwords must not be:
(1) Shared or written down where they are accessible or recognizable by anyone
else; such as taped to computer screens, stored under keyboards, or visible
in a work area;
(2) A dictionary word; or
(3) Stored in clear text.
B. Passwords must be:
(1) Eight (8) characters or more in length;
(2) Changed every ninety (90) days;
(3) Changed immediately if revealed or compromised; and
(4) Composed of characters from at least three (3) of the following four (4)
groups from the standard keyboard:
a) Upper case letters (A-Z);
b) Lowercase letters (a-z);
c) Arabic numerals (0 through 9); and
d) Non-alphanumeric characters (punctuation symbols).
The Contractor shall implement the following security controls on each workstation or
portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive
data:
1. Network-based firewall and/or personal firewall;
2. Continuously updated anti-virus software; and
3. Patch management process including installation of all operating system/software
vendor security patches.
The Contractor shall utilize a commercial encryption solution that has received FIPS
140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable
electronic media (including, but not limited to, compact disks and thumb drives) and on portable
computing devices (including, but not limited to, laptop and notebook computers).
The Contractor shall not transmit confidential, personal, or sensitive data via e-mail or
other internet transport protocol unless the data is encrypted by a solution that has been
validated by the National Institute of Standards and Technology (NIST) as conforming to the
Advanced Encryption Standard (AES) Algorithm. The Contractor must apply appropriate
sanctions against its employees who fail to comply with these safeguards. The Contractor must
adopt procedures for terminating access to PHI when employment of employee ends.
10. Mitigation of Harmful Effects
The Contractor shall mitigate, to the extent practicable, any harmful effect that is
suspected or known to the Contractor of an unauthorized access, viewing, use, disclosure, or
breach of PHI by the Contractor or its subcontractors in violation of the requirements of these
provisions. The Contractor must document suspected or known harmful effects and the
outcome.
11. The Contractor's Subcontractors
The Contractor shall ensure that any of its contractors, including subcontractors, if
applicable, to whom the Contractor provides PHI received from or created or received by the
Contractor on behalf of the County, agree to the same restrictions, safeguards, and conditions
that apply to the Contractor with respect to such PHI and to incorporate, when applicable, the
relevant provisions of these provisions into each subcontract or sub-award to such agents or
subcontractors.
Nothing in this section 11 or this Exhibit E authorizes the Contractor to perform
services under this Agreement using subcontractors.
12. Employee Training and Discipline
The Contractor shall train and use reasonable measures to ensure compliance with the
requirements of these provisions by employees who assist in the performance of functions or
activities on behalf of the County under this Agreement and use or disclose PHI, and discipline
such employees who intentionally violate any provisions of these provisions, which may include
termination of employment.
13. Termination for Cause
Upon the County's knowledge of a material breach of these provisions by the Contractor,
the County will either:
A. Provide an opportunity for the Contractor to cure the breach or end the
violation, and the County may terminate this Agreement if the Contractor does not cure the
breach or end the violation within the time specified by the County; or
B. Immediately terminate this Agreement if the Contractor has breached a
material term of this Exhibit E and cure is not possible, as determined by the County.
C. If neither cure nor termination is feasible, the County's Privacy Officer will
report the violation to the Secretary of the U.S. Department of Health and Human Services.
14. Judicial or Administrative Proceedings
The County may terminate this Agreement if: (1) the Contractor is found guilty in a
criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or
(2) there is a finding or stipulation in an administrative or civil proceeding in which the Contractor
is a party that the Contractor has violated a privacy or security standard or requirement of the
HITECH Act, HIPAA or other security or privacy laws.
15. Effect of Termination
Upon termination or expiration of this Agreement for any reason, the Contractor shall
return or destroy all PHI received from the County (or created or received by the Contractor on
behalf of the County) that the Contractor still maintains in any form, and shall retain no copies of
such PHI. If return or destruction of PHI is not feasible, the Contractor shall continue to extend
the protections of these provisions to such information, and limit further use of such PHI to those
purposes that make the return or destruction of such PHI infeasible. This provision applies to
PHI that is in the possession of subcontractors or agents, if applicable, of the Contractor. If the
Contractor destroys the PHI data, a certification of date and time of destruction shall be
provided to the County by the Contractor.
16. Compliance with Other Laws
To the extent that other state and/or federal laws provide additional, stricter and/or more
protective privacy and/or security protections to PHI or other confidential information covered
under this BAA, the Contractor agrees to comply with the more protective of the privacy and
security standards set forth in the applicable state or federal laws to the extent such standards
provide a greater degree of protection and security than HIPAA Rules or are otherwise more
favorable to the individual.
17. Disclaimer
The County makes no warranty or representation that compliance by the Contractor with
these provisions, the HITECH Act, or the HIPAA Rules, will be adequate or satisfactory for the
Contractor's own purposes or that any information in the Contractor's possession or control, or
transmitted or received by the Contractor, is or will be secure from unauthorized access,
viewing, use, disclosure, or breach. The Contractor is solely responsible for all decisions made
by the Contractor regarding the safeguarding of PHI.
18. Amendment
The parties acknowledge that Federal and State laws relating to electronic data security
and privacy are rapidly evolving and that amendment of this Exhibit E may be required to
provide for procedures to ensure compliance with such developments. The parties specifically
agree to take such action as is necessary to amend this agreement in order to implement the
standards and requirements of the HIPAA Rules, the HITECH Act and other applicable laws
relating to the security or privacy of PHI. The County may terminate this Agreement upon thirty
(30) days written notice in the event that the Contractor does not enter into an amendment
providing assurances regarding the safeguarding of PHI that the County in its sole discretion,
deems sufficient to satisfy the standards and requirements of the HIPAA Rules, and the
HITECH Act.
19. No Third-Party Beneficiaries
Nothing expressed or implied in the provisions of this Exhibit E is intended to confer, and
nothing in this Exhibit E does confer, upon any person other than the County or the
Contractor and their respective successors or assignees, any rights, remedies, obligations or
liabilities whatsoever.
20. Interpretation
The provisions of this Exhibit E shall be interpreted as broadly as necessary to
implement and comply with the HIPAA Rules, and applicable State laws. The parties agree that
any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a
meaning that complies and is consistent with the HIPAA Rules.
21. Regulatory References
A reference in the terms and conditions of these provisions to a section in the HIPAA
Rules means the section as in effect or as amended.
22. Survival
The respective rights and obligations of the Contractor as stated in this Exhibit E survive
the termination or expiration of this Agreement.
23. No Waiver of Obligation
Change, waiver or discharge by the County of any liability or obligation of the Contractor
under this Exhibit E on any one or more occasions is not a waiver of performance of any
continuing or other obligation of the Contractor and does not prohibit enforcement by the County
of any obligation on any other occasion.