Central Unified School District-Fresno County Community Information Exchange BAA A-24-626_D-25-401.pdf
D-25-401

CENTRAL UNIFIED SCHOOL DISTRICT
5652 W. Gettysburg Avenue, Fresno, CA 93722
Phone: (559) 274-4700 Fax: (559) 271-8200
www.centralunified.org
BOARD OF TRUSTEES: Yesenia [illegible], Naindeep Singh Chan, Natalie Cha[illegible], Nabil Kherfan, Karla Kirk, Joshua Sellers, Jaspreet Sidhu
INTERIM SUPERINTENDENT: Dr. Eimear O'Brien

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is entered into and effective January 1, 2025, by and between Central Unified School District, ("Business Associate"), and County of Fresno, a political subdivision of the State of California ("Covered Entity"), on behalf of itself and its affiliates. Both parties hereby agree to this Business Associate Agreement and are referred to in this BAA individually as a ("Party") or collectively as the ("Parties").

RECITALS
A. County entered into a CIE Participation Agreement (CIE-PA) number A-24-626 with Manifest Medex (MX) and in that Agreement it states that any participants within the Community Information Exchange (CIE) would sign a Business Associate Agreement (BAA). CIE-PA extends only applicable sections to all Business Associates.
B. The LEA will collaborate with the County to enhance student safety and improve the coordination of care during the term of this Agreement. The primary objectives include the implementation of real-time notifications for individuals identified as at risk and the development of an early alert infrastructure within Fresno County. LEA may expand into higher levels of coordinated care under this Agreement.
Covered Entity and Business Associate have entered into an agreement pursuant to which Business Associate provides to Covered Entity certain services that now or in the future shall include, but not be limited to, the creation, receipt, maintenance, data analysis and/or transmission of Protected Health Information (defined below) (as defined in Health Insurance Portability and Accountability Act ("HIPAA") and related regulations), on behalf of Covered Entity, for a function or activity regulated by HIPAA (defined below).
In consideration of the foregoing recitals and the promises set forth herein, the Parties agree as follows:

I. Definitions. All capitalized terms used in this BAA not specifically defined otherwise below or in the CIE-PA shall have the same definitions as given to them under HIPAA.
a. "Breach of Privacy or Security" means any access, use, receipt or disclosure of PHI (including electronic PHI) that is not in compliance with Law.
b. "HIPAA" means the Health Insurance Portability and Accountability Act and related regulations.
c. "Protected Health Information" or "PHI" has the meaning as the term is defined at 45 C.F.R. § 160.103, except that as used herein, the term shall refer only to Protected Information that Business Associate creates, receives, maintains or transmits on behalf of or from Covered Entity pursuant to the CIE-PA.

District Administration: Tami Boatright, Ed.D., Assistant Superintendent, Educational Services; Amer Iqbal, Assistant Superintendent, Chief Business Officer; Marilyn Lopez, Ed.D., Assistant Superintendent, Student and Family Services

II. Obligations of Business Associate.
a. Compliance with Regulatory Obligations of Business Associate. Business Associate shall perform and comply with all the applicable obligations and requirements imposed upon business associates pursuant to HIPAA.
b. Permitted Receipt, Use and Disclosure of PHI.
Business Associate may receive, Use and Disclose PHI to the minimum extent necessary to perform Business Associate's obligations, functions, activities and/or services under the CIE-PA, and as otherwise permitted or required by this BAA, the CIE-PA, or Law. Business Associate shall not Use or Disclose PHI in any manner that would violate the requirements of HIPAA if done by Covered Entity.
c. Specified Permitted Uses of PHI. Without limiting the generality of Section II.b (Permitted Use and Disclosure of PHI), Business Associate may Use PHI as follows:
(A) For the proper management and administration of Business Associate.
(B) To carry out the legal responsibilities of Business Associate.
(C) To provide Data Aggregation services relating to the Health Care Operations of Covered Entity or, if applicable, an organized health care arrangement of which the Covered Entity is a member if and to the extent provided by the CIE-PA or other agreement.
(D) To perform services related to the creation of De-Identified Data.
(E) To perform quality improvement activities by the Covered Entity and to assist in identifying appropriate additional care alternatives.
d. Specified Permitted Disclosures of PHI. Without limiting the generality of Section II.b (Permitted Receipt, Use and Disclosure of PHI), Business Associate may Disclose PHI as follows:
(A) Pursuant to the direction of the Covered Entity; and
(B) For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if:
i. If the disclosure is required by law; or
ii.
If Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will be held confidentially and Used or further Disclosed only as required by law or for the purposes for which it was Disclosed to the person, and if the person promptly notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
e. Specified Permitted Receipt of PHI. Without limiting the generality of Section 2(b) (Permitted Receipt, Use and Disclosure of PHI), and in addition to Business Associate being permitted to disclose PHI to its Subcontractors subject to section (h) below, Business Associate may receive PHI from another business associate of Covered Entity pursuant to the direction of the Covered Entity.
f. Safeguards. Business Associate shall Use appropriate safeguards and comply, where applicable, with 45 C.F.R. §§ 164.302 through 164.316 with respect to electronic PHI and will apply appropriate safeguards to prevent the Use or Disclosure of the PHI in any form, including electronic form other than as provided for by this BAA.
g. Reporting Unauthorized Uses and Disclosures. Business Associate shall report to Covered Entity, without unreasonable delay, and in accordance with the deadlines provided below, any Use or Disclosure of PHI not permitted by this BAA of which Business Associate becomes aware, including any Breach of Privacy or Security as defined in the CIE-PA. Without limiting the generality of the foregoing:
i. Reporting of Breaches of Privacy or Security.
(A) Following the discovery of (i) any access to, Use or Disclosure of PHI which is not permitted by the CIE-PA Agreement or (ii) any Security Incident, Business Associate shall notify Covered Entity by contacting Covered Entity's designated privacy contact person without unreasonable delay, and in no case later than forty-eight (48) hours after discovery of the Breach of Privacy or Security or Security Incident; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI. Covered Entity will advise Business Associate of any subsequent changes to the privacy contact person's contact information.
(B) In the event of a Breach of Privacy or Security, Business Associate shall without unreasonable delay carry out an investigation and shall provide reasonably frequent updates to Covered Entity as to the results of the investigation, including, as soon as reasonably possible, the identification of each Patient whose PHI has been, or is reasonably believed to have been, accessed, acquired, or Disclosed during any Breach of Privacy or Security.
(C) Business Associate shall cooperate with Covered Entity and shall provide that assistance as Covered Entity may reasonably request so that Covered Entity may comply with any obligations it may have to investigate, remediate, mitigate, report, and/or otherwise notify third parties of that Breach of Privacy or Security.
h. Arrangements with Subcontractors.
Business Associate shall enter into a BAA with any Subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate, pursuant to which the Subcontractor shall agree to comply with the applicable requirements of HIPAA and the same (or more stringent) restrictions and conditions that apply to Business Associate with respect to that PHI pursuant to this BAA, and pursuant to which Business Associate shall obtain satisfactory assurances that the Subcontractor shall appropriately safeguard that PHI.
i. Site Training. Business Associate shall comply with all training requirements with respect to handling PHI and will ensure that all sites within Business Associate's purview will similarly comply so that PHI is only being handled by individuals with proper training regarding HIPAA and other applicable laws.
j. Individuals' Access to PHI. Business Associate shall make available PHI in a designated record set as necessary to satisfy the requirements of 45 C.F.R. § 164.524.
k. Individuals' Request for Amendments to PHI. Business Associate shall incorporate amendments to PHI as and to the extent required for compliance with 45 C.F.R. § 164.526.
l. Individuals' Requests for Accountings of Disclosures. Business Associate shall document Disclosures of PHI and provide information sufficient to respond to a request by a Patient for an Accounting of Disclosures in compliance with 45 C.F.R. § 164.528.
m. Other Obligations.
To the extent that Business Associate is, pursuant to the CIE-PA or this BAA, responsible to carry out an obligation of Covered Entity under HIPAA, Business Associate shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of that obligation.
n. Books and Records. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity's or Business Associate's compliance under HIPAA.

II. Obligations of Covered Entity.
a. Notice of Change in Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that that limitation may affect Business Associate's Use or Disclosure of PHI, as soon as reasonably practicable, and in no case more than ten (10) business days after the change to the notice of privacy practices containing such limitation.
b. Notice of Change in Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to Use or Disclose PHI, to the extent that that change may affect Business Associate's Use or Disclosure of PHI, as soon as reasonably practicable, and in no case more than ten (10) business days after the date when Covered Entity learns of the change in permissions. Business Associate shall abide by each change in, or revocation of, permission described above in this clause (b).
c. Notice of Change in Use. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R.
§ 164.522, to the extent that that restriction may affect Business Associate's Use or Disclosure of PHI, as soon as reasonably practicable, and in no case more than ten (10) business days after the date when Covered Entity learns of the restriction. Business Associate shall abide by each restriction described above in this clause (c).
d. Appropriate Requests. Covered Entity shall not request that Business Associate Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

III. Term and Termination.
a. Term. Subject to the other provisions of this Section IV (Term and Termination), the term of this BAA shall be coextensive with that of the CIE-PA.
b. Breach Pattern of Practice. If a Party knows of a pattern of activity or practice by the other Party that constitutes a material breach or violation of its obligations under HIPAA or this BAA, such Party shall notify the other Party of that breach. If such other Party is unsuccessful in curing that breach within a reasonable time period specified by the notifying Party, the notifying Party may terminate this BAA and the CIE-PA, if feasible, upon written notice to the other Party.
c. Conduct Upon Termination. Upon termination or expiration of this BAA, Business Associate and Covered Entity acknowledge that return or destruction of PHI is not feasible.
Accordingly, Business Associate shall extend the protections of this BAA, including Section 2(e) (Safeguards), to any that PHI for so long as it is not destroyed, and limit further uses and Disclosures of that PHI to those purposes that make the return or destruction not feasible, for as long as Business Associate or any Subcontractor of Business Associate maintains that PHI. Upon the expiration of this period of infeasibility, if any, Business Associate shall destroy all PHI that it has retained. If PHI is to be destroyed pursuant to this Section 4(c) (Conduct Upon Termination) or pursuant to the Participation Agreement, Business Associate shall certify in writing to Covered Entity that that PHI has been destroyed.

IV. Relationship to CIE-PA. In the event that a provision of this BAA is contrary to a provision of the CIE-PA pertaining to Business Associate's performance of its obligations as a business associate, the provisions of BAA shall control.

V. Cooperation. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.

VI. Amendment. The Parties agree to take that action from time to time as is necessary to amend this BAA for Covered Entity and Business Associate to comply with HIPAA or other applicable law. The Parties agree that this BAA may only be modified by mutual written amendment, signed by both Parties, effective on the date set forth in the amendment.

VII. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.

In witness whereof, Covered Entity and Business Associate have entered into this BAA as of the Effective Date.

Business Associate
By: [signature]
Name: Amer Iqbal
Title: Assistant Superintendent, Executive Services
Date: [illegible]

Covered Entity
By: [signature]
Name: David Luchini
Title: Public Health Director
Date: [illegible]