The URL can be used to link to this page

Home My WebLink About29078CONTRACT INFORMATION SHEE"F ------------------------------~~ DATE: 1/11/17 Contract No.: P-17-012-1 Vendor Number: 0000278136 Contract Title: County Claim Reports Name/Address: Dimension Reports LLC Subscription 6261 Hazel Ave Orangevale , CA 95662 Contract Period: 1/1/17-12/3 1/17 Representative: Orri Rail Using Agencies: DBH Phone No.: 916-524-8080 Email: orri@dimensionreports .com Terms: NET 45 Total Contract Amt.: $33,500 Buyer Name: Nick Chin Requisition No: 5631700399 -----------------------Org: 56302005 Supersedes: OO NEW L__ _ _,l RENEWAL L....._ _ _JI AMENDMENT 00 TICKDATE 10/1 /17 D REFERENCE (RFQ# I RFP#) DESCRIPTION : 1 year subscription. No Renewals . SPECIAL INSTRUCTIONS: DISTRIBUTION : Completed By: Date: Completed By : Date DEPARTMENT: _D_SS ________ _ REQUISITIONER: Sean Patterson Tan im ara Puent e Rev 1/3/20 17 ? -\":1---0.1. ?-.. -:r.. COUNTY CLAIM REPORTS Subscription Agreement Dimension Reports LLC COUNTY CLAIM REPORTS SUSCRIPTION AGREEMENT THIS COUNTY CLAIM REPORTS SUBSCRIPTION AGREEMENT (the "Agreement") is entered into effective the 1st day of January, 2017 by and between County of Fresno, Dept. of Behavioral Health, a county public agency hereinafter referred to as "Client", located at 4441 E Kings Canyon Rd, Fresno, CA, 93702, and DIMENSION REPORTS LLC, a California Limited Liability Company, hereinafter referred to as "Dimension Reports", located at 6261 Hazel Ave, Orangevale, CA, 95662. SUMMARY Behavioral Health claims processed through The California Department of Health Care Services (DHCS) use 837 and 835 X12 HIPAA formatted files to communicate with county entities. 837 X12 HIPAA are submitted by the county entity and DHCS in return sends the 835 X12 HIPAA response. Client wishes to contract with Dimension Reports to perform reporting on the 837 and 835 X12 HIPAA files. NOW THEREFORE, in consideration of the covenants, conditions, agreements, and stipulations hereinafter expressed, the parties agree as follows: ASSUMPTIONS • 350,000-400,000 claims annually (for all payers combined) • DMH and ADP payers • 5010 837 and 835 Transactions • Internet Explorer 9+, Firefox 4+, Chrome 5+ and Safari 5+ browser support REPORT TYPES The Core Reports are Provider and 835 Claim Response based; these are the primary reports. The Supplemental Reports are specialized for denied claims and fiscal Aid Code categories; these are optional reports. REFRESH FREQUENCY The Refresh Frequency refers to the number of times 837/835 EDI files are processed and new reports published. Dimension Reports provides the following refresh frequency: • • • • QUARTERLY -Once every 3 months MONTHLY -One day per month WEEKLY -One day per week Core Reports 1. By Provider (Program Code) Users will be able to view claim data by provider within a fiscal year (by service date). Provider groups (Program Codes) will let providers (reporting units) to be grouped and viewed individually. Data can be viewed at a summary level (sum of all provider groups within a fiscal year) as well as at claim level details. All data can be viewed in Excel. 2. By Claim Response (835) Users will be able to view claim data by 835 response within a fiscal year (by warrant date). Selecting individual warrants will show all claim information related to warrant. Users w i ll be able to filter by approved and denied responses. Data can be viewed at a summary level (sum of claim within an 835 response) as well as claims details. All data can be viewed in Excel. • Supplemental Reports 1. Den ial Reports Users will be able to view denied claim data by denial r eason. Denial reasons will be grouped by CO Reasons 1-4 and Remark Codes. User will be able to filter the denials by Provider Group {Program Code). Data can be viewed at a summary level (sum of all denial reasons within a fiscal yea r ) as well as at claim level details . All data can be viewed in Excel. 2. Fiscal Reports Users will be able to view claim data by Aid Code Category (i.e. FFP, Refugee). The Aid Code categories will be cross-walked using the member aid code (from 835 file). Payments will be shown in the appropriate bucket (i.e. County vs . Federal). Data can be viewed at a summary level (sum by Aid Code Category) to service date details. All data can be viewed in Excel. 3 . 276/277 Reports Users will be able to view pending claim data with state reasons fo r why a cla i m is st i ll pend i ng. This involves generating a 276 file every 120 days with claims being in pending status for longer than six mont hs. County will need to submit the 276 file to DHCS. DHCS will in return generate a 277 with reason codes that will be processed into the report. The report will update all pending claims that get an 835 status . COST The following cost sheet is based on an annual subscription. Choose ONE. REFRESH FREQUENCY REPORT TYPES MONTHLY WEEKLY DAILY Core $29,000/year D $33,000/year D $44,000/year D Core+ Supplemental $33,500/year ~ $38,000/year D $48,500/year D One Time cost to process historical4010 files: $3,500 0 INCLUDED IN COST • All historical fiscal years of 5010 837 and 835 files (optional 401 0) • Claim detail reporting • Full support for any issues that may occur due to the reporting software • 5 hours per month of any additional consulting support • HIPAA Secure Server (SFTP) for all file transfers (EDI and report files) • Web Portal to manage issues and tasks PAYMENT OPTIONS Based on the selected cost option; invoicing will be issued for one of the following installment p l ans. Choose ONE. D Annual D Semi-Annual D Quarterly D Monthly FREE TRIAL REPORTS As part of a providing free trial reports, Dimension Reports shall process 837/835 files spanning one or more fiscal years and provide reports with up to three (3) service months of claim line data Choose ONE. ~ Yes, we elect trial reports D No, we don't wish for trial reports Services Provided by Dimension Reports; Standard of Performance Dimension Reports shall obtain 5010 837 and 835 files through Secure File Transport (SFTP) server. The EDI files should be provided or obtained to Dimension Reports in the same format in which it is processed from The Department of Healthcare Services (DHCS}, which should be electronic downloadable format. As a product of this service, Dimension Reports shall produce report files using claim information stored in the EDI files All services provided by Dimension Reports shall meet or exceed professionally recognized industry standards for quality, completeness, accuracy, timeliness, security and confidentiality and shall be performed in compliance with all applicable law, regulatory agency guidelines and Client's Government Contracts, including but not limited to the requirements summarized in Exhibit 1 of this Agreement, which is attached hereto and incorporated herein by reference. Deliverables Dimension Reports shall deliver the report files to Client in electronic downloadable format. The product will be delivered either on Client's Secure File Transfer Protocol (SFTP) server or on the Service Provider's public SFTP server. In case of use of Client's SFTP server for deliverable, Client shall provide Dimension Reports necessary access rights for SFTP server. Dimension Reports will copy the deliverables in standard ASCII format. In case of use of Dimension Reports public SFTP server, Dimension Reports will provide Client necessary access right on the SFTP server to download the deliverables. Free Trial In the event Client elects trial reports, Dimension Reports shall process 837/835 files spanning one or more fiscal years and provide reports with up to three (3) service months of claim line data. After client completes review of trial reports and elects not to move ahead with a subscription, no payments will be invoiced and this agreement shall terminate. Confidentiality During the course of this Agreement, each party may be given access to information in tangible, electronic downloadable/non-downloadable, or online form that relates to the other's past, present, and future research, development, business activities, products, services, technical knowledge, and customer information, including but not limited to protected health information, which is identified by the discloser as confidential or which would be understood to be confidential by a reasonable person under the circumstances ("Confidential Information"). Each party will protect the confidentiality of the Confidential Information of the other in the same manner that it protects the confidentiality of its own similar information, but in no event using less than a reasonable standard of care. Each party will restrict access to the Confidential Information to those of its personnel (including such personnel employed by its affiliates) and subcontracts engaged in the performance, management, receipt or use of the Services under this Agreement, provided that such parties are bound by obligations of confidentiality substantially similar to the terms of this Agreement. Dimension Reports shall execute and maintain during the course of this Agreement the Business Associate Agreement at Exhibit 2, which is attached hereto and incorporated by reference herein. A breach of the Business Associate Agreement shall constitute a material breach of this Agreement. Warranties This is a subscription agreement. In providing professional services, Dimension Reports warrants that it will perform such services in good faith and in a professional manner that the report files it sends to Client will contain information from the 5010 837/835 files, and that services will be provided in compliance with all applicable federal, state, and local laws and regulations. Dimension Reports disclaims all other warranties, either express, implied or statutory, including, without limitation, warranties of merchantability and fitness for any purpose other than the purpose for which the report files would normally be used. Non-Exclusivity This agreement shall not preclude or limit in any way (i) the right of Dimension Reports to provide consulting or other services of any kind or nature whatsoever to any individual or entity as Dimension Reports in its sole discretion deems appropriate, as long as such services do not breach the confidentiality of Client confidential information; or (ii) developing for itself or for others, materials that are competitive with those produced as a result of the services provided, irrespective of their similarity to the Deliverables. Proprietary Rights This is an Agreement for services and Client is not granted any license hereunder. All technical/non-technical materials, tools, methodologies, and/or analytical models that Dimension Reports will use to produce tangible, downloadable or online products for this service are and shall remain the sole and exclusive property of Dimension Reports. Termination This Agreement does not enforce any long term commitment or contract between the two parties. This Agreement will be enforceable on a one (1) year basis and may be terminated at any time by giving at least thirty (30) days prior written termination notice to the other party. Client agrees to pay all pending service cost due and payable within thirty days after termination of the Agreement. Data Disclosures Dimension Reports shall not disclose, sell or rent Client information and health claim information (the Data) stored in the 837/835 EDI files provided by Client unless required by order or other requirement of a court, administrative agency, or other governmental body or applicable law. Notwithstanding the above, Client expressly permits Dimension Reports to use and/or disclose the Data to personnel who access, process, and manage the Data in connection to provide the services to meet the obligation set forth in this Agreement. Dimension Reports shall not retain or store the Data in any form for its research, marketing, or financial/non- financial purposes, however, Dimension Reports shall retain such books, records and papers concerning its performance of duties hereunder that will enable regulatory agencies and/or Client to monitor and oversee such performance. Password In case Client agrees to use Dimension Reports' SFTP server, the Dimension Reports will provide Client necessary user name, password, and access rights to connect and download the electronic files from the server. It will be Client's responsibility to ensure strict confidentiality of the password. Any unauthorized use of the Password by Client will constitute a material breach of this Agreement. In result of such incident, Dimension Reports will not be responsible for loss of data or its confidentiality and Client will be solely responsible for all actions and fees incurred as a result of such incident. Limitation of Liability In no event other than breaches of confidentiality of protected health information will either party or any of its representatives be liable to the other party for any special, indirect, incidental, exemplary, consequential or punitive damages arising from or related to the Services, or to this Agreement, including but not limited to, damages for loss of data, loss of use, or loss of profits, . Further, in no event will either party or any of its representative's total cumulative liability to the other party for claims, losses, or damages of any kind, whether based on contract, tort, negligence, indemnity or otherwise, arising out of or related in any way to this Agreement or the Service, exceed the limits of liability insurance retained by such party, which shall not be less than $1 million per claim and $2 million in the aggregate. Indemnification Except as otherwise provided in, and subject to, the privileges and immunities provisions that apply to Client as a county public agency under the Government Code and Welfare and Institutions code, each party agrees to indemnify, defend and hold harmless the other party and its the Representatives, and its respective affiliates, subsidiaries, officers, directors, stockholders, employees, consultants, representatives, agents, successors and assigns from and against any and all claims, losses, liabilities, sums of money, damages, expenses, costs (including, but not limited to, reasonable attorneys' fees) and/or actions arising from: (i) indemnifying party's acts or omissions; (ii) indemnifying party's violation of any applicable law; (iii) Indemnifying party's breach of any term or condition set forth in this Agreement; (iv) the indemnifying party's breach of any of its representations or warranties set forth herein; (v) the indemnifying party's infringement or misappropriation of any intellectual property rights or other rights of any person or entity; and/or (vi) the indemnifying party's breach of confidentiality of protected health information or other confidential information of the other party or of a Client customer. Entirety This Agreement constitutes the entire agreement between the parties with respect to the subject matter and supersedes and previous understandings, representations, commitments or agreements, oral or written. No provision of this Agreement may be waived except by a writing signed by the party to be charged nor may this Agreement be amended except by a writing executed by both parties. If any provision, or portion thereof, of this Agreement is, or becomes, invalid under any applicable statute or rule of law, it is to be deemed stricken and the rest of this Agreement shall remain in full force and effect. Dispute Resolution The parties will make good faith efforts to first resolve internally any dispute under this Agreement by escalating it to higher levels of management. Any dispute, controversy, or claim arising out of, relating to, involving, or having any connection with this Agreement, including any question regarding the validity, interpretation, scope, performance, or enforceability of this dispute resolution provision, will be exclusively and finally settled by state or federal courts in Fresno County, Dept. of Behavioral Health, California and that venue for any action brought pursuant to or arising from this Agreement shall reside exclusively in the courts of Fresno County, California. Governing law This agreement is subject to all state and federal laws and regulations pertaining thereto and shall be governed by and construed in accordance with the laws of California without regard to the conflict of law rules. Dimension Reports LLC /"~ -~/ -/; ;;·~22 -2db Authorized Signature and date 04-~\ \2o.: ( 1 P,c5;{-J -e./[~·+· Print Name and Title Fresno County, Dept. of Behavioral Health /if!Ye .~/f P~i lf:Jf't EXHIBIT 1 KEY REGULATORY PROVISIONS APPLICABLE TO Fresno County, Dept. of Behavioral Health AND WITH WHICH DIMENSION REPORTS MUST COMPLY PART 1: MEDI-CAL PROVISIONS REQUIRED BY MEDI-CAL LAW OR CONTRACT TO BE IN ALL SUBCONTRACTS AND SUB- SUBCONTRACTS Regulatory/DHCS Descri~tion of Reguirements. Subcontractors {including <ASO> ) and Provider's Contract Section Subcontractors must: 22 CCR §53250(c}(5) & Reports. Agree to submit reports as required by Fresno County, Dept. of §53867; DHCS Contract Behavioral Health and/or DHCS. Exh . A, Att. 6, §13 B (6) 22 CCR §53250(e}(3) & Access to Subcontracts. Make subcontracts available to DHCS upon request and (4) & §53867; DHCS comply with the same terms and conditions as DHCS requires of the Plan. Contract Exh. A, Att. 6, §13 B (9), (12) & (20) 22 CCR §53250(e}(5) & No Assignment without DHCS Approval. Not assign or delegate this Agreement or §53867; DHCS Contract, any subcontract hereunder-if such assignment or delegation is permitted under Exh. A, Att. 6, §13 B (13) the Agreement itself--unless prior approval is obtained by Fresno County, Dept. of Behavioral Health from DHCS, to the extent required. Any attempted assignment or delegation without prior DHCS and Fresno County, Dept. of Behavioral Health approval will be void. 22 CCR §53250(e}(3) & DHCS Review. Agree to make all sub-subcontracts available to DHCS upon request §53867; DHCS Contract, and require the sub-subcontractor to comply with the same terms and conditions Exh . A, Att. 6, §13 B (9) & DHCS requires of subcontractors. (20) 42 CFR §438.230; DHCS Accountability. Agree that Fresno County, Dept. of Behavioral Health will oversee, Contract, Exh. A, Att. 4, and may be held accountable by the State, for any functions and responsibilities it §§ 1 & 6 delegates to subcontractor. 22 CCR §53250(c}(2) & Governing Contract. Understand that all subcontracts shall be governed by and §53867; DHCS Contract construed in accordance with the contractual obligations of Fresno County, Dept. Exh. A, Att. 6, §13 B (2) of Behavioral Health to DHCS. 22 CCR §53250(a) & (c}(3) Effective Upon Approval. Specify that the terms of the subcontract or any & §53867; DHCS subsequent amendment shall become effective only after Departmental approval, Contract, Exh. A, Att. 6, to the extent required by the contract. §13 B (3) PROVISIONS REQUIRED BY MEDI-CAL LAW OR CONTRACT TO BE IN ALL SUBCONTRACTS AND SUB- SUBCONTRACTS Regulatory/DHCS Descri~tion of Reguirements. Subcontractors (including Provider} and Provider's Contract Section Subcontractors must: 22 CCR §53250(e)(1) & Government Access. Provide access to books, records, papers, encounter data, §53867; DHCS Contract, facilities to DHCS, DHHS, DOJ and DMHC at all reasonable times at Subcontractor's Exh. A, Att. 6, §13 B (7) & place of business or other mutually agreeable location in California. All such (9) & Exh. E, Att. 2, §20 records shall be in a form maintained in accordance with general standards applicable to such book and record keeping. Records, including but not limited to encounter data shall be maintained for at least 5 years from the end of the year of service or such longer period as is required by law or this Agreement. DHCS has a right to monitor, not just audit, all aspects of Fresno County, Dept. of Behavioral Health's operations and those of its participating providers, for compliance with applicable requirements. 42 CFR §438.608; DHCS Fraud Prevention. Cooperate with Fresno County, Dept. of Behavioral Health's Contract, Exh. E, Att. 2, program for fraud and abuse detection, investigation, reporting and taking §26 corrective action . 22 CCR §53250(c)(2) & State and Federal Law. Draft the subcontracts and sub-subcontracts in accordance §53867; DHCS Contract, with the Knox Keene Act and Regulations, the applicable provisions of the Welfare Exh. A, Att. 6, §13 A and Institutions Code and associated Medi-Cal regulations, and other applicable federal and state laws and regulations. 22 CCR §§ 51007 and Compliance. Comply with applicable law and the contract. (The DHCS contract 53250(c)(2); DHCS specifies several laws that must be specifically mentioned, such as the ADA, the Contract, Exh. A, Att. 6, Veteran's Preference laws, fraud and abuse laws, etc. §13 B (20) & Exh. E, Att. 2, §§27-30 & Exh. D(F), §1 DHCS Contract, Exh. A, Ql Oversight. Allow Fresno County, Dept. of Behavioral Health to monitor the Att. 4 quality of services delivered. DHCS Contract, Exh. A, Member Rights. Comply with the Plan's written policies on member rights, Att. 7, §5 & Att. 13, §1A including but are not limited to, right to: confidentiality; file a grievance; participate in health care decisions; right to choose their participating PCP; access to their medical records; cultural and linguistic sensitivity; and continuity of care. DHCS Contract, Exh. A, Availability and Accessibility. Make services available and accessible to members, Att. 4 & Att. 9 consistent with the terms of the Contract. DHCS Contract, Exh. A, Third Party Liability. Notify Fresno County, Dept. of Behavioral Health so that Att. 6, §13 B (15) & Exh. E, Fresno County, Dept. of Behavioral Health can notify DHCS's Third Party Liability Att. 2, §§23, 24 & 25 Branch and Fresno County, Dept. of Behavioral Health within ten (10) calendar days of learning of any illness or injury compensable under Workers compensation insurance, any casualty cases or third party tort cases. DHCS has the right to coordinate benefits and/or pursue other recovery of the value of Covered Services in these cases and to retain the costs of Covered Services for any such compensable illness or injury. Neither Fresno County, Dept. of Behavioral Health, nor Provider nor any of its subcontracting providers shall collect on any such claim. PROVISIONS REQUIRED BY MEDI-CAl lAW OR CONTRACT TO BE IN All SUBCONTRACTS AND SUB- SUBCONTRACTS Regulatory/DHCS Descrij:!tion of Reguirements. Subcontractors (including Provider} and Provider's Contract Section Subcontractors must: 42 CFR §§438.610 & Debarment. Terminate any subcontract or sub-subcontract with a debarred or 455.106; DHCS Contract, suspended person (i.e., someone who has been barred or suspended from Exh. D(F), § 19 participation in federally funded programs). Not initially contract with any such person. 22 CCR § 51007; DHCS No Discrimination. Prohibit discrimination on the basis of age, race, color, creed, Contract, Exh. A, Att. 9, religion, sex, sexual preference, national origin, health status, genetic §§10 & 11; Exh. E, Att. 2, characteristics, physical and/or mental disability, income level or on the basis that §§28-30. they are Enrollees of a prepaid health care plan. 22 CCR §53250 (b); DHCS Services. Meet the requirements of subchapters 3 & 4 of Subdivision 1 ("California Contract, Exh. A, Att. 10 Medical Assistance Program", 22 CCR §§ 51000.1 et seq .) related to the services the subcontractor is to perform. 22 CCR §§53250(c) & DHCS Contract binding on Subcontractors. Subcontract shall be governed by and 53867; DHCS Contract construed in accordance with the all laws, regulations and contractual obligations Exh. A, Att. 6, §13 B (2) & incumbent upon the plan . (20) 22 CCR §53250 (a), (c) & Subcontract Terms Reguired by Regulations. (e) & §53867; DHCS Subcontracts must specify: Contract, Exh . A, 0 The services to be provided. Attachment 6, §13B 0 That the subcontract shall be governed by and construed in accordance with the all laws, regulations and contractual obligations incumbent upon the plan. 0 That the subcontract and/or amendment shall become effective only after approval by DHCS. 0 The terms of the contract, including the beginning and ending dates as well as any methods of extension, renegotiation and termination. 0 The subcontractor's agreement to submit reports as required by the Contractor. 0 The subcontractor's agreement to make all of its books and records pertaining to the goods and services furnished under the terms of the subcontract, available for inspection, examination or copying by the DHHS, DMHC and DHCS at all reasonable times at the subcontractor's place of business or at another mutually agreeable location in California, and in a form maintained in accordance with generally accepted standards. 0 The subcontractor's agreement to maintain books and records for a term of at least five years from the close of the fiscal year in which the contract was last in effect. Full disclosure of the method and amount of compensation or other consideration received by the subcontractor. PROVISIONS REQUIRED BY MEDI-CAL LAW OR CONTRACT TO BE IN ALL SUBCONTRACTS AND SUB- SUBCONTRACTS Regulatory/DHCS Descri~tion of Reguirements. Subcontractors {including Provider} and Provider's Contract Section Subcontractors must: 22 CCR §53250 (c) & (e) & Subcontracts must also specify: §53867 0 Subcontractor's agreement to maintain and make available to DHCS upon request copies of all sub-subcontracts and to ensure that all sub- subcontracts are in writing and require that the subcontractor: • Make available all applicable books and records at all reasonable times for inspection, examination and copying by DHCS. • Retain such books and records for a term of at least five years from the close of the fiscal year in which the contract was last in effect. 0 Subcontractor's agreement to hold harmless both the State and plan members in the event the plan cannot or will not pay for services performed by the subcontractor pursuant to the subcontract. EXHIBIT 2 Fresno County, Dept. of Behavioral Health BUSINESS ASSOCIATE AGREEMENT WITH TRADING PARTNER LANGUAGE THIS BUSINESS ASSOCIATE AGREEMENT is entered into effective the l't day of January, 2017 by and between Fresno County, Dept. of Behavioral Health ("Covered Entity") and Dimension Reports LLC, a corporation. RECITALS Whereas, Fresno County, Dept. of Behavioral Health ("Covered Entity"), in its capacity as a Covered Entity under the Health Information Portability and Accountability Act of 1996 ("HIPAA") is required to enter into this Agreement to obtain satisfactory assurances that Business Associate will appropriately safeguard all Protected Health Information ("PHI") as defined herein, disclosed, used, created or received by Business Associate on behalf of Covered Entity. Whereas, Covered Entity desires to engage Business Associate to perform certain functions for, or on behalf of, Covered Entity involving the disclosure of PHI by Covered Entity to Business Associate, or the creation or use of PHI by Business Associate on behalf of Covered Entity, and Business Associate desires to perform such functions. Now therefore, in consideration of the mutual promises found in the Underlying Agreement and the exchange of information pursuant to this Agreement and in order to comply with all legal requirements for the protection of this information, Business Associate hereby agrees as follows: A. Definitions of Terms The terms in this Agreement shall have the meaning given them in the Privacy Rule except as otherwise indicated. 1. Agreement means this Business Associate Agreement. 2. Breach or Breached shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Section 164.402 which Compromises the Security or Privacy of PHI. 3. Business Associate shall have the meaning given to such term in 45 C.F.R. section 160.103. 4. C.F.R. shall mean the Code of Federal Regulations. 5. Compromises the Security or Privacy of PHI shall have the meaning given to it in 45 C.F.R. Section 164.402, an includes, but is not necessarily limited to an unauthorized acquisition, access, use or disclosure that poses a significant risk of financial, reputational or other harm to the Individual. 6. Covered Entity shall have the meaning given to such term in 45 C.F.R. Section 160.103 and includes the Covered Entity 7. Designated Record Set shall have the meaning given to such term in 45 C.F.R. Section 164.501. 8. HIPAA means the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104- 191), as amended. 9. Individual shall have the meaning given to such term in 45 CFR section 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR section 164.502(g). 10. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended from time to time, and applicable State privacy laws to the extent that they are not federally preempted. 11. Protected Health Information or PHI shall have the meaning given to such term in 45 C.F.R. section 164.501. 12. Underlying Agreement shall mean the agreement, contract, or invoice under which Business Associate is disclosing, using, creating, or receiving PHI on Covered Entity's behalf. 13. Unsecured PHI shall have the meaning given to it in 45 C.F.R. Section 164.402 and includes, but is not necessarily limited to PHI has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the Guidance issued on April 27, 2009 at 74 Fed. Reg. No. 79, pp. 19006 et seq. B. Obligations of Business Associate. 1. Permitted Uses and Disclosures. Business Associate may not use or disclose PHI received or created pursuant to this Agreement except as follows: a. As indicated in Exhibit I, attached hereto and incorporated herein by reference, or as required by law. b. If necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of Business Associate, provided that: i. Uses or disclosures are required or permitted by law; or ii. Business Associate obtains reasonable assurances from the person/entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person/entity; and iii. The person/entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. c. Notwithstanding provisions a. and b. above, any use or disclosure of PHI shall be consistent with the Privacy Rule. 2. Ownership of PHI. The PHI and any related information created or received from or on behalf of Covered Entity is and shall remain the property of Covered Entity. Business Associate agrees that it acquires no title or rights to the PHI and any related information, including any de- identified information. 3. Disclosure Accounting . In the event that Business Associate makes any disclosures of PHI that are subject to the accounting requirements of 45 C.F.R. section 164.528, Business Associate promptly shall report such disclosures to Covered Entity. The notice by Business Associate to Covered Entity of the disclosure shall include the name of the person and Covered Entity affiliation to whom the PHI was disclosed and the date of the disclosure. Business Associate shall maintain a record of each such disclosure, including the date of the disclosure, the name and, if available, the address of the recipient of the PHI, a brief description of the PHI disclosed and a brief description of the purpose of the disclosure. Business Associate shall maintain this record for a period of six (6) years and make available to Covered Entity upon request in an electronic format so that Covered Entity may meet its disclosure accounting obligations under 45 C.F.R . section 164.528. 4 . Access to PHI by Individuals. Business Associate shall cooperate with Covered Ent ity to fulfill all requests by Individuals for access to the Individual's PHI t hat are approved by Covered Entity. Business Associate shall cooperate with Covered Entity in all respects necessary for Covered Entity to comply with 45 C.F.R. section 164.524. If Business Associate r eceives a request from an Individual for access to PHI, Business Associate immediately shall forward such request to Covered Entity. Covered Entity shall be solely responsible for determining the scope of PHI and Designated Record Set with r espect to each request by an Individual for access to PHI. If Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall permit any Individual, upon notice by Covered Entity, to access and obtain copies of the Individual's PHI in accordance with 45 C.F.R . 164.524. Business Associate shall make the PHI available in the format requested by the Individual and approved by Covered En t ity, unless the PHI is not readily producible in such fo r mat, in which case the PHI shall be produced in hard copy format. Business Associate may not charge the Individual any fees for such access to PHI. 5. Access to Business Associate's Books and Records. Business Associate shall make its internal practices, books and records re lating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of determin i ng Covered Entity's compliance w ith the HIPAA laws and regulations. Upon reasonable notice to Bus i ness Associate and during Business Associate's normal business hours, Business Associate shall make such i nternal practices, books and records available to Covered Entity to inspect for purposes of determin i ng compliance with this Agreement. 6. Amendment of PHI. Should Business Associate maintain PHI in a Designated Record Set, Business Associate shall i nco r porate all amendments to PHI in a Designated Record Set, as directed and in accordance with the time frames specified by Covered Entity. Within five (5) business days following Business Associate's amendment of PHI as directed by Covered Entity, Business Associate shall provide written notice t o Covered Entity co nfirming that Business Associate has made the amendments to PH I as directed by Covered Ent ity and containing any other info r mation as may be necessary for Covered Ent ity to provide adequate notice to the Individual in accordance with 45 C.F .R. section 164.526. 7. Security and Privacy Safegua r ds. Business Associate shall: 8. (a) Implement safeguards, policies and procedures that reasonably and appropriately protect the confidentiality, security, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (b) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards. (c) Make its policies and procedures, and documentation required by this subpart relating to such safeguards, available to the Covered Entity and to the Secretary for purposes of determining the Covered Entity's compliance with this subpart. And (d) Authorize termination of the contract by the Covered Entity if the Covered Entity determines that the Business Associate has violated a material term of the contract . (e) Not sell or receive payment for, or permit its employees, agents, representatives or sub- Business Associates to sell or receive payment for PHI or other electronic health records of an Individual without the written authorization of the individual and of the Covered Entity. (f) Comply with the provisions of HIPAA, HIPAA security standards and the Privacy Rule to the extent required by 42 USC 17931. The terms of this Section and Section 8 of the Agreement will survive the termination or expiration of this Agreement. Reporting. (a) As required in 45 C.F.R. Section 164.410, Business Associate shall notify the Covered Entity of any security incident or Breach of Unsecured PHI of which it has knowledge as soon as possible but in no event later than sixty (60) days after discovery of the breach, unless such notice is delayed for no longer than thirty (30) days at the request of law enforcement due to the potential to impede a criminal investigation or damage national security. In the notice provided to Covered Entity by Business Associate regarding unauthorized uses and/or disclosures of PHI, security incidents or Breaches of Unsecured PHI, Business Associate shall describe the remedial or other actions undertaken or proposed to be undertaken regarding the unauthorized use or disclosure of PHI. (b) Business Associate understands that, pursuant to the Privacy Rule, Covered Entity must send written notice to the Individual of any Breach of PHI that Compromises the Security or Privacy of PHI. If the Breach affects the PHI of more than 500 Individuals, the Covered Entity must also notify the Secretary of the US Department of Health and Human Services and one or more prominent media outlets in the State or jurisdiction of the Breach. Business Associate shall provide any information needed by Covered Entity to prepare that notice. (c) Business Associate shall also report to the Covered Entity any complaints by an Individual about the privacy policies of the Covered Entity or Business Associate. Business Associate may not retaliate or discriminate against, coerce, intimidate, or take any action against an Individual who exercises his/her rights under the Privacy Rule, including but not limited to the right to complain about Business Associate's privacy practices and/or policies. Nor may Business Associate require an Individual to waive his or her rights under the Privacy Rule as a condition of treatment or eligibility for benefits. 9. Mitigating Unauthorized Uses and Disclosures of PHI. Business Associate shall use its best efforts to mitigate the deleterious effects of any use or disclosure of PHI not authorized by this Agreement. 10. Affiliates, Agents, Subsidiaries and Sub-Business Associates. Business Associate shall require that any agents, affiliates, subsidiaries or sub -Business Associates, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agree in writing to the same use and disclosure restrictions imposed on Business Associate by this Agreement and by HIPAA. 11. Trading Partners. (a) If Business Associate is also a trading partner of Covered Entity, Business Associate shall conduct all or part of a transaction on behalf of the covered entity, the business associate must: (i) Comply with all applicable requirements of HIPAA, including but not limited to Part 162, Subpart I concerning standard transactions; and (ii) Require any agent or subcontractor to comply with HIPAA, including but not limited to, all applicable requirements pertaining to standard transactions. (b) Neither party shall be required under this Agreement or any other agreement to do any of the following that affects the Transaction Rules implementation specifications: (i) Change the definition, data condition, or use of a data element or segment in a standard. (ii) Add any data elements or segments to the maximum defined data set. (iii) Use any code or data elements that are either marked "not used" in the standard's implementation specification or are not in the standard's implementation specification(s). (iv) Change the meaning or intent of the standard's implementation specification(s). C. Term and Termination . 1. Term. The term of this Agreement coincides with the term of the Underlying Agreement. Upon termination of the Underlying Agreement, this Agreement shall become of no further force or effect whatsoever and each of the parties hereto shall be relieved and discharged here from, unless otherwise provided in this Agreement. 2. Termination by Breach. Covered Entity, at its sole option and without offering an opportunity to cure, may terminate immediately this Agreement and the Underlying Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement. 3. Effects of Terminationi Disposa l of PHI. Upon termination of this Agreement, Business Associate shall recover all PHI that is in the possession of Business Associate's agents, affiliates, subsidiaries or sub-Business Associates. Business Associate shall return to Covered Entity or destroy all PH I that Business Associate obtained or maintained pursuant to this Agreement on behalf of Covered Entity. If the parties agree at that time that the return or destruction of PHI is not feasible, Business Associate shall extend the protections provided under this Agreement to such PHI, and limit further use or disclosure of the PHI to those purposes that make the return or destruction of the PHI infeasible . If the parties agree at the time of termination of this Agreement that it is infeasible for the Business Associate to r ecover all PHI in the possession of Business Associate's agents, affiliates, subsidiaries or sub-Business Associates, Business Associate shall provide written notice to Covered Entity regarding the nature of the unfeasibility and Business Associate sha ll require that its agents, affiliates, subsidiaries and sub-Business Associates agree to the extension of all protections, limitations and restrictions required of Business Associate hereunder. The terms of this paragraph will survive the termination or expiration of this Agreement. 4. Remedies. Notwithstanding any rights or remedies under the Agreement or provided by law, Covered Entity retains all rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of PHI by Business Associate, or any of its agents, affiliates, subsidiaries or sub -Business Associates. D. Miscellaneous. 1. Business Associate's Compliance with HIPAA. Covered Entity makes no warranty or representation that compliance by Business Associate with this Agreement, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business Associate's own purposes or that any information in Business Associate's possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure . Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI and shall indemnify and shall hold the Covered Entity harmless from any loss occasioned as a result of Business Associate's failure to meet its obligations under this Agreement. 2. Change in Law. In the event that there are subsequent changes or clarifications of federal or state statutes, regulations or rules relating to Agreement the parties agree to comply with such changes or clarifications without the need for formal amendment to the Agreement. In the event that there shall be a change in the federal or state statutes, regulations, or rules of any interpretation or any such statute, regulation or rule, or general instructions which may render any of the material terms of this Agreement unlawful or unenforceable, or materially affects the financial arrangement contained in this Agreement, Business Associate may, by providing advanced written notice, propose an amendment to this Agreement addressing such issues. If, within fifteen (15) days following the notice, the parties are unable to agree upon such amendments, either party may terminate this Agreement by giving the other party at least thirty (30) days written notice. 3. Severability. In the event any provision of this Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this Ag r eement, which shall remain in ful l force and effect and enforceab le i n accordance with its terms. 4. Governing Law. This Agreement shall be construed broadly to implement and comply with the requirements relating to the federal and state privacy statutes and regulations, including but not limited to Health Insurance Portability and Accountability Act and California Confidentiality of Medical Information Act. All other aspects of this Agreement shall be governed under the laws of the State of California and venue for any actions relating to this Agreement shall be in Fresno County, California. 5. Assignment/Subcontracting. Business Associate may not assign or subcontract the rights or obligations under this Agreement without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this Agreement to any successor or affiliated entity. 6. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever. 7. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and any agents, affiliates, subsidiaries, sub-Business Associates or employees assisting Business Associate in the fulfillment of its obligations under this Agreement, available to Covered Entity, at no cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other laws relating to security and privacy, except where Business Associate or its agents, affiliates, subsidiaries, sub-Business Associates or employees are a named adverse party. IN WITNESS WHEREOF, the authorized representative of the Parties have executed this Agreement on the date(s) specified below. Fresno County, Dept. of Behavioral Health: DIMENSION REPORTS LLC: /2-2-Z -20 16 Orri Rail, President Date