San Diego Regional Health Information Exchange dba San Diego Health Connect; 2022-09-01

DocuSign Envelope ID: F5F97C43-3504-4EB1-BD34-2F8DC3F17BF9; DocuSign Envelope ID: 6908ECFA-1C78-4E87-8217-E68FF48A5864; DocuSign Envelope ID: 7B94E387-7077-4BFB-98AB-01459E76116C

[San Diego Health Connect logo: Better Information • Better Care]

San Diego Regional Health Information Exchange Business Associate Agreement, Form Version June, 2016

HIPAA BUSINESS ASSOCIATE AGREEMENT - COVERED ENTITY -

This HIPAA Business Associate Agreement ("BA Agreement") is entered into by and between San Diego Regional Health Information Exchange, dba San Diego Health Connect ("SDHC"), and the Covered Entity identified on the signature page below, collectively the "Parties." This BA Agreement shall be effective on the date indicated at the signature page hereto, or the date commensurate with the effective date on which the Parties execute the SDHC Participation Agreement or Direct Services Agreement ("Agreement"), if at all (whichever is earlier).

RECITALS

Whereas, SDHC operates a regional Health Information Exchange ("Exchange") to facilitate sharing and aggregation of protected health information for use by Covered Entities or other Participants of the Exchange for Permitted Uses including, but not limited to, patient "Treatment," "Payment," "Health Care Operations," public health reporting and surveillance, emergency medical services, and the determination of eligibility for Social Security disability and other public benefits.

Whereas, at various times, SDHC may provide Services to Covered Entity that require Covered Entity to disclose electronic PHI ("ePHI") to SDHC and to other Exchange Participants, and in doing so, it is the intent of each of the Parties to this BA Agreement to observe and faithfully perform the duties and obligations of a Covered Entity, or Business Associate, as the context may require, to protect the security and privacy of ePHI in accordance with the Privacy Laws and the following Terms and Conditions.

Now therefore, in light of the foregoing Recitals and for valuable consideration, the sufficiency of which is hereby acknowledged, the Parties hereto hereby agree as follows:

TERMS AND CONDITIONS

ARTICLE I DEFINITIONS:

1.1. Parties. At all times, the Parties hereto shall observe and comply with the duties and obligations of a Covered Entity, or Business Associate (as such terms may pertain to them from time to time), in compliance with Applicable Laws.

1.2. Definition of Capitalized Terms. Unless otherwise defined in this BA Agreement, the following terms shall have the same meaning given by the HIPAA regulations, including those set forth at 45 CFR 160.103, 45 CFR 164.304 or 45 CFR 164.402, as applicable: Business Associate, Business Associate Subcontractor, Breach, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic PHI, i.e. "ePHI," Encryption, Health Care, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information or "PHI," Payment, Required by Law, Secretary, Security Incident, Treatment, Unsecured PHI, and Permitted Use.

1.3. Interpretation. To the extent the definitions stated in this BA Agreement conflict with the Privacy Laws, the Privacy Laws shall govern. The terms, conditions and definitions of Capitalized Terms set forth in this BA Agreement shall govern over any contradictory terms, conditions or definitions set forth in the Participation Agreement or Direct Services Agreement to which this BA Agreement is attached, if any. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended. Use of the term "including" shall mean "including without limitation."

"Applicable Laws" or "Privacy Laws" includes, but is not limited to, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (45 CFR Parts 160, 162 and Subparts A, C, D and E of Part 164, the "HIPAA Regulations"), the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), the HHS regulations promulgated on January 25, 2013, entitled the "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act," and the California Medical Information Act ("CMIA"), California Civil Code Section 56 et seq., and other applicable laws and regulations, particularly those that pertain to the privacy and security of personally identifiable healthcare information.

"Permitted Use" means any use or disclosure of protected healthcare information permitted by Applicable Laws, including use and disclosure for purposes of treatment, payment, healthcare operations, public health reporting and surveillance, emergency medical services, and health oversight activities including the determination of eligibility for Social Security disability and other public benefits.

"Services" includes services to be performed by the Business Associate for or on behalf of a Covered Entity, to the extent they involve access to, the receipt of, use, storage, transmission, encryption, destruction, modification, transformation, analysis or disclosure of ePHI for a Permitted Use by Business Associate or Business Associate's Subcontractor.

ARTICLE II OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE:

2.0. Business Associate agrees as follows:

(a) Not to use, access and/or disclose PHI other than as permitted by the Participation Agreement or the Direct Services Agreement, or as required by Applicable Law. In this regard, Business Associate will limit such use, access, requests or disclosure of ePHI to the extent practicable and to the minimum extent necessary to accomplish the intended purpose of such use, access or disclosure, consistent with the Covered Entity's minimum necessary policies and procedures as conveyed to Business Associate in writing;

(b) To implement and use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of ePHI other than as provided for by the Participation Agreement or Applicable Law;

(c) To report to Covered Entity any use or disclosure of ePHI not provided for by the Participation Agreement of which the Business Associate becomes aware, including Breaches of Unsecured ePHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any of Business Associate's subcontractors, employees or agents that access, create, use, receive, disclose, maintain, or transmit ePHI on behalf of the Business Associate agree in writing to substantially the same restrictions, conditions, and requirements, including the implementation specifications of 45 C.F.R. 164.314, 164.410, 164.502, and 164.504(e) and requirements for reporting any Breaches or Security Incidents, that apply to the Business Associate with respect to PHI;

(e) To the extent ePHI is stored or maintained by Business Associate on behalf of the Covered Entity, Business Associate will make ePHI available to Covered Entity or Individual or Individual's Designee in a Designated Record Set as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524, and may, but shall not be required to, make amendments to ePHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526. Business Associate may modify existing ePHI maintained to which it has been granted access in order to correct data corruption caused by technological disruption or malfunctions.

(f) Business Associate will forward any written request it receives from an Individual for access or amendment of the Designated Record Set to Covered Entity within five (5) business days of receipt. To the extent Business Associate maintains ePHI, Business Associate will make available the information required to provide an accounting of disclosures to Covered Entity as necessary to assist Covered Entity in satisfying Covered Entity's obligations under 45 CFR 164.528 to make an accounting of disclosures to an Individual. Such accounting is limited to disclosures made within six (6) years of the date of the request (not including disclosures made prior to the compliance date of the Privacy Rule). Business Associate may, but shall not be required to, provide an accounting of disclosures to Individuals directly. Covered Entity shall communicate directly with the Individual regarding the Accounting of Disclosures, unless Business Associate and Covered Entity agree otherwise.

(g) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

(h) Make its internal practices, books, and records available to the Secretary and/or Covered Entity for purposes of determining compliance with the HIPAA Rules;

(j) Business Associate will take reasonable steps, at its sole cost and expense, to trace lost ePHI, or translate and recreate indecipherable transmissions of ePHI, where such loss or corruption is the direct result of a disruption or malfunction of Business Associate's Information System.

ARTICLE III PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE:

1. Business Associate may only use or disclose PHI if necessary and only to the extent necessary:

(a) To perform the services set forth in the Participation Agreement to which this BA Agreement is attached, and as permitted or required in this BA Agreement;

(b) To perform a function or activity it is required or permitted to perform on behalf of the Covered Entity, including, without limitation, facilitating the exchange of ePHI to and between the Covered Entity and other Covered Entities or Business Associates participating in the Health Information Exchange;

(c) To properly manage and administer Business Associate's business, or to carry out Business Associate's legal responsibilities, or for any other permissible purpose;

(d) To provide data aggregation services relating to the health care operations of the Covered Entity, or other Covered Entities who are Participants of the Exchange;

(e) To de-identify any and all ePHI received or created by Business Associate, which De-identified information shall not be subject to this BA Agreement and may be used and disclosed on Business Associate's own behalf, all in accordance with the De-identification requirements of 45 CFR 164.514(a)-(c) and Applicable Law; and

(f) As required by Applicable Laws.

2. Business Associate will not:

(a) Subject to the limitations set forth in Section 13405(d)(2) of the HITECH Act, sell PHI or receive any direct or indirect remuneration in exchange for PHI; however, this prohibition shall not apply to payment by Covered Entity to Business Associate for Services provided pursuant to the Participation Agreement, Direct Services Agreement or this BA Agreement; or

(b) Use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except that Business Associate may use or disclose PHI as provided elsewhere herein.

ARTICLE IV COVERED ENTITIES OBLIGATIONS:

1. Covered Entity Agrees:

(a) To immediately Notify Business Associate of any changes in, or revocation of, the permission given by an Individual to use or disclose his or her ePHI to Business Associate and/or the Exchange Participants, to the extent that such changes may affect Business Associate's access, use, transmission or disclosure of ePHI; and

(b) To immediately Notify Business Associate of any restriction on the use or disclosure of ePHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's access, use, transmission, storage, maintenance or disclosure of ePHI.

(c) To immediately notify Business Associate of any limitations in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520 to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(b) To be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of ePHI transmitted to Business Associate; and

(c) To provide Notice of Privacy Practices to Individuals and obtain an Individual's consent or authorization to disclose the Individual's ePHI to Business Associate or other Exchange Participants, if and to the extent required by its Privacy Practices or Applicable Laws. Covered Entity shall not disclose ePHI to Business Associate if the Individual revokes or refuses to consent to or authorize the disclosure of ePHI to Business Associate or Business Associate's subcontractors or Exchange Participants.

ARTICLE V BREACH AND SECURITY INCIDENTS:

1. Security Documentation. Each Party shall adopt, implement and update policies and procedures and physical and technical safeguards to protect the privacy and security of ePHI that comply with the HIPAA Security Rule, HHS technical guidance and any privacy and security guidelines or standards issued by the National Institute for Standards and Technology ("NIST"). Business Associate shall ensure that each Subcontractor that accesses or may access ePHI implements similar Security Standards. If an action, activity or assessment is required to be documented by a Party, such Party shall maintain a written record (paper or electronic) of the same for a period of seven (7) years or other timeframe required by Applicable Law and make such documentation available upon the written request of the other Party or of a governmental agency pursuant to due process of law.

2. Notification of Breaches and Security Incidents. Each Party shall notify the other in writing as soon as possible, but no later than two (2) business days after such Party becomes aware of any Breach or Security Incident involving ePHI. A Party shall be deemed to be aware of a Breach or Security Incident as of the first day on which such Breach or Security Incident is actually known or reasonably should have been known by any of its officers, employees, agents or subcontractors. The Party shall identify as soon as practicable each individual whose Unsecured ePHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach or Security Incident. The Parties will cooperate with each other in good faith in the investigation of the Breach or Security Incident.

3. Prompt Corrective Action and Provision of Policies. A Party who experiences a Breach or Security Incident shall Notify the other, no later than twenty (20) days after discovery of the Breach or Security Incident, of: (i) the actions taken by such Party to mitigate any harmful effect of such Breach or Security Incident; (ii) the corrective action such Party has taken or shall take to prevent future similar Breaches or Security Incidents; and (iii) any other action required by Applicable Laws pertaining to the Breach or Security Incident.

ARTICLE VI DISCLOSURES REQUIRED BY LAW:

1. Notice and Opportunity to Oppose Disclosure. In the event Business Associate is required by law to disclose ePHI, Business Associate shall promptly Notify Covered Entity of such requirement so as to afford (if possible) Covered Entity sufficient time to take appropriate action to oppose the disclosure.

ARTICLE VII TERM AND TERMINATION

1. Term. The Term of this BA Agreement shall commence on the Effective Date and terminate on the date that is commensurate with the Termination Date of the Participation Agreement or Direct Services Agreement, or the date Business Associate ceases to perform services for the Covered Entity, whichever is later.

2. Termination. A Party may terminate this BA Agreement upon not less than ten (10) days Notice for "Cause." "Cause" shall mean and refer to (i) a Party's failure to cure a breach of a material provision of this BA Agreement within twenty (20) days of Notice of such breach; (ii) any act or omission of a Party resulting in a Breach or Security Incident; (iii) failure of Business Associate to provide the Accounting of Disclosures or audit as required herein, in a timely manner; or (iv) failure of a Party to take reasonable corrective action to prevent Breaches or Security Incidents. Either Party may terminate this BA Agreement for any reason upon three (3) months Notice. The termination of this BA Agreement shall automatically terminate the Participation Agreement or Direct Services Agreement and the Services.

3. Obligations of Business Associate Upon Termination. Upon termination of this BA Agreement for any reason, Business Associate shall:

(a) Retain only that PHI that is necessary for Business Associate to continue the proper management and administration of its business, perform Services and fulfill its obligations to other Participants of the Exchange, and comply with Applicable Laws; and

(b) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the ePHI; and

(c) Not use or disclose the ePHI retained by Business Associate other than for the purposes for which such ePHI was retained and subject to the same conditions set out above, which applied prior to termination; and

(d) Return to Covered Entity or destroy (if agreed to by Covered Entity) the ePHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to perform Services, or to perform Services and fulfill its obligations to other Participants of the Exchange, or to comply with Applicable Laws.

ARTICLE VIII: MISCELLANEOUS PROVISIONS.

1. Amendment. This BA Agreement shall be amended from time to time as is necessary in order for a Party to comply with the requirements of the Privacy Laws.

2. No Agency. Nothing in this BA Agreement is intended to create or imply an employment relationship, partnership or joint venture between the Covered Entity and Business Associate.

3. Survival. Those obligations of a Party which by their meaning are intended to survive Termination shall continue in effect for a period of seven (7) years following Termination.

4. Notice. Any Notice required to be given to the other Party shall be in writing and shall be sent by first class certified U.S. Mail, return receipt requested, or by overnight courier, and delivered to the address provided by such Party below, or to such change of address as a Party may specify by Notice.

5. Counterparts. This BA Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. Signatures transmitted by facsimile or electronic mail in portable document format (".pdf") or similar means shall have the same force and effect as the execution and delivery of an original.

IN WITNESS WHEREOF, the Parties identified below have executed this Business Associate Agreement.

EFFECTIVE DATE: 9/01/2022

BUSINESS ASSOCIATE: SAN DIEGO REGIONAL HEALTH INFORMATION EXCHANGE, DBA SAN DIEGO HEALTH CONNECT
By: ______________________________________
Stephanie Renick
Its: Director of Operations
Address For Notice: 3525A Del Mar Heights Road #1863, San Diego, CA 92130

COVERED ENTITY/AGENCY: CITY OF CARLSBAD FIRE DEPARTMENT
By: ____________________________________
Name: Michael Calderwood
Title: Fire Chief
Address For Notice:
Street: 2560 Orion Way
City/State: Carlsbad, CA 92010
Telephone: 442-339-2141
Email: Michael.Calderwood@carlsbadca.gov

Approved as to form:
By: _____________________
Allegra Frost, Deputy City Attorney