HomeMy WebLinkAboutThurston-Mason Behavioral Health Administrative Service Organization (TMBH-ASO) Exchibit C - Interlocal Agreement ,.-�:a-�i
Business Associate Agreement ''a OLYMPICHEALTH&
®Thurston Mason Behavioral Health Administrative Service Organization
❑Olympic Health and Recovery Services
THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is effective this 1st day of January
2024 (the "Effective Date") between Thurston-Mason Behavioral Health Administrative
Service Organization ("TMBH-ASO") and/or Olympic Health and Recovery Services ("OHRS")
as identified above("Covered Entity"), and Mason County ("Business Associate").
WHEREAS, Covered Entity and Business Associate are parties entering into one or more
agreements orcontracts, incorporated herein by reference (the "Underlying Agreement" and
collectively "Agreements") pursuant to which Business Associate will perform the services as outlined
in Agreements and such services involve the use and disclosure of Individually Identifiable Health
Information that is subject to protection under HIPAA and the HIPAA Rules (all as hereinafter defined);
WHEREAS, Business Associate has created and maintains security safeguards for the protection
fromunlawful disclosure of Protected Health Information (as hereinafter defined); and
WHEREAS, Covered Entity and Business Associate are committed to complying with the
Standards forPrivacy of Individually Identifiable Health Information set forth under the HIPAA and
HITECH Act and any regulations promulgated thereunder the "HIPAA Privacy Rule";
WHEREAS, this BAA, in conjunction with the HIPAA Rules, sets forth the terms and conditions
pursuantto which protected health information (in any format)that is created, received, maintained, or
transmitted by,the Business Associate from or on behalf of the Company, will be handled between the
Business Associate andthe Company and with third parties during the term of the Agreement(s) and
after its termination.
NOW, THEREFORE, for and in consideration of the recitals above and the mutual covenants
and conditions herein contained, Covered Entity and Business Associate enter into the following
Agreement toprovide a full statement of their respective responsibilities as more fully described
Unless otherwise provided herein terms used shall have the same meaning as set forth in HIPAA and
theHIPAA Rules.
1.1. Agreement means this Business Associate Agreement.
1.2. Business Associate as used in this Agreement means the Business Associate named in
this Agreement and generally has the same meaning as the term "business associate"
at 45 CFR §
160.103. Any reference to Business Associate in this Agreement includes Business
Associate'semployees, agents, officers, subcontractors, volunteers, or directors.
TMBH-ASO/OHRS Business Associate Agreement Page 1 of 11
\/Prcinn 1 n ngn1,)1
1.3. CFR means and refers to the Code of Federal Regulations.
1.4. Covered Entity means TMBH-ASO and/or OHRS, as specified above, which are each a
Covered Entity as defined at 45 CFR § 160.103, in its conductof covered functions by its
health care components.
1.5. Designated Record Set means a group of records maintained by or for the Covered Entity
that is: the medical records and billing records about Individuals maintained by or for a
covered health care provider; the enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health plan; or used, in whole
or in part, by or for the Covered Entity to make decisions about Individuals.
1.6. Electronic Protected Health Information or "EPHI" means Protected Health Information
that istransmitted by electronic media or maintained in electronic media.
1.7. HIPAA means the Health Insurance Portability and Accountability Act of 1996, Pub.L. No.
104-191,as amended by the Health Information Technology for Economic and Clinical
Health (HITECH) Act,enacted as Title XIII of The American Recovery and Reinvestment Act
of 2009, H.R. 1, Pub.L. 111-5(February 17, 2009), as amended or superseded, and any
current and future regulations promulgated under HIPAA.
1.8. HIPAA Rules means the Privacy, Security, Enforcement, and Breach Notification Rules at 45
CFR Part160 and Part 164, in effect or as amended.
1.9. Individual means the person who is the subject of Protected Health Information and
includes aperson who qualifies as a personal representative in accordance with 45 CFR §
1.10. Material Alteration means any addition, deletion or change to the PHI of any subject other
than theaddition of indexing, coding and other administrative identifiers for the purpose of
facilitating the identification or processing of such information.
1.11. Privacy Rule means the Privacy Standards at 45 CFR Part 164, Subpart E, in effect or as amended.
1.12. Protected Health Information or "PHI" means individually identifiable health information
created, received, maintained or transmitted by Business Associate on behalf of a health care
component of the Covered Entity that relates to the provision of health care to an Individual;
the past, present, or future physical or mental health or condition of an Individual; or the
past, present, or future payment for provision of health care to an Individual. 45 CFR §
160.103. PHI includes demographic information that identifies the Individual or about which
there is reasonable basis to believe can be used to identify the Individual. 45 CFR § 160.103.
PHI is information transmitted or held in any form or medium and includes Electronic
Protected Health Information. 45 CFR § 160.103. PHI does not include education records
covered by the Family Educational Rights and Privacy Act, as amended, 20USCA 1232g
(a)(4)(B)(iv) or employment records held by the Covered Entity in its role as employer.
1.13. Security Rule means the Security Standards at 45 CFR Part 164, Subparts A and C, in
effect or asamended.
1.14. Subcontractor as used in this Agreement means a person to whom a business
associate delegates a function, activity, or service, other than in the capacity of a
member of the workforce of such business associate.
1.15. Underlying Agreement means one or more agreements or contracts, incorporated herein by
reference pursuant to which Business Associate will perform the services as outlined in
TMBH-ASO/OHRS Business Associate Agreement Page 2 of 11
Varcinn 1 n n4n1,)1
Agreementsand all accompanying documents.
2.1. Services
2.1.1. Except as otherwise specified herein,the Business Associate may use PHI solely
to perform its duties as set forth in the Underlying Agreement. Except as
otherwise limitedin this Agreement, Business Associate may use and disclose PHI
for the proper management and administration of the Business Associate,to
carry out the legal responsibilities of the Business Associate and to provide any
data aggregation services pursuant to the Underlying Agreement. Business Associate may disclose PHI for the purposes pursuant to
the Underlying Agreement only to its employees, subcontractors
and agents, inaccordance with Section as directed by the
Covered Entity. Except as otherwise limited in this Agreement, Business Associate may
disclosePHI for the proper management and administration of the
Business Associate, provided that such disclosures are required by law
or Business Associate obtains reasonable assurances from the person to
whom the PHI is disclosed that the PHI will remain confidential and
used or further disclosed only as required by law or for the purpose for
which the PHI was disclosed to the person, the person implements
reasonable and appropriate security measuresto protect the PHI, and
the person notifies the Business Associate of any instances of which it is
aware where the confidentiality of the PHI has been breached.
2.2. Breach or Misuse of PHI
Business Associate recognizes that any breach of confidentiality or misuse of information
found in and/or obtained from records may result in the termination of the Underlying
Agreement and this Agreement and/or legal action. Unauthorized disclosure of PHI may give
rise to irreparable injury tothe Individual or to the owner of such information, and the
Individual or owner of such informationmay seek legal remedies against Business Associate.
2.3. Responsibilities of Business Associate
2.3.1. With regard to its use and/or disclosure of PHI, the Business Associate hereby
agrees todo the following: Use or disclose PHI only to perform functions, activities, or services for,
or on behalf of, Covered Entity, as expressly permitted or required by
this Agreement or the Underlying Agreement or as otherwise required
by applicable law. Further, BusinessAssociate agrees that it will not use
or disclose PHI in any manner that violates federal law, including but not
limited to HIPAA and any regulations enacted pursuant to its provisions,
or applicable provisions of Washington State law. The Business
Associate agrees that it is subject to and directly responsible for full
compliance with the Privacy Rule that applies to the Business Associate
to the same extent as the Covered Entity, Use commercially reasonable efforts to maintain the security of the PHI
TMBH-ASO/OHRS Business Associate Agreement Page 3 of 11
\/arcinn 1 n nc)nl?l
and toprevent unauthorized use and/or disclosure of such PHI,
including, but not limited to the following: Any physical files on location at the agency must be kept in locked
cabinets. Any PHI transported must be safeguarded against
unauthorized access at all times. In addition, the Business Associate agrees to implement and maintain
administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of all
Electronic Protected Health Information that it creates, receives,
maintains, or transmits on behalf of the Covered Entity in accordance
with 45 CFR Part 164, subpart C for as long as the PHI is within its
possession and control, even after the termination or expiration of this
Agreement. The Business Associate agrees that it is subject toand
directly responsible for full compliance with the HIPAA Security Rule
that applies to Business Associates, including sections 164.308, 164.310,
164.312, and 164.316 of title 45 CFR, to the same extent as the Covered
Entity. Business Associate shall apply the HIPAA Minimum Necessary
standard to any use or disclosure of PHI necessary to achieve the
purposes of the Underlying Agreement. See 45 CFR 164.514(d)(2)
through (d)(5). Require all of its employees, representatives, subcontractors and
agents thatcreate, receive, maintain, or transmit PHI or use or have
access to PHI under the Underlying Agreement to agree in writing to
adhere to the same restrictions and conditions on the use and/or
disclosure of PHI that apply herein, including the obligation to return
or destroy the PHI if feasible, as provided under Sections 5.4 and 5.5
of this Agreement. Promptly report to the designated privacy officer of the Covered Entity,
any useand/or disclosure of the PHI that is not permitted or required by
this Agreement, or any Security Incident involving Covered Entity's PHI,
by telephoning the privacy officer within twenty-four (24) hours of
becoming aware of it and providing a written report of the unauthorized
disclosure within five (5) business days. The name and contact information for the Covered Entity's privacy
officer is asfollows:
Contact Officer: Chris Foster
Telephone: 360.763.5798
E-mail: chris.foster@tmbho.or�
Address: 612 Woodland Square Loop SE Ste 401
Lacey, WA 98503 Mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of PHI by
Business Associate inviolation of the requirements of this
Agreement or the law.
TMBH-ASO/OHRS Business Associate Agreement Page 4 of 11
\/arcinn 1 n ngnl?1 Within twenty-four (24) hours of the discovery of a breach as defined at 45
§ 164.402, notify the Covered Entity's privacy officer of any breach of
unsecured PHI and take actions as may be necessary to identify, mitigate
and remediate the cause of the breach. A breach shall be treated as
discovered by the Business Associate in accordance with the terms of 45
CFR § 164.410. The notification shall include the following information
which shall be updated promptly and provided to the Covered Entity as
requested by the Covered Entity: The identification of each individual whose unsecured PHI
has been, or is reasonably believed by the Business
Associate to havebeen accessed, acquired, used, or
disclosed during such breach; A brief description of what happened, including the date
of thebreach and the date of the discovery of the breach,
if known; A description of the types of unsecured PHI that were involved in the breach
(such as whether full name, social security number, dateof
birth, home address, account number, diagnosis, disability
code, or other types of information were involved); Any steps individuals should take to protect themselves
frompotential harm resulting from the breach; A brief description of what the Business Associate is
doing toinvestigate the breach, to mitigate harm to
individuals, and toprotect against any further breaches; Contact procedures of the Business Associate for individuals
to ask questions or learn additional information, which shall
include atoll-free telephone number, an e-mail address,
web site, or postal address; and Any other information required to be provided to the
individual by the Covered Entity pursuant to 45 CFR §
164.404, as amended.
2.3.2. To the extent the Covered Entity deems warranted, the Covered Entity may
provide notice or may, in its sole discretion, require Business Associate to provide
notice at Business Associate's expense to any or all individuals whose unsecured
PHI has been or is reasonably believedby the Business Associate to have been,
accessed, acquired, used, or disclosed as a result of such breach. In such case, the
Business Associate shall consult with the Covered Entityregarding appropriate
steps required to notify third parties. The Business Associate shall reimburse the
Covered Entity, without limitation, for all costs of investigation, dispute
resolution, notification of individuals,the media, and the government, and
expenses incurred in responding to any audits or other investigation relating to or
arising out of a breach of unsecured PHI by the Business Associate.
TMBH-ASO/OHRS Business Associate Agreement Page 5 of 11
\/arcinn 1 n ngnl91
2.4. Covered Entity Obligations
2.4.1. With regard to the use and/or disclosure of PHI by the Business Associate, the
Covered Entity hereby agrees to: Upon request, provide the Business Associate with a copy of the notice
of privacy practices that theCovered Entity provides to Individuals
pursuant to 45 CFR § 164.520, and inform the Business Associate of any
changes in the form of the notice that materially affects the Business
Associate's uses and disclosures of PHI under this Agreement; Inform the Business Associate of any changes in, or withdrawal of, the
authorization provided to the Covered Entity by Individuals that
materially affects Business Associate's ability to use and/or disclose
PHI under this Agreement; and Notify the Business Associate, in writing and in a timely manner, of any
restrictions on the use and/or disclosure of PHI agreed to by the
Covered Entityin accordance with 45 CFR § 164.522, to the extent that
such restriction materially affects Business Associate's use or disclosure
of PHI under this Agreement.
3.1. Amendments by Business Associate
Should Business Associate make any Material Alteration to PHI, Business Associate shall
provide Covered Entity with notice of each Material Alteration to any PHI and shall promptly
cooperate withCovered Entity in responding to any request made by any subject of such
information to Covered Entity to inspect and/or copy such information. Business Associate
shall not deny Covered Entity access to any such information if, in Covered Entity's sole
discretion, such information must be made available to the subject seeking access to it. To
the extent that Business Associate maintains PHI in a Designated Record Set, Business
Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the
Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 within ten (10) days of the
request of Covered Entity or an Individual, and in the time and manner designated by
Covered Entity.
4.1. Availability of PHI
To the extent Business Associate maintains PHI in a Designated Record Set, Business
Associate agrees to make PHI available to Covered Entity or, as directed by Covered Entity,
to an Individual,within ten (10) days of the request of the Covered Entity and in the
manner designated by Covered Entity in accordance with 45 CFR § 164.524.
4.2. Accounting of Disclosures
Business Associate agrees to make available the information required for Covered Entity to
provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business
Associate will provide such accounting ofdisclosures to Covered Entity as soon as possible,
but no more than ten (10) days from request by Covered Entity. Each accounting shall
provide (i) the date of each disclosure; (ii) the name and address of the organization or
person who received the PHI; (iii) a brief description of the PHI.disclosed; and (iv) the
TMBH-ASO/OHRS Business Associate Agreement Page 6 of 11
\/arcinn 1 n ngnl,)1
purpose for which the PHI was disclosed, including the basis for such disclosure, or a copy of
a written request for disclosure under §§ 164.502(a)(2)(ii) or 164.512.
Business Associate shall maintain a process to provide the accounting of disclosures for as
long asBusiness Associate maintains PHI received from or on behalf of Covered Entity.
4.3. Access to Department of Health and Human Services
Business Associate shall make its facilities, internal practices, books, records, documents,
electronicdata and all other business information relating to the use and disclosure of PHI
received from, or created or received by Business Associate on behalf of Covered Entity
available to the Secretary of the Department of Health and Human Services, governmental
officers and agencies for purposes of determining Covered Entity's compliance with HIPAA.
Business Associate shall promptly, and in no event later than five (5) business days after a
request by the Secretary, notify Covered Entity in writing of any request made by the
Secretary and provide Covered Entity with copies of any documents produced in response to
such request..
4.4. Access to Covered Entity
Upon written request, Business Associate agrees to make its facilities, internal practices,
books, records, documents, electronic data and all other business information available to
Covered Entitywithin five (5) business days during normal business hours so that Covered
Entity can monitor compliance with this Agreement.
5.1. Term
This Agreement is valid as of the Effective Date and remains effective for the entire
term of theUnderlying Agreement, or until terminated as set forth herein.
5.2. Termination
This Agreement may be terminated by Covered Entity for convenience upon the same
number of days prior written notice to the Business Associate as set out in the Underlying
Agreement, otherwise upon thirty (30) days prior written notice. The notice will specify the
date of termination.
5.3. Termination for Cause
Covered Entity may immediately terminate this Agreement and the Underlying Agreement
without penalty if Covered Entity, in its sole discretion, determines that Business Associate
has: (a) improperly used or disclosed PHI in breach of this Agreement; or (b) violated a
material provision of this Agreement. Alternatively, the Covered Entity may choose to
provide the Business Associate with written notice of the existence of an alleged material
breach and a period of fifteen (15) days inwhich to cure the alleged material breach upon
mutually agreeable terms. Failure to cure in the manner set forth in this paragraph is grounds
for the immediate termination of this Agreement and the Underlying Agreement.
5.4. Alternative to Termination
If termination is not feasible, the Covered Entity shall report the breach to the
Secretary of theDepartment of Health and Human Services.
5.5. Return/Destruction of PHI
Business Associate agrees that, upon termination of the Underlying Agreement, for whatever
TMBH-ASO/OHRS Business Associate Agreement Page 7 of 11
Varcinn 1 n nc)n1,)1
reason, it will return or destroy, in Covered Entity's sole discretion, all PHI, if feasible,
received from, or created or received by it on behalf of Covered Entity which Business
Associate maintains in any form, and retain no copies of such information. This provision
shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
An authorized representative of Business Associate shall certify in writing to Covered Entity,
within five (5) days from the date of termination or other expiration of the Underlying
Agreement, that all PHI has been returned or disposed of as provided above and that
Business Associate no longer retains any such PHI in any form.
5.6. No Feasible Return/Destruction of PHI
If Business Associate determines that the return or destruction of PHI is not feasible,
Business Associate shall notify Covered Entity of the conditions that make return or
destruction infeasible. To the extent that Covered Entity agrees that the return or destruction
ofPHl is not feasible, Business Associate shall extend the protections of this Agreement to the
PHI retained and limit further uses and disclosures to those purposes that make the return or
destruction of the information infeasible. Business Associate shall remain bound by the
provisions of this Agreement notwithstanding termination of the Underlying Agreement,
until such time as all PHI has been returned or otherwise destroyed as provided in this
6.1. Defense and Indemnification
Business Associate shall defend, indemnify and hold Covered Entity harmless from and
against all claims, liabilities,judgments, fines, assessments, penalties, awards or other
expenses, of any kind ornature whatsoever, including, without limitation attorney's fees,
expert witness fees, and costs of investigation, litigation, or dispute resolution, relating to or
arising out of any use or disclosure of PHI in a manner not permitted by HIPAA or breach of
this Agreement by Business Associate, its employees, officers, agents, or subcontractors.
6.2. Disclaimer
Covered Entity makes no warranty or representation that compliance by Business Associate
with the Agreement or HIPAA or the HIPAA Rules will be adequate or satisfactory for
Business Associate'sown purposes or that any information in the possession of Business
Associate or Business Associate's control, or transmitted or received by Business Associate, is
or will be secure from unauthorized use or disclosure; nor shall Covered Entity be liable to
Business Associate for any claim, loss or damage relating to the unauthorized use or
disclosure of any information received by Business Associate from Covered Entity or from
any other source. Business Associate is solely responsible for all decisions made by Business
Associate regarding the safeguarding of PHI.
6.3. Insurance
Business Associate shall obtain and maintain cyber liability insurance coverage against
improper uses and disclosures of PHI by Business Associate naming Covered Entity as an
additional named insured. Promptly following a request by Covered Entity for the
maintenance of such insurance coverage, Business Associate shall provide a certificate
evidencing such insurance coverage.
TMBH-ASO/OHRS Business Associate Agreement Page 8 of 11
\/arcinn 1 n ngn171
In the event that Business Associate is also considered to be a Qualified Service
Organization ("QSO") under the federal regulations governing the Confidentiality of
Substance Use Disorder Patient Records found at 42 C.F.R. Part 2 ("Part 2"), with access to
PHI that is protected by Part 2, Business Associate agrees to the following:
a) In receiving, storing, processing, or otherwise dealing with any PHI protected by
Part 2 from Covered Entity, Business Associate is fully bound by the provisions of
Part 2; and
b) If necessary, Business Associate will resist in judicial proceedings any efforts to
obtain access to such PHI covered by Part 2 unless such access is expressly
permitted under Part 2.
8.1. Construction
This Agreement shall be construed as broadly as necessary to implement and comply with
HIPAAand the HIPAA Rules. The parties agree that any ambiguity in this Agreement shall
be resolved infavor of a meaning that complies and is consistent with the HIPAA Rules.
8.2. Notice
All notices and other communications required or permitted pursuant to this Agreement
shall be inwriting, addressed to the party at the address set forth in the Underlying
Agreement, or to such other address as either party may designate from time to time. All
notices and other communications shall be mailed by registered or certified mail, return
receipt requested, postage prepaid, or transmitted by hand delivery or telegram. All notices
shall be effective as of the date ofdelivery of personal notice or on the date of receipt,
whichever is applicable.
8.3. Modification of Agreement
The parties agree to take such action as is necessary to modify this Agreement to ensure
consistencywith amendments to and changes in the applicable federal and state laws and
regulations, including, but not limited to, HIPAA and the HIPAA Rules. This Agreement shall
not be waived or altered, in whole or in part, except in writing signed by the parties.
8.4. Invalid Terms
In the event that any provision of the terms and conditions are held by a court of
competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of
this Agreement willremain in full force and effect.
8.5. Transferability
Covered Entity has entered into this Agreement in specific reliance on the expertise and
qualifications of Business Associate. Consequently, Business Associate's interest under this
Agreement may not be transferred or assigned or assumed by any other person, in whole
or part,without the prior written consent of Covered Entity.
8.6. Governing Law and Venue
This Agreement shall be governed by and interpreted in accordance with the laws of the
State of Washington in accordance with HIPAA and the HIPAA Rules without giving effect
TMBH-ASO/OHRS Business Associate Agreement Page 9 of 11
\/Prcinn 1 n ngn171
to the conflict oflaws provisions. Thurston County, Washington, shall be the sole and
exclusive venue for any litigation, special proceeding or other proceeding as between the
parties that may be brought under, or arise out of, this Agreement.
8.7. No Third-Party Beneficiaries
Nothing express or implied in this Agreement is intended to confer, nor anything herein shall
confer,upon any person other than the parties hereto any rights, remedies, obligations or
liabilities whatsoever.
8.8. Binding Effect
This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto
and theirrespective permitted successors and assigns.
8.9. Execution
This Agreement may be executed in multiple counterparts, each of which shall
constitute anoriginal, all of which shall constitute but one agreement.
8.10. Gender and Number
The use of the masculine, feminine or neuter genders, and the use of the singular and plural,
shall not be given an effect of any exclusion or limitation herein. The use of the word
"person" or "party"shall mean and include any individual, trust, corporation, partnership or
other entity.
8.11. Priority of Agreements
If any portion of the Agreement is inconsistent with the terms of the Underlying
Agreement, theterms of this Agreement shall prevail. Except as set forth above, the
remaining provisions of theUnderlying Agreement are ratified in their entirety.
8.12. Survival
The obligations of Business Associate shall survive the termination of this Agreement
and theUnderlying Agreement.
8.13. Recitals
The preamble to this Agreement is not a mere recital of facts but consists of binding agreed
uponstatements that form the basis of this Agreement.
[Signature Page Follows]
TMBH-ASO/OHRS Business Associate Agreement Page 10 of 11
\/arcinn 1 n n4n1?1
IN WITNESS WHEREOF, the parties hereto have signed this Agreement effective the day and
year firstabove written.
Name: Mark Nea>y Name: Mark Freedman
Title: County Administrator Title: TMBH-ASO Administrator
Address: 411 N 5`i' Street Address: 670 Woodland Square Loop SE Ste 301
City, ST,Zip: Shelton,WA 98584 City, ST,Zip: Lacey WA 98506
Email: 'mneary@masoncounIMa.gov Email: marl<.freedman@tmbho.org
Phone: (360) 427-9670 ext. 530 Phone: 360.763.5828
�� ---- TMBH-ASO Executive Director
Signature(Authorized Representative) Signature
Date Date
TMBH-ASO/OHRS Business Associate Agreement Page 11 of 11
\/arcinn 1 n n4n1?1