Thurston-Mason Behavioral Health Administrative Service Organization

Page 1 of 11 TMBH-ASO/OHRS Business Associate Agreement Version 1.0_090121

Business Associate Agreement

☒ Thurston Mason Behavioral Health Administrative Service Organization
☐ Olympic Health and Recovery Services

THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is effective this 1st day of January 2022 (the "Effective Date") between Thurston-Mason Behavioral Health Administrative Service Organization (“TMBH-ASO”) and/or Olympic Health and Recovery Services (“OHRS”) as identified above ("Covered Entity"), and Mason County Public Defense ("Business Associate").

RECITALS

WHEREAS, Covered Entity and Business Associate are parties entering into one or more agreements or contracts, incorporated herein by reference (the "Underlying Agreement" and collectively “Agreements”) pursuant to which Business Associate will perform the services as outlined in Agreements and such services involve the use and disclosure of Individually Identifiable Health Information that is subject to protection under HIPAA and the HIPAA Rules (all as hereinafter defined); and

WHEREAS, Business Associate has created and maintains security safeguards for the protection from unlawful disclosure of Protected Health Information (as hereinafter defined); and

WHEREAS, Covered Entity and Business Associate are committed to complying with the Standards for Privacy of Individually Identifiable Health Information set forth under the HIPAA and HITECH Act and any regulations promulgated thereunder the “HIPAA Privacy Rule”;

WHEREAS, this BAA, in conjunction with the HIPAA Rules, sets forth the terms and conditions pursuant to which protected health information (in any format) that is created, received, maintained, or transmitted by, the Business Associate from or on behalf of the Company, will be handled between the Business Associate and the Company and with third parties during the term of the Agreement(s) and after its
termination.

NOW, THEREFORE, for and in consideration of the recitals above and the mutual covenants and conditions herein contained, Covered Entity and Business Associate enter into the following Agreement to provide a full statement of their respective responsibilities as more fully described below:

ARTICLE 1 – DEFINITIONS

Unless otherwise provided herein terms used shall have the same meaning as set forth in HIPAA and the HIPAA Rules.

1.1. Agreement means this Business Associate Agreement.

1.2. Business Associate as used in this Agreement means the Business Associate named in this Agreement and generally has the same meaning as the term “business associate” at 45 CFR § 160.103. Any reference to Business Associate in this Agreement includes Business Associate’s employees, agents, officers, subcontractors, volunteers, or directors.

1.3. CFR means and refers to the Code of Federal Regulations.

1.4. Covered Entity means TMBH-ASO and/or OHRS, as specified above, which are each a Covered Entity as defined at 45 CFR § 160.103, in its conduct of covered functions by its health care components.

1.5. Designated Record Set means a group of records maintained by or for the Covered Entity that is: the medical records and billing records about Individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.

1.6. Electronic Protected Health Information or “EPHI” means Protected Health Information that is transmitted by electronic media or maintained in electronic media.

1.7. HIPAA means the Health Insurance Portability and Accountability Act of 1996, Pub.L. No.
104-191, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as Title XIII of The American Recovery and Reinvestment Act of 2009, H.R. 1, Pub.L. 111-5 (February 17, 2009), as amended or superseded, and any current and future regulations promulgated under HIPAA.

1.8. HIPAA Rules means the Privacy, Security, Enforcement, and Breach Notification Rules at 45 CFR Part 160 and Part 164, in effect or as amended.

1.9. Individual means the person who is the subject of Protected Health Information and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

1.10. Material Alteration means any addition, deletion or change to the PHI of any subject other than the addition of indexing, coding and other administrative identifiers for the purpose of facilitating the identification or processing of such information.

1.11. Privacy Rule means the Privacy Standards at 45 CFR Part 164, Subpart E, in effect or as amended.

1.12. Protected Health Information or “PHI” means individually identifiable health information created, received, maintained or transmitted by Business Associate on behalf of a health care component of the Covered Entity that relates to the provision of health care to an Individual; the past, present, or future physical or mental health or condition of an Individual; or the past, present, or future payment for provision of health care to an Individual. 45 CFR § 160.103. PHI includes demographic information that identifies the Individual or about which there is reasonable basis to believe can be used to identify the Individual. 45 CFR § 160.103. PHI is information transmitted or held in any form or medium and includes Electronic Protected Health Information. 45 CFR § 160.103.
PHI does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USCA 1232g (a)(4)(B)(iv) or employment records held by the Covered Entity in its role as employer.

1.13. Security Rule means the Security Standards at 45 CFR Part 164, Subparts A and C, in effect or as amended.

1.14. Subcontractor as used in this Agreement means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

1.15. Underlying Agreement means one or more agreements or contracts, incorporated herein by reference pursuant to which Business Associate will perform the services as outlined in Agreements and all accompanying documents.

ARTICLE 2 – SCOPE OF USE OF PHI

2.1. Services

2.1.1. Except as otherwise specified herein, the Business Associate may use PHI solely to perform its duties as set forth in the Underlying Agreement. Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of the Business Associate, to carry out the legal responsibilities of the Business Associate and to provide any data aggregation services pursuant to the Underlying Agreement.

2.1.1.1. Business Associate may disclose PHI for the purposes pursuant to the Underlying Agreement only to its employees, subcontractors and agents, in accordance with Section 2.3.1.5. as directed by the Covered Entity.

2.1.1.2.
Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that such disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as required by law or for the purpose for which the PHI was disclosed to the person, the person implements reasonable and appropriate security measures to protect the PHI, and the person notifies the Business Associate of any instances of which it is aware where the confidentiality of the PHI has been breached.

2.2. Breach or Misuse of PHI

Business Associate recognizes that any breach of confidentiality or misuse of information found in and/or obtained from records may result in the termination of the Underlying Agreement and this Agreement and/or legal action. Unauthorized disclosure of PHI may give rise to irreparable injury to the Individual or to the owner of such information, and the Individual or owner of such information may seek legal remedies against Business Associate.

2.3. Responsibilities of Business Associate

2.3.1. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:

2.3.1.1. Use or disclose PHI only to perform functions, activities, or services for, or on behalf of, Covered Entity, as expressly permitted or required by this Agreement or the Underlying Agreement or as otherwise required by applicable law. Further, Business Associate agrees that it will not use or disclose PHI in any manner that violates federal law, including but not limited to HIPAA and any regulations enacted pursuant to its provisions, or applicable provisions of Washington State law.
The Business Associate agrees that it is subject to and directly responsible for full compliance with the Privacy Rule that applies to the Business Associate to the same extent as the Covered Entity.

2.3.1.2. Use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such PHI, including, but not limited to the following:

2.3.1.3. Any physical files on location at the agency must be kept in locked cabinets. Any PHI transported must be safeguarded against unauthorized access at all times.

2.3.1.4. In addition, the Business Associate agrees to implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity in accordance with 45 CFR Part 164, subpart C for as long as the PHI is within its possession and control, even after the termination or expiration of this Agreement. The Business Associate agrees that it is subject to and directly responsible for full compliance with the HIPAA Security Rule that applies to Business Associates, including sections 164.308, 164.310, 164.312, and 164.316 of title 45 CFR, to the same extent as the Covered Entity. Business Associate shall apply the HIPAA Minimum Necessary standard to any use or disclosure of PHI necessary to achieve the purposes of the Underlying Agreement. See 45 CFR 164.514(d)(2) through (d)(5).

2.3.1.5.
Require all of its employees, representatives, subcontractors and agents that create, receive, maintain, or transmit PHI or use or have access to PHI under the Underlying Agreement to agree in writing to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply herein, including the obligation to return or destroy the PHI if feasible, as provided under Sections 5.4 and 5.5 of this Agreement.

2.3.1.6. Promptly report to the designated privacy officer of the Covered Entity, any use and/or disclosure of the PHI that is not permitted or required by this Agreement, or any Security Incident involving Covered Entity’s PHI, by telephoning the privacy officer within twenty-four (24) hours of becoming aware of it and providing a written report of the unauthorized disclosure within five (5) business days.

2.3.1.7. The name and contact information for the Covered Entity's privacy officer is as follows:

Contact Officer: Chris Foster
Telephone: 360.763.5798
E-mail: chris.foster@tmbho.org
Address: 612 Woodland Square Loop SE Ste 401 Lacey, WA 98503

2.3.1.8. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement or the law.

2.3.1.9. Within twenty-four (24) hours of the discovery of a breach as defined at 45 CFR § 164.402, notify the Covered Entity’s privacy officer of any breach of unsecured PHI and take actions as may be necessary to identify, mitigate and remediate the cause of the breach. A breach shall be treated as discovered by the Business Associate in accordance with the terms of 45 CFR § 164.410. The notification shall include the following information which shall be updated promptly and provided to the Covered Entity as requested by the Covered Entity:

2.3.1.9.1.
The identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, used, or disclosed during such breach;

2.3.1.9.2. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

2.3.1.9.3. A description of 2.3.1.9.4. the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

2.3.1.9.5. Any steps individuals should take to protect themselves from potential harm resulting from the breach;

2.3.1.9.6. A brief description of what the Business Associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches;

2.3.1.9.7. Contact procedures of the Business Associate for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address; and

2.3.1.9.8. Any other information required to be provided to the individual by the Covered Entity pursuant to 45 CFR § 164.404, as amended.

2.3.2. To the extent the Covered Entity deems warranted, the Covered Entity may provide notice or may, in its sole discretion, require Business Associate to provide notice at Business Associate’s expense to any or all individuals whose unsecured PHI has been or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed as a result of such breach. In such case, the Business Associate shall consult with the Covered Entity regarding appropriate steps required to notify third parties.
The Business Associate shall reimburse the Covered Entity, without limitation, for all costs of investigation, dispute resolution, notification of individuals, the media, and the government, and expenses incurred in responding to any audits or other investigation relating to or arising out of a breach of unsecured PHI by the Business Associate.

2.4. Covered Entity Obligations

2.4.1. With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity hereby agrees to:

2.4.1.1. Upon request, provide the Business Associate with a copy of the notice of privacy practices that the Covered Entity provides to Individuals pursuant to 45 CFR § 164.520, and inform the Business Associate of any changes in the form of the notice that materially affects the Business Associate’s uses and disclosures of PHI under this Agreement;

2.4.1.2. Inform the Business Associate of any changes in, or withdrawal of, the authorization provided to the Covered Entity by Individuals that materially affects Business Associate’s ability to use and/or disclose PHI under this Agreement; and

2.4.1.3. Notify the Business Associate, in writing and in a timely manner, of any restrictions on the use and/or disclosure of PHI agreed to by the Covered Entity in accordance with 45 CFR § 164.522, to the extent that such restriction materially affects Business Associate's use or disclosure of PHI under this Agreement.

ARTICLE 3 – AMENDMENT OF PHI

3.1. Amendments by Business Associate

Should Business Associate make any Material Alteration to PHI, Business Associate shall provide Covered Entity with notice of each Material Alteration to any PHI and shall promptly cooperate with Covered Entity in responding to any request made by any subject of such information to Covered Entity to inspect and/or copy such information.
Business Associate shall not deny Covered Entity access to any such information if, in Covered Entity's sole discretion, such information must be made available to the subject seeking access to it. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 within ten (10) days of the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.

ARTICLE 4 – AVAILABILITY, ACCOUNTING OF DISCLOSURES, AUDITS AND INSPECTIONS

4.1. Availability of PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available to Covered Entity or, as directed by Covered Entity, to an Individual, within ten (10) days of the request of the Covered Entity and in the manner designated by Covered Entity in accordance with 45 CFR § 164.524.

4.2. Accounting of Disclosures

Business Associate agrees to make available the information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate will provide such accounting of disclosures to Covered Entity as soon as possible, but no more than ten (10) days from request by Covered Entity. Each accounting shall provide (i) the date of each disclosure; (ii) the name and address of the organization or person who received the PHI; (iii) a brief description of the PHI disclosed; and (iv) the purpose for which the PHI was disclosed, including the basis for such disclosure, or a copy of a written request for disclosure under §§ 164.502(a)(2)(ii) or 164.512. Business Associate shall maintain a process to provide the accounting of disclosures for as long as Business Associate maintains PHI received from or on behalf of Covered Entity.

4.3.
Access to Department of Health and Human Services

Business Associate shall make its facilities, internal practices, books, records, documents, electronic data and all other business information relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary of the Department of Health and Human Services, governmental officers and agencies for purposes of determining Covered Entity’s compliance with HIPAA. Business Associate shall promptly, and in no event later than five (5) business days after a request by the Secretary, notify Covered Entity in writing of any request made by the Secretary and provide Covered Entity with copies of any documents produced in response to such request.

4.4. Access to Covered Entity

Upon written request, Business Associate agrees to make its facilities, internal practices, books, records, documents, electronic data and all other business information available to Covered Entity within five (5) business days during normal business hours so that Covered Entity can monitor compliance with this Agreement.

ARTICLE 5 – TERM AND TERMINATION

5.1. Term

This Agreement is valid as of the Effective Date and remains effective for the entire term of the Underlying Agreement, or until terminated as set forth herein.

5.2. Termination

This Agreement may be terminated by Covered Entity for convenience upon the same number of days prior written notice to the Business Associate as set out in the Underlying Agreement, otherwise upon thirty (30) days prior written notice. The notice will specify the date of termination.

5.3. Termination for Cause

Covered Entity may immediately terminate this Agreement and the Underlying Agreement without penalty if Covered Entity, in its sole discretion, determines that Business Associate has: (a) improperly used or disclosed PHI in breach of this Agreement; or (b) violated a material provision of this Agreement.
Alternatively, the Covered Entity may choose to provide the Business Associate with written notice of the existence of an alleged material breach and a period of fifteen (15) days in which to cure the alleged material breach upon mutually agreeable terms. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this Agreement and the Underlying Agreement.

5.4. Alternative to Termination

If termination is not feasible, the Covered Entity shall report the breach to the Secretary of the Department of Health and Human Services.

5.5. Return/Destruction of PHI

Business Associate agrees that, upon termination of the Underlying Agreement, for whatever reason, it will return or destroy, in Covered Entity’s sole discretion, all PHI, if feasible, received from, or created or received by it on behalf of Covered Entity which Business Associate maintains in any form, and retain no copies of such information. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. An authorized representative of Business Associate shall certify in writing to Covered Entity, within five (5) days from the date of termination or other expiration of the Underlying Agreement, that all PHI has been returned or disposed of as provided above and that Business Associate no longer retains any such PHI in any form.

5.6. No Feasible Return/Destruction of PHI

If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible.
To the extent that Covered Entity agrees that the return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to the PHI retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. Business Associate shall remain bound by the provisions of this Agreement notwithstanding termination of the Underlying Agreement, until such time as all PHI has been returned or otherwise destroyed as provided in this section.

ARTICLE 6 – INDEMNIFICATION/INSURANCE

6.1. Defense and Indemnification

Business Associate shall defend, indemnify and hold Covered Entity harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards or other expenses, of any kind or nature whatsoever, including, without limitation attorney’s fees, expert witness fees, and costs of investigation, litigation, or dispute resolution, relating to or arising out of any use or disclosure of PHI in a manner not permitted by HIPAA or breach of this Agreement by Business Associate, its employees, officers, agents, or subcontractors.

6.2. Disclaimer

Covered Entity makes no warranty or representation that compliance by Business Associate with the Agreement or HIPAA or the HIPAA Rules will be adequate or satisfactory for Business Associate's own purposes or that any information in the possession of Business Associate or Business Associate's control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure; nor shall Covered Entity be liable to Business Associate for any claim, loss or damage relating to the unauthorized use or disclosure of any information received by Business Associate from Covered Entity or from any other source. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.

6.3.
Insurance

Business Associate shall obtain and maintain cyber liability insurance coverage against improper uses and disclosures of PHI by Business Associate naming Covered Entity as an additional named insured. Promptly following a request by Covered Entity for the maintenance of such insurance coverage, Business Associate shall provide a certificate evidencing such insurance coverage.

ARTICLE 7 – COMPLIANCE WITH 42 CFR PART 2 REQUIREMENTS

In the event that Business Associate is also considered to be a Qualified Service Organization (“QSO”) under the federal regulations governing the Confidentiality of Substance Use Disorder Patient Records found at 42 C.F.R. Part 2 (“Part 2”), with access to PHI that is protected by Part 2, Business Associate agrees to the following:

a) In receiving, storing, processing, or otherwise dealing with any PHI protected by Part 2 from Covered Entity, Business Associate is fully bound by the provisions of Part 2; and

b) If necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to such PHI covered by Part 2 unless such access is expressly permitted under Part 2.

ARTICLE 8 – MISCELLANEOUS

8.1. Construction

This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA and the HIPAA Rules. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with the HIPAA Rules.

8.2. Notice

All notices and other communications required or permitted pursuant to this Agreement shall be in writing, addressed to the party at the address set forth in the Underlying Agreement, or to such other address as either party may designate from time to time. All notices and other communications shall be mailed by registered or certified mail, return receipt requested, postage prepaid, or transmitted by hand delivery or telegram.
All notices shall be effective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.

8.3. Modification of Agreement

The parties agree to take such action as is necessary to modify this Agreement to ensure consistency with amendments to and changes in the applicable federal and state laws and regulations, including, but not limited to, HIPAA and the HIPAA Rules. This Agreement shall not be waived or altered, in whole or in part, except in writing signed by the parties.

8.4. Invalid Terms

In the event that any provision of the terms and conditions are held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.

8.5. Transferability

Covered Entity has entered into this Agreement in specific reliance on the expertise and qualifications of Business Associate. Consequently, Business Associate's interest under this Agreement may not be transferred or assigned or assumed by any other person, in whole or part, without the prior written consent of Covered Entity.

8.6. Governing Law and Venue

This Agreement shall be governed by and interpreted in accordance with the laws of the State of Washington in accordance with HIPAA and the HIPAA Rules without giving effect to the conflict of laws provisions. Thurston County, Washington, shall be the sole and exclusive venue for any litigation, special proceeding or other proceeding as between the parties that may be brought under, or arise out of, this Agreement.

8.7. No Third-Party Beneficiaries

Nothing express or implied in this Agreement is intended to confer, nor anything herein shall confer, upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.

8.8.
Binding Effect

This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective permitted successors and assigns.

8.9. Execution

This Agreement may be executed in multiple counterparts, each of which shall constitute an original, all of which shall constitute but one agreement.

8.10. Gender and Number

The use of the masculine, feminine or neuter genders, and the use of the singular and plural, shall not be given an effect of any exclusion or limitation herein. The use of the word "person" or "party" shall mean and include any individual, trust, corporation, partnership or other entity.

8.11. Priority of Agreements

If any portion of the Agreement is inconsistent with the terms of the Underlying Agreement, the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement are ratified in their entirety.

8.12. Survival

The obligations of Business Associate shall survive the termination of this Agreement and the Underlying Agreement.

8.13. Recitals

The preamble to this Agreement is not a mere recital of facts but consists of binding agreed upon statements that form the basis of this Agreement.

[Signature Page Follows]

IN WITNESS WHEREOF, the parties hereto have signed this Agreement effective the day and year first above written.

FOR BUSINESS ASSOCIATE:
Name: Peter Jones
Title: Director
Address: 410 N. 4th Street
City, ST, Zip: Shelton, WA 98584
Email: Peterj@co.mason.wa.us
Phone: 360-427.9670
Signature (Authorized Representative)
Date: 8-8-22

FOR TMBH-ASO and/or OHRS:
Name: Mark Freedman
Title: TMBH-ASO Administrator
Address: 612 Woodland Square Loop SE Ste 401
City, ST, Zip: Lacey WA 98506
Email: mark.freedman@tmbho.org
Phone: 360.763.5828
Signature
Date: 8/8/2022