BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "Agreement") by and between the City of Clearwater, ("Client"), and The Gehring Group, Inc. ("Gehring Group") is made and entered into effective August 15, 2014.
RECITALS
WHEREAS, Client is a "covered entity" as those terms are defined in 45 C.F.R. § 160.103; and
WHEREAS, Gehring Group provides consulting services to Client; and
WHEREAS, as a result of such functions, Client has identified Gehring Group as a "business associate," as defined in 45 C.F.R. § 160.103, of Client for purposes of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996, (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the regulations issued thereunder; and
WHEREAS, Gehring Group acknowledges that it is a business associate, as defined in 45 C.F.R. § 160.103, of Client that may create, use, or disclose Protected Health Information or Electronic Protected Health Information on behalf of Client; and
WHEREAS, Client desires to obtain written assurances that Gehring Group will safeguard Protected Health Information or Electronic Protected Health Information created or received by or on behalf of Client.
NOW, THEREFORE, the parties agree as follows:
1. DEFINITIONS
1.1 "Breach" shall have the meaning set forth in 45 C.F.R. § 164.402.
1.2 "Data Aggregation" shall have the meaning as the term "data aggregation" in 45 C.F.R. § 164.501.
1.3 "Designated Record Set" shall mean a group of health-related records about an Individual as provided in 45 C.F.R. § 164.501.
1.4 "Electronic Health Record" shall mean an electronic record of health-related information with respect to an individual that is created, gathered, managed and consulted by authorized healthcare clinicians and staff.
1.5 "Electronic Protected Health Information" or "Electronic PHI" means information that Gehring Group or its agent, including a subcontractor, creates, receives, maintains or transmits from or on behalf of Client that comes within paragraphs 1(i) or 1(ii) of the definition of "protected health information" at 45 C.F.R. § 160.103.
1.6 "Genetic Information" shall have the meaning assigned to such term in 45 C.F.R. § 160.103.
1.7 "HIPAA" shall mean the health information privacy provisions under the Health Insurance Portability and Accountability Act of 1996, and regulations issued thereunder at 45 C.F.R. Parts 160 and 164, as amended by HITECH.
1.8 "HITECH" shall mean the Health Information Technology for Economic and Clinical Health Act and the regulations issued thereunder.
1.9 "Individual" shall mean a person who is the subject of the Protected Health Information of the Client, and shall include a person who qualifies as the Individual's personal representative in accordance with 45 C.F.R. § 164.502(g).
1.10 "Limited Data Set" shall have the meaning assigned to such term in 45 C.F.R. § 164.514(e)(2).
1.11 "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Gehring Group from or on behalf of Client. Genetic Information shall be considered
1.12 "Required by Law" shall mean a mandate contained in an applicable state, federal, or local law that compels Client (or business associates acting on behalf of Client) to make a use or disclosure of PHI that is enforceable in a court of law.
1.13 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined at 45 C.F.R. § 164.304. However, certain low risk attempts to breach network security, such as the incidents listed below, shall not constitute a Security Incident under this Agreement, provided they do not penetrate the perimeter, do not result in an actual breach of security and remain within the normal incident level:
pings on the firewall;
port scans;
attempts to log on to a system or enter a database with an invalid password or username;
denial-of-service attacks that do not result in a server being taken off-line; and
malware such as worms or viruses.
1.14 "Subcontractor" shall have the meaning as the term in 45 C.F.R. § 160.103.
1.15 "Unsecured Protected Health Information" or "Unsecured PHI" shall have the meaning assigned to such term in 45 C.F.R. § 164.402 and guidance issued thereunder.
2. OBLIGATIONS OF THE PARTIES
2.1 Gehring Group shall safeguard all PHI and Electronic PHI created or received by Gehring Group on behalf of Client in accordance with HIPAA. Gehring Group shall implement administrative, physical and technical safeguards that prevent use or disclosure of the Electronic Protected Health Information other than as permitted by the Security Rules. Specifically, Gehring Group agrees to implement policies and procedures in accordance with 45 C.F.R. § 164.316 that:
i. Prevent, detect, contain and correct security violations in accordance with the administrative safeguards set forth in 45 C.F.R. § 164.308;
ii. Limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed in accordance with the physical safeguards set forth in 45 C.F.R. § 164.310; and
iii. Allow access to electronic information systems that maintain Electronic PHI to only those persons or software programs that have been granted access rights in accordance with the technical safeguards set forth in 45 C.F.R. § 164.312.
2.2 Gehring Group shall not use or disclose PHI or Electronic PHI except as permitted or required by Article 3 of this Agreement or as Required by Law. Gehring Group shall notify Client of all requests for the disclosure of PHI and Electronic PHI from a law enforcement or government official, or pursuant to a subpoena, court or administrative order, or other legal request as soon as possible prior to making the requested disclosure. Gehring Group shall provide to Client all PHI and Electronic PHI necessary to respond to these requests as soon as possible, but no later than ten (10) business days following its receipt of a request from Client.
2.3 Client shall provide to Gehring Group, and Gehring Group shall request from Client, disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only a Limited Data Set or, if necessary or otherwise permitted by HHS regulations, the minimum PHI or Electronic PHI necessary to perform or fulfill a specific function required or permitted under the Agreement. "Minimum necessary" shall be interpreted in accordance with HITECH, and in any event shall not include any direct identifiers of individuals such as names, street addresses, phone numbers or social security numbers, except for a unique identifier assigned by Client as necessary for the strategic analysis.
2.4 Gehring Group shall comply with all granted restrictions on the use and/or disclosure of PHI, pursuant to 45 C.F.R. § 164.522(a), upon written notice from Client, provided, however, that Client shall not grant any restriction that affects Gehring Group's use or disclosure of PHI without first consulting with Gehring Group.
2.5 Gehring Group shall comply with all granted requests for confidential communication of PHI, pursuant to 45 C.F.R. § 164.522(b), upon written notice from Client.
2.6 Gehring Group shall report to Client any use or disclosure of PHI not permitted by this Agreement of which Gehring Group becomes aware within fifteen (15) business days of its becoming aware, and will take such corrective action necessary, or as reasonably directed by Client, in order to prevent and minimize damage to any Individual and to prevent any further such occurrences.
2.7 Following the discovery of a Breach of Unsecured PHI, Gehring Group shall notify the Client without unreasonable delay and in no case no later than fifteen (15) days after discovery of the Breach. The notification shall include the identification of each Individual whose Unsecured PHI has been or is reasonably believed by Gehring Group to have been accessed, acquired, used or disclosed during the Breach. Gehring Group shall provide the Client with any other available information that the Client requires to notify affected individuals under the Privacy Rule.
2.8 Gehring Group shall make reasonable efforts to mitigate, to the extent practicable or as reasonably directed by Client, any harmful effect that is known to Gehring Group resulting from a breach of this Agreement or HIPAA that is directly caused by Gehring Group.
2.9 Gehring Group shall report to Client any Security Incident within five (5) business days of when it becomes aware of such Security Incident. Gehring Group shall mitigate to the extent practicable, or as reasonably directed by Client, any harmful effect that is known to Gehring Group of a Security Incident by Gehring Group.
2.10 Gehring Group shall take reasonable steps to ensure that any Subcontractor performing services for Client agrees in writing to the same restrictions and conditions that apply to Gehring Group with regard to its creation, use, and disclosure of PHI and Electronic PHI in accordance with 45 C.F.R. §§ 164.309(b)(2), 164.502(e)(1)(ii) and 164.504(e)(5). Gehring Group shall, upon written request from Client, provide a list of any Subcontractors with whom Gehring Group has contracted to perform services for Client. Gehring Group shall advise Client if any Subcontractor breaches its agreement with Gehring Group with respect to the disclosure or use of PHI or Electronic PHI. If Gehring Group knows of a pattern of activity or practice of its Subcontractor that constitutes a material breach or violation of the Subcontractor's duties and obligations under its agreement with the Subcontractor ("Subcontractor Material Breach"), Gehring Group shall cure the breach or provide a reasonable period for Subcontractor to cure the Subcontractor Material Breach; provided, however, that if Gehring Group cannot, or Subcontractor does not, cure the Subcontractor Material Breach within such period, Gehring Group shall terminate the agreement with Subcontractor, if feasible, at the end of such period.
2.11 Gehring Group shall, upon written request from Client, provide to Client a copy of any PHI or Electronic PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, created or maintained by Gehring Group, and not also maintained by Client, within thirty (30) days of receipt of the request.
2.12 Gehring Group shall, upon written request from Client, make any amendment to PHI in a Designated Record Set maintained by Gehring Group within thirty (30) days of receipt of the request unless Gehring Group can establish to Client's satisfaction that the PHI at issue is accurate and complete.
2.13 If an Individual's PHI is held in an Electronic Health Record, Gehring Group shall provide requested copies in electronic format to the Individual or to an entity or person designated by the Individual, provided such designation is clearly and conspicuously made by the Individual or Client.
2.14 Gehring Group shall make its internal practices, written policies, and procedures, books, records, and other documents related to the use and disclosure of PHI and/or Electronic PHI created or maintained by Gehring Group on behalf of Client available to the Secretary of the Department of Health and Human Services, or his or her designee, for purposes of the Secretary determining Client's compliance with HIPAA.
2.15 Gehring Group shall make available the information required to provide an accounting of disclosures made on and after the Date, as necessary for Client to comply with 45 C.F.R. § 164.528, within twenty (20) business days of receipt of the request. Gehring Group shall provide one such accounting within a twelve month period without charge, but may make a reasonable charge for any additional such accountings within the same twelve month period.
2.16 Gehring Group shall maintain records, other than those records that are also maintained by Client, for six (6) years from the date created or last in effect, whichever is later, as necessary for Client to comply with 45 C.F.R. § 164.530(j)(2).
3. PERMITTED USES OF PHI
3.1 Gehring Group may use and disclose PHI and Electronic PHI as necessary to provide
subject to Section 2.3 of this Agreement and consistent with the requirements of HIPAA.
3.2 Gehring Group may use and disclose PHI and Electronic PHI as necessary for the proper management and administration of Gehring Group or to carry out Gehring Group's legal responsibilities, subject to Section 2.4 of this Agreement and consistent with the requirements of HIPAA; provided, however, that Gehring Group may disclose the PHI and Electronic PHI for such purposes only if:
i. the disclosure is Required by Law, or
ii. Gehring Group obtains reasonable assurances that the party to whom the PHI or Electronic PHI is disclosed (a) will protect the confidentiality of the PHI and Electronic PHI, (b) will not further disclose the PHI or Electronic PHI except as Required by Law or for the purposes for which it was disclosed to the other party, and (c) will report any improper use or disclosure of the PHI and/or Electronic PHI to Gehring Group.
3.3 Except as otherwise limited in this Agreement, and to the extent provided for under this Agreement, Gehring Group may use PHI and Electronic PHI to provide Data Aggregation services to Client, as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
4. TERMINATION OF AGREEMENT
4.1 Except as described in Section 4.3, this Agreement shall continue in effect so long as Gehring Group provides service to Client involving maintaining, using or disclosing PHI or Electronic PHI, or otherwise retains a copy of PHI or Electronic PHI provided to Gehring Group by Client.
4.2 Client may terminate this Agreement at any time if Client discovers that Gehring Group has materially violated any provision of this Agreement or upon written notice with thirty (30) calendar days if Client no longer requires services of Gehring Group.
4.3 If Gehring Group becomes aware of a pattern of activity or practice of the Client that constitutes a material breach or violation of the Client's duties and obligations under the Agreement, Gehring Group shall take reasonable steps and provide a period of thirty (30) calendar days for the Client to cure the material breach or violation. If the Client does not cure the material breach or violation within such 30-day period, Gehring Group shall terminate the Agreement, if feasible, at the end of such 30-day period.
4.4 Upon expiration of Client's relationship with Gehring Group, and contingent upon the payment of outstanding fees, Gehring Group shall return PHI and Electronic PHI to Client or Client's designated agent upon Client's request. If return of all PHI and Electronic PHI is not feasible, the provisions of this Agreement shall continue to apply to Gehring Group until such time as all PHI and Electronic PHI is either returned to Client or destroyed pursuant to Gehring Group's document retention policy, provided that Gehring Group shall limit further uses of PHI and Electronic PHI only to those purposes that make the destruction or return of the PHI and Electronic PHI infeasible. Following the expiration of the relationship, Gehring Group agrees not to disclose PHI and Electronic PHI, except to Client or as Required by Law.
Whenever, under this Agreement, Gehring Group is required to give notice to Client, such notice shall be sent via First Class Mail to:
Attention: Privacy Officer
Whenever, under this Agreement, Client is required to give notice to Gehring Group, such notice shall be sent via First Class Mail to:
Katherine Bellantoni, Privacy Officer
Gehring Group, Inc.
11505 Fairchild Gardens Ave,
Suite 202
Palm Beach Gardens, FL 33410
6. INDEMNIFICATION
Gehring Group agrees to indemnify Client and any employees, directors, officers of Client (collectively "Client Indemnitees"), against all actual and direct losses resulting from or in connection with any breach of this Agreement by Gehring Group, or its partners, employees or other members of its workforce. Actual and direct losses shall include, but shall not be limited to, judgments, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) which are imposed upon or incurred by Client Indemnitees by reason of any suit, claim, action, investigation, or demand by any individual, government entity, or third party. This obligation to indemnify shall survive the termination of this Agreement.
Client agrees to indemnify Gehring Group and any employees, directors, officers of Gehring Group (collectively "Gehring Group Indemnitees") against all actual and direct losses resulting from or in connection with any breach of this Agreement by Client, or any violation of HIPAA resulting from use or disclosure of PHI and Electronic PHI pursuant to Client's direction. Actual and direct losses shall include, but shall not be limited to, judgments, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) which are imposed upon or incurred by Gehring Group Indemnitees by reason of any suit, claim, action, investigation, or demand by any individual, government entity, or third party. This obligation to indemnify shall survive the termination of this Agreement. Notwithstanding anything contained herein to the contrary, this indemnification provision shall not be construed as a waiver of any immunity to which Client is entitled or the extent of any limitation of liability pursuant to § 768.28, Florida Statutes. Furthermore, this provision is not intended to nor shall be interpreted as limiting or in any way affecting any defense Client may have under § 768.28, Florida Statutes or as consent to be sued by third parties.
7.
This Agreement shall be governed by and interpreted in accordance with the laws of Florida.
dispute relating to this Agreement shall rest exclusively with the state courts of Florida and the federal courts of the Middle District of Florida, as applicable.
8. AMENDMENT
The parties agree to negotiate in good faith any amendments necessary to conform this Agreement to changes in applicable law. Gehring Group further agrees to promptly attempt to amend its agreements with its subcontractors and agents to conform to the terms of this Agreement. If Gehring Group is unable to amend this Agreement or its agreements with its subcontractors in a way that is sufficient to satisfy the requirements under HIPAA, Client may terminate this Agreement in accordance with Section 4 upon thirty (30) days written notice.
9. TERMS OF AGREEMENT GOVERN
Any ambiguity in this Agreement shall be resolved in a way that permits compliance with HIPAA. In the event of a conflict between the terms of this Agreement and any other contract or agreement between Client and Gehring Group, this Agreement shall govern.
10. REGULATORY REFERENCES
A reference in this Agreement to a section in the Privacy Rules or Security Rules means the section as in effect or as amended, and for which compliance is required.
IN WITNESS WHEREOF, the parties have executed this Agreement by their respective duly authorized representatives.
CITY OF CLEARWATER, FLORIDA GEHRING GROUP, INC.
By: By:
Date: Date: