ALS FIRST RESPONDER BUSINESS ASSOCIATE AGREEMENTALS First Responder
Business Associate Agreement
This G EMENT made this day of Feb rUal , 2015, between
City Of Ceairy r ( "Business Associate "), and the /PINELLAS COUNTY
EMERGENCY MEDICAL SERVICES AUTHORITY, a special district ( "Covered Entity ") (collectively,
"Parties ").
RECITALS
WHEREAS, Covered Entity believes that the pertinent regulations of the Health Insurance
Portability and Accountability Act of 1996 ( "HIPAA ") as outlined in 45 C.F.R. Parts 160 and 164
require the Parties enter into a Business Associate Agreement which shall govern the use and/or
disclosure of Protected Health Information ( "PHI ") and the security of PHI; and
WHEREAS, the Parties mutually desire to outline their individual responsibilities with respect to
the use and/or disclosure of PHI as mandated by HIPAA including all pertinent regulations issued by the
U.S. Department of Health and Human Services as outlined in 45 C.F.R. Parts 160 and 164.
NOW, THEREFORE, in consideration of the promises and covenants contained herein, the
Parties agree as follows:
ARTICLE I
DEFINITIONS
1.1 Definitions: When used in this Agreement and capitalized, the following terms have the
following meanings:
1.1.1 "Underlying Agreement" means the Emergency Medical ervices ALS First Responder
Agreement entered into by the Parties on or about 0
1.1.2 "Services" means the services provided by Business Associate pursuant to the
Underlying Agreement.
1.1.3 "Protected Health Information" or "PHI" shall have the same meaning as the term
"protected health information" in 45 C.F.R. Sect. 160.103, limited to the information
created or received by Business Associate from or on behalf of Covered Entity while
performing Services pursuant to the Underlying Agreement.
1.1.4 "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement
Rules at 45 C.F.R. Parts 160 and 164.
1.1.5 "Secretary" shall mean the Secretary of the Department of Health and Human Services or
his or her designee.
1.2 Terms used but not defined in this Agreement shall have the same meaning as those terms in the
H1PAA regulations.
ARTICLE II
OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
2.1 Business Associate agrees to:
2.1.1 Not use or disclose PHI other than as permitted or required by this Agreement or as required
by law;
2.1.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect
to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this
Agreement;
2.1.3 Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement
of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR
164.410, and any security incident of which it becomes aware, and Covered Entity will
handle breach notifications to individuals and the HHS Office for Civil Rights ( "OCR "),
and potentially the media;
2.1.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that
any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business
Associate agree to the same restrictions, conditions, and requirements that apply to the
Business Associate with respect to such information;
2.1.5 Make available PHI in a designated record set to the Covered Entity as necessary to satisfy
Covered Entity's obligations under 45 CFR 164.524;
2.1.6 Requests received by the Business Associate directly from an individual seeking access to
PHI in a designated record set will be timely responded to by the Business Associate;
2.1.7 Make any amendment(s) to PHI in a designated record set as directed or agreed to by the
Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy
Covered Entity's obligations under 45 CFR 164.526;
2.1.7.1 If the Covered Entity accepts the requested amendment, in whole or in part, the Covered
Entity will make the appropriate amendment to the PHI, and Business Associate agrees to
incorporate any amendments to the PHI in the designated record set within five (5) business
days following the date on which Business Associate receives written notice from Covered
Entity of Covered Entity's approval of the requested amendment;
2.1.8 Maintain and make available the information required to provide an accounting of
disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under
45 CFR 164.528;
2.1.9 For each disclosure that requires an accounting, Business Associate shall track the
information required by 45 C.F.R. 164.528 and shall securely maintain the information for
the time period contained therein;
2.1.10 To the extent the Business Associate is to carry out one or more of Covered Entity's
obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart
E that apply to the Covered Entity in the performance of such obligation(s); and
2.1.11 Make internal practices, books, and records relating to the use and disclosure of PHI
available to the Secretary, in a reasonable time and manner as designated by Business
Associate or Secretary, for purposes of Secretary determining Covered Entity's compliance
with the HIPAA Rules.
2.2 Permitted Uses and Disclosures of PHI by Business Associate.
2.2.1 Business Associate may use or disclose PHI as necessary to perform Services in
accordance with the Underlying Agreement provided that such use or disclosure would not
violate the Privacy Rule if done by Covered Entity;
2.2.2 Business Associate may use PHI to create aggregated or de- identified information (in
accordance with the requirements of the Privacy Regulations);
2.2.3 Business Associate may use or disclose PHI (including aggregated or de- identified
information) as otherwise directed by Covered Entity consistent with Covered Entity's
minimum necessary policies and procedures, provided that Covered Entity shall not request
Business Associate to use or disclose PHI in a manner that would not be permissible if
done by Covered Entity;
2.2.4 Business Associate may use or disclose PHI as required by law or as provided for in 45
C.F.R. 164.508;
2.2.5 Business Associate may use PHI for the proper management and administration of
Business Associate or to carry out the legal responsibilities of Business Associate; and
2.2.6 Business Associate may disclose PHI for the proper management and administration of
Business Associate or to carry out the legal responsibilities of Business Associate, provided
the disclosure is required by law, or Business Associate obtains reasonable assurances from
the person to whom the information is disclosed that the information will remain
confidential and used or further disclosed only as required by law or for the purposes for
which it was disclosed to the person, and the person notifies Business Associate of any
instances of which it is aware in which the confidentiality of the information has been
breached.
2.3 Adequate Safeguards for Health Information. Business Associate agrees that it shall implement
and maintain appropriate safeguards to prevent the use or disclosure of PHI in any manner other
than as permitted by this Agreement.
2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that
is known to Business Associate of a use or disclosure of PHI by Business Associate in violation
of the requirements of this Agreement.
ARTICLE III
OBLIGATIONS OF COVERED ENTITY
3.1 Covered Entity shall provide Business Associate with the notice of privacy practices that
Covered Entity produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice.
3.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, the
permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect
Business Associate's permitted or required uses and disclosures of PHI.
3.3 Covered Entity shall notify Business Associate of any restriction on the use or disclosure
of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent
that such restriction may affect Business Associate's permitted or required uses and disclosures of PHI.
3.4 Covered Entity shall require all of its employees, agents and representatives to be
appropriately informed of its legal obligations pursuant to this Agreement and the HIPAA Rules required
by HIPAA and will reasonably cooperate with Business Associate in the performance of the mutual
obligations under this Agreement.
ARTICLE IV
TERM AND TERMINATION
4.1 Term. Subject to the provisions of Sections 4.2 and 4.3, the term of this Agreement shall
be the duration of the period in which the Business Associate provides Services involving the use of PHI
to the Covered Entity pursuant to the Underlying Agreement.
4.2 Termination for Cause. Upon either Party's knowledge of a material breach of this
Agreement by the other Party, that Party shall provide an opportunity for the other Party to cure the breach.
If the Party does not cure the breach within 15 days from the date that the Party is provided notice of such
breach, the other Party shall have the right to immediately terminate this Agreement.
4.3 Disposition of Health Information Upon Termination or Expiration. Upon termination or
expiration of this Agreement for any reason, Business Associate, with respect to PHI received from Covered
Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
4.3.1 Retain all PHI necessary for Business Associate to continue its proper management
and administration or to carry out its legal responsibilities;
4.3.2 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R.
Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided
for in this section, for as long as Business Associate retains the PHI;
4.3.3 Not use or disclose the PHI retained by Business Associate other than for the
purposes for which such PHI was retained and subject to the same conditions set out at Article II above
which applied prior to termination;
4.4 Survival. The obligations of Business Associate under this Article IV shall survive the
termination of this Agreement.
ARTICLE V
MISCELLANEOUS
5.1 Amendment to Comply with Law. The Parties agree to take such action as is necessary to
amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA
Rules or any other applicable law.
5.2 Relationship to Underlying Agreement. In the event that a provision of this Agreement is
contrary to a provision of the Underlying Agreement, the provision of this Agreement shall control.
5.3 Modification of Agreement. No alteration, amendment, or modification of the terms of
this Agreement shall be valid or effective unless in writing and signed by Business Associate and Covered
Entity.
5.4 Non - Waiver. A failure of any party to enforce at any time any term, provision or condition
of this Agreement, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor
shall any single or partial exercise preclude any other right or option herein. In no way whatsoever shall a
waiver of any term, provision or condition of this Agreement be valid unless in writing, signed by the
waiving party, and only to the extent set forth in such writing.
5.5 Agreement Drafted By All Parties. This Agreement is the result of arm's length
negotiations between the parties and shall be construed to have been drafted by all parties such that any
ambiguities in this Agreement shall not be construed against either party.
5.6 Severability. If any provision of this Agreement is found to be invalid or unenforceable
by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable
laws without invalidating the remaining provisions hereof.
5.7 Section Headings. The section headings contained herein are for convenience in
reference and are not intended to define or limit the scope of any provision of this Agreement.
5.8 No Third Party Beneficiaries. There are no third party beneficiaries to this Agreement.
5.9 Counterparts. This Agreement may be executed in one or more counterparts, each of
which shall be deemed an original, and will become effective and binding upon the parties as of the
effective date at such time as all the signatories hereto have signed a counterpart of this Agreement.
5.10 Notices. Any notices required or permitted to be given hereunder by either party to the
other shall be given in writing: (1) by personal delivery; (2) by electronic facsimile with confirmation
sent; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United
States first class registered or certified mail, postage prepaid, return receipt requested, in each case,
addressed to:
If to Business Associate:
If to Covered Entity:
1140 C(u
C(eclrwa+er, FL 33756
Pinellas County EMS Authority
c/o EMS & Fire Administration
Attn: HIPAA Compliance Officer
12490 Ulmerton Road
Largo, FL 33774 -2700
ue
or to such other addresses as the parties may request in writing by notice given pursuant to this Section
5.10. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic
facsimile with confirmation from the transmitting machine that the transmission was completed; twenty -
four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy -two (72)
hours following deposit in the U.S. Mail as required herein.
5.11 Applicable Law and Venue. This Agreement shall be governed by and construed in
accordance with the laws of the State of Florida (without regard to principles of conflicts of laws).
5.12 Liability. Each party hereto agrees to be fully responsible for their own acts or omissions or
their respective agents' acts of negligence when acting within the scope of their employment under this
Agreement, and agree to be liable for any damages resulting from said negligence. Nothing herein shall
be construed as consent by either Party to be sued by third parties in any manner arising out of this
Agreement. In addition, nothing herein is intended to waive any applicable sovereign immunity or the
liability limits of Florida Statutes s. 768.28.
5.13 Interpretation. Any ambiguity in this Agreement shall be resolved to permit
with the HIPAA Rules.
IN WITNESS WHEREOF the parties hereto, by and through th it undersigned authorized
officers have caused this Agreement to be executed on this !I4 day of F bruory , 2015.
COVERED ENTITY BUSINESS ASSOCIATE
Print Name: grace 1/41. Moeller
Title: C h 1 # OT S
Dated:
Office of the County Attorney
Title:
Dated:
;,?
APPROVED AS TO CONTENT AND FORM
v iN'1
A; City Attoiie' (designee
H: \USERS\ATYKB41 \WPDOCS \Public Safety Services\HIPAA\2014 ALSFR HIPAA BAAs\Draft ALSFR BAA 082214.docx