EXHIBIT "H"
HIPAA Business Associate Agreement
Customer:
OPEN, Incorporated
Business Associate Agreement
Effective Date:
DRAFT
This Business Associate Agreement (this "BA Agreement"), dated as of the Effective Date, is entered into by and
between OPEN, Incorporated (OPEN) and the City of Miami, a municipal corporation of the State of Florida (Customer).
WHEREAS, OPEN, Inc has entered into a SAFETYPAD ePCR SYSTEM AND SERVICE AGREEMENT
("SafetyPAD ePCR Agreement") with Customer as a consequence of which OPEN, Inc may be entrusted with PHI (as
defined below);
WHEREAS, both parties desire to meet their obligations under federal privacy regulations issued pursuant to
the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Privacy Rule (as defined below) and the
Security Rule (as defined below);
WHEREAS, the purpose of this BA Agreement is to set forth the obligations of the Parties with respect to PHI in
accordance with the Privacy Rule and Security Rule;
NOW, THEREFORE, in consideration of the foregoing and for other good and valuable consideration, the
receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS.
1.1 Unless otherwise specified in this BA Agreement, all capitalized terms used in this BA Agreement have the meaning
established for purposes of Title 45 parts 160 and 164 of the United States Code of Federal Regulations.
1.2 "Electronic PHI" means Electronic Protected Health Information, as defined in 45 CFR § 160.103, limited to the
information received from or created or received on behalf of Customer by OPEN, Inc in its capacity as Customer's Business
Associate.
1.3 "PHI" means Protected Health Information, as defined in 45 CFR § 160.103, limited to the information received
from or created or received on behalf of Customer by OPEN, Inc in its capacity as a Business Associate of Customer.
1.4 "Privacy Rule" means the federal standards for privacy of individually identifiable health information codified at
45 CFR 160 and 164 subparts (a) and (e).
1.5 "Security Rule" means the federal security standard regulations codified at 45 CFR 160 and 164 subparts (a) and
(c).
1.6 "Services" means the services related to OPEN, Inc's SafetyPAD EMS System including support and maintenance
service provided by OPEN, Inc to Customer.
2. RESPONSIBILITIES OF BUSINESS ASSOCIATE.
2.1 OPEN, Inc agrees to:
(a) Use and/or Disclose PHI only as permitted or required by this BA Agreement or required by law;
(b) use appropriate safeguards to prevent Use or Disclosure of PHI other than as permitted or required by
this BA Agreement;
(c) (i) implement administrative, physical, and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains or transmits
on behalf of Customer; and (ii) make its policies and procedures, and documentation required by the Security Rule
relating to such safeguards, available to the Secretary of the Department of Health and Human Services ("HHS") for
purposes of determining Customer's compliance with the Security Rule;
(d) report to Customer any Use or Disclosure of PHI of which it becomes aware that is not permitted by
this BA Agreement;
(e) report to Customer any Security Incident with respect to Electronic PHI of which it becomes aware;
(f) require all its subcontractors and agents that create, receive, Use, Disclose or have access to PHI to
perform Services for Customer to agree, in writing, to the same restrictions and conditions on the Use and/or Disclosure
of PHI that apply to OPEN, Inc;
(g) ensure that all of its subcontractors and agents to whom it provides Electronic PHI agree to implement
reasonable and appropriate safeguards to protect such Electronic PHI;
(h) Use and Disclose PHI consistent with the minimum necessary requirements of the Privacy Rule;
(i) make available its internal practices, books, and records relating to the Use and Disclosure of PHI to the
Customer and/or HHS for purposes of determining Customer's compliance with the Privacy Rule;
(j) document such Disclosures of PHI and information related to such Disclosures as would be required by
Customer to respond to a request for an accounting of Disclosures of PHI about an individual in accordance with 45 CFR
164.528;
(k) within 30 days of receiving a written request from Customer, make available information necessary for
Customer to make an accounting of Disclosures of PHI about an individual; and
(l) mitigate, to the extent practicable, any harmful effect that is known to OPEN, Inc of a Use or Disclosure
of PHI by OPEN, Inc in violation of the requirements of this BA Agreement.
2.2 If any PHI in OPEN, Inc's possession constitutes a Designated Record Set, OPEN, Inc agrees as follows with
regard to such PHI:
(a) within 15 days of receiving a written request from Customer, to make available the PHI necessary for
Customer to respond to individuals' requests for access to PHI about them; and
(b) within 30 days of receiving a written request from Customer, to incorporate any amendments or
corrections to the PHI in accordance with the Privacy Rule.
3. PERMITTED USES AND DISCLOSURES OF PHI.
3.1 Unless otherwise limited herein, in addition to any other Uses and/or Disclosures permitted or required by this
BA Agreement or required by law, OPEN, Inc may:
(a) make any and all Uses and Disclosures of PHI necessary to provide the Services to Customer;
(b) Use the PHI in its possession for its proper management and administration and to fulfill any legal
responsibilities of OPEN, Inc;
(c) Disclose the PHI in its possession to a third party for the purpose of OPEN, Inc's proper management
and administration or to fulfill any legal responsibilities of OPEN, Inc; provided, however, that the Disclosures are
required by law or OPEN, Inc has received from the third party written assurances that (i) the information will be held
confidentially and Used or further Disclosed only as required by law or for the purpose for which it was Disclosed to the
third party; and (ii) the third party will notify OPEN, Inc of any instances of which it becomes aware in which the
confidentiality of the information has been breached;
(d) perform Data Aggregation for Customer's Health Care Operations;
(e) de-identify any and all PHI created or received by OPEN, Inc under this BA Agreement; provided,
however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified
information is not subject to the terms of this BA Agreement; and
(f) create Limited Data Sets and use such Limited Data Sets pursuant to Section 3.2.
3.2 Limited Data Sets. OPEN, Inc may Use the PHI to create Limited Data Sets that satisfy the requirements of 45
CFR § 164.514(e)(2) of the Privacy Rule ("LDS"). OPEN, Inc may Use the LDSs for OPEN, Inc's Research, health care
operations, and/or public health activities. Any LDS OPEN, Inc creates under this BA Agreement will include the
minimum necessary data fields required to accomplish OPEN, Inc's Research, health care operations and/or public health
activities. OPEN, Inc will comply with Section 2.1(a)-(g) of this Agreement with respect to the LDSs and will not Use
the LDSs to identify or contact the individuals who are the data subjects.
4. RESPONSIBILITIES OF CUSTOMER.
Customer agrees to:
(a) obtain any consent, authorization or permission that may be required by the Privacy Rule or any other
applicable laws and/or regulations prior to furnishing OPEN, Inc the PHI pertaining to an individual; and
(b) inform OPEN, Inc of any PHI that is subject to any arrangements permitted or required of Customer
under the Privacy Rule that may materially impact in any manner the Use and/or Disclosure of PHI by OPEN, Inc under
this BA Agreement, including, but not limited to, restrictions on the Use and/or Disclosure of PHI as provided for in 45
CFR § 164.522 and agreed to by Customer.
5. BA AGREEMENT EFFECTIVE DATE. Each term and condition of this BA Agreement shall be effective on
the date stated above (the "BAA Effective Date"); provided, however, that any such terms or conditions that relate to
Electronic PHI only shall be effective on the compliance date applicable to Customer under the Security Rule.
6. CONFIDENTIALITY AGREEMENT. The Parties acknowledge that Customer may disclose Individually
Identifiable Health Information ("IIHI") to OPEN, Inc that is not PHI under the terms of this Agreement because it was not
provided to OPEN, Inc as Customer's Business Associate. For example, this could include IIHI OPEN, Inc receives from
Customer for public health activities, when providing technical support as a part of Treatment, or as a part of Research.
OPEN, Inc will use and disclose any such IIHI in accordance with applicable laws. OPEN, Inc shall also implement
reasonable safeguards to prevent inappropriate access to and disclosure of such IIHI.
7. TERM AND TERMINATION.
7.1 Term. The term of this BA Agreement shall be effective as of the BAA Effective Date, and shall continue in
effect until terminated in accordance with the provisions of this Section 7.
7.2 Termination.
(a) Upon Customer's determination of a breach of a material term of this BA Agreement by OPEN, Inc,
Customer shall provide OPEN, Inc written notice of that breach in sufficient detail to enable OPEN, Inc to understand the
specific nature of that breach and afford OPEN, Inc an opportunity to cure the breach; provided, however, that if OPEN,
Inc fails to cure the breach within 30 days, Customer may terminate this BA Agreement. If Customer terminates this BA
Agreement, OPEN, Inc shall have no continuing obligation to provide any Services.
(b) Either party may terminate this BA Agreement upon 60 days prior written notice to the other Party.
(c) This BA Agreement shall terminate immediately upon the termination of OPEN, Inc's obligations to
provide Services to Customer.
7.3 Effect of Termination or Expiration. Because of regulatory requirements and other business reasons, it will not
be feasible for OPEN, Inc to return or destroy the PHI at termination of this BA Agreement. OPEN, Inc shall extend any
and all protections, limitations and restrictions contained in this BA Agreement to OPEN, Inc's Use and/or Disclosure of
PHI retained after the termination of this BA Agreement, and to limit any further Uses and/or Disclosures to the purposes
that make return or destruction of the PHI infeasible. Customer agrees to comply with its obligations under Section 4(b)
with respect to any PHI retained by OPEN, Inc after the termination or expiration of this BA Agreement. This Section
7.3 shall survive any termination or expiration of this BA Agreement.
8. REFERENCES AND SUPERSEDING AGREEMENT. This BA Agreement shall not apply to any Business
Associate relationship other than the relationship created by OPEN, Inc providing Services to Customer. To the extent any
other Business Associate relationship exists between OPEN, Inc or any of its affiliates and Customer, such relationship shall
be documented in a separate agreement.
In the event that OPEN, Inc and an organization that directly or indirectly owns a controlling interest of Customer
("Customer's Parent"), sign a business associate agreement that includes Customer, this BA Agreement is superseded and
replaced by the business associate agreement between Customer's Parent and OPEN, Inc.
9. INDEMNIFICATION. Open, Inc. shall indemnify, defend and hold harmless the Customer and its officials,
employees, and its designated third-party administrator for claims (collectively referred to as "Indemnitees") and each of
them from and against all loss, costs, penalties, fines, damages, claims, expenses (including attorney's fees) or liabilities
(collectively referred to as "Liabilities") by reason of any injury to or death of any person or damage to or destruction or
loss of any property arising out of, resulting from, or in connection with (i) the negligent performance or non-performance
of the Services contemplated by this Agreement (whether active or passive) of Open, Inc. or its employees or
subcontractors (collectively referred to as "Open, Inc.") which is directly caused, in whole or in part, by any act,
omission, default or negligence (whether active or passive or in strict liability) of the Indemnitees, or any of them, or (ii)
the failure of the Open, Inc. to comply materially with any of the requirements herein, or the failure of the Open, Inc. to
conform to statutes, ordinances, or other regulations or requirements of any governmental authority, local, federal or state,
in connection with the performance of this Agreement. Open, Inc. expressly agrees to indemnify, defend and hold
harmless the Indemnitees, or any of them, from and against all liabilities which may be asserted by an employee or former
employee of Open, Inc., or any of its subcontractors, as provided above, for which the Open, Inc.'s liability to such
employee or former employee would otherwise be limited to payments under state Workers' Compensation or similar
laws. Open, Inc. further agrees to indemnify, defend and hold harmless the Indemnitees from and against (i) any and all
Liabilities imposed on account of the violation of any law, ordinance, order, rule, regulation, condition, or requirement,
related directly to Open, Inc.'s negligent performance under this Agreement, compliance with which is left by this
Agreement to Open, Inc., and (ii) any and all claims, and/or suits for labor and materials furnished by Open, Inc. or
utilized in the performance of this Agreement or otherwise.
In the event that any third party asserts claims against the Open, Inc. and/or the Indemnitees for which Open, Inc.
is defending the Indemnitees relating to the Services, Open, Inc. shall have the right to select its legal counsel for such
defense, subject to the approval of the Customer, which approval shall not be unreasonably withheld. It is understood and
agreed that in the event that counsel selected by Open, Inc. charges rates greater than those customarily paid by the
Customer at the time that such claim is asserted, but in no event less than $250.00 per hour, the parties shall, in good
faith, attempt to agree upon such rates or upon an allocation of payment of such rates. In the event that the third party
claim for which Open, Inc. has provided or paid Indemnitees defense results in a finding of fault on the part of the
Indemnitees, then the Customer shall reimburse Open, Inc. the cost of the Indemnitees defense to the extent of such
finding of fault.
Open, Inc. understands and agrees that any and all liabilities regarding the use of any subcontractor for Services
related to this Agreement shall be borne solely by Open, Inc. throughout the duration of this Agreement and that this
provision shall survive the termination of this Agreement.
10. INSURANCE.
10.1 Open, Inc. shall, at all times during the term hereof, maintain such insurance coverage(s) as may be
required by the Customer. The insurance coverage(s) required as of the Effective Date of this Agreement are attached
hereto as Exhibit D and incorporated herein by this reference... The Customer RFP number and title of the RFP must
appear on each certificate of insurance. The Open, Inc. shall add the City of Miami as an additional named insured to its
commercial general liability and auto policies and as a named certificate holder on all policies. Open, Inc. shall correct
any insurance certificates as requested by the Customer's Risk Management Administrator. All such insurance, including
renewals, shall be subject to the approval of the Customer for adequacy of protection and evidence of such coverage(s)
and shall be furnished to the Customer's Risk Management Administrator on Certificates of Insurance indicating such
insurance to be in force and effect and providing that it will not be canceled, modified, or changed during the performance
of the Services under this Agreement without thirty (30) calendar days prior written notice to the Customer's Risk
Management Administrator. Completed Certificates of Insurance shall be filed with the Customer prior to the
performance of Services hereunder, provided, however, that Open, Inc. shall at any time upon request file duplicate
copies of the policies of such insurance with the Customer.
10.2 If, in the reasonable judgment of the Customer, prevailing conditions in the insurance marketplace
warrant the provision by Open, Inc. of additional One Million Dollars ($1,000,000) of professional liability insurance
coverage, the Customer reserves the right to require the provision by Open, Inc. of up to such additional amount of
professional liability coverage, and shall afford written notice of such change in requirements thirty (30) days prior to the
date on which the requirements shall take effect. Should the Open, Inc. fail or refuse to satisfy the requirement of
additional coverage within thirty (30) days following the Customer's written notice, this Agreement shall be considered
terminated on the date the required change in policy coverage would otherwise take effect.
10.3 Open, Inc. understands and agrees that any and all liabilities regarding the use of any of Open, Inc.'s
employees or any of Open, Inc.'s subcontractors for Services related to this Agreement shall be borne solely by Open,
Inc. throughout the term of this Agreement and that this provision shall survive the termination of this Agreement. Open,
Inc. further understands and agrees that insurance for each employee of Open, Inc. and each subcontractor providing
Services related to this Agreement shall be maintained in good standing and approved by the Customer's Risk
Management Administrator throughout the duration of this Agreement.
10.4 Open, Inc. shall be responsible for assuring that the insurance certificates required under this
Agreement remain in full force and effect for the duration of this Agreement, including any extensions hereof. If
insurance certificates are scheduled to expire during the term of this Agreement and any extension hereof, Open, Inc. shall
be responsible for submitting new or renewed insurance certificates to the Customer's Risk Management Administrator at
a minimum of ten (10) calendar days in advance of such expiration. In the event that expired certificates are not replaced
with new or renewed certificates which cover the term of this Agreement and any extension thereof:
(a) the Customer shall suspend this Agreement until such time as the new or renewed certificate(s) are
received in acceptable form by the Customer's Risk Management Administrator; or
(b) the Customer may, at its sole discretion, terminate the Agreement for cause and seek re-procurement
damages from Open, Inc. in conjunction with the violation of the terms and conditions of this Agreement.
10.5 Compliance with the foregoing requirements shall not relieve Open, Inc. of its liabilities and obligations
under this Agreement.
11. NOTICES. All notices pursuant to this BA Agreement must be given in writing and shall be effective when
received if hand-delivered or upon dispatch if sent by reputable overnight delivery service, facsimile or U.S. mail to the
appropriate address or facsimile number as set forth on the last page of this BA Agreement.
12. CHANGE IN LAW; AMENDMENT. The Parties agree to negotiate to amend this BA Agreement as
necessary to comply with any amendment to any provision of HIPAA or its implementing regulations set forth at 45 CFR
parts 160 and 164, including, but not limited to, the Privacy Rule and the Security Rule, which materially alters either
Party's or both Parties' obligations under this BA Agreement. This BA Agreement may not be amended, altered or
modified except by written agreement signed by Customer and OPEN, Inc.
13. CONTRADICTORY TERMS; CONSTRUCTION OF TERMS. Any provision of an agreement regarding the Services between the Parties that is
directly contradictory to one or more terms of this BA Agreement ("Contradictory Term") shall be superseded by the
terms of this BA Agreement as of the BAA Effective Date to the extent and only to the extent of the contradiction, only
for the purpose of Customer's compliance with the Privacy Rule and/or Security Rule only to the extent that it is
reasonably impossible to comply with both the Contradictory Term and the terms of this BA Agreement. The terms of
this BA Agreement shall be construed in light of any applicable interpretation or guidance on HIPAA, the Privacy Rule
and/or the Security Rule issued by HHS, the Office for Civil Rights, or the Centers for Medicare and Medicaid Services
from time to time.
14. APPLICABLE LAW AND VENUE. This Agreement shall be governed by and construed in accordance
with the internal laws of the State of Florida (without regard to principles of conflicts of laws). The parties agree that all
actions or proceedings arising in connection with this Agreement shall be tried and litigated exclusively in the state or
federal (if permitted by law and a party elects to file an action in federal court) courts located in Miami-Dade County.
This choice of venue is intended by the parties to be mandatory and not permissive in nature, and to preclude the
possibility of litigation between the parties with respect to, or arising out of, this Agreement in any jurisdiction other than
that specified in this Section 12.
15. MISCELLANEOUS. Nothing in this BA Agreement shall confer upon any person other than the parties and
their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. In the event that any
provision of this BA Agreement violates any applicable statute, ordinance or rule of law in any jurisdiction that governs
this BA Agreement, such provision shall be ineffective to the extent of such violation without invalidating any other
provision of this BA Agreement. No provision of this BA Agreement may be waived except by an agreement in writing
signed by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any other term or
provision. The persons signing below have the right and authority to execute this Agreement for their respective entities
and no further approvals are necessary to create a binding agreement.
CUSTOMER
By:
Print Name:
Print Title:
Date:
Address for Notices:
Attn:
Street Address:
Phone:
Fax:
OPEN, INC
By:
Print Name:
Print Title:
Date:
Address for Notices:
Attn: OPEN, Inc
Michael Vukovich, President
11283 Eagle View Blvd
Woodbury, MN 55129
"Customer"
CITY OF MIAMI, a municipal corporation
By: Pedro G. Hernandez, City Manager
ATTEST: Priscilla A. Thompson, City Clerk
APPROVED AS TO FORM AND CORRECTNESS: Maria J. Chiaro, Interim City Attorney
APPROVED AS TO INSURANCE REQUIREMENTS: LeeAnn Brehm, Risk Management Director