This Agreement is made effective choose date, by and between the Fulton County Ryan White Part A Program, “FCRW”, and insert agency name, hereinafter referred to as “Business Associate” or “Associate” (individually, a “Party” and collectively, the “Parties”).
WITNESSETH:
WHEREAS, Fulton County and insert agency name have entered into a contract for the provision of services supported by the Fulton County Ryan White Part A Program “FCRW” whereby Contractor (Subrecipient) will provide functions, activities, or services to Fulton County involving the use of Protected Health Information (“PHI”) as defined by Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Privacy Rule”); and
WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to FCRW, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of a Covered Entity as defined in the HIPAA Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under such arrangement;
THEREFORE, in consideration of the Parties’ continuing obligations under this Agreement, compliance with the HIPAA Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Privacy Rule and to protect the interests of both Parties.
Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in HIPAA and Title XIII of the American Recovery and Reinvestment Act of 2009 (the Health Information Technology for Economic and Clinical Health Act, or “HITECH”), and in the implementing regulations of HIPAA and HITECH, now and as they may be amended in the future. Together HIPAA, HITECH, and their implementing regulations are referred to in this Agreement as the “Privacy Rule and the Security Rule.” In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy Rule, as amended, the HIPAA Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Privacy Rule, but are nonetheless permitted by the HIPAA Privacy Rule, the provisions of this Agreement shall control.
- Business Associate means an entity that performs or assists in the performance of a function on behalf of a Covered Entity, which involves the use or disclosure of Individually Identifiable Health Information as defined in 45 C.F.R. § 160.103. The terms “Business Associate”, “Contractor”, and “Subrecipient” are synonymous. Notwithstanding this definition, if Subrecipient does not have access to or create Protected Health Information under this Agreement, Subrecipient is not a Business Associate, and the terms of this Agreement do not apply to Subrecipient.
- Designated Record Set means a group of records maintained by or for a covered entity that is: (A) The medical records and billing records about individuals maintained by or for a covered health care provider; (B) The enrollment, payment, claims adjudication, and client management record system, and case management record system, and client management record system including CAREWare; or, (C) Used, in whole or in part, by or for the covered entity to make decisions about individuals. For purposes of this Agreement, the term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a covered entity.
- Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside of the entity holding the information.
- HIPAA Privacy and Security Rules means the standards for privacy, security, breach notification, and enforcement at 45 CFR Parts 160, 162, and 164.
- Individual means the person who is the subject of PHI, and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- Individually Identifiable Health Information means information that is a subset of health information, including demographic information collected from an individual, and: (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and, (B) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and, (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- Privacy Officer means the individual designated by the County or Covered Entity pursuant to 45 CFR §164.530, who is responsible for the development and implementation of the Covered Entity’s policies and procedures as they relate to the HIPAA Privacy and Security Rules.
- Protected Health Information (PHI) means individually identifiable health information that is or has been created, received, transmitted, or maintained in any form or medium, by or on behalf of the Covered Entity, with the exception of education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USC 1232g, and the health care records of students at post-secondary educational institutions or of students eighteen years of age or older, used exclusively for their health care treatment, which have not been disclosed to anyone other than a health care provider at the student’s request.
- Security Incident or Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI contained in any form, or interference with system operations in an information system that contains PHI.
- Use, with respect to individually identifiable health information, means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Agreement
It is agreed concerning:
- The parties agree that Contractor is a “Business Associate” to FCRW within the meaning of the Privacy and Security Rule. Contractor shall comply with all obligations of the Privacy Rule and Security Rule that apply to FCRW, and shall comply with all Privacy Rule and Security Rule requirements that apply to Business Associates. Contractor further warrants that it maintains and follows written policies and procedures to achieve and maintain compliance with the Privacy and Security Rules that apply to Business Associates, and that it will update such policies and procedures as necessary in order to comply with changes to the Privacy and Security Rules. These policies and procedures, and evidence of their implementation, shall be provided to FCRW upon request.
- Uses and Disclosures of PHI. Associate will use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship; or (2) as required by applicable law, rule or regulation, or by an accrediting or credentialing organization to whom FCRW is required to disclose such information, or as otherwise permitted under this Agreement (if consistent with the HIPAA Privacy Rule); and (3) as would be permitted by the HIPAA Privacy Rule if such use or disclosure were made by FCRW. Associate will not use or further disclose any PHI in violation of this Agreement. Associate may use PHI to perform data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Any time it provides PHI received from FCRW to a subcontractor or agent to perform Services for FCRW, Associate first will enter into a contract with such subcontractor or agent that contains the same terms, conditions, and restrictions on the use and disclosure of PHI as contained in this Agreement.
- Associate Use or Disclosure of Protected Health Information for its Own Purposes. Associate may use or disclose PHI received from FCRW for Associate’s management and administration, or to carry out Associate’s legal responsibilities. Associate may disclose PHI received from FCRW to a third party for such purposes only if:
- The disclosure is required by law; or
- Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) use or disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient; and (iii) notify the Associate of any breaches in the confidentiality of the PHI.
- Safeguards. Associate will implement and maintain appropriate administrative, physical, and technical safeguards to prevent any use or disclosure of PHI not otherwise permitted in this Agreement. Associate also will implement administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any electronic protected health information (“e-PHI”), if any, that Associate creates, receives, maintains, or transmits on behalf of FCRW. Upon request of FCRW, Associate will provide evidence to FCRW that these safeguards are in place and properly managed. Contractor will password-protect and encrypt all electronic PHI for transmission and for storage on portable computers and media devices.
- Reports of Improper Use or Disclosure of Protected Health Information and of Security Incidents and Breaches. Contractor will immediately (within two business days of Associate’s learning of such use or disclosure) report to FCRW any “Breach” as defined by 45 CFR 164.402, and any known or suspected loss, use, or disclosure of PHI that is not authorized by this Agreement, the Contract, or law.
Associate also will report in writing to FCRW any Security Incident of which Associate becomes aware within three business days of Associate learning of such Security Incident. Specifically, Associate will report to FCRW any successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an information system containing PHI of which Associate becomes aware. Associate also will report the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify, or destroy PHI or interfere with system operations in an information system containing PHI, of which Associate becomes aware, provided that: (i) such reports will be provided only as frequently as the parties mutually agree, but no more than once per month; and (ii) if the definition of “Security Incident” under the Security Standards is amended to remove the requirement for reporting “unsuccessful” attempts to use, disclose, modify or destroy PHI, the portion of this Section 4 addressing the reporting of unsuccessful, unauthorized attempts will no longer apply as of the effective date of such amendment. The written report shall include:
- The nature of the loss, use, or disclosure, a brief description of what happened, the date it occurred, and the date Contractor discovered the incident;
- The specific data points of PHI involved in the loss, use, or disclosure;
- The names of all persons with knowledge of the loss, use, or disclosure, and the names or categories of persons who may have obtained access to the PHI as a result;
- The corrective or investigative actions taken or to be taken in order to mitigate harmful effects, and to prevent further losses, uses, or disclosures;
- Recommended protective actions to be taken by individuals whose PHI may have been lost, used, or disclosed; and,
- Whether Contractor believes that the loss, use, or disclosure constitutes a Breach.
Contractor will, upon request by FCRW, the Fulton County Privacy Officer or the Fulton County DPH Information Security Officer, provide a complete report of the Breach to FCRW including a root cause analysis and a proposed corrective action plan. Upon request by FCRW, Contractor shall implement the corrective action plan and provide proof of implementation.
Contractor will cooperate with FCRW and provide assistance necessary for FCRW to determine whether a Breach has occurred, and whether notification of the Breach is legally required or otherwise appropriate.
If FCRW determines that a Breach has occurred as a result of Contractor’s/Subrecipient’s loss, use, or disclosure of PHI or failure to comply with obligations set forth in this Agreement or in the Privacy or Security Rule, then Contractor will provide all required notices to affected individuals, the Secretary of the U.S. Department of Health and Human Services, and the media, at Contractor’s/Subrecipient’s expense and in accordance with 45 C.F.R. Part 164, Subpart D. Such notices shall be submitted in advance to the Fulton County Privacy Officer for approval.
- Mitigation. Contractor will mitigate, to the extent practicable, any harmful effect that results from a loss, use, or disclosure of PHI by Contractor in violation of the requirements of this Agreement, the Contract, or law. Contractor shall bear the costs of mitigation, which shall include the reasonable costs of credit monitoring or credit restoration when the use or disclosure results in exposure of information commonly used in identity theft (including name, date of birth, and Social Security Number).
- Obligations Regarding Associate Personnel. Associate will appropriately inform all of its employees, agents, representatives and members of its workforce (“Associate Personnel”) whose services may be used to satisfy Associate’s obligations under the Contract and this Agreement of the terms of this Agreement. Associate represents and warrants that the Associate Personnel are under legal obligation to Associate, by contract or otherwise, sufficient to enable Associate to fully comply with the provisions of this Agreement. Associate will maintain a system of sanctions for any Associate Personnel who violate this Agreement.
- Access to Protected Health Information.
Contractor will honor requests by FCRW or by an individual for access to the individual’s own PHI in accordance with 45 CFR 164.524; to make PHI available for amendment, and to incorporate such amendments into a designated record set in accordance with 45 CFR 164.526; to provide an accounting of all disclosures of the individual’s PHI in accordance with 45 CFR 164.528; to document any such requests and the Contractor’s response; and to notify FCRW as soon as practicable of any such requests.
- FCRW Access. Within five business days of a request by FCRW for access to PHI received from FCRW, Associate will make requested PHI available to FCRW.
- Patient Access. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Sections 164.524, 164.526 and 164.528 of the HIPAA Privacy Rule, which grant the patient/client access rights, amendment rights and an accounting of disclosures of his/her Protected Health Information. If a patient requests access to PHI directly from Associate, Associate can provide the requested PHI to the patient, provided the Associate created or maintains the PHI. The Associate will note in the patient’s record whether the requested PHI was provided, per the Associate’s privacy policy and procedure. However, if the patient requests PHI related to services provided by another Ryan White Part A provider, Associate will, within five business days, forward such request in writing to FCRW. FCRW will be responsible for making all determinations regarding the grant or denial of a patient’s request for PHI, and Associate will make no such determinations. Under the direction of FCRW, the Associate that maintains the requested PHI will be responsible to prepare and deliver the requested PHI records to the patient, provided Associate has possession of the requested records. Alternatively, the client may request the PHI from the other Ryan White Part A Provider and sign a release of information allowing the PHI to be released.
- Accounting of Disclosures; Requests for Disclosure.
- Disclosure Records. Associate will keep a record of any disclosure of PHI received from FCRW that Associate makes to its agents, subcontractors or other third parties other than:
(1) Disclosures to health care providers to assist in the treatment of patients;
(2) Disclosures to others to assist FCRW in paying claims;
(3) Disclosures to others to assist FCRW in conducting its health care operations as defined in 45 C.F.R. § 164.501; or
(4) Disclosures made pursuant to an individual’s Authorization.
Associate will maintain this disclosure record for six years from the termination of this Agreement.
- Data Regarding Disclosures. For each disclosure for which it is required to keep a record, Associate will record and maintain the following information:
(1) The date of disclosure;
(2) The name of the entity or person who received the PHI and the address of such entity or person, if known;
(3) A description of the PHI disclosed; and
(4) A brief statement of the purpose of the disclosure.
- Access to Books and Records.
- FCRW Access. Associate will, within five business days of FCRW written request, make available during normal business hours at Associate’s offices all records, books, agreements, policies and procedures relating to the use or disclosure of PHI received from FCRW, for the purpose of allowing FCRW or its agents or auditors to determine Associate’s compliance with this Agreement.
- Government Access. Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Associate on behalf of, FCRW available to the Secretary of the Department of Health and Human Services (or the Secretary’s designee) to the extent required for determining compliance with the Privacy Standards. Notwithstanding this provision, no attorney-client, accountant-client or other legal privilege will be deemed waived by Associate or FCRW as a result of this Section.
- Return or Destruction of Protected Health Information.
- Return of PHI; Destruction. Within thirty business days of termination of the Contract or this Agreement, Associate will return to FCRW all PHI received from FCRW or created or received by Associate on behalf of FCRW that Associate maintains in any form or format. Associate will not maintain or keep in any form or format any portion of such PHI. Alternatively, Associate may, upon FCRW written consent, destroy all such PHI and provide written documentation of such destruction. The requirement to return or destroy such PHI will apply to all agents or subcontractors of Associate. Associate will be responsible for recovering any PHI from such agents or subcontractors. If Associate cannot obtain the PHI from any agent or subcontractor, Associate will so notify FCRW and will require that such agents or subcontractors directly return PHI to FCRW or otherwise destroy such PHI, subject to the terms of this Section.
- Alternative Measures. If Associate believes that returning or destroying PHI at the termination of the Contract or this Agreement is infeasible, it will provide written notice to FCRW within five business days of the effective date of termination of this Agreement. Such notice will set forth the circumstances that Associate believes make the return or destruction of PHI infeasible and the alternative measures that Associate recommends for assuring the continued confidentiality and security of the PHI. FCRW promptly will notify Associate of whether it agrees that the return or destruction of PHI is infeasible. If FCRW agrees that return or destruction of PHI is infeasible, Associate agrees to extend all protections, limitations and restrictions of this Agreement to Associate’s use or disclosure of PHI retained after termination of this Agreement and to limit further uses or disclosures to those purposes that make the return or destruction of the PHI infeasible. Any such extended protections, limitations and restrictions will apply to any agents or subcontractors of Associate for whom return or destruction of PHI is determined by FCRW to be infeasible. If FCRW does not agree that the return or destruction of PHI from Associate or its agents or subcontractors is infeasible, FCRW will provide Associate with written notice of its decision, and Associate, its agents and subcontractors will proceed with the return or destruction of the PHI pursuant to the terms of this Section within fifteen business days of the date of FCRW notice.
- Termination. Notwithstanding anything in this Agreement to the contrary, FCRW shall have the right to terminate this Agreement immediately if FCRW determines that Business Associate has violated any material term of this Agreement. If FCRW reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, FCRW gives notice to Business Associate of such belief, and Business Associate fails to provide adequate written assurances to FCRW that it will not breach the cited term of this Agreement, then FCRW shall have the right to terminate this Agreement immediately. The obligations imposed upon Contractor with respect to its care, use, and disclosure of PHI, and its duty to comply with the Privacy and Security Rule with regard to such PHI, shall survive the expiration, termination, or cancellation of this Agreement and/or the business relationship of the parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
- Miscellaneous. This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement is intended to create, nor will it be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement will be governed by the laws of the State of Georgia. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.
Signatures