BUSINESS ASSOCIATE AGREEMENT
This agreement (the "Agreement"), effective as set forth below, is between the covered
entity listed below (the "Covered Entity") and TKSoftware, Inc. (the "Business Associate").
I. DEFINITIONS
For purposes of this Agreement, the following terms shall have the following prescribed
meanings.
"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a
manner not permitted under the HIPAA privacy rule which compromises the security or privacy
of the Protected Health Information.
"Data Aggregation Services" means, with respect to Protected Health Information created or
received by the Business Associate, the combining of such Protected Health Information by the
Business Associate with Protected Health Information (as defined in HIPAA) received by the
Business Associate in its capacity as a business associate (as defined in HIPAA) of another
covered entity (as defined in HIPAA), to permit data analyses that relate to the health care
operations of the respective covered entities, including the Covered Entity.
"Electronic Media" means electronic storage material on which data is or may be recorded
electronically, including, for example, devices on computers (hard drives) and any
removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or
digital memory card, and transmission media used to exchange information already in electronic
storage media. Transmission media include, for example, the Internet (wide-open), extranet or
intranet, leased lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions, including of paper, via
facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic
media if the information being exchanged did not exist in electronic form immediately before the
transmission.
"Electronic Protected Health Information" means Protected Health Information that is (i)
transmitted by Electronic Media, or (ii) maintained in any medium described as Electronic
Media.
"HIPAA" means the security and privacy requirements as reflected in 42 U.S.C. 1320d et seq.
and such regulations as may be promulgated thereunder from time to time (currently, 45 CFR
164.102 through 164.534).
"HITECH" means the Health Information Technology for Economic and Clinical Health Act of
2009 as reflected in 42 U.S.C. 17921 et seq. and such regulations as may be promulgated
thereunder from time to time.
"Protected Health Information" means individually identifiable health information created by,
for or on behalf of the Covered Entity that is (i) transmitted by Electronic Media, (ii) maintained
in any medium described as Electronic Media, or (iii) transmitted or maintained in any other
form or medium. "Protected Health Information" does not include individually identifiable
health information (i) in education records covered by the Family Educational Rights and Privacy
Act (20 U.S.C. section 1232g(a)(4)(B)(iv)), (ii) in records described at 20 U.S.C. section
1232g(a)(4)(B)(iv), or (iii) regarding a person who has been deceased for more than fifty (50)
years.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system operations in an
information system.
"Underlying Agreement" means the contract or agreement, whether in writing or otherwise,
between the Covered Entity and the Business Associate, pursuant to which the Business
Associate provides services to the Covered Entity of the type that require the parties to enter into
this Agreement pursuant to HIPAA.
"Unsecured Protected Health Information" means Protected Health Information that is not
rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of
a technology or methodology specified by the Secretary of Health and Human Services in the
guidance issued under section 13402(h)(2) of HITECH.
II. PERMITTED AND REQUIRED USES AND DISCLOSURES
OF PROTECTED HEALTH INFORMATION
The Business Associate shall be permitted and required to use Protected Health Information only
as provided in the Underlying Agreement and this Agreement. The Business Associate shall not
use or further disclose Protected Health Information in any manner that: (a) would violate the
terms of this Agreement; or (b) if done by the Covered Entity, would violate HIPAA, except that
(i) the Business Associate may use Protected Health Information for the proper management and
administration of the Business Associate or to carry out the legal responsibilities of the Business
Associate, and (ii) the Business Associate may provide Data Aggregation Services relating to the
health care operations of the Covered Entity. The Business Associate may disclose Protected
Health Information for the purposes described in item (b)(i) of this Section II only if the
disclosure is required by law or the Business Associate obtains reasonable assurances from the
person to whom the information is disclosed that it will be held confidentially and used or further
disclosed only as required by law or for the purpose for which it was disclosed to the person and
that the person will notify the Business Associate of any instance where the confidentiality of the
Protected Health Information has been breached.
III. RESTRICTIONS ON THE USE AND DISCLOSURE
OF PROTECTED HEALTH INFORMATION
Notwithstanding anything in the Underlying Agreement to the contrary, the Business Associate
shall:
(a) Not use or further disclose Protected Health Information other than permitted or required
by this Agreement or required by law;
(b) Use appropriate safeguards to prevent use or disclosure of the Protected Health
Information other than provided for by this Agreement;
(c) Implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the Electronic
Protected Health Information that it creates, receives, maintains, or transmits on behalf of
the Covered Entity as required by HIPAA and comply with Subpart C of 45 CFR Part
164 with respect to Electronic Protected Health Information, to prevent use or disclosure
of Protected Health Information other than as provided for in this Agreement;
(d) Report to the Covered Entity any use or disclosure of the Protected Health Information
not provided for by this Agreement, or any Security Incident of which it becomes aware;
(e) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any
subcontractors that create, receive, maintain, or transmit Protected Health Information on
behalf of the Business Associate agree to the same restrictions and conditions that apply
to the Business Associate with respect to such Protected Health Information;
(f) Make available to any individual Protected Health Information about that individual only
to the extent required by, and in accordance with, HIPAA;
(g) Make available an individual's Protected Health Information for amendment by that
individual and incorporate any amendments to that individual's Protected Health
Information to the extent required by, and in accordance with, HIPAA;
(h) Make available Protected Health Information required to provide an accounting of
disclosures of an individual's Protected Health Information to the extent such accounting
is required by, and in accordance with, HIPAA;
(i) Make its internal practices, books and records relating to the use and disclosure of
Protected Health Information received from, or created or received by, the Business
Associate on behalf of the Covered Entity available to the Secretary of Health and
Human Services (or its delegate) for purposes of determining the Covered Entity's
compliance with HIPAA;
(j) Report to Covered Entity any Breach of Unsecured Protected Health Information
discovered by Business Associate. Notice shall be in writing and provided to the Covered
Entity without unreasonable delay, but in no event more than thirty (30) business days
after discovery of such Breach. Such notice will include, to the extent possible, the
identification of each individual whose Protected Health Information has been or is
reasonably believed by Business Associate to have been accessed, acquired, used, or
disclosed during the Breach. Such notice shall also include the following information: (i)
a brief description of what happened, including the date of the Breach and the date of the
discovery of the Breach, if known; (ii) a description of the types of Unsecured Protected
Health Information that were involved in the Breach (such as whether full name, social
security number, date of birth, home address, account number, diagnosis, disability code,
or other types of information were involved); (iii) any steps individuals should take to
protect themselves from potential harm resulting from the Breach; (iv) a brief description
of what Business Associate is doing to investigate the Breach, to mitigate harm to
individuals, and to protect against any further breaches; and (v) contact procedures for
obtaining additional information;
(k) At termination of this Agreement, if feasible, return or destroy (at the Covered Entity's
option) all Protected Health Information received from, or created or received by the
Business Associate on behalf of the Covered Entity that the Business Associate still
maintains in any form and retain no copies of such Protected Health Information; or, if
such return or destruction is not feasible, extend the protections of this Agreement to the
Protected Health Information and limit further uses and disclosures to those purposes that
make the return or destruction of the Protected Health Information infeasible; and
(l) To the extent the Business Associate is to carry out one or more of Covered Entity's
obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply
with the requirements of Subpart E that apply to the Covered Entity in the performance of
such obligation(s).
IV. OBLIGATIONS OF COVERED ENTITY
(a) The Covered Entity shall notify the Business Associate of any limitation(s) in the
Covered Entity's notice of privacy practices in accordance with 45 CFR 164.520, to the
extent that such limitation may affect the Business Associate's use or disclosure of
Protected Health Information.
(b) The Covered Entity shall notify the Business Associate of any changes in, or revocation
of, permission by an individual to use or disclose Protected Health Information, to the
extent that such changes may affect the Business Associate's use or disclosure of
Protected Health Information.
(c) The Covered Entity shall notify the Business Associate of any restriction to the use or
disclosure of Protected Health Information that the Covered Entity has agreed to in
accordance with 45 CFR 164.522, to the extent that such restriction may affect the
Business Associate's use or disclosure of Protected Health Information.
(d) The Covered Entity shall not request the Business Associate to use or disclose Protected
Health Information in any manner that would not be permissible under HIPAA if done by
the Covered Entity. Notwithstanding the foregoing language, the Business Associate
may use or disclose Protected Health Information for Data Aggregation Services to the
Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B) or the management and
administrative activities of the Business Associate in accordance with this Agreement.
V. AMENDMENT
This Agreement may be amended only in writing and only by the mutual consent of the parties.
Notwithstanding the foregoing, this Agreement shall automatically be amended to the extent
minimally necessary to comply with any changes to HIPAA, including any changes as a result of
HITECH.
VI. TERM AND TERMINATION
This Agreement shall become effective as of the date that both parties have signed this
Agreement. This Agreement shall remain in effect until the earlier of: (i) the date the parties
mutually agree in writing to terminate this Agreement, or (ii) the date the Underlying Agreement
is terminated. No separate notice shall be required to terminate this Agreement upon termination
of the Underlying Agreement.
Notwithstanding anything in the Underlying Agreement to the contrary, if either party
determines that the other party has violated a material provision of this Agreement, the
non-breaching party may terminate this Agreement upon written notice to the breaching party and
after an opportunity of thirty (30) days to cure the material breach.
VII. RELATIONSHIP TO UNDERLYING AGREEMENT
It is the intent of the parties that the terms of this Agreement be interpreted so as to cause the
Underlying Agreement to comply with the privacy and security requirements of HIPAA and the
requirements of HITECH. Accordingly, this Agreement shall amend the Underlying Agreement
to the extent provided herein regardless of whether this Agreement formally satisfies the
requirements of the Underlying Agreement for amendment of the Underlying Agreement. To the
extent any provisions of this Agreement conflict with the terms of the Underlying Agreement,
this Agreement shall govern.
VIII. MISCELLANEOUS
(a) Assignment. This Agreement may not be assigned by either party without the prior
written consent of the other party; provided, however, that Business Associate may assign
its rights and obligations under this Agreement to a successor-in-interest (due to a
merger, sale, etc.) without the written consent of the Covered Entity. This Agreement
shall be binding upon and inure to the benefit of the successors and permitted assigns
hereof.
(b) Further Assurances. Each party will cooperate with the other and execute and deliver
to the other party such other instruments and documents and take such other actions as
may be reasonably requested from time to time by the other party to carry out, evidence
and confirm the intended purposes of this Agreement.
(c) Survival. Notwithstanding any contrary provision in this Agreement, the provisions of
this Agreement shall continue in force beyond the term of this Agreement to the extent
necessary or appropriate to give such provisions their intended effect, unless and until the
parties specifically agree in writing to the contrary.
(d) Waiver. The rights and remedies of the parties are cumulative and not alternative.
Neither the failure nor any delay on the part of any party in exercising any right, power,
or privilege under this Agreement shall operate as a waiver thereof, nor shall any single
or partial exercise of any such right, power or privilege preclude any other or further
exercise thereof or exercise of any other right, power or privilege.
(e) Governing Law. This Agreement shall be governed by the laws of the jurisdiction
provided in the Underlying Agreement. If the Underlying Agreement does not specify
such a jurisdiction, this Agreement shall be governed by the laws of the State of Indiana.
The parties agree to submit to the jurisdiction of the courts within the State of Indiana.
(f) Force Majeure. Neither party shall be liable or deemed to be in default for any delay or
failure in performance under this Agreement or other interruption of services deemed
resulting, directly or indirectly, from acts of God, civil or military authority, acts of
public enemy, war, accidents, fires, explosions, earthquakes, floods, or strikes, or similar
cause beyond the reasonable control of either party.
(g) Relationship of Parties. None of the provisions of this Agreement is intended to create
nor shall be deemed or construed to create any relationship between the parties hereto
other than that of independent entities contracting with each other hereunder solely for
the purpose of effecting the provisions of this Agreement.
(h) No Third Party Beneficiaries. Nothing herein is intended to give, nor shall have the
effect of giving, any enforceable rights to any third parties who are not parties hereto or
successors or permitted assigns of the parties hereto, whether such claims are asserted as
third party beneficiary rights or otherwise.
(i) Counterparts. This Agreement may be executed in one or more counterparts each of
which shall be deemed to be an original and all of which together shall constitute one and
the same instrument.
(j) Notice. Notices required under this Agreement shall be sent by regular mail to the
address of each party set forth below or such other address as that party may designate in
a notice properly delivered to the other parties.
(k) Entire Agreement. This Agreement constitutes the entire understanding and agreement
between the parties concerning the subject matter of this Agreement, and supersedes all
prior negotiations, agreements, and understandings between the parties, whether oral or in
writing, concerning its subject matter.
[The remainder of this page is left blank intentionally — signatures appear on next page]
IN WITNESS WHEREOF, the Covered Entity and the Business Associate, each by their duly
authorized representatives, have caused this Agreement to be executed and delivered as of the
last date written below.
Covered Entity:
Signature:
Address:
City, State, Zip:
Date:
Business Associate Name: TKSoftware, Inc.
Signature: [illegible]
Name and Title:
Address: 11495 Pennsylvania St., Suite 220
Carmel, IN 46032
Date:
Approved and Adopted this [illegible] day of [illegible], 20[illegible]
CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety
BY:
James Brainard, Presiding Officer
Date:
Mary Ann Burke, Member
Date: [illegible]
Lori S. Watson, Member
Date:
Diana Cordray, IMCA, Clerk Treasurer
Date: