IU Health/CFD/ Business Associate Agreement 2025

All Business Associate Agreements must be reviewed and approved by the IU Health Privacy Office. Do not edit this document without permission of the Privacy Office or the Chief Privacy Officer. To contact the Privacy Office, please call 317-963-1940 or email HIPAA@iuhealth.org.

IU Health ACE ver 8.2021

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BAA”), by and between Carmel Fire Department (“Business Associate”), of The City of Carmel, and Indiana University Health, Inc. and its then current participants under common ownership or control that have been designated as an Affiliated Covered Entity (individually and collectively referred to herein “Covered Entity”), of Fairbanks Hall, Suite 6100, 340 West 10th Street, Indianapolis, Indiana 46202, is made and effective as of January 13, 2025.

RECITALS

WHEREAS, Business Associate and Covered Entity have entered into, and may in the future enter into, one or more agreements, that requires access, creation, receipt, maintenance and/or transmission of PHI (individually and collectively referred to herein “Service Agreement”); and

WHEREAS, Business Associate agrees to provide certain services (“Services”) for or on behalf of Covered Entity in accordance with the parties’ Service Agreement; and

WHEREAS, in connection with those Services, Covered Entity plans to disclose to Business Associate certain Protected Health Information (“PHI” – used to refer specifically to data controlled or owned by Covered Entity), including electronic PHI or ePHI, (as defined in 45 C.F.R. § 160.103) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”, 45 C.F.R. Parts 160 and 162 and Part 164, Subparts A and E); and 45 C.F.R.
Parts 160 and 162 and Part 164, Subparts A and C, the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”); Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005 (“ARRA”); and 45 C.F.R. Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule - all together, as amended from time to time, herein referred to as the "Privacy and Security Rules"; and

WHEREAS, Covered Entity and Business Associate acknowledge that each has obligations in its respective role as Covered Entity and Business Associate under the Privacy and Security Rules, as well as regulations promulgated thereunder; and

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI accessed by or disclosed to Business Associate pursuant to their Service Agreement in compliance with this BAA and the Privacy and Security Rules; and

WHEREAS, the purpose of this BAA is to satisfy certain standards and requirements of the Privacy and Security Rules, including the requirement of an appropriate agreement between Covered Entity and Business Associate that meets the applicable requirements of the Privacy and Security Rules.

NOW THEREFORE, in consideration of the mutual promises and covenants, herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

By Benjamin J Legge at 8:35 am, Jan 15, 2025

Docusign Envelope ID: 239618E8-F7E6-4969-8BC1-06C7CCFB0F74

1. Definitions.

Capitalized terms used in this BAA and not otherwise defined herein shall have the same meanings set forth in the Privacy and Security Rules which definitions are incorporated in this BAA by this reference. For the purposes of this BAA, the definition of “Covered Entity” shall include those participants under common ownership or control of Indiana University Health, Inc. (“IU Health”) that have been designated as a single Affiliated Covered Entity pursuant to the Privacy Rule, 45 C.F.R. §164.105(b). The IU Health Privacy Office maintains a list of the participant members of the IU Health Affiliated Covered Entity, which are deemed incorporated herein by reference as “Covered Entity” the same as if copied at length, which may include, but not be limited to, those listed online at https://iuhealth.org/patient-family-support/privacy-policy. Business Associate may request a copy of the IU Health Affiliated Covered Entity participant list at any time by contacting the Privacy Office via phone: 317-963-1940, e-mail: HIPAA@iuhealth.org or mail at the address set forth in Section 5. below.

2. Permitted Uses and Disclosures by Business Associate.

a. Performance of Services. Minimum Necessary. Except as otherwise limited in this BAA, Business Associate may only use or disclose PHI to perform the Services set forth in the Service Agreement, as permitted or required by this BAA, or as Required by Law. Business Associate agrees to limit its uses, disclosures and requests for PHI to the minimum amount necessary to perform its obligations.

b. Proper Management and Administration.
Except as otherwise limited in this BAA, Business Associate may use or disclose PHI as necessary for Business Associate’s proper management and administration or to fulfill its legal responsibilities, provided that: (1) the disclosures are Required by Law, or (2) Business Associate obtains reasonable assurances from the third party to whom the PHI is disclosed in the form of a written agreement with terms similar to and consistent with this BAA that the PHI will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party, and the third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

c. Data Aggregation. Except as the parties might otherwise agree in writing, Business Associate shall only provide data aggregation services on Covered Entity’s behalf if specifically directed to do so in writing.

d. De-Identified Information. Business Associate may create, use and disclose de-identified information if required for purposes of providing Services or as agreed in the Service Agreement. Other than these uses, Business Associate shall not use Covered Entity’s de-identified information for its own purposes, except on a case by case basis with Covered Entity’s separate prior written agreement for a proposed use. De-identification must comply with 45 C.F.R. § 164.502(d), and any such de-identified information must meet the standard and implementation specifications for de-identification under 45 C.F.R. § 164.514(a) and (b), or as they may be amended from time to time.

3. Prohibition on Certain Uses and Disclosures and Compliance with Transaction Standards.

a. As Permitted in this BAA. Business Associate shall not use or disclose Covered Entity’s PHI other than as permitted or required by this BAA or as Required by Law.
This BAA does not authorize the Business Associate to request, use, disclose, maintain or transmit PHI in any manner that violates the Privacy and Security Rules if done by Covered Entity.

b. Electronic Transactions. Business Associate hereby represents and warrants that to the extent it is transmitting any HIPAA Transactions for Covered Entity, the format and structure of such transmissions shall be in compliance with the Standards for Electronic Transactions under 45 C.F.R. § 164.501 provided that it is Covered Entity’s responsibility to ensure that appropriate Code Sets are used in the coding of services and supplies.

4. Safeguards, Subcontractors, Training and Enforcement.

a. Safeguards. In accordance with Subpart C of 45 C.F.R. Part 164, Business Associate shall implement and use appropriate and industry best practice technical, administrative and physical safeguards to prevent unauthorized use or disclosure of Covered Entity’s PHI.

Agents/Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), before disclosing any PHI received from Covered Entity or created on behalf of Covered Entity, Business Associate will enter into a written agreement with any agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate, and the terms of such agreement shall be at least as stringent as the restrictions and conditions with respect to the use, protection and disclosure of such PHI that apply to Business Associate pursuant to this BAA.
Business Associate will ensure that any agents and subcontractors to whom it provides PHI agree to implement reasonable and appropriate safeguards to protect such information.

b. Training. Business Associate shall provide all of its employees and members of its workforce who will have access to PHI with general HIPAA-related training and education prior to allowing the employees and members of its workforce access to PHI.

c. Audit, Inspection and Enforcement. Business Associate agrees that upon reasonable notice of at least ten (10) business days, Covered Entity may audit Business Associate’s security and privacy policies and procedures, including its security safeguards, to ensure the appropriate protections are in place for Covered Entity’s data. Such audit by Covered Entity may be performed by Covered Entity or a third party of Covered Entity’s choosing at Covered Entity’s sole cost and expense. If the audit reveals any deficiencies, Business Associate shall promptly address.

5. Obligation of Business Associate.

a. Access to Information. Within ten (10) business days of request from Covered Entity, Business Associate shall make available PHI in a Designated Record Set, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524, including providing or sending a copy to a designated third party and providing or sending a copy in electronic format, to the extent that the PHI in Business Associate’s possession constitutes a Designated Record Set. Business Associate will not respond directly to an Individual’s request for access to their PHI held in the Business Associate’s Designated Record Set. Business Associate will direct the Individual to the Covered Entity so that Covered Entity can coordinate and prepare a timely response to the Individual.

b. Amendment of PHI. Within ten (10) business days of request from Covered Entity, Business Associate shall make any amendment(s) to PHI in a Designated Record Set, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526. Business Associate will not respond directly to an Individual’s request for an amendment of his PHI held in the Business Associate’s Designated Record Set. Business Associate will direct the Individual to the Covered Entity so that Covered Entity can coordinate and prepare a timely response to the Individual.

c. Accounting of Disclosures. Business Associate agrees to document all disclosures of PHI which would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528 and the HITECH Act. Within ten (10) business days of notice by Covered Entity to Business Associate that Covered Entity has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity information to permit Covered Entity to respond to the request. Business Associate will not respond directly to an Individual’s request for an accounting of disclosures and will direct Individual to Covered Entity. Business Associate will direct the Individual to the Covered Entity so that Covered Entity can coordinate and prepare a timely accounting for the Individual.

d. Remuneration. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii).

e. U.S. Department of Health and Human Services.
Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity's compliance with the Privacy and Security Rules. Unless the Secretary directs otherwise or it is otherwise prohibited by law, Business Associate shall promptly notify Covered Entity of Business Associate’s receipt of such request, so that Covered Entity can assist in compliance with that request.

f. Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order or other discovery request or official mandate for release of PHI, Business Associate shall notify Covered Entity in writing prior to responding to such request to enable Covered Entity to object. Business Associate shall notify Covered Entity of the request as soon as reasonably practicable, but in any event, within two (2) business days of receipt of such request.

g. Reporting. Time is of the essence. Business Associate shall immediately notify, no later than two (2) business days from Discovery of a potential event affecting Covered Entity’s data, the designated Chief Privacy Officer of the Covered Entity of: (1) any use or disclosure of PHI by Business Associate not permitted by this BAA; (2) any Security Incident; (3) any Breach of Unsecured Protected Health Information as defined in the HITECH Act; or (4) any other security breach of an electronic system, or the like, as such may be defined under applicable state law, including but not limited to Indiana Code 24-4.9. For purposes of this BAA, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Covered Entity requires prompt notification from Business Associate if Business Associate experiences any Security Incident that compromises the confidentiality, integrity or availability of Covered Entity’s data or information systems. This section serves as notice of any unsuccessful Security Incident which includes, but is not limited to: pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, and does not result in unauthorized access, use or disclosure of PHI.

h. Breach. Within two (2) business days of Discovery of a reportable Security Incident as described above or Breach of Unsecured PHI, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within ten (10) business days of Discovery shall provide to Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:

1) the date of the Breach;
2) the date of the Discovery of the Breach;
3) a description of the types of PHI that were involved;
4) identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
5) any other details necessary to complete a risk assessment in accordance with the HITECH Act.
Reporting and other communications made to the Covered Entity under this section must be made to the Covered Entity’s Chief Privacy Officer at:

Indiana University Health
ATTN: Privacy Office
340 W. 10th Street
Fairbanks Hall - Suite #3100
Indianapolis, IN 46202
Phone: 317-963-1940
Email: HIPAA@iuhealth.org

Business Associate shall cooperate with Covered Entity in investigating a Breach and in meeting Covered Entity’s obligations under the HITECH Act, and any other security breach notification laws or regulatory obligations. The parties shall review the circumstances surrounding each reportable Breach and determine whether Covered Entity or Business Associate will send or cause notifications to be sent directly to affected Individuals; provided, however, Business Associate shall remain responsible for the mandatory reporting of a Breach for which Business Associate is responsible to the Office of Civil Rights. All breach notifications will comply with the requirements of 45 C.F.R. § 164.404, and in the event Business Associate is providing the breach notification to affected Individuals, Business Associate will provide Covered Entity with an advance copy of the proposed letter for review and comment.

i. Incident Costs. To the extent a Breach of Unsecured PHI was proximately caused by Business Associate for which HIPAA requires notice to be provided to individuals pursuant to 45 C.F.R.
§§ 164.404 and 164.406, Business Associate shall be responsible for all costs associated with the incident, including but not limited to: (i) costs to print and mail the notification letters to affected individuals; (ii) media notification costs to the extent such media notification is required by applicable law; (iii) costs for Business Associate to set up a call center if Business Associate reasonably determines that such is necessary to handle inquiries; and (iv) credit monitoring costs if reasonably necessary to mitigate harm for affected individuals. Covered Entity may, but shall not be obligated to, perform Business Associate’s obligations required by this section; and whenever Covered Entity so elects, all costs and expenses thereby incurred by Covered Entity shall be paid by Business Associate to Covered Entity within thirty (30) days of receipt of an invoice for same from Covered Entity.

j. Mitigation. Business Associate will cooperate with Covered Entity’s efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate not provided for in the Service Agreement or this BAA or that is not in accordance with HIPAA and the HITECH Act or other applicable law.

k. Notice of Privacy Practices. Business Associate will abide by the limitations of any Notice of Privacy Practices (“Notice”) published by Covered Entity of which Covered Entity provides notice to Business Associate in accordance with the Covered Entity Obligations section of this BAA.
The Notice is available on-line at https://iuhealth.org/patient-family-support/privacy-policy.

l. Security Requirements. Business Associate shall comply and shall cause its workforce to comply (to the extent applicable to individuals) with the terms and conditions set forth in Covered Entity’s information security requirements available on-line at https://iuhealth.org/about-our-system/vendor-relations, subject to change from time to time by Covered Entity, with the then current version deemed incorporated herein by reference the same as if copied at length (“Security Requirements”). Business Associate shall promptly, fully and accurately complete Covered Entity’s Information Technology Risk Assessment (ITRA) and other documents or requests for information regarding Business Associate’s information security practices.

m. Additional Requirements for Part 2 Records. To the extent Business Associate is a “Qualified Service Organization” as defined under 42 CFR §2.11 rendering services to a Part 2 “Program” as defined under 42 CFR §2.11 (i.e. providing substance use disorder treatment) within a division of Covered Entity, then Business Associate agrees to the following: (i) in receiving, storing, processing or otherwise dealing with any PHI from the Part 2 Program within Covered Entity, Business Associate is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2; and (ii) if necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to PHI from the Part 2 Program except as expressly permitted in 42 CFR Part 2.

6. Obligations of Covered Entity.

a. Notification of Changes Regarding Individual Permission. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
Covered Entity will provide such notice to Business Associate who shall implement the change no later than fifteen (15) business days after such notice. Covered Entity will obtain any consent or authorization that may be required by the Privacy or Security Rules, or applicable state law, prior to furnishing Business Associate with PHI. If the use or disclosure of PHI in this BAA is based upon an Individual’s specific authorization for the use of his PHI, and the Individual revokes such authorization in writing, or the effective date of such authorization has expired, or authorization is found to be defective in any manner that renders it invalid, Business Associate agrees, upon receipt of notice from Covered Entity of such revocation or invalidity, to cease the use and disclosure of any such Individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under the Privacy and Security Rules expressly applies.

b. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity will notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 or 42 U.S.C. § 17935(a), to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
If Business Associate reasonably believes that any restriction agreed to by Covered Entity pursuant to this Section may materially impair Business Associate’s ability to perform its obligations under the Service Agreement or this BAA, the parties will mutually agree upon any necessary modification of Business Associate’s obligations under such agreements.

7. Insurance and Indemnification.

a. Insurance. Business Associate represents and warrants that during the term of the Service Agreement, it shall maintain commercially reasonable and sufficient insurance to adequately underwrite the potential risks associated with the Services, including but not limited to regulatory or administrative investigations or fines and maintaining appropriate cybersecurity insurance coverage for privacy and security risks. Upon request, Business Associate shall provide evidence of the aforesaid insurance coverage to Covered Entity.

b. Indemnification. The indemnification provisions set forth in the parties’ Service Agreement are incorporated herein by reference such that Business Associate will indemnify and hold Covered Entity harmless for any use or disclosure of PHI by Business Associate that violates the Privacy and Security Rules or other breach of this BAA.

8. Term and Termination.

a. Term. The term of this BAA shall be coterminous with that of the Service Agreement and shall terminate at the expiration or termination of that Agreement or when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

b. Termination for Breach. Upon either party’s knowledge of a material breach by the other party of this BAA, the non-breaching party will provide written notice to the breaching party detailing the nature of the breach and provide an opportunity for the breach to be cured within thirty (30) business days.
Upon expiration of such thirty (30) day cure period, the non-breaching party may terminate this BAA and, at its election, the Service Agreement or other underlying agreement if cure has not been affected or is not possible.

c. Effect of Termination. Upon termination of the Service Agreement or this BAA, for any reason, Business Associate shall return or destroy (as directed by Covered Entity) all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate maintains in any form. Business Associate shall retain no copies of the PHI unless otherwise specifically agreed in writing by the parties. Business Associate shall also be responsible for ensuring the return or destruction of PHI in the possession of Business Associate’s subcontractors or agents in accordance with this Section. Business Associate shall certify in writing to Covered Entity the proper and timely return or destruction of PHI within ten (10) days of the termination of this BAA. If it is not feasible to return or destroy such PHI upon termination of this BAA, then Business Associate shall:

i. so inform Covered Entity, and Business Associate shall extend the protections of this BAA to the PHI and limit any further uses and disclosures;
ii. retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out Business Associates’ legal responsibilities;
iii. continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R.
Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
iv. not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out above which applied prior to termination; and
v. when it becomes feasible, return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

The terms and conditions of this section shall survive the expiration or termination of the Service Agreement.

9. Miscellaneous Provisions.

a. Notices. Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given to a party or a party's authorized representative identified in the Service Agreement in accordance with the Agreement’s notice provision or, if no such provision exists, within three days of having sent the mail via certified USPS mail or via e-mail with electronic return-receipt received.

b. Privacy and Security Responsible Individuals. Business Associate shall provide to Covered Entity the contact information for primary individuals responsible for privacy and security compliance for Business Associate’s organization.

c. Amendments. This BAA may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the parties hereto. The parties acknowledge that the Privacy and Security Rules and the HITECH Act may be modified from time to time. In the event of any such change, both parties agree to immediately enter into good faith negotiations to amend this BAA, through a written document signed by the parties, to conform to any new or revised legislation, rules and regulations to which the parties are subject.

d. Interpretation.
Any ambiguity in this BAA shall be interpreted to permit the Covered Entity to comply with the Privacy and Security Rules and the HITECH Act.

e. Geographic Prohibitions. Business Associate shall not create, receive, maintain, transmit, store, process, use or disclose PHI outside of the United States without the written consent of Covered Entity.

f. Choice of Law. This BAA and the rights and the obligations of the parties hereunder shall be governed by and construed under the laws of the State of Indiana, agreeing not to apply the conflict of laws principles.

g. Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the parties hereto. Neither party may assign any of its rights or delegate any of its obligations under this BAA without the prior written consent of the other party, which consent shall not be unreasonably withheld or delayed.

h. Data Ownership. Unless otherwise specifically set forth in the Service Agreement, Covered Entity owns or controls, and shall continue to own or control, any and all data and PHI shared with Business Associate in order to allow Business Associate to perform its Services under the Service Agreement.

i. Nature of BAA. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, (ii) any fiduciary duty owed by one party to another party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.

j. No Waiver.
Failure or delay on the part of either party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this BAA may be waived by either party except by a writing signed by an authorized representative of the party making the waiver.

k. Severability. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

l. No Third Party Beneficiaries. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA or imposing any obligations on either party hereto to persons not a party to this BAA.

m. Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this BAA are inserted for convenience only, do not constitute a part of this BAA and shall not affect in any way the meaning or interpretation of this BAA.

n. Independent Contractors / No Agents. Nothing contained in this BAA is intended to be, nor shall be deemed or construed to constitute Covered Entity and Business Associate as partners, joint ventures, co-principals, agents, or associates in connection with the Services and sharing of PHI, and Business Associate shall perform its duties and obligations hereunder as an independent contractor and not as an agent.

o. Entire Agreement. This BAA, together with any attached exhibits, statements of work, riders and amendments constitutes the entire agreement between the parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the parties with respect to the subject matter hereof. In the event of any inconsistency between the provisions of this BAA and the provisions of the Service Agreement, the provisions of this BAA shall control as to the protection, use or disclosure of PHI. In the event of inconsistency between the provisions of this BAA and any mandatory provisions of the Privacy and Security Rules, as amended, or their interpretation by any court or regulatory agency with authority over Business Associate or Covered Entity, such interpretation or rule will control; provided, however, that if any relevant provision of or amendment to the Privacy and Security Rules changes the obligations of Business Associate or Covered Entity that are embodied in the terms of this BAA, then the parties agree to operate in compliance with the amendment, interpretation or provision and to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations. Where provisions of this BAA are different from those mandated in the Privacy and Security Rules but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA will control.

p. Regulatory References. A citation in this BAA to the Code of Federal Regulations or the Privacy and Security Rules shall mean the cited section or rule as it may be amended from time to time.

q. Reciprocal Obligations.
In the event that Covered Entity acts as a “business associate” to Business Associate, then Covered Entity shall provide the same protections as Business Associate hereunder to Business Associate and agrees to be bound by the terms of this BAA the same as Business Associate with respect to such PHI of Business Associate.

r. Authorizations. The individual signing this BAA on behalf of Covered Entity represents and warrants that the participant covered entity members of the IU Health Affiliated Covered Entity have agreed to be bound by the terms of this BAA and that he/she is authorized to execute this BAA. The individual signing this BAA on behalf of the Business Associate represents and warrants that he/she is signing this BAA in his/her official capacity and that he/she is authorized to execute this BAA.

IN WITNESS WHEREOF, the parties have executed this BAA contemporaneously with the effective dates of the Service Agreement.

Carmel Fire Department
The City of Carmel
(Business Associate)
Signed
Printed

IU Health Affiliated Covered Entity
Indiana University Health, Inc.
(Covered Entity)
Signed
Printed
BUSINESS ASSOCIATE LISTING INFORMATION – Complete at BAA Signature:

In order to comply with the OCR request to provide detailed information about business associates, please provide the following information:

Business Associate Privacy Officer:
Name: Andrew Young
Phone: 317-571-2600
E-mail: asyoung@carmel.in.gov
Address: 210 Veterans Way Carmel, IN 46032

Business Associate Security Officer:
Name: Kevin Cusimano
Phone: 317-714-3195
E-mail: kcusimano@carmel.in.gov
Address: 10701 N College Ave, Suite A Carmel, IN 46280

Approved and Adopted this day of , 20 .

CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety

BY:
Laura Campbell, Presiding Officer Date:
James Barlow, Member Date:
Alan Potasnik, Member Date:

ATTEST:
Jacob Quinn, Clerk Date:

1/23/2025 25 1/23/2025 NOT PRESENT January 1/23/2025 22