St. Vincent Carmel Hospital Inc., dba Ascension St Vincent Carmel/CFD/HIPPA Business Associate Agreement

HIPAA Business Associate Agreement

THIS HIPAA BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into effective as of the date of last signature below (the “Effective Date”) by and between St. Vincent Carmel Hospital, Inc. d/b/a Ascension St. Vincent Carmel, (“Business Associate”) and City of Carmel Fire Department on behalf of itself and its affiliates, if any (individually and collectively, the “Covered Entity”).

A. Business Associate may create, receive, maintain or transmit protected health information or electronic protected health information on behalf of Covered Entity in connection with Business Associate’s performance of functions or activities for or on behalf of Covered Entity.

B. Covered Entity and Business Associate acknowledge their respective obligations to protect the privacy and provide for the security of PHI in compliance with the HIPAA as defined below. For purposes of compliance with HIPAA, the parties agree to the terms and conditions set forth in this Agreement.

1. Definitions.

i. HIPAA. The Health Insurance Portability and Accountability Act of 1996, and the regulations related to Privacy, Security, Breach Notification and Enforcement promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”) at 45 CFR Part 160 and Part 164, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Final Omnibus Rule shall collectively be referred to herein as “HIPAA”.

ii. PHI.
Protected health information (“PHI”) is individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium and that is created or received by a covered entity and relates to the provision of health care to an individual or the past, present, or future physical or mental health or condition of any individual, or the past, present or future payment for the provision of health care to an individual.

iii. Security Incident. A “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Notwithstanding anything to the contrary in this Agreement, the parties acknowledge that Security Incident as used herein does not include activities such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.

By Benjamin J Legge at 9:49 am, Mar 26, 2025
Docusign Envelope ID: C3212DD8-A9A8-47F6-8A3A-5BA12F707C77

The terms used herein, unless otherwise defined, shall have the same meanings as those terms are defined under the HIPAA.

2. Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective dates, the parties shall comply with their obligations under this Agreement and with all related obligations under HIPAA and other applicable state and federal laws and regulations, as they exist at the time this Agreement is executed and as they are amended or superseded, for so long as this Agreement is in place.

3. Permitted Use and Disclosure of PHI.
Business Associate may use and disclose PHI as necessary and appropriate to carry out the purposes specified in this Agreement, as reasonably necessary to provide the services contemplated by a services agreement or any other arrangement between the parties (if applicable, “Underlying Agreement”) and for such other purposes as permitted by HIPAA and as required by law. Business Associate may also use PHI to perform data aggregation services relating to Covered Entity’s health care operations and to de-identify any PHI subject to this Agreement as permitted by HIPAA.

4. Management, Administration and Legal Responsibilities. Business Associate may use or disclose PHI received in its capacity as a Business Associate for the proper management and administration of Business Associate, or as necessary to carry out the legal responsibilities of Business Associate if such use or disclosure is required by law, or Business Associate obtains, prior to making any such disclosure, reasonable assurances from the person to whom the information is disclosed: (i) that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) that the Business Associate will be immediately notified of any known breaches of the confidentiality or security of the PHI.

5. Limitations on Use and Disclosure of PHI. Neither party shall request, use or disclose PHI in a manner that is not permitted by this Agreement or would violate Subpart E of 45 CFR 164 (“Privacy Rule”). All uses and disclosures of, and requests by, the parties for PHI are subject to the minimum necessary limitations set forth in HIPAA.

6. Safeguarding PHI.
Business Associate shall use appropriate safeguards and shall comply with Subpart C of 45 CFR Part 164 (“Security Rule”) with respect to electronic PHI, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Underlying Agreement or this Agreement.

7. Reporting to Covered Entity. Business Associate shall report to Covered Entity: (i) any use or disclosure of PHI not provided for by the Underlying Agreement or this Agreement of which it becomes aware; (ii) any breach of unsecured PHI in accordance with Subpart D of 45 CFR 164 (“Breach Notification Rule”); and (iii) any Security Incident of which it becomes aware.

8. Agreements with Third Parties. Business Associate shall enter into an agreement with a subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate. Pursuant to such agreement, the subcontractor shall agree to be bound by substantially the same restrictions, conditions and requirements that apply to Business Associate under this Agreement with respect to such PHI.

9. Access to PHI. To the extent Business Associate maintains information in a Designated Record Set, Business Associate shall make available to Covered Entity such PHI as required by 45 C.F.R. § 164.524.

10. Amendment of PHI. To the extent Business Associate maintains information in a Designated Record Set, Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. § 164.526.

11. Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an individual’s request for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

12. Other Business Associate Obligations.
To the extent that Business Associate is required to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with such requirements that apply to Covered Entity in the performance of such obligations.

13. Covered Entity Obligations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

14. Availability of Books and Records. Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.

15. Termination. In addition to any other rights the parties may have in the Underlying Agreement, this Agreement or by operation of law or in equity, either party may terminate the Underlying Agreement if the other party has violated a material term of this Agreement that is not cured within a reasonable amount of time after written notice has been provided.

16. Effect of Termination. Upon the termination of the Underlying Agreement or this Agreement, Business Associate shall return, de-identify, or destroy the PHI. If such return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to the retained PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.
Business Associate’s obligations under this Section shall survive the termination of this Agreement.

17. Third Party Rights. The terms of this Agreement do not grant any rights to any party other than Business Associate and Covered Entity.

18. Indemnification. Each party shall be legally and financially responsible for the acts and omissions of itself and its employees, directors, officers, representatives and agents and will pay all losses and damages attributable to such acts or omissions for which it is legally liable. This Agreement shall not be construed to create a contractual obligation for one party to indemnify the other party for loss or damage resulting from any act or omission of such other party or its employees, directors, officers, representatives or agents, nor to constitute a waiver by either party of any rights to indemnification, contribution or subrogation that the party may have by operation of law.

19. No Agency. For the purposes of this Agreement, Business Associate is an independent contractor of Covered Entity and nothing in this Agreement shall be construed to create an agency relationship between the parties.

20. Changes in the Law. The parties agree to amend either the Underlying Agreement or this Agreement, as appropriate, to the extent necessary to conform to any new or revised legislation, rules and regulations to which either party is subject now or in the future including, without limitation, HIPAA.

21. Conflicts. If there is a direct conflict between the Underlying Agreement and this Agreement, the terms and conditions of this Agreement shall control.

22. Notice.
Service of all notices under this Agreement shall be sufficient if sent electronically to the other party at their respective e-mail addresses set forth below, or at such address as such Party may provide in writing from time to time:

If to Business Associate: BAACompliance@ascension.org

If to Covered Entity:
Attn: Carmel Fire Department - Division Chief of EMS
Address: 210 Veterans Way
City, State, Zip: Carmel IN 46032

BUSINESS ASSOCIATE:
Signed
Printed
Title
Date

COVERED ENTITY:
Signed
Printed
Title
Date

Chad Dilley
President, ASV Carmel

COVERED ENTITY
CITY OF CARMEL FIRE DEPARTMENT
By and through the Carmel Board of Public Works and Safety

By:
Laura Campbell, Presiding Officer
Date:
James Barlow, Member
Date:
Alan Potasnik, Member
Date:
ATTEST:
Jacob Quinn, City Clerk

4/2/2025 4/2/2025 4/2/2025