ESO Solutions/FIRE/HIPAA AcountabilityBUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (`Agreement') dated September 15. 2014 ( "Effective Date "), is entered into by
and between ESO Solutions. Inc. ("Vendor"), a Texas corporation. and Carmel Fire Department ( "Covered Entity"), for the
purpose of setting forth Business Associate Agreement terms between Covered Entity and Vendor. Covered Entity and Vendor
each are referred 10 as a "Party" and collectively as the "Parties." This Agreement shall commence on the Effective Date set
forth above.
WHEREAS. Covered Entity, owns, operates. manages, performs servicts for, otherwise are affiliated with or are
themselves a Covered Entity as defined in the federal regulations at 45 C.F.R. Parts 160 and 164 (the "Privacy Standards')
promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ( "HIPAA ") and the Health Information
Technology for Economic and Clinical Health Act of 2009 ( "HITECIT'):
WHEREAS, pursuant to HIPAA and HITECH, the U.S. Department of health & Human Services ("NHS')
promulgated the Privacy Standards and the security standards at 45 C.F.R. Parts 160 and 164 (the "Seatrity Standards ")
requiring certain individuals and entities subject to the Privacy Standards and/or the Security Standards to protect the privacy and
security of certain individually identifiable health information ( "Protected Health Information" or "PNT'), including electronic
protected health information ("EPHI");
WHEREAS, the Parties wish to comply with Privacy Standards and Security Standards as amended by the HHS
regulations promulgated on January 25, 2013. entitled the "Modifications to the HIPAA Privacy, Security, Enforcement, and
Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic
Information Nondiscrimination Act." as such may be revised or amended by HHS from time to time:
WHEREAS. in connection with Vendor's performance under its agreement(s) or other documented arrangements
between Vendor and Covered Entity, whether in effect as of the Effective Date or which become effective at any time during the
term of this Agreement (collectively "Business Arrangements "). Vendor may provide services for, or on behalf of, Covered
Entity that require Vendor to use. disclose, receive, access, curate, maintain and/or transmit health infomtation that is protected
by state andlor federal law; and
WHEREAS, Vendor and Covered Entity desire that Vendor obtain access to PHI and EPHI in accordance with the
terms specified herein;
NOW THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business
Arrangements. and other good and valuable consideration, the sufficiency and receipt of which are hereby severally
acknowledged. the Parties agree as follows:
Vendor Obligations.
In accordance with this Agreement and the Business Arrangements. Vendor may use, disclose, access, create, maintain,
transmit, and/or receive on behalf of Covered Entity health information that is protected under applicable state and/or federal law,
including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the
meanings set forth in the regulations promulgated by IBIS in accordance with HIPAA and HITECH, including the Privacy
Standards and Security Standards (collectively referred to hereinafter as the "Confidentiality Requirements "). All reference to
PHI herein shall be construed to include EPHI. PHI shall mean only that PHI Vendor uses, discloses, accesses, creates,
maintains, transmits and/or receives for or on behalf of Covered Entity pursuant to the Business Arrangements. The Parties
hereby acknowledge that the definition of PHI includes "Genetic Information" as set forth at 45 C.F.R. *160.103. To the extent
Vendor is to carry out an obligation of Covered Entity under the Confidentiality Requirements, Vendor shall comply with the
provision(s) of the Confidentiality Requirements that would apply to Covered Entity (as applicable) in the performance of such
obligations(s).
2. Use of PHI.
Except as otherwise required by Inv. Vendor shall use PHI in compliance with this Agreement and 45 C.F.R.
§164.504(e). Vendor agrees not to use PHI in a manner that would violate the Confidentiality Requirements if the PHI were used
by Covered Entity in the same manner. Furthermore, Vendor shall use Plil for the purpose of performing services for, or on
behalf of, Covered Entity as such services are defined in the Business Arrangements. In addition, Vendor may use PHI (i) as
necessary for the proper management and administration of Vendor or to carry out its legal responsibilities: provided that such
ESO Solutions. Inc.
BAA v.20140922
Page 1 an
uses are permincd under federal and applicable state law. and (ii) to provide data aggregation services relating to the health pre
operations of the Covered Entity as defined by 45 C.F.R. § 164.501 provided that, Vendor will not identify Covered Entity
without consent. Covered Entity authorizes Vendor to de- identify PH1 it receives from Covered Entity. All de- identification of
PHI must be performed in accordance with the Confidentiality Requirements, specifically 45 C.F.R. § 164.514(b).
3. Disclosure of Plll.
3.1 Subject to any limitations in this Agreement. Vendor may disclose PHI to any third party as necessary to
perform its obligations under the Business Arrangements and as permitted or required by applicable law.
Vendor agrees not to disclose P111 in a manner that would violate the Confidentiality Requirements if the PHI
was disclosed by the Covered Entity in the same manner. Further, Vendor may disclose PH1 for the proper
management and administration of Vendor: provided that: (1) such disclosures are required by law; or (ii)
Vendor. (a) obtains reasonable assurances from any third party to whom the PHI is disclosed that the P111
will be held confidential and used and disclosed only as required by law or for the purpose for which it was
disclosed to third party. and (b) requires the third party to agree to immediately notify Vendor of any
instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided
for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Vendor
shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which it
becomes aware. Such report shall be made within five (5) business days of Vendor becoming aware of such
use or disclosure.
3.2 If Vendor uses or contracts with any agent, including a subcontractor (collectively "Subcontractors) that
uses, discloses, accesses, creates, receives. maintains or transmits PHI on behalf of Vendor, Vendor shall
require all Subcontractors to agree in writing to the same restrictions and conditions that apply to Vendor
under this Agreement. In addition to Vendor's obligations under Section 9, Vendor agrees to mitigate, to the
extent practical and unless otherwise requested by the Covered Entity, any harmful effect that is known to
Vendor and is the result of a use or disclosure of PHI by Vendor or any Subcontractor in violation of this
Agreement. Additionally, Vendor shall ensure that all disclosures of PHI by Vendor and its Subcontractors
comply with the principle of "minimum necessary use and disclosure,' (i.e., in accordance with 45 C.F.R.
§164.502(b), only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed).
4. Individual Rights Retarding Designated Record Sets.
If Vendor maintains a Designated Record Set on behalf of Covered Entity. Vendor shall: (1) provide access to and
permit inspection and copying of PHI by Covered Entity under conditions and limitations required under 45 C.F.R. §I64.524, as
it may be amended from time to lime; and (ii) amend PHI maintained by Vendor as required by Covered Entity. Vendor shall
respond to any request from Covered Entity for access by an individual within ten (10) business days of such request and shall
make any amendment requested by Covered Entity within twenty (20) business days of such request. Any information requested
under this Section 4 shall be provided in a form or format requested. if it is readily producible in such form or format. Vendor
may charge a reasonable fee based upon Vendor's labor costs in responding to a request for electronic information (or a cost-
based fee for the production of nonelectronic media copies). Vendor shall notify Covered Entity within ten (10) business days
of receipt of any request for access or amendment by an individual.
5. Accounting of Disclosures.
Vendor shall make available to Covered Entity within ten (10) business days of a request by Covered Entity the
information required for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 (or such shorter time as may
be required by state or federal law). Such accounting must be provided without cost if it is the first accounting requested within
any twelve (12) month period. For subsequent accountings within the same twelve (12) month period, Vendor may charge a
reasonable fee based upon Vendor's labor costs in responding to a request for electronic information (or a cost -based fee for the
production of nonelectronic media copies) only after Vendor informs Covered Entity and Covered Entity informs the individual
in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting
obligations shall survive termination or expiration of this Agreement and with respect to any disclosure, whether on or before the
termination of this Agreement, shall continue for a minimum of seven (7) years following the date of such disclosure.
6. Withdraw al of Authorization.
If the use or disclosure of P111 under this Agreement is based upon an individual's specific authorization regarding the
use of his or her P111, and: (i) the individual revokes such authorization in writing; (ii) the effective date of such authorization has
ESO Solutions. Inc.
BAA v.20140922
Page 2 of 6
expired; or (iii) the authorization is found to be defective in any manner that renders it invalid for whatever reason, then Vendor
agrees, if it has received notice from Covered Entity of such revocation or invalidity, to cease the use and disclosure of any such
individual's PHI except to the extent Vendor has relied on such use or disclosure. or where an exception under the
Confidentiality Requirements expressly applies.
7. Records and Audit.
Vendor shall make available to HHS or its agents its internal practices, books, and records relating to the compliance of
Vendor and Covered Entity with the Confidentiality Requirements. such internal practices, books and records to be provided in
the time and manner designated by HHS or its agents.
8. Implementation of Security Standards; Notice of Security Incidents.
Vendor will comply with the Security Standards and. by way of example and not limitation, use appropriate safeguards
to prevent the use or disclosure of PIII other than as expressly permined under this Agreement. In accordance with the Security
Standards, Vendor will implement administrative. physical, and technical safeguards that protect the confidentiality, integrity and
availability of the P111 that it uses. discloses, accesses, creates. receives, maintains or transmits. To the extent feasible, Vendor
will use commercially reasonable efforts to ensure that the technology safeguards used by Vendor to secure PHI will render such
P141 unusable. unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such P141.
Vendor will promptly report to Covered Entity any Security Incident of which it becomes aware: provided. however, that
Covered Entity acknowledges and shall be deemed to have received notice from Vendor that there are routine occunences of: (i)
unsuccessful attempts to penetrate computer networks or services maintained by Vendor, and (ii) immaterial incidents such as
"pinging" or "denial of services" attacks. At the request of Covered Entity, Vendor shall identify: the date of the Security
Incident. the scope of the Security Incident, Vendor's response to the Security Incident. and to the extent permitted by law, the
identification of the party responsible for causing the Security Incident if known.
9. Data Breach Notification and Mitigation.
9.1 HIPAA Data Breach Notification and Mitigation. Vendor agrees to implement reasonable systems for the
discovery and prompt reporting of any "breach" of unsecured PHI" as those terms are defined by 45 C.F.R. § 164.402 ( "HIPAA
Breach'). The Parties acknowledge and agree that 45 C.F.R. § §164.404 and 164.410, as describe below in this Section 9.1,
govem the determination of the date of a HIPAA Breach. In the event of any conflict between this Section 9.1 and the
Confidentiality Requirements, the more stringent requirements shall govern. Following the discovery' of a HIPAA Breach,
Vendor will notify Covered Entity immediately and in no event later than five (5) business days after Vendor discovers such
HIPAA Breach unless Vendor is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations.
For purposes of reporting a HIPAA Breach to Covered Entity. the discovery of a HIPAA Breach shall occur as of the first day on
which such HIPAA Breach is known to Vendor or. by exercising reasonable diligence, would have been known to Vendor.
Vendor will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising
reasonable diligence would have been known, to any person (other than the person committing the HIPAA Breach) who is an
employee, officer or other agent of Vendor. No later than ten (10) business days following a HIPAA Breach. Vendor shall
provide Covered Entity with sufficient information to permit Covered Entity to comply with the HIPAA Breach notification
requirements set forth at 45 C.F.R. §164.400 et. seq. This Section 9.1 shall survive the expiration or termination of this
Agreement and shall remain in effect for so long as Vendor maintains PHI.
9.2 Data Breach Notification and Mitigation Under Other Lawg. In addition to the requirements of Section 9.1,
Vendor agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable
information (including, but not limited lo. P141 and referred to hereinafter as' Indvvidaally Identifiable Information") that, if
misused. disclosed, lost or stolen would trigger an obligation under one or more State data breach notification laws (each a "State
Breach') to notify the individuals who are the subject of the information. Vendor agrees that in the event any Individually
Identifiable information is lost, stolen, used or disclosed in violation of one or mom State data breach notification laws, Vendor
shall promptly: (1) notify Covered Entity within five (5) business days of such misuse, disclosure, loss or theft: and (ii) cooperate
and assist Covered Entity with any investigation into any State Breach or alleged State Breach. This Section 9.2 shall survive the
expiration or termination of this Agreement and shall remain in effect for so long as Vendor maintains PHI or Individually
Identifiable Information.
10. Obligations of Covered Entity.
10.1 Notification Requirement. Covered Entity shall notify Vendor of:
ESO Solutions, Inc.
AAA v.20140922
Page 3 of 6
a. Any limitation(s) in Covered Entity's notice of privacy practices in accordance with 45 CFR 164.520 to
the extent that such changes may affect Vendor's use or disclosure of PHI;
b. Any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such
changes may affect Vendor's use or disclosure of PHI; and
c. Any restriction to the use or disclosure if PHI that Covered Entity has agreed to in accordance with 45
CFR 164.521 to the extent that such restriction may affect Vendor's use or disclosure of PHI.
10.2 Permissible Reaucsts. Covered Entity agrees that it will not request Vendor to use or disclose PHI in any
manner that would not be permissible under the Confidentiality Requirements if done by Covered Entity.
II. Terms and Termination.
11.1 Termination. This Agreement shall remain in effect until terminated in accordance with the terns of this
Section 11; provided. however, that termination shall not affect the respective obligations or rights of the Parties arising under
this Agreement prior to the effective date of termination. all of which shall continue in accordance with their terms.
11.2 Termination with Cause. Either Parry may immediately terminate this Agreement if either of the following
events have occurred and are continuing to occur:
a. Vendor or Covered Entity fails to observe or perfonn any material covenant or obligation contained in
this Agreement for ten (10) business days after written notice of such failure has been given; or
b. Vendor or Covered Entity violates any provision of the Confidentiality Requirement or applicable
federal or state privacy law relating to its obligations under this Agreement.
11.3 May Terminate Business Arrangements in Event of for Cause Termination. Termination of this Agreement
for either of the two reasons set forth in Section 11.2 above shall be cause for immediate termination of any Business
Arrangement pursuant to which Vendor uses. discloses, accesses, receives. creates, or transmits PHI for or on behalf of Covered
Entity.
11.4 Termination Upon Conclusion of Business Arrangements. Upon the expiration or termination of all Business
Arrangements. either Covered Entity or Vendor may terminate this Agreement by providing written notice to the other Party.
11.5 Return of PHI Uoon Termination. Upon termination of this Agreement for any reason. Vendor agrees either
to return all PHI or to destroy all Pill received from Covered Entity that is in the possession or control of Vendor or its
Subcontractors. In the case of PHI for which it is not feasible to return or destroy. Vendor shall extend the protection of this
Agreement to such PHI and limit further uses and disclosure of such PHI. Vendor shall comply with other applicable state or
federal law, which may require a specific period of retention. redaction, or other treatment of such PHI. This Section 11.5 shall
survive the expiration or termination of this Agreement and shall remain in effect for so long as Vendor maintains PHI.
12. No Warranty.
PHI IS PROVIDED SOLELY ON AN "AS IS" BASIS. THE PARTIES DISCLAIM ALL OTHER WARRANTIES,
EXPRESS OR IMPLIED. INCLUDING BUT NOT LIMITED TO. IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
13. Ineligible Personq.
Vendor represents and warrants to Covered Entity that its directors, officers, and key employees: (i) are not currently
excluded. debarred, or otherwise ineligible to participate in the federal health care programs as defined in 42 U.S.C. § 1320a-
7b(f) of any state healthcare program (collectively, the "Healthcare Programs'); (ii) have not been convicted of a criminal
offense related to the pmvision of healthcare items or services but have not yet been excluded, debarred, or otherwise declared
ineligible to participate in the Healthcare Programs; and (iii) are not under investigation or otherwise aware of any circumstances
which may result in Vendor being excluded from participation in the Healthcare Programs (collectively, the "Warranty of Non-
exclusion"). Vendor representations and warranties underlying the Warranty of Non - exclusion shall be ongoing during the tens,
ESO Solutions. Inc
BAA v.20140922
Page 4 of 6
and Vendor shall immediately notify Covered Entity of any change in the status of the representations and warranties set forth in
this Section 13. Any breach of this Section 13 shall give Covered Entity the right to terminate this Agreement immediately.
14. Waiver.
No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and
signed by the Party claimed to have waived such provision or breach.
15. Assignment.
Neither Party may assign (whether by operation of law or otherwise) any of its rights any of its obligations under this
Agreement without the prior written consent of the other Party. Notwithstanding the foregoing. a Party shall have the right to
assign its rights and obligations hereunder to any entity that is an affiliate or successor entity, whether by merger, acquisition,
change in control, or other transaction involving the sale of all or substantially all of that Party's assets, without prior approval of
the other Party.
16. Severability.
Any provision of this Agreement that is delemtined to be invalid or unenforceable will be ineffective to the extent of
such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of
such remaining provisions.
17. Equitable Relier.
The Parties understand and acknowledge that any disclosure or misappropriation of any PHI in violation of this
Agreement will cause irreparable harm, the amount of which may be difficult to ascertain, and therefore agree that either Party
shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and
enjoining any such further disclosure or breach and for such other relief deemed appropriate. Such right shall be in addition to
the remedies otherwise available at law or in equity.
18. Nature otAgreement; Independent Contractor.
Nothing in this Agreement shall be construed to create: (i) a partnership, joint venture or other joint business
relationship between the Parties or any of their affiliates; or (ii) a relationship of employer and employee between the Parties.
Vendor is an independent contractor and not an agent of Covered Entity. This Agreement does not express or imply any
commitment to purchase or sell goods or services.
19. Counterparts; Execution.
This Agreement and any amendments hereto may be executed by the Parties individually or in any combination. in one
or more counterparts. each of which shall be an original and all of which shall together constitute one and the same agreement.
Execution and delivery of this Agreement and any amendments by the Parties shall be legally valid and effective through: (i)
executing and delivering the paper copy of the document, (ii) transmitting the executed paper copy of the documents by facsimile
transmission or electronic mail in `portable document format" ( ".pdf') or other electronically scanned format, or (iii) creating,
generating, sending, receiving or storing by electronic means this Agreement and any amendments, the execution of which is
accomplished through use of an electronic process and executed or adopted by a Party with the intent to execute this Agreement
(i.e. "electronic signature" through a process such as DocuSign ®). In making proof of this Agreement, it shall not be necessary
to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is
sought.
20. Entire Agreement.
This Agreement constitutes the complete agreement between Vendor and Covered Entity relating to the matters
specified in this Agreement and supersedes all prior representations or agreements, whether oral or written with respect to such
matters. In the event of any conflict between the temps of this Agreement and Lite terms of the Business Arrangements or any
such later agreement(s), the terms of this Agreement shall control unless the tenns of such Business Arrangements are more strict
with respect to PHI and comply with the Confidentiality Requirements, or the Parties specifically otherwise agree in writing. No
oral modification or waiver of any of the provisions of this Agreement shall be binding on either Party to this Agreement;
provided, however that upon the enactment of any law, regulation. court decision or relevant government publication and/or
interpretive guidance or policy that a Party believes in good faith will adversely impact the use or disclosure of PHI under this
ESO Solutions, Inc.
BAA v 20140922
Page 5 of 6
AgreenenL that Party may amend the Agreement to comply with such law, regulation, court decision or government publication,
guidance or policy by delivering a written amendment to the other Party which shall be effective thirty (30) calendar days after
receipt. No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this
Agreement. This Agreement is for the benefit of and shall be binding upon the Parties, their affiliates and respective successors
and assigns.
21. Notice.
All notices, requests, demands and other communications required or permitted to be given or made under this
Agreement shall be in writing, shall be effective upon receipt or attempted delivery, and shall be sent by (i) personal delivery; (ii)
certified or registered United States mail, return receipt requested; (iii) overnight delivery service with proof of delivery, or (iv)
electronic mail. Notices shall be sent to the addresses below. If no address is listed below. then the Parties agree that sending a
notice to the last known address of said Party is a valid form of notice. No Party to this Agreement shall refuse delivery of any
notice hereunder.
(Please fill in the best way to contact your agency belowl
Vendor.
Covered Entity:
ESO Solutions. Inc.
9020 N. Capital of Texas Highway'
Bldg. 11 -300
Austin. Texas 78759
Attention: Legal
Tel. No: (866) 766-9471
Email: contractsnesosolutions.com
Entity Name:
Address 1:
Address 2:
City/State/Zip:
Attention:
TeL No:
Email:
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.
Vendor (Legal Name):
ESO , ons. Inc.
Covered Entity (Legal Name):
Cannel Fire Department
Sign:
�7
Name: Clr_5% -yd 0t Name:
Title: Preside t tndCEQ C Title:
Date: 1 2- / cj l / ! Date:
ESO Solutions, Inc.
BAA v.20140922
Page 6 of 6
h
Approved and Adopted this 17 day of
CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety
BY:
rr
Ja(tes Brainard Presieing Officer
Date: /
M
Date:
Ann e, mber
Lori S. Waisor, Member
Date:
14-1 14
4 rr
WI Ild
D�rdray, IM Tr asurer
. te: