TK Software Business Associate Agreement/FIRE/BUSINESS ASSOCIATE AGREEMENT
.r°1/tt
This agreement (the "Agreement "), effective as set forth below, is between the covered
entity listed below (the "Covered Entity ") and TKSoftware, Inc. (the "Business Associate ").
I. DEFINITIONS
For purposes of this Agreement, the following terms shall have the following prescribed
meanings.
"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a
manner not permitted under the HIPAA privacy rule which compromises the security or privacy
of the Protected Health Information.
"Data Aggregation Services" means, with respect to Protected Health Information created or
received by the Business Associate, the combining of such Protected Health Information by the
Business Associate with Protected Health Information (as defined in HIPAA) received by the
Business Associate in its capacity as a business associate (as defined in HIPAA) of another
covered entity (as defined in HIPAA), to permit data analyses that relate to the health care
operations of the respective covered entities, including the Covered Entity.
"Electronic Media" means electronic storage material on which data is or may be recorded
electronically, including, for example, devices on computers (hard drives) and any
removable /transportable digital memory medium, such as magnetic tape or disk, optical disk, or
digital memory card, and transmission media used to exchange information already in electronic
storage media. Transmission media include, for example, the Internet (wide - open), extranet or
intranet, leased lines, dial -up lines, private networks, and the physical movement of
removable /transportable electronic storage media. Certain transmissions, including of paper, via
facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic
media if the information being exchanged did not exist in electronic form immediately before the
transmission.
"Electronic Protected Health Information" means Protected Health Information that is (i)
transmitted by Electronic Media, or (ii) maintained in any medium described as Electronic
Media.
"HIPAA" means the security and privacy requirements as reflected in 42 U.S.C. 1320d et.seq.
and such regulations as may be promulgated thereunder from time to time (currently, 45 CFR
164.102 through 164.534).
"HITECH" means the Health Information Technology for Economic and Clinical Health Act of
2009 as reflected in 42 U.S.C. 17921 et. seq. and such regulations as may be promulgated
thereunder from time to time.
"Protected Health Information" means individually identifiable health information created by,
for or on behalf of the Covered Entity that is (i) transmitted by Electronic Media, (ii) maintained
in any medium described as Electronic Media, or (iii) transmitted or maintained in any other
form or medium. "Protected Health Information" does not include individually identifiable
health information (i) in education records covered by the Family Educational Right and Privacy
Act (20 U.S.C. section 1232g(a)(4)(B)(iv)), (ii) in records described at 20 U.S.C. section
1232g(a)(4)(B)(iv), or (iii) regarding a person who has been deceased for more than fifty (50)
years.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system operations in an
information system.
"Underlying Agreement" means the contract or agreement, whether in writing or otherwise,
between the Covered Entity and the Business Associate, pursuant to which the Business
Associate provides services to the Covered Entity of the type that require the parties to enter into
this Agreement pursuant to HIPAA.
"Unsecured Protected Health Information" means Protected Health Information that is not
rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of
a technology or methodology specified by the Secretary of Health and Human Services in the
guidance issued under section 13402(h)(2) of HITECH.
II. PERMITTED AND REQUIRED USES AND DISCLOSURES
OF PROTECTED HEALTH INFORMATION
The Business Associate shall be permitted and required to use Protected Health Information only
as provided in the Underlying Agreement and this Agreement. The Business Associate shall not
use or further disclose Protected Health Information in any manner that: (a) would violate the
terms of this Agreement; or (b) if done by the Covered Entity, would violate HIPAA, except that
(i) the Business Associate may use Protected Health Information for the proper management and
administration of the Business Associate or to carry out the legal responsibilities of the Business
Associate, and (ii) the Business Associate may provide Data Aggregation Services relating to the
health care operations of the Covered Entity. The Business Associate may disclose Protected
Health Information for the purposes described in item (b)(i) of this Section II only if the
disclosure is required by law or the Business Associate obtains reasonable assurances from the
person to whom the information is disclosed that it will be held confidentially and used or further
disclosed only as required by law or for the purpose for which it was disclosed to the person and
that the person will notify the Business Associate of any instance where the confidentiality of the
Protected Health Information has been breached.
III. RESTRICTIONS ON THE USE AND DISCLOSURE
OF PROTECTED HEALTH INFORMATION
Notwithstanding anything in the Underlying Agreement to the contrary, the Business Associate
shall:
(a) Not use or further disclose Protected Health Information other than permitted or required
by this Agreement or required by law;
(b) Use appropriate safeguards to prevent use or disclosure of the Protected Health
Information other than provided for by this Agreement;
-2-
(c) Implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the Electronic
Protected Health Information that it creates, receives, maintains, or transmits on behalf of
the Covered Entity as required by HIPAA and comply with Subpart C of 45 CFR Part
164 with respect to Electronic Protected Health Information, to prevent use or disclosure
of Protected Health Information other than as provided for in this Agreement;
(d) Report to the Covered Entity any use or disclosure of the Protected Health Information
not provided for by this Agreement, or any Security Incident of which it becomes aware;
(e) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any
subcontractors, that create, receive, maintain, or transmit Protected Health Information on
behalf of the Business Associate agree to the same restrictions and conditions that apply
to the Business Associate with respect to such Protected Health Information;
(f) Make available to any individual Protected Health Information about that individual only
to the extent required by, and in accordance with, HIPAA;
(g) Make available an individual's Protected Health Information for amendment by that
individual and incorporate any amendments to that individual's Protected Health
Information to the extent required by, and in accordance with, HIPAA;
(h) Make available Protected Health Information required to provide an accounting of
disclosures of an individual's Protected Health Information to the extent such accounting
is required by, and in accordance with, HIPAA;
(i) Make its internal practices, books and records relating to the use and disclosure of
Protected Health Information received from, or created or received by, the Business
Associate on behalf of the Covered Entity available to the Secretary of Health and
Human Services (or its delegate) for purposes of determining the Covered Entity's
compliance with HIPAA;
(j) Report to Covered Entity any Breach of Unsecured Protected Health Information
discovered by Business Associate. Notice shall be in writing and provided to the Covered
Entity without unreasonable delay, but in no event more than thirty (30) business days
after discovery of such Breach. Such notice will include, to the extent possible, the
identification of each individual whose Protected Health Information has been or is
reasonably believed by Business Associate to have been accessed, acquired, used, or
disclosed during the Breach. Such notice shall also include the following information: (i)
a brief description of what happened, including the date of the Breach and the date of the
discovery of the Breach, if known; (ii) a description of the types of Unsecured Protected
Health Information that were involved in the Breach (such as whether full name, social
security number, date of birth, home address, account number, diagnosis, disability code,
or other types of information were involved); (iii) any steps individuals should take to
protect themselves from potential harm resulting from the Breach; (iv) a brief description
of what Business Associate is doing to investigate the Breach, to mitigate harm to
individuals, and to protect against any further breaches; and (v) contact procedures for
obtaining additional information;
-3-
(k) At termination of this Agreement, if feasible, return or destroy (at the Covered Entity's
option) all Protected Health Information received from, or created or received by the
Business Associate on behalf of the Covered Entity that the Business Associate still
maintains in any form and retain no copies of such Protected Health Information; or, if
such return or destruction is not feasible, extend the protections of this Agreement to the
Protected Health Information and limit further uses and disclosures to those purposes that
make the return or destruction of the Protected Health Information infeasible; and
(1) To the extent the Business Associate is to carry out one or more of Covered Entity's
obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply
with the requirements of Subpart E that apply to the Covered Entity in the performance of
such obligation(s).
IV. OBLIGATIONS OF COVERED ENTITY
(a) The Covered Entity shall notify the Business Associate of any limitation(s) in the
Covered Entity's notice of privacy practices in accordance with 45 CFR 164.520, to the
extent that such limitation may affect the Business Associate's use or disclosure of
Protected Health Information.
(b) The Covered Entity shall notify the Business Associate of any changes in, or revocation
of, permission by an individual to use or disclose Protected Health Information, to the
extent that such changes may affect the Business Associate's use or disclosure of
Protected Health Information.
(c) The Covered Entity shall notify the Business Associate of any restriction to the use or
disclosure of Protected Health Information that the Covered Entity has agreed to in
accordance with 45 CFR 164.522, to the extent that such restriction may affect the
Business Associate's use or disclosure of Protected Health Information.
(d) The Covered Entity shall not request the Business Associate to use or disclose Protected
Health Information in any manner that would not be permissible under HIPAA if done by
the Covered Entity. Notwithstanding the foregoing language, the Business Associate
may use or disclose Protected Health Information for Data Aggregation Services to the
Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B) or the management and
administrative activities of the Business Associate in accordance with this Agreement.
V. AMENDMENT
This Agreement may be amended only in writing and only by the mutual consent of the parties.
Notwithstanding the foregoing, this Agreement shall automatically be amended to the extent
minimally necessary to comply with any changes to HIPAA, including any changes as a result of
HITECH.
VI. TERM AND TERMINATION
This Agreement shall become effective as of the date that both parties have signed this
Agreement. This Agreement shall remain in effect until the earlier of: (i) the date the parties
mutually agree in writing to terminate this Agreement, or (ii) the date the Underlying Agreement
-4-
is terminated. No separate notice shall be required to terminate this Agreement upon termination
of the Underlying Agreement.
Notwithstanding anything in the Underlying Agreement to the contrary, if either party
determines that the other party has violated a material provision of this Agreement, the non -
breaching party may terminate this Agreement upon written notice to the breaching party and
after an opportunity of thirty (30) days to cure the material breach.
VII. RELATIONSHIP TO UNDERLYING AGREEMENT
It is the intent of the parties that the terms of this Agreement be interpreted so as to cause the
Underlying Agreement to comply with the privacy and security requirements of HIPAA and the
requirements of HITECH. Accordingly, this Agreement shall amend the Underlying Agreement
to the extent provided herein regardless of whether this Agreement formally satisfies the
requirements of the Underlying Agreement for amendment of the Underlying Agreement. To the
extent any provisions of this Agreement conflict with the terms of the Underlying Agreement,
this Agreement shall govern.
VIII. MISCELLANEOUS
(a) Assignment. This Agreement may not be assigned by either party without the prior
written consent of the other party; provided, however, that Business Associate may assign
its rights and obligations under this Agreement to a successor -in- interest (due to a
merger, sale, etc.) without the written consent of the Covered Entity. This Agreement
shall be binding upon and inure to the benefit of the successors and permitted assigns
hereof.
(b) Further Assurances. Each party will cooperate with the other and execute and deliver
to the other party such other instruments and documents and take such other actions as
may be reasonably requested from time to time by the other party to carry out, evidence
and confirm the intended purposes of this Agreement.
(c) Survival. Notwithstanding any contrary provision in this Agreement, the provisions of
this Agreement shall continue in force beyond the term of this Agreement to the extent
necessary or appropriate to give such provisions their intended effect, unless and until the
parties specifically agree in writing to the contrary.
(d) Waiver. The rights and remedies of the parties are cumulative and not alternative.
Neither the failure nor any delay on the part of any party in exercising any right, power,
or privilege under this Agreement shall operate as a waiver thereof, nor shall any single
or partial exercise of any such right, power or privilege preclude any other or further
exercise thereof or exercise of any other right, power or privilege.
(e) Governing Law. This Agreement shall be governed by the laws of the jurisdiction
provided in the Underlying Agreement. If the Underlying Agreement does not specify
such a jurisdiction, this Agreement shall be governed by the laws of the State of Indiana.
The parties agree to submit to the jurisdiction of the courts within the State of Indiana.
(f) Force Majeure. Neither party shall be liable or deemed to be in default for any delay or
failure in performance under this Agreement or other interruption of services deemed
resulting, directly or indirectly, from acts of God, civil or military authority, acts of
public enemy, war, accidents, fires, explosions, earthquakes, floods, or strikes, or similar
cause beyond the reasonably control of either party.
(g)
Relationship of Parties. None of the provisions of this Agreement is intended to create
nor shall be deemed or construed to create any relationship between the parties hereto
other than that of independent entities contracting with each other hereunder solely for
the purpose of effecting the provisions of this Agreement.
(h) No Third Party Beneficiaries. Nothing herein is intended to give, nor shall have the
effect of giving, any enforceable rights to any third parties who are not parties hereto or
successors or permitted assigns of the parties hereto, whether such claims are asserted as
third party beneficiary rights or otherwise.
Counterparts. This Agreement may be executed in one or more counterparts each of
which shall be deemed to be an original and all of which together shall constitute one and
the same instrument.
Notice. Notices required under this Agreement shall be sent by regular mail to the
address of each party set forth below or such other address as that party may designate in
a notice properly delivered to the other parties.
Entire Agreement. This Agreement constitutes the entire understanding and agreement
between the parties concerning the subject matter of this Agreement, and supersedes all
prior negotiations, agreements, and understandings between the parties, whether oral or in
writing, concerning its subject matter.
[The remainder of this page is left blank intentionally — signatures appear on next page]
IN WITNESS WHEREOF, the Covered Entity and the Business Associate, each by their duly
authorized representatives, have caused this Agreement to be executed and delivered as of the
last date written below.
Signature
Covered Entity:
Address:
City, State, Zip:
Date
TKSoftware, Inc.
aRli/ 474r/e-ef
Na e and Title
Business Associate Name:
Address:
Date
TKSoftware, Inc.
11495 Pennsylvania St., Suite 220
Carmel, IN 46032
Approved and Adopted this 14-111 day of f'vaU. f� 1
CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety
BY�lam/
Jaixies Brainard, Presiding Officer
No r Pri2LS2
Mary Ann Bur -ke, Membe
, 20 lc
u7�i1 cif
Date: a ` 5 / 5-
Lori S. Watson ber
Date:
Date:
• i� ` 7it Date:
iana Cordray, IMCA, Clerk Tr:. urer
-7-