Business Associat Agreement aolo- c2'7
�� y
BUSINESS ASSOCIATE AGREEMENT
This is a Business Associates Agreement dated *as of January 18, 2011 (the. "Effective Date ") by
and between. The City of Miami Beach, Florida ( "Client "), a municipal corporation and Claim
Technologies Incorporated. ( "CTI "), an Iowa corporation having its principal place of business at
100 Court Avenue, Suite. 306, Des Moines, Iowa, 50309.
ARTICLE I — DEFINITIONS
1.1 Unless otherwise provided in this Business Associates Agreement ( "BAA "), capitalized
terms shall have the same meaning as set forth in the HIPAA regulations, 45 C.F.R. Parts
160 and 164 as amended, if applicable, by the Health Information. Technology for
Economic and Clinical Health ( "HITECH) Act.
ARTICLE II — SCOPE OF USE OF PHI
2.1 All PHI (to include ePHI by reference) disclosed to CTI by Client shall be retained in
confidence by CTI, shall not be disclosed to any third parties other than those authorized
by this BAA, or as permitted or required by law, - without prior written permission of
Client, and shall not be used by CTI for any purpose except as necessary to perform CTI
Services. CTI acknowledges that the PHI provided by Client may :also be protected by
law and that public disclosure could be a violation of law potentially resulting in fines
and other penalties against CTI and Client. CTI shall treat all PHI in accordance with
HIPAA, applicable provisions of the HITECH Act and any .applicable state .laws and
regulations, as such state laws and regulations have been communicated in writing by
Client to CTI. CTI may use PHI received from the Client for the purpose of meeting its
obligations under its contract for claims auditing services ( "Contract ").
2.2 CTI agrees that it shall (a) , protect and safeguard from any unauthorized oral or written
use or disclosure ofall PHI regardless of the type of media on which it is stored (e.g.,
paper, fiche, etc.), with which it may come into contact; (b) implement and maintain
appropriate policies and procedures to protect and safeguard the PHI; and (c) use
_appropriate safeguards to prevent use or disclosure of PHI other than the minimum
amount necessary as permitted by this BAA or as permitted by applicable law.
2.3 Except as otherwise limited in this BAA, CTI may disclose PHI for the. proper
management and administration of the PHI, provided that CTI obtains reasonable
assurances from the person to whom the information is disclosed that it shall remain
confidential and used or further disclosed only for the purpose for which it was disclosed
to the person, and the person notifies CTI of any instances of which it is aware in which
the confidentiality of the information has been breached.
2.4 Except as otherwise limited in this BAA, CTI may use PHI to provide Data Aggregation
services to a Covered Entity as permitted by 45 CFR § 164.504 (e)(2)(i)(B).
2.5 CTI may use PHI to report violations of law to the appropriate Federal and State
Authorities, consistent with § 164/5020)(1).
2.6 Upon completion of its performance of CTI Services and the termination of the Contract,
CTI agrees to return to Client all original data provided by the Client, or to destroy such
original data, upon Client's request. CTI shall retain no copies of the PHI except for one
copy that CTI will use solely for archival purposes and to defend its work product,
provided the documents and data remain strictly confidential and subject to this BAA.
2.7 CTI shall not use or include the PHI, nor any extrapolations or normative versions
- thereof, ' in any database or other application or program that CTI publishes or makes
available to a third party or otherwise use PHI received for the purpose of developing
information or statistical compilations for use by third parties or for any � other
commercial exploitation or enterprise without first obtaining Client's specific written
permission, which permission Client may withhold in the exercise of its sole discretion.
2.8 CTI shall not reproduce PHI in any form, except as is required for, use as authorized
herein, without the prior written permission of Client. Each such reproduction shall
include the ownership and confidentiality legends of Client.
2.9 To the extent CTI uses one or more agents, including subcontractors, to provide services
and such subcontractors or agents receive or have access to PHI, CTI agrees that each
such subcontractor or agent shall agree to all of the same restrictions and conditions to
which CTI is bound. Each subcontractor or agent shall sign a Business Associates
Agreement with CTI containing substantially the same provisions as this BAA.
2.10 CTI shall report in writing to Client any unauthorized use or disclosure of PHI promptly
upon discovery.
2.11 CTI shall take appropriate action, including but not limited to, instruction to or agreement
with, its employees, agents and subcontractors, to maintain the confidentiality of the PHI.
ARTICLE III — AMENDMENT OF PHI
3.1 CTI agrees to make any .amendments to PHI in a designated record set that the Client
directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request .of the Client or an
individual.
3.2 CTI shall promptly incorporate all amendments or corrections to PHI when requested by
Client to do so.
ARTICLE IV — AVAILABILITY, AUDITS AND INSPECTIONS
4.1 CTI agrees that it shall (a) make available PHI in a designated record set to the Client in
order to meet the requirements of 45 C.F.R. § 164.524 and (b) make available the
information to Client in order for the Client to provide an accounting of disclosures in
accordance with 45 C.F.R. § 164.528. CTI shall provide such accounting to Client as
soon as possible, but not more than thirty (3.0) days from the date of request by Client.
Each accounting shall provide (i) the date of each disclosure; (ii) the name and address of
the organization or person who received the PHI; (iii) a brief description of the
information disclosed; and (iv) for disclosures other than those made at the request of the
subject, the purpose for which the information was disclosed and a copy of the request or
authorization for disclosure.
4.2 CTI shall make its internal practices, books and records relating to the use and disclosure
of PHI, received from Client, or created or received by CTI on behalf of Client, available
to the Secretary of Health and Human Services, governmental officers and agencies for
purposes of determining compliance with 45 C.F.R. Parts 160 and .164. Any audit
conducted hereunder shall be conducted during CTI's normal business hours; shall not
cause disruption to CTI's other business activities; and shall be circumscribed to the
extent other customers' PHI might be disclosed.
ARTICLE V - TERM /TERMINATION
- 5.1 As for under 45 C.F.R. § 164.504(e)(2)(iii), Client may terminate the Contract,
in whole or in part, in writing if CTI has breached a material term of this BAA and fails
to cure such breach within thirty (30) days of written notification. Alternatively, Client
may choose to; (i) provide CTI with written notice of the existence of an alleged material
breach; and (ii) afford CTI an opportunity to cure said alleged material breach upon
mutually - agreeable terms. Termination shall be in accordance with the terms of the
Contract.
5.2 CTI may terminate its Contract with the Client, if after notice to and consultation with the
Client, CTI determines that the Client has breached a material term of this BAA and.upon
written notice fails to cure the breach with thirty (3 0) days after receipt of such notice.
5.3 In the event of a breach of this BAA by either party, if neither termination nor cure is
feasible, the non - breaching party shall report the violation to the Secretary of Health and
Human Services.
5.4 CTI agrees that,..upon termination of the Contract, for whatever reason, it shall return or
destroy all PHI as directed by Client, if feasible, received from, or created by Client, or
created or . received by CTI on behalf of Client, which CTI maintains in any form, and
retain no copies of such information. This provision . shall apply to PHI in the possession
of agents or subcontractors of CTI. Upon written request from Client, an authorized
representative of CTI shall certify in writing to Client within twenty (20) business days
from the date of termination or expiration of the Contract, that all PHI- has been returned
or disposed of as provided above and that CTI no longer retains such PHI in any form.
5.5. To the extent such return or destruction of PHI is not feasible, CTI shall provide Client
with notice of the conditions and reasons why the return or destruction of the PHI is not
feasible and shall extend the precautions of this BAA to the PHI and limit further uses
and disclosures to those purposes-that make the return or destruction of the information
infeasible. CTI-shall remain bound by the provisions of this BAA even after termination,
until such time as all PHI has been returned or otherwise destroyed as provided in this
Section, and for as long as CTI -maintains such PHI.
5.6 All rights, duties and obligations .established in Section 5.4 of this BAA shall survive
termination or expiration of the Contract for as long as CTI maintains such PHI..
ARTICLE VI - SECURITY
6.1 Security Standards. Effective as of February 17, 2010, CTI shall:
• Implement administrative, physical, and technical safeguards in accordance with the
HITECH Act and annual guidance issued by the Department of Health and Human
Services that reasonably and appropriately protect the confidentiality, integrity-, and
availability of electronic PHI that it creates, receives, maintains, or transmits on
behalf of . Client as required by the Security Rules;
• Ensure that any agent, including a subcontractor, to whom CTI provides such
electronic PHI agrees in writing to implement reasonable and appropriate safeguards
to protect it; and
• Report to Client any security incident of which CTI becomes aware in accordance
with the Security Rules as well as report any breach of this BAA.
• Report to the Client any breach of unsecured PHI in accordance with the terms of the
HITECH Act
ARTICLE VII — MISCELLANEOUS
7.1 CTI agrees to mitigate, to the extent practicable, any harmful effect that is known to CTI
of a use or disclosure of PHI by CTI in violation of the requirements of this BAA.
7.2 The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning
that complies and is consistent with HIPAA, the HITECH Act and implementing
regulations of either Act as applicable.
7.3 All notices and other communications required or permitted pursuant to this BAA shall
be in writing, addressed to the party at the address set forth in the Contract, or to' such
other address as either party may designate from time to time.
7.4 CTI's interest under this BAA may not be transferred or assigned or assumed by any
other person, in whole or in part, without the prior written permission of Client.
7.5 The parties acknowledge that monetary remedies may be inadequate to protect their
rights with respect to PHI and that, in addition to legal remedies otherwise available,
injunctive relief is an appropriate judicial - remedy to protect such rights..
7.6 CTI agrees to reasonably cooperate and participate with Client in its defense of a lawsuit
or administrative action of HIPAA violations or in connection with any litigation against
third parties to protect the PHI, at Client's request and expense.
7.8 The terms of this BAA are not intended, nor should they be construed, to grant any
beneficiary rights to parties other than the Client and . CTI.
7.9 The provisions of this BAA will be deemed severable, and the unenforceability of any
one or more of its provisions will not affect the enforceability of any other provision.. If
any provision is unenforceable, the parties will substitute an enforceable provision that
preserves the original intentions and economic positions of the parties to the maximum
extent legally possible. This BAA is the entire agreement between the parties relating to
its subject matter. Neither party may assign or otherwise transfer this BAA or any of
the rights that it grants, .without the prior written consent of the other party, which
consent will not be unreasonably withheld or delayed. Any purported assignment in
violation of the preceding sentence will be void. This BAA will be binding upon the
parties' respective successors and permitted assigns. No failure or delay by a party in
f
I
exercising any right, power or remedy will operate as a waiver of that right, power or
.remedy, and no waiver will be effective unless it is in writing and signed by the waiving
party.
Each party has caused its authorized representative to execute. this BAA as of the Effective Date.
CTt Claim Audit Technologies. Corp. The City of Miami Beach
dba Claim Technologies Incorporated
By: By: ,W
0 0
;._
bCAM (e • c Name: Name: _--V , Matti Herrera Bower
Title: V Title:
' Mayor
f (k
e
ATTEST
APPROVED AS TO
FORM & LANGUAGE
& FOR EXECUTION
4 orneDate