Business Associate Agreement aolo- c 7 3�:�
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into between CITY OF
MIAMI BEACH ("Covered Entity") and 1NTERMEDIX CORPORATION, a DELAWARE
CORPORATION, on behalf of itself and its subsidiaries and affiliates ("Business Associate"),
effective as of September 23, 2013, or such earlier date as the Agreement is executed by both parties
(the "Effective Date").
WHEREAS, Covered Entity and Business Associate have entered into, or plan to enter into,
an arrangement pursuant to which Business Associate may provide services for Covered Entity that
require Business Associate to access, create and use Protected'Health Information ("PHI") that is
confidential under state and/or federal law; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and
provide for the security of PHI disclosed by Covered Entity to Business Associate, or collected or
created by Business Associate, in compliance with the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191 ("HIPAA"), and the regulations promulgated there
under, including, without limitation, the regulations codified at 45 CFR Parts 160 and 164 ("HIPAA
Regulations"); the Health Information Technology for Economic and Clinical Health Act, as
incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing
regulations and guidance issued by the Secretary of the Department of Health and Human Services
(the "Secretary") (the "HITECH Act"); and other applicable state and federal laws, all as amended
from time to time, including as amended by the Final Rule issued by the Secretary on January 17,
2013 titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification
Rules under the Health Information Technology for Economic and Clinical Health Act and the
Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules"; and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into an agreement with
Business Associate meeting certain requirements with respect to the Use and Disclosure of PHI,
which are met by this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the
exchange of information pursuant to this Agreement,the parties agree as follows:
1. Definitions.
Capitalized terms used herein without definition shall have the meanings ascribed to
them in the HIPAA Regulations or the HITECH Act, as applicable unless otherwise defined herein.
2. Obligations of Business Associate.
a. Permitted Uses and Disclosures. Business Associate shall only Use or
Disclose PHI for the purposes of(i) performing Business Associate's obligations under Exhibit A of
this Agreement ("Exhibit A'') and as permitted by this Agreement; or (ii) as permitted or Required
By Law; or (iii) as otherwise permitted by this Agreement. Business Associate shall not Use or
further Disclose PHI other than as permitted or required by this Agreement or as Required By Law.
EMS
Further, Business Associate shall not Use or Disclose PHI in any manner that would constitute a
violation of the HIPAA Regulations or the HITECH Act if so used by Covered Entity, except that
Business Associate may Use PHI (i) for the proper management and administration of Business
Associate; and (ii) to carry out the legal responsibilities of Business Associate. Business Associate
may Disclose PHI for the proper management and administration of Business Associate, to carry out
its legal responsibilities or for payment purposes as specified in 45 CFR § 164.506(c)(1) and (3),
including but not limited to Disclosure to a business associate on behalf of a covered entity or health
care provider for payment purposes of such covered entity or health care provider, with the
expectation that such parties will provide reciprocal assistance to Covered Entity, provided that with
respect to any such Disclosure either: (i) the Disclosure is Required By Law; or (ii) for permitted
Disclosures when Required By Law, Business Associate shall obtain a written agreement from the
person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will
not use and further disclose such PHI except as Required By Law and for the purpose(s) for which it
was Disclosed by Business Associate to such person, and that such person will notify Business
Associate of any instances of which it is aware in which the confidentiality of the PHI has been
breached.
b. Appropriate Safeguards. Business Associate shall implement administrative,
physical and technical safeguards that (i) reasonably and appropriately protect the confidentiality,
integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf
of Covered Entity; and (ii) prevent the Use or Disclosure of PHI other than as contemplated by
Exhibit A and this Agreement.
C. Compliance with Security Provisions. Business Associate shall: (i)
implement and maintain administrative safeguards as required by 45 CFR § 164.308, physical
safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 CFR
§ 164.312; (ii) implement and document reasonable and appropriate policies and procedures as
required by 45 CFR § 164.316; and (iii) be in compliance with all requirements of the HITECH Act
related to security and applicable as if Business Associate were a "covered entity," as such term is
defined in HIPAA.
d. Compliance with Privacy Provisions. Business Associate shall only Use and
Disclose PHI in compliance with each applicable requirement of 45 CFR § 164.504(e). Business
Associate shall comply with all requirements of the HITECH Act related to privacy and applicable as
if Business Associate were a "covered entity," as such term is defined in HIPAA. To the extent
Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of
45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to
Covered Entity in the performance of such obligation(s).
e. Duty to Mitigate. Business Associate agrees to mitigate, to the extent
practicable and mandated by law, any harmful effect that is known to Business Associate of a Use or
Disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
f. Encryption. To facilitate Business Associate's compliance with this
Agreement and to assure adequate data security, Covered Entity agrees that all PHI provided or
transmitted to Business Associate pursuant to Exhibit A shall be provided or transmitted in a manner
which renders such PHI unusable, unreadable or indecipherable to unauthorized persons, through the
use of a technology or methodology specified by the Secretary in the guidance issued under section
13402(h)(2) of the HITECH Act. Covered Entity acknowledges that failure to do so could contribute
to or permit a Breach requiring patient notification under the HITECH Act and further agrees that
Business Associate shall have no liability for any Breach caused by such failure.
3. Reporting.
a. Security Incidents and/or Unauthorized Use or Disclosure. Business
Associate shall report to Covered Entity a successful Security Incident or any Use and/or Disclosure
of PHI other than as provided for by this Agreement or permitted by applicable law within a
reasonable time of becoming aware of such Security Incident and/or unauthorized Use or Disclosure
(but not later than ten (10) days thereafter), in accordance with the notice provisions set forth herein.
Business Associate shall take (i) prompt action to cure any such deficiencies as reasonably requested
by Covered Entity, and (ii) any action pertaining to such Security Incident and/or unauthorized Use
or Disclosure required by applicable federal and state laws and regulations. If such successful
Security Incident or unauthorized Use or Disclosure results in a Breach as defined in the HITECH
Act, then Covered Entity shall comply with the requirements of Section 3.b below.
b. Breach of Unsecured PHI. The provisions of this Section 3.b are effective
with respect to the Discovery of a Breach of Unsecured PHI occurring on or after September 23,
2009. With respect to any unauthorized acquisition, access, Use or Disclosure of Covered Entity's
PHI by Business Associate, its agents or subcontractors, Business Associate shall (i) investigate such
unauthorized acquisition, access, Use or Disclosure; (ii) determine whether such unauthorized
acquisition, access, Use or Disclosure constitutes a reportable Breach under the HITECH Act; and
(iii) document and retain its findings under clauses (i) and (ii). If Business Associate Discovers that
a reportable Breach has occurred, Business Associate shall notify Covered Entity of such reportable
Breach in writing within thirty (30) days of the date Business Associate Discovers such Breach.
Business Associate shall be deemed to have discovered a Breach as of the first day that the Breach is
either known to Business Associate or any of its employees, officers or agents, other than the person
who committed the Breach, or by exercising reasonable diligence should have been known to
Business Associate or any of its employees, officers or agents, other than the person who committed
the Breach. To the extent the information is available to Business Associate, Business Associate's
written notice shall include the information required by 45 CFR § 164.410(c). Business Associate
shall promptly supplement the written report with additional information regarding the Breach as it
obtains such information. Business Associate shall cooperate with Covered Entity in meeting
Covered Entity's obligations under the HITECH Act with respect to such Breach.
4. Business Associate's Ate. To the extent that Business Associate uses one or more
subcontractors or agents to provide services under Exhibit A, and such subcontractors or agents
receive or have access to PHI, Business Associate shall sign an agreement with such subcontractors
or agents containing substantially the same provisions as this Agreement.
5. Rights of Individuals.
a. Access to PHI. Within ten (10) days of receipt of a request by Covered
Entity, Business Associate shall make PHI maintained in a Designated Record Set available to
Covered Entity or, as directed by Covered Entity, to an Individual to enable Covered Entity to fulfill
its obligations under 45 CFR § 164.524. Subject to Section 5.b below, (i) in the event that any
Individual requests access to PHI directly from Business Associate in connection with a routine
billing inquiry, Business Associate shall directly respond to such request in compliance with 45 CFR
§ 164.524; and (ii) in the event such request appears to be for a purpose other than a routine billing
inquiry, Business Associate shall forward a copy of such request to Covered Entity and shall fully
cooperate with Covered Entity in responding to such request. In either case, a denial of access to
requested PHI shall not be made without the prior written consent of Covered Entity.
b. Access to Electronic Health Records. If Business Associate is deemed to use
or maintain an Electronic Health Record on behalf of Covered Entity with respect to PHI, then, to the
extent an Individual has the right to request a copy of the PHI maintained in such Electronic Health
Record pursuant to 45 CFR § 164.524 and makes such a request to Business Associate, Business
Associate shall provide such Individual with a copy of the information contained in such Electronic
Health Record in an electronic format and, if the Individual so chooses, transmit such copy directly
to an entity or person designated by the Individual. Business Associate may charge a fee to the
Individual for providing a copy of such information, but such fee may not exceed Business
Associate's labor costs in responding to the request for the copy. The provisions of 45 CFR
§ 164.524, including the exceptions to the requirement to provide a copy of PHI, shall otherwise
apply and Business Associate shall comply therewith as if Business Associate were the "covered
entity," as such term is defined in HIPAA. At Covered Entity's request, Business Associate shall
provide Covered Entity with a copy of an Individual's PHI maintained in an Electronic Health
Record in an electronic format and in a time and manner designated by Covered Entity in order for
Covered Entity to comply with 45 CFR § 164.524, as amended by the HITECH Act.
C. Amendment of PHI. Business Associate agrees to make any amendment(s)to
PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR
§ 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated
by Covered Entity.
d. Accounting Ri hg_ts. This Section 5.d is subject to Section 5.e below. Business
Associate shall make available to Covered Entity, in response to a request from an Individual,
information required for an accounting of disclosures of PHI with respect to the Individual, in
accordance with 45 CFR § 164.528, incorporating exceptions to such accounting designated under
such regulation. Such accounting is limited to disclosures that were made in the six (6) years prior to
the request and shall not include any disclosures that were made prior to the compliance date of the
HIPAA Regulations. Business Associate shall provide such information as is necessary to provide an
accounting within ten (10) days of Covered Entity's request. Such accounting must be provided
without cost to the Individual or to Covered Entity if it is the first accounting requested by an
Individual within any twelve (12) month period; however, a reasonable, cost-based fee may be
charged for subsequent accountings if Business Associate informs Covered Entity and Covered
Entity informs the Individual in advance of the fee, and the Individual is afforded an opportunity to
withdraw or modify the request. Such accounting obligations shall survive termination of this
Agreement and shall continue as long as Business Associate maintains PHI.
e. Accounting of Disclosures of Electronic Health Records. The provisions of
this Section 5.e shall be effective on the date specified in the HITECH Act. If Business Associate is
deemed to use or maintain an Electronic Health Record on behalf of Covered Entity, then, in addition
to complying with the requirements set forth in Section 5.d above, Business Associate shall maintain
an accounting of any Disclosures made through such Electronic Health Record for Treatment,
Payment and Health Care Operations, as applicable. Such accounting shall comply with the
requirements of the HITECH Act. Upon request by Covered Entity, Business Associate shall
provide such accounting to Covered Entity in the time and manner specified by Covered Entity and
in compliance with the HITECH Act. Alternatively, if Covered Entity responds to an Individual's
request for an accounting of Disclosures made through an Electronic Health Record by providing the
requesting Individual with a list of all business associates acting on behalf of Covered Entity, then
Business Associate shall provide such accounting directly to the requesting Individual in the time and
manner specified by the HITECH Act.
f. Agreement to Restrict Disclosure. If Covered Entity is required to comply
with a restriction on the Disclosure of PHI pursuant to Section 13405 of the HITECH Act, then
Covered Entity shall, to the extent necessary to comply with such restriction, provide written notice
to Business Associate of the name of the Individual requesting the restriction and the PHI affected
thereby. Business Associate shall, upon receipt of such notification, not Disclose the identified PHI
to any health plan for the purposes of carrying out Payment or Health Care Operations, except as
otherwise required by law. Covered Entity shall also notify Business Associate of any other
restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45
CFR § 164.522.
6. Remuneration and Marketing.
a. Remuneration for PHI. This Section 6.a shall be effective with respect to
exchanges of PHI occurring six (6) months after the date of the promulgation of final regulations
implementing the provisions of Section 13405(d) of the HITECH Act. On and after such date,
Business Associate agrees that it shall not, directly or indirectly, receive remuneration in exchange
for any PHI of Covered Entity except as otherwise permitted by the HITECH Act.
b. Limitations on Use of PHI for Marketing Purposes. Business Associate shall
not Use or Disclose PHI for the purpose of making a communication about a product or service that
encourages recipients of the communication to purchase or use the product or service, unless such
communication: (1) complies with the requirements of subparagraph (i), (ii) or (iii) of paragraph (1)
of the definition of marketing contained in 45 CFR § 164.501, and (2) complies with the
requirements of subparagraphs (A), (B) or (C) of Section 13406(a)(2) of the HITECH Act, and
implementing regulations or guidance that may be issued or amended from time to time. Covered
Entity agrees to assist Business Associate in determining if the foregoing requirements are met with
respect to any such marketing communication.
7.; Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for
purposes of determining Covered Entity's compliance with the HIPAA Regulations and the HITECH
Act. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity of
all requests served upon Business Associate for information or documentation by or on behalf of the
Secretary. Business Associate shall provide to Covered Entity a copy of any PHI that Business
Associate provides to the Secretary concurrently with providing such PHI to the Secretary.
8. Minimum Necessary. To the extent required by the HITECH Act, Business
Associate shall limit its Use, Disclosure or request of PHI to the Limited Data Set or, if needed, to
the minimum necessary to accomplish the intended Use, Disclosure or request, respectively.
Effective on the date the Secretary issues guidance on what constitutes "minimum necessary" for
purposes of the HIPAA Regulations, Business Associate shall limit its Use, Disclosure or request of
PHI to only the minimum necessary as set forth in such guidance.
9. State Privacy Laws. Business Associate shall comply with state laws to extent that
such state privacy laws are not preempted by HIPAA or the HITECH Act.
10. Termination.
a. Breach by Business Associate. if Covered Entity knows of a pattern of
activity or practice of Business Associate that constitutes a material breach or violation of Business
Associate's obligations under this Agreement, then Covered Entity shall promptly notify Business
Associate. With respect to such breach or violation, Business Associate shall take reasonable steps to
cure such breach or end such violation, if possible. If such steps are either not possible or are
unsuccessful, upon written notice to Business Associate, Covered Entity may terminate its
relationship with Business Associate.
b. Breach by Covered Entity. If Business Associate knows of a pattern of
activity or practice of Covered Entity that constitutes a material breach or violation of Covered
Entity's obligations under this Agreement, then Business Associate shall promptly notify Covered
Entity. With respect to such breach or violation, Covered Entity shall take reasonable steps to cure
such breach or end such violation, if possible. If such steps are either not possible or are
unsuccessful, upon written notice to Covered Entity, Business Entity may terminate its relationship
with Covered Entity.
C. Effect of Termination. Upon termination of this Agreement for any reason,
Business Associate shall either return or destroy all PHI, as requested by Covered Entity, that
Business Associate or its agents or subcontractors still maintain in any form, and shall retain no
copies of such PHI. If Covered Entity requests that Business Associate return PHI, such PHI shall be
returned in a mutually agreed upon format and timeframe. If Business Associate reasonably
determines that return or destruction is not feasible, Business Associate shall continue to extend the
protections of this Agreement to such PHI, and limit further uses and disclosures of such PHI to
those purposes that make the return or destruction of such PHI not feasible. If Business Associate is
asked to destroy the PHI, Business Associate shall destroy PHI in a manner that renders the PHI
unusable, unreadable or indecipherable to unauthorized persons as specified in the HITECH Act.
11. Amendment. The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this Agreement may be required to
ensure compliance with such developments. The parties specifically agree to take such action as is
necessary to implement any new or modified standards or requirements of HIPAA, the HIPAA
Regulations, the HITECH Act and other applicable laws relating to the security or confidentiality of
PHI. Upon the request of Covered Entity, Business Associate agrees to promptly enter into
negotiation concerning the terms of an amendment to this Agreement incorporating any such
changes.
12. No Third Party Beneficiaries. Nothing express or implied in this Agreement is
intended to confer, nor shall anything herein confer, upon any person other than Covered Entity,
Business Associate and their respective successors or assigns, any rights, remedies, obligations or
liabilities whatsoever.
13. Effect on Underlying Arrangement. In the event of any conflict between this
Agreement and any underlying arrangement between Covered Entity and Business Associate, the
terms of this Agreement shall control.
14. Survival. The provisions of this Agreement shall survive the termination or
expiration of any underlying arrangement between Covered Entity and Business Associate.
15. Interpretation. This Agreement shall be interpreted as broadly as necessary to
implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties
agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and
is consistent with such laws.
16. Governing Law. This Agreement shall be construed in accordance with the laws of
the State of Florida.
17. Notices. All notices required or permitted under this Agreement shall be in writing
and sent to the other party as directed below or as otherwise directed by either party, from time to
time, by written notice to the other. All such notices shall be deemed validly given upon receipt of
such notice by certified mail, postage prepaid, facsimile transmission, e-mail or personal or courier
delivery:
If to Covered Entity: City of Miami Beach
2300 Pine Tree Dr
Miami Beach, FL 33139
Attn: Fire Rescue Division Chief
Telephone no:
Facsimile no:
If to Business Associate: Intermedix Corporation
6451 N. Federal Highway, Suite 1000
Ft. Lauderdale, FI 33308
Attn: Gregg Bloom, Chief Compliance Officer
Telephone no: 954-308-8702
Facsimile no: 954-308-8725
IN WITNESS WHEREOF, the parties hereto have duly executed this as of the Effective
Date.
COVERED ENTITY INTERMEDIX CORPORATION, a
DELAWARE CORPORATION, on behalf of
itself and and affiliates
By: By:
Name: iNt Ma/{Ic1 Name: Gre to m
Title: Title: Chie Compliance Officer
Date: o Date: April 24, 2013
APPROVED AS TO
C `� F-9 - - - - FORM & GUAGE
�Q. C� Fr) X CUTION
2a
INC. *PRATE � R 5 ,LO
�/ ATTES ttorn Date
CH 2
EXHIBIT A
The following services to be performed by Business Associate require Business Associate to
access, create and use PHI on behalf of Covered Entity in accordance with the Agreement:
> Prepare and submit initial claims and bills for Covered Entity promptly upon receipt thereof,
and prepare and submit secondary claims and bills promptly after identification of the need to
submit a secondary claim.
➢ Assist Covered Entity in identifying necessary documentation in order to process and bill the
accounts.
> Direct payments to a lockbox or bank account designated by Covered Entity, to which
Covered Entity alone will have signature authority.
> Pursue appeals of denials, partial denials and rejections when deemed appropriate by
Business Associate.
> Respond to and follow up with payors and respond to messages or inquiries from a payor.
> Provide appropriate storage and data back-up for records pertaining to Covered Entity's bills
and collections, accessible to Covered Entity at reasonable times.
> Maintain records of services performed and financial transactions.
> Meet, as needed, with representatives of Covered Entity to discuss results, problems and
recommendations.
> Provide any Covered Entity-designated collection agency with the data necessary for
collection services to be performed when an account is referred to such agency.
➢ Support the provider in filing and maintaining required documentation and agreements with
commonly-used payors (e.g., Medicare, Medicaid, Champus, etc.).
> Provide reasonably necessary training periodically, as requested by Covered Entity, to
Covered Entity's emergency medical personnel regarding the gathering of the necessary
information and proper completion of run reports.
> Utilize up-to-date knowledge and information with regard to coding requirements and
standards, to comply with applicable federal, state and local regulations.
> Provide a designated liaison for Covered Entity, patient and other payor concerns.
➢ Provide a toll free telephone number for patients and other payors to be answered as
designated by Covered Entity.
➢ Facilitate proper security of confidential information and proper shredding of disposed
materials containing such information.
➢ Establish arrangements with hospitals to obtain/verify patient insurance and contact
information.
➢ Respond to any Covered Entity, payor or patient inquiry or questions promptly.
➢ Maintain appropriate accounting procedures for reconciling deposits, receivables, billings,
patient accounts, adjustments and'refunds.
➢ Provide reasonable access to Covered Entity for requested information in order for Covered
Entity to perform appropriate and periodic audits.
➢ Provide timely reports facilitating required aspects of monitoring, evaluating, auditing and
managing the services provided.
➢ Process refund requests and provide Covered Entity with documentation substantiating each
refund requested.
➢ Assign billing to patient account numbers providing cross-reference to Covered Entity's
assigned transport numbers.
➢ Maintain responsibility for obtaining missing or incomplete insurance information.
➢ Provide accurate coding of medical claims based on information provided by Covered Entity.
➢ Negotiate and arrange modified payment schedules for individuals unable to pay full amount
when billed.
➢ Retain accounts for a minimum of twelve (12) months (unless otherwise specified by mutual
agreement) and after twelve (12) months turn over accounts for which no collection has been
made (unless insurance payment is pending)to an agency designated by Covered Entity.
➢ Permit real-time read only electronic look-up access by Covered Entity to Business
Associate's billing system and SaaS Service, if applicable, to obtain patient data and billing
information.
➢ Maintain records in an electronic format that is readily accessible by Covered Entity's
personnel and that meets federal and state requirements for maintaining patient medical
records.
➢ If Covered Entity has purchased Business Associates TripTix® product, Business Associate
shall provide TripTix® based reporting extract of data required by state or local regulatory
authorities connectivity/interface in a format reasonably required by such authorities.