MINUTES - 06242003 - C.100
Contra Costa County
TO: BOARD OF SUPERVISORS
FROM: Steven L. Bautista, County Probation Officer
DATE: June 24, 2003
SUBJECT: DELEGATION OF AUTHORITY TO THE COUNTY PROBATION OFFICER OR HIS DESIGNEE TO EXECUTE GROUP HOME HIPAA BUSINESS ASSOCIATE AGREEMENTS
SPECIFIC REQUEST(S) OR RECOMMENDATION(S) & BACKGROUND AND JUSTIFICATION
RECOMMENDATION:
APPROVE and AUTHORIZE the County Probation Officer, or designee, to execute HIPAA Business
Associate Agreements with group homes in which the County places juveniles, subject to County Counsel
approval as to form.
BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing
regulations require that individually identifiable health information ("protected health information" or "PHI") be
safeguarded to protect an individual's privacy. Covered entities (health care providers, health plans and
health care clearinghouses) must ensure that other entities with whom they exchange PHI comply with
certain HIPAA provisions by means of a legally-enforceable agreement, known as a "Business Associate
Agreement."
Presently, upon court order, juveniles may be placed in a group home by the County. Upon such
placement, the County Probation Department and the group home execute an Agency-Group Home
Agreement, which outlines the responsibilities of the County and the group home as to the affected juvenile.
The placement and ongoing supervision of a juvenile in a group home may involve the exchange of PHI
between the group home and the County Probation Department. To the extent that a group home may be a
covered entity under HIPAA, a group home may seek to have the County enter into a Business Associate
Agreement so that PHI may be exchanged between the group home and the County. Such Business
Associate Agreement defines the parties' roles and responsibilities with respect to the use and disclosure of
PHI.
Authorizing the County Probation Officer or his designee to sign Business Associate Agreements on
behalf of the Board allows for reduction in time and cost of processing such Agreements. The County
Probation Officer or his designee would be authorized to execute Business Associate Agreements in the
form of the Agreement attached hereto, or in a form otherwise approved by County Counsel, received from
group homes in which juveniles are placed by the County.
FISCAL IMPACT:
County funds to pay for these services are already included in the Probation Department's budget.
CONTINUED ON ATTACHMENT: YES
SIGNATURE:
RECOMMENDATION OF COUNTY ADMINISTRATOR / RECOMMENDATION OF BOARD COMMITTEE
APPROVE / OTHER
SIGNATURE(S):
ACTION OF BOARD ON JUNE 2003: APPROVE AS RECOMMENDED X OTHER
VOTE OF SUPERVISORS:
X UNANIMOUS (ABSENT V)
AYES: NOES:
ABSENT: ABSTAIN:
DISTRICT III SEAT VACANT
I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON THE DATE SHOWN.
ATTESTED
JOHN EETEN, CLERK OF THE BOARD OF SUPERVISORS AND COUNTY ADMINISTRATOR
BY: DEPUTY
CONTACT: Bill Grunert, 3-4186
CC: Probation Department
County Administrator
Bud De Cesare, Privacy Officer
County Counsel
HIPAA BUSINESS ASSOCIATE ADDENDUM
To the extent, and as long as, required by the Health Insurance Portability and
Accountability Act of 1996 and the regulations promulgated thereunder (hereinafter
referred to as "HIPAA"), this HIPAA Business Associate Addendum ("Addendum")
supplements and is made a part of the Agency-Group Home Agreement(s) to which
the Contra Costa County Probation Department ("Business Associate") and
__________ ("Covered Entity") are parties or to which Business
Associate and Covered Entity become parties during the term of this Addendum, and is
effective as of __________ ("the Addendum Effective Date").
In consideration of the mutual promises below and the exchange of information
pursuant to this Addendum, the parties agree as follows:
1. Definitions: As used in this Addendum, the following terms have the following
meanings:
a. Designated Record Set shall have the same meaning as the term
"designated record set" in 45 CFR § 164.501.
b. Individual shall have the same meaning as the term "individual" in 45
CFR § 164.501 and shall include a person who qualifies as a personal
representative in accordance with 45 CFR § 164.502(g).
c. Privacy Rule shall mean the Standards for Privacy of Individually
Identifiable Health Information in 45 CFR Parts 160 and 164, as in effect
or as amended.
d. Protected Health Information ("PHI") shall have the same meaning as
the term "protected health information" in 45 CFR § 164.501, limited to the
information created or received by Business Associate from or on behalf
of Covered Entity.
e. Required by Law shall have the same meaning as the term "required by
law" in 45 CFR § 164.501.
f. Secretary shall mean the Secretary of the Department of Health and
Human Services or his or her designee.
Terms used, but not otherwise defined, in this Addendum shall have the same
meaning as these terms in the Privacy Rule.
2. Obligations and Activities of Business Associate
a. Business Associate agrees to not use or disclose PHI other than as
permitted or required by this Addendum or as required by Law.
b. Business Associate agrees to use appropriate safeguards to prevent use
or disclosure of PHI other than as provided for by this Addendum.
c. Business Associate agrees to report to Covered Entity any use or
disclosure of PHI not provided for by this Addendum of which it becomes
aware.
d. Business Associate agrees to ensure that any agent, including a
subcontractor, to whom it provides PHI received from, or created or
received by Business Associate on behalf of, Covered Entity agrees to the
same restrictions and conditions that apply throughout this Addendum to
Business Associate with respect to such information.
e. Business Associate agrees to provide access, within ten (10) days of a
request by Covered Entity, to PHI in a Designated Record Set, to Covered
Entity or, as directed by Covered Entity, to an Individual in order to meet
the requirements under 45 CFR § 164.524.
f. Business Associate agrees to make any amendment(s) to PHI in a
Designated Record Set that the Covered Entity directs or agrees to
pursuant to 45 CFR § 164.526 at the request of Covered Entity or an
Individual, within ten (10) days of a request by Covered Entity.
g. Business Associate agrees to make internal practices, books, and
records, including policies and procedures and PHI, relating to the use
and disclosure of PHI received from, or created or received by Business
Associate on behalf of, Covered Entity available to the Covered Entity or
to the Secretary, within ten (10) days of a request by the Covered Entity or
as designated by the Secretary, for purposes of the Secretary determining
Covered Entity's compliance with the Privacy Rule.
h. Business Associate agrees to document such disclosures of PHI and
information related to such disclosures as would be required for Covered
Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR §
164.528.
i. Business Associate agrees to provide to Covered Entity or to an Individual
at Covered Entity's direction, within ten (10) days of a request by Covered
Entity, information collected in accordance with Section 2(h) of this
Addendum, to permit Covered Entity to respond to a request by an
Individual for an accounting of disclosures of PHI in accordance with 45
CFR § 164.528.
3. Permitted Uses and Disclosures by Business Associate
a. Business Associate agrees not to use PHI except for the purposes of
performing Business Associate's obligations under the Agency-Group
Home Agreement(s) to which Business Associate and Covered Entity are parties or
to which they become parties during the term of this Addendum, or as
Required by Law.
b. Business Associate agrees not to disclose PHI in any manner that would
constitute a violation of the Privacy Rule if disclosed by Covered Entity,
except that Business Associate may use or disclose PHI (i) to perform
functions, activities, or services for, or on behalf of, Covered Entity as
specified in any Agency-Group Home Agreement(s) to which Business
Associate and Covered Entity are parties or to which they become parties
during the term of this Addendum, (ii) for the proper management and
administration of Business Associate, (iii) as Required by Law, or (iv) for
Data Aggregation purposes.
c. To the extent that Business Associate discloses PHI to a third party,
Business Associate must obtain, prior to making any such disclosure, (i) reasonable
assurances from such third party that such PHI will be held confidential as
provided by this Addendum and only disclosed as Required by Law or for
the purposes for which it was disclosed to such third party, and (ii) an
agreement from such third party to immediately notify Business Associate
of any breaches of confidentiality of the PHI, to the extent it has obtained
knowledge of such breach.
4. Obligations of Covered Entity
a. Covered Entity shall notify Business Associate of any limitation(s) in
Covered Entity's Notice of Privacy Practices in accordance with 45 CFR §
164.520, to the extent that such information may affect Business
Associate's use or disclosure of PHI.
b. Covered Entity shall notify Business Associate of any changes in, or
revocation of, permission by an Individual to use or disclose PHI, to the
extent that such changes may affect Business Associate's use or
disclosure of PHI.
c. Covered Entity shall notify Business Associate of any restriction on the
use or disclosure of PHI to which Covered Entity has agreed in
accordance with 45 CFR § 164.522, to the extent that such restriction may
affect Business Associate's use or disclosure of PHI.
d. Covered Entity shall not request Business Associate to use or disclose
PHI in any manner that would not be permissible under the Privacy Rule if
done by Covered Entity, except that Business Associate may use or
disclose PHI as permitted in Section 3 of this Addendum.
5. Termination
a. Termination for Cause. Upon Covered Entity's knowledge of a material
breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach
or end the violation and terminate this Addendum and the Agency-
Group Home Agreement to which the breach pertains, if Business
Associate does not cure the breach or end the violation within the
time specified by Covered Entity;
ii. Immediately terminate this Addendum and the Agency-Group
Home Agreement to which the breach pertains if Business
Associate has breached a material term of this Addendum and
cure is not possible; or
iii. If neither termination nor cure are feasible, Covered Entity shall
report the violation to the Secretary.
b. Effect of Termination.
i. Except as provided in paragraph (ii) of this section, upon
termination of this Addendum, for any reason, Business Associate
shall return or destroy all PHI received from Covered Entity, or
created or received by Business Associate on behalf of Covered
Entity. This provision shall apply to PHI that is in the possession of
subcontractors or agents of Business Associate. Business
Associate shall retain no copies of PHI.
ii. In the event that Business Associate determines that returning or
destroying the PHI is infeasible, Business Associate shall provide
to Covered Entity notification of the conditions that make return or
destruction infeasible. If return or destruction of PHI is infeasible,
Business Associate shall extend the protections of this Addendum
to such PHI and limit further uses and disclosures of such PHI to
those purposes that make the return or destruction infeasible, for
so long as the Business Associate maintains such PHI.
6. Miscellaneous
a. Amendment. The parties agree to take such action as is necessary to
amend this Addendum from time to time as is necessary for Covered
Entity to comply with the requirements of the Privacy Rule and HIPAA.
b. Survival. The rights and obligations of Business Associate under Section
5(b) of this Addendum shall survive the termination of this Addendum.
c. Interpretation. Any ambiguity in this Addendum shall be resolved to
permit Covered Entity to comply with the Privacy Rule.
IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum
as of the Addendum Effective Date.
Covered Entity:
By:
Title:
Date:

Business Associate: Contra Costa County Probation Dept.
By:
Title:
Date: