Backup Documents 09/13/2016 Item #16E4

ORIGINAL DOCUMENTS CHECKLIST & ROUTING SLIP
TO ACCOMPANY ALL ORIGINAL DOCUMENTS SENT TO THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE

Print on pink paper. Attach to original document. The completed routing slip and original documents are to be forwarded to the County Attorney Office at the time the item is placed on the agenda. All completed routing slips and original documents must be received in the County Attorney Office no later than Monday preceding the Board meeting.

**NEW** ROUTING SLIP

Complete routing lines #1 through #2 as appropriate for additional signatures, dates, and/or information needed. If the document is already complete with the exception of the Chairman's signature, draw a line through routing lines #1 through #2, complete the checklist, and forward to the County Attorney Office.

Route to Addressee(s) (List in routing order) / Office / Initials / Date
1.
2.
3. County Attorney Office / County Attorney Office
4. BCC Office / Board of County Commissioners
5. Minutes and Records / Clerk of Court's Office

PRIMARY CONTACT INFORMATION

Normally the primary contact is the person who created/prepared the Executive Summary. Primary contact information is needed in the event one of the addressees above, may need to contact staff for additional or missing information.

Name of Primary Staff Contact/Department: Tabatha Butcher, EMS Operations
Phone Number: 252-3740
Agenda Date Item was Approved by the BCC: 9/13/16
Agenda Item Number: 16.E.4
Type of Document Attached: Combined HIPAA Privacy Agreement
Number of Original Documents Attached: One (1)
PO number or account number if document is to be recorded: n/a

INSTRUCTIONS & CHECKLIST

Initial the Yes column or mark "N/A" in the Not Applicable column, whichever is appropriate. [Columns: Yes (Initial) / N/A (Not Applicable)]

1. Does the document require the chairman's original signature?
2. Does the document need to be sent to another agency for additional signatures? If yes, provide the Contact Information (Name; Agency; Address; Phone) on an attached sheet. Initialed: CMG
3. Original document has been signed/initialed for legal sufficiency. (All documents to be signed by the Chairman, with the exception of most letters, must be reviewed and signed by the Office of the County Attorney.) Initialed: CMG
4. All handwritten strike-through and revisions have been initialed by the County Attorney's Office and all other parties except the BCC Chairman and the Clerk to the Board. Initialed: CMG
5. The Chairman's signature line date has been entered as the date of BCC approval of the document or the final negotiated contract date whichever is applicable. Initialed: CMG
6. "Sign here" tabs are placed on the appropriate pages indicating where the Chairman's signature and initials are required. Initialed: CMG
7. In most cases (some contracts are an exception), the original document and this routing slip should be provided to the County Attorney Office at the time the item is input into SIRE. Some documents are time sensitive and require forwarding to Tallahassee within a certain time frame or the BCC's actions are nullified. Be aware of your deadlines! Initialed: CMG
8. The document was approved by the BCC on 9/13/16 and all changes made during the meeting have been incorporated in the attached document. The County Attorney's Office has reviewed the changes, if applicable. Initialed: CMG
9. Initials of attorney verifying that the attached document is the version approved by the BCC, all changes directed by the BCC have been made, and the document is ready for the Chairman's signature. Initialed: CMG
[04-COA-01030/1291392/111:Forms/County Forms/BCC Forms/Original Documents Routing Slip WWS Original 9.03.04, Revised 1.26.05, Revised 2.24.05; Revised 11/30/12

MEMORANDUM

Date: October 5, 2016
To: Tabatha Butcher, EMS Chief, EMS Operations
From: Ann Jennejohn, Deputy Clerk, Minutes & Records Department
Re: HIPAA Privacy, HIPAA Security Rule, and HITECH Act Compliance and Confidentiality Agreement, required pursuant to terms of the Interlocal Agreement between Collier County and the North Collier Fire Control and Rescue District

Attached for your records is a copy of the agreement referenced above, (Item #16E4) approved by the Board of County Commissioners on September 13, 2016.

The original agreement will be held in the Minutes and Records Department for the Board's Official Record.

If you have any questions, please contact me at 252-8406.

Thank you.

Attachment

COMBINED HIPAA PRIVACY BUSINESS ASSOCIATE, HIPAA SECURITY RULE, HITECH ACT COMPLIANCE AND CONFIDENTIALITY AGREEMENT

THIS AGREEMENT is entered into by and between the North Collier Fire Control and Rescue District, an independent fire control and rescue district operating pursuant to Chapter 2015-191, Laws of Florida, by and through its Board of Fire Commissioners, whose address is 1885 Veterans Park Dr., Naples, Florida 34109 (hereinafter "North Collier"), and Collier County, a political subdivision of the State of Florida, by and through its Board of County Commissioners, whose address is 3299 Tamiami Trail East, Naples, FL 34112 (hereinafter "Collier County"), collectively hereinafter referred to as the "parties."
The parties have entered into this Agreement in compliance with the terms of the Interlocal Agreement dated March 22, 2016 and for the purpose of satisfying the Business Associate contract requirements of the regulations at 45 CFR Section 164.502(e) and 164.504(e), issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Security Rule, codified at 45 C.F.R Part 164, Subparts A and C. (the "Security Rule"), the Health Information Technology For Economic and Clinical Health Act, enacted in Pub. L. No. 111-05 H.R., 111th Cong. (2009), Title XIII (the "HITECH Act"), as well as the confidentiality requirements contained in Section 401.30, Florida Statutes. This Agreement is intended to provide reciprocal obligations between and among the parties as required by law when one party is acting as the Business Associate and the other party is acting as the Covered Entity.

Section 1. Definitions

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in 45 CFR Sections 160.103 and 164.501, and in the HITECH Act, Subtitle D.

(a) "Business Associate" has the same meaning as the term "Business associate" in 45 CFR 160.103 and shall include North Collier when acting as Business Associate of Collier County, and Collier County when acting as Business Associate of North Collier.

(b) "Covered Entity" has the same meaning as the term "Covered entity" in 45 CFR 160.103 and shall include North Collier when acting as Covered Entity and Collier County is its Business Associate, and Collier County when acting as Covered Entity and North Collier is its Business Associate.

(c) "Individual" has the same meaning as the term "individual" in 45 CFR Section 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).

(d) "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and part 164, Subparts A and E.
(e) "Protected Health Information" is defined at 45 CFR Section 160.103 and in the HITECH Act. For purposes of this Agreement, the term refers only to that Protected Health Information received directly or indirectly from, or received or created on behalf of, the Covered Entity.

[04-EMG-01149/1.255599/1] Page 1 of 16

(f) "Secretary" means the Secretary of the U.S. Department of Health and Human Services or designee.

(g) "Security Incident" means any event resulting in computer systems, networks, or data being viewed, manipulated, damaged, destroyed or made inaccessible by an unauthorized activity. See National Institute of Standards and Technology (NIST) Special Publication 800-61, "Computer Security Incident Handling Guide," Revision 2 or subsequent revision for more information.

Section 2. Collier County's Obligations and Activities When Acting as Business Associate and North Collier's Obligations When Acting as Covered Entity

A. Obligations and Activities of Collier County acting as Business Associate Regarding Protected Health Information

(a) Collier County agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D. and E. of this Section 2, or as required by applicable federal or laws of the State of Florida.

(b) Collier County agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

(c) Collier County agrees to mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information by Collier County in violation of the requirements of this Agreement.

(d) Collier County agrees to report to North Collier any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
Collier County will report to North Collier any Security Incident of which Collier County becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon North Collier's request, Collier County will report any incident of which Collier County becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.

(e) Collier County agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Collier County on behalf of North Collier, agrees to the same restrictions and conditions that apply through this Agreement to Collier County with respect to such information.

(f) Collier County agrees to provide access, at the request of North Collier or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to North Collier in order to meet the requirements under 45 CFR Section 164.524.

(g) Collier County agrees to make any amendment(s) to Protected Health Information in a designated record set that the North Collier or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations.
(h) Collier County agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Collier County on behalf of North Collier available to North Collier, or at the request of North Collier, to the Secretary in a time and manner designated by North Collier or the Secretary, for purposes of the Secretary determining North Collier's compliance with the Privacy Rule.

(i) Collier County agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for North Collier to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.

(j) Collier County agrees to provide to North Collier or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations.

(k) Collier County certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. Collier County further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance.

(l) Collier County agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d).

B.
Permitted or Required Uses and Disclosures by Collier County as Business Associate

(a) Collier County acknowledges and agrees that Protected Health Information is confidential under State of Florida laws.

(b) Except as expressly permitted in writing by North Collier, Collier County shall not divulge, disclose, or communicate Protected Health Information or confidential information of North Collier employees to any third party for any purpose not in conformity with this Agreement except in accordance with North Collier policies and procedures and without prior written approval from North Collier.

(c) Except as otherwise limited in this Agreement, Collier County may use Protected Health Information to provide data aggregation services to North Collier as permitted by 45 CFR Section 164.504(e)(2)(i)(B).

(d) Collier County may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).

C. Obligations of North Collier as Covered Entity to Inform Collier County of North Collier's Privacy Practices, and any Authorization or Restrictions

(a) North Collier shall provide Collier County with the notice of privacy practices that North Collier produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice.

(b) North Collier shall provide Collier County with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect Collier County's uses or disclosures of Protected Health Information.

(c) North Collier shall notify Collier County of any restriction to the use or disclosure of Protected Health Information that North Collier has agreed to in accordance with 45 CFR Section 164.522, if such changes affect Collier County's uses or disclosures of Protected Health Information.

D.
Confidentiality under State Law and Computer Use by Collier County as Business Associate

(a) Generally. In addition to the HIPAA privacy requirements, Collier County agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed.

Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to North Collier's computer system, commits an offense in violation of Section 815.04, Florida Statutes.

Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of North Collier, in whatever form, including the copying or verbally relaying of confidential information.

As it relates to computer equipment and systems, Collier County agrees that it will not:

i. Operate or attempt to operate any North Collier computer equipment without specific authorization from the North Collier.

ii. Disclose any portion of North Collier's computerized system or data with unauthorized individuals.

iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control.

Collier County agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for North Collier and that it has an up-to-date anti-virus software and firewall running on its computers.
In the event Collier County's password is disclosed, Collier County will immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222 to report the incident and request a new password. Collier County shall remove any North Collier access software before disposing of any computer.

(b) Receipt of a Subpoena. If Collier County is served with subpoena requiring the production of North Collier's records or information, Collier County shall immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222.

A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following:

i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence.

ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence.

iii. Furnish certain records for examination, by mail or by hand-delivery.

(c) Employees and Agents. Collier County acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. Collier County assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against North Collier, including costs and attorneys' fees, resulting from the breach by Collier County of the confidentiality requirements of this Agreement.

E. Permissible Requests by North Collier as Covered Entity

North Collier shall not request Collier County to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by North Collier.

F. HIPAA Security Rule

(a) Security of Electronic Protected Health Information.
Collier County will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information (as defined in 45 CFR Section 160.103) that Collier County creates, receives, maintains, or transmits on behalf of the North Collier consistent with the Security Rule.

(b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below.

G. HITECH Act Compliance

In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act, the more stringent provision shall apply.

(a) Collier County shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement.

(b) Reporting to North Collier. Collier County will report to the North Collier, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the Collier County is aware. Collier County will report to North Collier, within twenty-four (24) hours of discovery, any Security Incident of which Collier County is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired, or disclosed during such breach.

(c) Reporting to Individuals.
In the case of a breach of Protected Health Information discovered by Collier County, Collier County shall first notify North Collier of the pertinent details of the breach and upon prior approval of North Collier shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. Where there is insufficient, or out-of-date contract information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of North Collier involved or notice in major print of broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by Collier County to require urgency because of possible imminent misuse of unsecured Protected Health Information, Collier County may also provide information to individuals by telephone or other means, as appropriate.

(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by Collier County where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by North Collier, Collier County shall provide notice to prominent media outlets serving Collier County.
(e) Reporting to Secretary of Health and Human Services. Collier County shall cooperate with North Collier to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately. If the breach was with respect to less than five hundred (500) Individuals, Collier County may maintain a log of such breach occurring and annually submit such log to North Collier so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved.

(f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.

(g) Financial Responsibility. Collier County shall be responsible for all costs related to the notices required under this Agreement.

(h) Mitigation. Collier County shall mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information in violation of this Agreement.

Section 3. North Collier's Obligations and Activities When Acting as Business Associate and Collier County's Obligations When Acting as Covered Entity

A. Obligations and Activities of North Collier acting as Business Associate Regarding Protected Health Information

(a) North Collier agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D., and E. of this Section 2, or as required by applicable federal or laws of the State of Florida.

(b) North Collier agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
(c) North Collier agrees to mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information by North Collier in violation of the requirements of this Agreement.

(d) North Collier agrees to report to Collier County any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. North Collier will report to Collier County any Security Incident of which North Collier becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon Collier County's request, North Collier will report any incident of which North Collier becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.

(e) North Collier agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by North Collier on behalf of Collier County, agrees to the same restrictions and conditions that apply through this Agreement to North Collier with respect to such information.

(f) North Collier agrees to provide access, at the request of Collier County or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to Collier County in order to meet the requirements under 45 CFR Section 164.524.
(g) North Collier agrees to make any amendment(s) to Protected Health Information in a designated record set that the Collier County or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations.

(h) North Collier agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by North Collier on behalf of Collier County available to Collier County, or at the request of Collier County, to the Secretary in a time and manner designated by Collier County or the Secretary, for purposes of the Secretary determining Collier County's compliance with the Privacy Rule.

(i) North Collier agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Collier County to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.

(j) North Collier agrees to provide to Collier County or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations.

(k) North Collier certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. North Collier further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance.
(l) North Collier agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d).

B. Permitted or Required Uses and Disclosures by North Collier as Business Associate

(a) North Collier acknowledges and agrees that Protected Health Information is confidential under State of Florida laws.

(b) Except as expressly permitted in writing by Collier County, North Collier shall not divulge, disclose, or communicate Protected Health Information or confidential information of Collier County employees to any third party for any purpose not in conformity with this Agreement except in accordance with Collier County policies and procedures and without prior written approval from Collier County.

(c) Except as otherwise limited in this Agreement, North Collier may use Protected Health Information to provide data aggregation services to Collier County as permitted by 45 CFR Section 164.504(e)(2)(i)(B).

(d) North Collier may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).

C. Obligations of Collier County as Covered Entity to Inform North Collier of Collier County's Privacy Practices, and any Authorization or Restrictions

(a) Collier County shall provide North Collier with the notice of privacy practices that Collier County produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice.

(b) Collier County shall provide North Collier with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect North Collier's uses or disclosures of Protected Health Information.
(c) Collier County shall notify North Collier of any restriction to the use or disclosure of Protected Health Information that Collier County has agreed to in accordance with 45 CFR Section 164.522, if such changes affect North Collier's uses or disclosures of Protected Health Information.

D. Confidentiality under State Law and Computer Use by North Collier as Business Associate

(a) Generally. In addition to the HIPAA privacy requirements, North Collier agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed.

Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to Collier County's computer system, commits an offense in violation of Section 815.04, Florida Statutes.

Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of Collier County, in whatever form, including the copying or verbally relaying of confidential information.

As it relates to computer equipment and systems, North Collier agrees that it will not:

i. Operate or attempt to operate any Collier County computer equipment without specific authorization from the Collier County.

ii. Disclose any portion of Collier County's computerized system or data with unauthorized individuals.

iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control.
North Collier agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for Collier County and that it has an up-to-date anti-virus software and firewall running on its computers. In the event North Collier's password is disclosed, North Collier will immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services, at (239) 252-3740. North Collier shall remove any Collier County access software before disposing of any computer.

(b) Receipt of a Subpoena. If North Collier is served with subpoena requiring the production of Collier County's records or information, North Collier shall immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services at (239) 252-3740.

A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following:

i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence.

ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence.

iii. Furnish certain records for examination, by mail or by hand-delivery.

(c) Employees and Agents. North Collier acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. North Collier assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against Collier County, including costs and attorneys' fees, resulting from the breach by North Collier of the confidentiality requirements of this Agreement.

E.
Permissible Requests by Collier County as Covered Entity Collier County shall not request North Collier to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by Collier County. F. HIPAA Security Rule (a) Security of Electronic Protected Health Information. North Collier will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected health Information (as defined in 45 CFR Section 160.103) that North Collier creates, receives, maintains, or transmits on behalf of the Collier County consistent with the Security Rule. [04-EMG-01149/1255599/1] Page 10 of 16 0 16E4 (b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below. G. HITECH Act Compliance In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act,the more stringent provision shall apply. (a) North Collier shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement. (b) Reporting to Collier County. North Collier will report to Collier County, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the North Collier is aware. North Collier will report to the Collier County, within twenty-four(24)hours of discovery, any Security Incident of which North Collier is aware. A violation of this paragraph shall be a material violation of this Agreement. 
Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired, or disclosed during such breach.

(c) Reporting to Individuals. In the case of a breach of Protected Health Information discovered by North Collier, North Collier shall first notify Collier County of the pertinent details of the breach and upon prior approval of Collier County shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. Where there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of Collier County involved or notice in major print or broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by North Collier to require urgency because of possible imminent misuse of unsecured Protected Health Information, North Collier may also provide information to individuals by telephone or other means, as appropriate.

(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by North Collier where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by Collier County, North Collier shall provide notice to prominent media outlets serving Collier County.

(e) Reporting to Secretary of Health and Human Services. North Collier shall cooperate with Collier County to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately. If the breach was with respect to less than five hundred (500) Individuals, North Collier may maintain a log of such breach occurring and annually submit such log to Collier County so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved.

(f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.

(g) Financial Responsibility. North Collier shall be responsible for all costs related to the notices required under this Agreement.

(h) Mitigation. North Collier shall mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information in violation of this Agreement.

Section 4. Term and Termination

(a) Term. The Term of this Agreement shall begin on the last date set forth on the signature blocks below and shall terminate on March 31, 2017 unless otherwise extended by both parties in writing.

(b) Termination for Cause. Without limiting any other termination rights the parties may have, upon party acting as Covered Entity's knowledge of a material breach by party acting as Business Associate of a provision under this Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If the Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, the Covered Entity shall have the right to immediately terminate the Agreement. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

(c) Return or Destruction of Protected Health Information upon Termination. Within sixty (60) days after termination of the Agreement for any reason, or within such other time period as mutually agreed upon in writing by the parties, party acting as Business Associate shall return to party acting as Covered Entity or destroy all Protected Health Information maintained by Business Associate in any form and shall retain no copies thereof. Business Associate also shall recover, and shall return or destroy within such time period, any Protected Health Information in the possession of its subcontractors or agents. Within fifteen (15) days after termination of the Agreement for any reason, Business Associate shall notify Covered Entity in writing as to whether Business Associate intends to return or destroy such Protected Health Information. If Business Associate elects to destroy such Protected Health Information, it shall certify to Covered Entity in writing when and that such Protected Health Information has been destroyed. If any subcontractors or agents of the Business Associate elect to destroy the Protected Health Information, Business Associate will require such subcontractors or agents to certify to Business Associate and to Covered Entity in writing when such Protected Health Information has been destroyed.
If it is not feasible for Business Associate to return or destroy any of said Protected Health Information, Business Associate shall notify Covered Entity in writing that Business Associate has determined that it is not feasible to return or destroy the Protected Health Information and the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations, and restrictions set forth in this Agreement to Business Associate's use or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. If it's not feasible for Business Associate to obtain, from a subcontractor or agent, any Protected Health Information in the possession of the subcontractor or agent, Business Associate shall provide a written explanation to Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations, and restrictions set forth in this Agreement to the subcontractors' or agents' uses or disclosures of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. Prior to destroying any records hereunder, Business Associate shall obtain written confirmation from the Covered Entity that such actions will not violate the State of Florida's or the Covered Entity's record retention policies.

Section 5. Regulatory References

A reference in this Agreement to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended, and for which compliance is required.

Section 6. Amendment

Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information, Standard Transactions, the security of Health Information, or other aspects of HIPAA-AS or the HITECH Act applicable or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.

Section 7. Survival

Each party agrees that its obligations under this Agreement with regard to Protected Health Information and all other provisions in this Agreement that expressly or customarily survive the termination or expiration of the Agreement shall continue in effect after the Agreement is terminated or expires.

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits party acting as Covered Entity to comply with the Privacy Rule and the confidentiality requirements of the State of Florida, including Section 401.30, Florida Statutes.

Section 9. Disclaimer of Third Party Beneficiaries

This Agreement is solely for the benefit of the parties to this Agreement. No right or cause of action shall accrue upon or by reason hereof inure to or for the benefit of any third party.

Section 10. Governing Law

The laws of the State of Florida shall govern the validity, interpretation, construction and performance of this Agreement to the extent not preempted by the Privacy Rules or other applicable federal law. In the event of a dispute, venue for any suit involving this Agreement shall be in Collier County, Florida if filed in state court and in the Southern District of Florida if filed in federal court.

Section 11. Indemnification and Performance Guarantees

Each party shall indemnify, defend, and save harmless the other and Individuals for any financial loss as a result of claims brought by third parties and which are caused by the failure of party acting as the Business Associate, its officers, directors or agents to comply with the terms of this Agreement. Notwithstanding, nothing in this Agreement shall be interpreted as a waiver of party acting as the Business Associate's sovereign immunity or an extension of its liability beyond the limits established in Section 768.28, Florida Statutes, nor be construed as consent by party acting as the Business Associate to be sued by third parties in any manner arising out of this Agreement.

Section 12. Assignment

Neither party shall assign either its obligations or benefits under this Agreement without the expressed written consent of the other party, which shall be at the sole discretion of such party.

Section 13. Notices

All notices, demands, requests, and other communications hereunder shall be deemed sufficient and properly given, if in writing and delivered to the above addresses, or via facsimile, or sent by certified or registered mail, postage prepaid with return receipt requested, at such addresses; provided, if such notices, demands, requests or other communications are sent by mail, they shall be deemed as given on the third day following such mailing which is not a Saturday, Sunday, or a day on which United States mail is not delivered.
Any party may, by like notice, designate any further or different address to which subsequent notices shall be sent. Any notices hereunder signed on behalf of the notifying party by a duly authorized attorney at law shall be valid and effective to the same extent as if signed on behalf of such party by a duly authorized officer or employee.

Section 14. Waiver

Unless otherwise specifically provided by the terms of this Agreement, no delay or failure to exercise a right resulting from any breach of this Agreement shall impair such right or shall be construed to be a waiver thereof, but such right may be exercised from time to time and as often as may be deemed expedient. Any waiver shall be in writing and signed by the party granting such waiver. If any representation, warranty or covenant contained in this Agreement is breached by any party and thereafter waived by another party, such waiver shall be limited to the particular breach so waived and shall not be deemed to waive, either expressed or impliedly, any other breach under this Agreement.

Section 15. Severability

In the event any provision of this Agreement shall, for any reason, be determined invalid, illegal or unenforceable in any respect the parties hereto shall negotiate in good faith and agree to such amendments, modifications or supplements to this Agreement or such other appropriate actions as shall, to the maximum extent practicable in the light of such determination implement and give effect to the intentions of the parties as reflected herein, and the other provisions of this Agreement, as amended, modified, supplemented or otherwise affected by such action, shall remain in full force and effect.

[SIGNATURE PAGE FOLLOWS]

IN WITNESS WHEREOF, the parties have executed this combined HIPAA Privacy Business Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement, on the date(s) set forth below.
NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT
By:
Print Name and Title
Date:

ATTEST:
DWIGHT E. BROCK, Clerk
By:
Deputy Clerk
Attest as to Chairman's signature only.

BOARD OF COUNTY COMMISSIONERS
COLLIER COUNTY, FLORIDA
By:
DONNA FIALA, CHAIRMAN

Approved as to form and legality:
Jeffrey A. Klatzkow
County Attorney

[04-EMG-01149/1255599/1] Page 16 of 16