Backup Documents 09/13/2016 Item #16E 4 ORIGINAL DOCUMENTS CHECKLIST & ROUTIIG
ILIf
TO ACCOMPANY ALL ORIGINAL DOCUMENTS 1�(�
THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE
Print on pink paper. Attach to original document. The completed routing slip and original documents are to be forwarded to the County Attorney Office
at the time the item is placed on the agenda. All completed routing slips and original documents must be received in the County Attorney Office no later
than Monday preceding the Board meeting.
**NEW** ROUTING SLIP
Complete routing lines#1 through#2 as appropriate for additional signatures,dates,and/or information needed. If the document is already complete with the
exception of the Chairman's signature,draw a line through routing lines#1 through#2,complete the checklist,and forward to the County Attomey Office.
Route to Addressee(s) (List in routing order) Office Initials Date
1.
2.
3. County Attorney Office County Attorney Office
4. BCC Office Board of County b�
Commissioners \ 4 / `A*\\L
5. Minutes and Records Clerk of Court's Office
PRIMARY CONTACT INFORMATION
Normally the primary contact is the person who cre ted/prepared the Executive Summary. Primary contact information is needed in the event one of the
addressees above,may need to contact staff for additio al or missing information.
Name of Primary Staff Tabatha Butcher, MS Operations Phone Number 252-3740
Contact/Department
Agenda Date Item was 9/13/16 Agenda Item Number 16.E.4
Approved by the BCC
Type of Document Combined HIPAA Privacy Agreement Number of Original One(1)
Attached Documents Attached
PO number or account n/a
number if document is
to be recorded
INSTRUCTIONS & CHECKLIST
Initial the Yes column or mark"N/A"in the Not Applicable column,whichever is Yes N/A(Not
appropriate. (Initial) Applicable)
1. Does the document require the chairman's original signature S� d`� 6QM& E
2. Does the document need to be sent to another agency for additional signatures? If yes, CMG
provide the Contact Information(Name;Agency;Address;Phone)on an attached sheet.
3. Original document has been signed/initialed for legal sufficiency. (All documents to be CMG
signed by the Chairman,with the exception of most letters,must be reviewed and signed
by the Office of the County Attorney.
4. All handwritten strike-through and revisions have been initialed by the County Attorney's CMG
Office and all other parties except the BCC Chairman and the Clerk to the Board
5. The Chairman's signature line date has been entered as the date of BCC approval of the CMG
document or the final negotiated contract date whichever is applicable.
6. "Sign here"tabs are placed on the appropriate pages indicating where the Chairman's CMG
signature and initials are required.
7. In most cases(some contracts are an exception),the original document and this routing slip CMG
should be provided to the County Attorney Office at the time the item is input into SIRE.
Some documents are time sensitive and require forwarding to Tallahassee within a certain
time frame or the BCC's actions are nullified. Be aware of your deadlines!
8. The document was approved by the BCC on 9/13/16 and all changes made during the CMG
meeting have been incorporated in the attached document. The County Attorney's
Office has reviewed the changes,if applicable.
9. Initials of attorney verifying that the attached document is the version approved by t CMG
BCC, all changes directed by the BCC have been made,and the document is ready or the
Chairman's signature.
[04-COA-01030/1291392/111:Forms/County Forms/BCC Forms/Original Documents Routing Slip WWS Original 9.03.04,Revised 1.26.05,Revised 2.24.05;
Revised 11/30/12
1 6 E 4
MEMORANDUM
Date: October 5, 2016
To: Tabatha Butcher, EMS Chief
EMS Operations
From: Ann Jennejohn, Deputy Clerk
Minutes & Records Department
Re: HIPAA Privacy, HIPAA Security Rule, and HITECH Act
Compliance and Confidentiality Agreement, required pursuant
to terms of the Interlocal Agreement between Collier County
and the North Collier Fire Control and Rescue District
Attached for your records is a copy of the agreement referenced above, (Item #16E4)
approved by the Board of County Commissioners on September 13, 2016.
The original agreement will be held in the Minutes and Records Department for the
Board's Official Record.
If you have any questions, please contact me at 252-8406.
Thank you.
Attachment
16E4
COMBINED HIPAA PRIVACY BUSINESS ASSOCIATE,
HIPAA SECURITY RULE,HI 1'ECH
ACT COMPLIANCE AND
CONFIDENTIALITY AGREEMENT
THIS AGREEMENT is entered into by and between the North Collier Fire Control and
Rescue District, an independent fire control and rescue district operating pursuant to Chapter
2015-191, Laws of Florida, by and through its Board of Fire Commissioners, whose address is
1885 Veterans Park Dr.,Naples,Florida 34109(hereinafter"North Collier"),and Collier County,
a political subdivision of the State of Florida,by and through its Board of County Commissioners,
whose address is 3299 Tamiami Trail East, Naples, FL 34112 (hereinafter "Collier County"),
collectively hereinafter referred to as the"parties." The parties have entered into this Agreement
in compliance with the terms of the Interlocal Agreement dated March 22, 2016 and for the
purpose of satisfying the Business Associate contract requirements of the regulations at 45 CFR
Section 164.502(e) and 164.504(e), issued under the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), the Security Rule, codified at 45 C.F.R Part 164,
Subparts A and C. (the"Security Rule"),the Health Information Technology For Economic and
Clinical Health Act, enacted in Pub. L. No. 111-05 H.R., 111th Cong. (2009), Title XIII (the
"HITECH Act"), as well as the confidentiality requirements contained in Section 401.30,Florida
Statutes. This Agreement is intended to provide reciprocal obligations between and among the
parties as required by law when one party is acting as the Business Associate and the other party
is acting as the Covered Entity.
Section 1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those
terms in 45 CFR Sections 160.103 and 164.501, and in the HITECH Act, Subtitle D.
(a) "Business Associate" has the same meaning as the term "Business associate" in 45 CFR
160.103 and shall include North Collier when acting as Business Associate of Collier County,and
Collier County when acting as Business Associate of North Collier.
(b) "Covered Entity"has the same meaning as the term"Covered entity" in 45 CFR 160.103 and
shall include North Collier when acting as Covered Entity and Collier County is its Business
Associate, and Collier County when acting as Covered Entity and North Collier is its Business
Associate.
(c) "Individual" has the same meaning as the term "individual" in 45 CFR Section 164.501 and
shall include a person who qualifies as a personal representative in accordance with 45 CFR
Section 164.502(g).
(d)"Privacy Rule"means the Standards for Privacy of Individually Identifiable Health Information
at 45 CFR Part 160 and part 164, Subparts A and E.
(e) "Protected Health Information"is defined at 45 CFR Section 160.103 and in the HITECH Act.
[04-EMG-01149/1.255599/1] Page 1 of 16
1 6 E4
For purposes of this Agreement,the term refers only to that Protected Health Information received
directly or indirectly from, or received or created on behalf of,the Covered Entity.
(f) "Secretary" means the Secretary of the U.S. Department of Health and Human Services or
designee.
(g) "Security Incident" means any event resulting in computer systems, networks, or data being
viewed, manipulated, damaged, destroyed or made inaccessible by an unauthorized activity. See
National Institute of Standards and Technology (NIST) Special Publication 800-61, "Computer
Security Incident Handling Guide,"Revision 2 or subsequent revision for more information.
Section 2. Collier County's Obligations and Activities When Acting as Business Associate
and North Collier's Obligations When Acting as Covered Entity
A. Obliptions and Activities of Collier County acting as Business Associate Regarding
Protected Health Information
(a) Collier County agrees to not use or further disclose Protected Health Information other than
as permitted or required by Subsections B.,D. and E.of this Section 2,or as required by applicable
federal or laws of the State of Florida.
(b) Collier County agrees to use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
(c) Collier County agrees to mitigate, to the extent practicable, any harmful effect that is
known to Collier County of a use or disclosure of Protected Health Information by Collier County
in violation of the requirements of this Agreement.
(d) Collier County agrees to report to North Collier any use or disclosure of the Protected
Health Information not provided for by this Agreement of which it becomes aware. Collier County
will report to North Collier any Security Incident of which Collier County becomes aware that is
(1) a successful unauthorized access, use or disclosure of any Electronic Protected Health
Information; or (2)a successful major(a) modification or destruction of any Electronic Protected
Health Information or(b) interference with system operations in an information system containing
any Electronic Protected Health Information. Upon North Collier's request, Collier County will
report any incident of which Collier County becomes aware that is a successful minor (a)
modification or destruction of any Electronic Protected Health Information or(b)interference with
system operations in an information system containing any Electronic Protected Health
Information.
(e) Collier County agrees to ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or received by Collier County on
behalf of North Collier, agrees to the same restrictions and conditions that apply through this
Agreement to Collier County with respect to such information.
(f) Collier County agrees to provide access, at the request of North Collier or an Individual,
[04-EMG-01149/1255599/1] Page 2 of 16
C`90d
16E4
and in a prompt and reasonable manner consistent with the HIPAA regulations,to Protected Health
Information in a designated record set,to North Collier in order to meet the requirements under 45
CFR Section 164.524.
(g) Collier County agrees to make any amendment(s) to Protected Health Information in a
designated record set that the North Collier or an Individual directs or agrees to pursuant to 45
CFR Section 164.526,in a prompt and reasonable manner consistent with the HIPAA regulations.
(h) Collier County agrees to make its internal practices,books,and records,including policies
and procedures and Protected Health Information, relating to the use and disclosure of Protected
Health Information received from, or created or received by Collier County on behalf of North
Collier available to North Collier, or at the request of North Collier,to the Secretary in a time and
manner designated by North Collier or the Secretary, for purposes of the Secretary determining
North Collier's compliance with the Privacy Rule.
(i) Collier County agrees to document disclosures of Protected Health Information and
information related to such disclosures as would be required for North Collier to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR Section 164.528.
(j) Collier County agrees to provide to North Collier or an Individual an accounting of
disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a
prompt and reasonable manner consistent with the HIPAA regulations.
(k) Collier County certifies that it is in compliance with all applicable provisions of HIPAA
standards for electronic transactions and code sets, also known as the Electronic Data Interchange
(EDI)Standards,at 45 CFR Part 162;and the Annual Guidance as issued by the Secretary pursuant
to the HITECH Act, Section 13401. Collier County further agrees to ensure that any agent,
including a subcontractor, that conducts standard transactions on its behalf, will comply with the
EDI Standards and the Annual Guidance.
(1) Collier County agrees to determine the minimum necessary type and amount of Protected
Health Information required to perform its services and will comply with 45 CFR Sections
164.502(b) and 514(d).
B. Permitted or Required Uses and Disclosures by Collier County as Business Associate
(a) Collier County acknowledges and agrees that Protected Health Information is confidential
under State of Florida laws.
(b) Except as expressly permitted in writing by North Collier,Collier County shall not divulge,
disclose, or communicate Protected Health Information or confidential information of North
Collier employees to any third party for any purpose not in conformity with this Agreement except
in accordance with North Collier policies and procedures and without prior written approval from
North Collier.
[04-EMG-01149/1255599/1] Page 3 of 16
E4
(c) Except as otherwise limited in this Agreement, Collier County may use Protected Health
Information to provide data aggregation services to North Collier as permitted by 45 CFR Section
164.504(e)(2)(i)(B).
(d) Collier County may use Protected Health Information to report violations of law to
appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j) (1).
C. Obligations of North Collier as Covered Entity to Inform Collier County of
North Collier's Privacy Practices, and any Authorization or Restrictions
(a) North Collier shall provide Collier County with the notice of privacy practices that North
Collier produces in accordance with 45 CFR Section 164.520, as well as any changes to such
notice.
(b) North Collier shall provide Collier County with any changes in, or revocation of,
authorization by Individual or his or her personal representative to use or disclose Protected Health
Information, if such changes affect Collier County's uses or disclosures of Protected Health
Information.
(c) North Collier shall notify Collier County of any restriction to the use or disclosure of
Protected Health Information that North Collier has agreed to in accordance with 45 CFR Section
164.522, if such changes affect Collier County's uses or disclosures of Protected Health
Information.
D. Confidentiality under State Law and Computer Use by Collier County as Business
Associate
(a) Generally. In addition to the HIPAA privacy requirements, Collier County agrees to
observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the
referenced statute provides that records of emergency calls that contain patient examination or
treatment information are confidential and exempt from the provisions of Section 119.07(1),
Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain
unless otherwise statutorily prescribed. Any person who willfully, knowingly, and without
authorization discloses or takes data, programs, or supporting documentation, including those
residing or existing internal and external to North Collier's computer system, commits an offense
in violation of Section 815.04,Florida Statutes.
Confidentiality requirements protect more than unlawful disclosure of documents. The
confidentiality requirements protect the disclosure of all records and information of North Collier,
in whatever form, including the copying or verbally relaying of confidential information.
As it relates to computer equipment and systems, Collier County agrees that it will not:
i. Operate or attempt to operate any North Collier computer equipment without
specific authorization from the North Collier.
ii. Disclose any portion of North Collier's computerized system or data with
unauthorized individuals.
[04-EMG-01149/1255599/1] Page 4 of 16
��o
4-
16E4
iii. Permit any individual to review, examine, or make copies of any report(s) or
document(s) in its care,custody or control.
Collier County agrees that it will access computer systems, equipment and functions only as
required for the performance of its duties and responsibilities for North Collier and that it has an
up-to-date anti-virus software and firewall running on its computers. In the event Collier County's
password is disclosed, Collier County will immediately contact the District's Deputy Chief of
Emergency Medical Services and Training at (239) 597-3222 to report the incident and request a
new password. Collier County shall remove any North Collier access software before disposing
of any computer.
(b) Receipt of a Subpoena. If Collier County is served with subpoena requiring the production
of North Collier's records or information, Collier County shall immediately contact the District's
Deputy Chief of Emergency Medical Services and Training at(239) 597-3222.
A subpoena is an official summons issued by a court or an administrative tribunal,which requires
the recipient to do one or more of the following:
i. Appear at a deposition to give sworn testimony, and may also require that certain
records be brought to be examined as evidence.
ii. Appear at a hearing or trial to give evidence as a witness,and may also require that
certain records be brought to be examined as evidence.
iii. Furnish certain records for examination, by mail or by hand-delivery.
(c) Employees and Agents. Collier County acknowledges that the confidentiality
requirements herein apply to all its employees,agents and representatives. Collier County assumes
responsibility and liability for any damages or claims, including state and federal administrative
proceedings and sanctions, against North Collier, including costs and attorneys' fees, resulting
from the breach by Collier County of the confidentiality requirements of this Agreement.
E. Permissible Requests by North Collier as Covered Entity
North Collier shall not request Collier County to use or disclose Protected Health Information in
any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or
the laws of the State of Florida, if done by North Collier.
F. HIPAA Security Rule
(a) Security of Electronic Protected Health Information. Collier County will develop,
implement, maintain, and use administrative, technical, and physical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of Electronic Protected
Health Information (as defined in 45 CFR Section 160.103)that Collier County creates, receives,
maintains, or transmits on behalf of the North Collier consistent with the Security Rule.
(b) Compliance Date. The parties to this Agreement will comply with this subsection F. by
the last date set forth in the signature blocks below.
[04-EMG-01149/1255599/11 Page 5 of 16
1 6 E
G. HITECH Act Compliance
In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security
Rule and HITECH Act,the more stringent provision shall apply.
(a) Collier County shall make a good faith effort to identify and report any use or disclosure
of Protected Health Information not provided for in this Agreement.
(b) Reporting to North Collier. Collier County will report to the North Collier,within ten(10)
business days of discovery,any use or disclosure of Protected Health Information not provided for
in this Agreement of which the Collier County is aware.Collier County will report to North Collier,
within twenty-four (24) hours of discovery, any Security Incident of which Collier County is
aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice
shall include the identification of each individual whose unsecured Protected Health Information
has been, or is reasonably believed by Collier County to have been, accessed, acquired, or
disclosed during such breach.
(c) Reporting to Individuals. In the case of a breach of Protected Health Information
discovered by Collier County,Collier County shall first notify North Collier of the pertinent details
of the breach and upon prior approval of North Collier shall notify each individual whose
unsecured Protected Health Information has been, or is reasonably believed by Collier County to
have been,accessed,acquired or disclosed as a result of such breach. Such notification shall be in
writing by first-class mail to the Individual (or the next of kin if the individual is deceased)at the
last known address of the individual or next of kin,respectively,or,if specified as a preference by
the individual,by electronic mail. Where there is insufficient, or out-of-date contract information
(including a phone number, email address, or any other form of appropriate communication) that
precludes written (or, if specifically requested, electronic) notification to the individual, a
substitute form of notice shall be provided, including, in the case that there are ten (10) or more
Individuals for which there is insufficient or out-of-date contact information, a conspicuous
posting on the Web site of North Collier involved or notice in major print of broadcast media,
including major media in the geographic areas where the individuals affected by the breach likely
reside. In any case deemed by Collier County to require urgency because of possible imminent
misuse of unsecured Protected Health Information, Collier County may also provide information
to individuals by telephone or other means, as appropriate.
(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by
Collier County where the unsecured Protected Health Information of more than five hundred(500)
persons is reasonably believed to have been, accessed, acquired, or disclosed,after prior approval
by North Collier, Collier County shall provide notice to prominent media.outlets serving Collier
County.
(e) Reporting to Secretary of Health and Human Services. Collier County shall cooperate with
North Collier to provide notice to the Secretary of Health and Human Services of unsecured
Protected Health Information that has been acquired or disclosed in a breach. If the breach was
with respect to five hundred(500)or more Individuals,such notice must be provided immediately.
[04-EMG-01149/1255599/1] Page 6 of 16
1 6 E4
If the breach was with respect to less than five hundred (500) Individuals, Collier County may
maintain a log of such breach occurring and annually submit such log to North Collier so that it
may satisfy its obligation to notify the Secretary of Health and Human Services documenting such
breaches occurring in the year involved.
(f) Content of Notices. All notices required under this Agreement shall include the content
set forth in Section 13402(f),Title XIII of the American Recovery and Reinvestment Act of 2009.
(g) Financial Responsibility. Collier County shall be responsible for all costs related to the
notices required under this Agreement.
(h) Mitigation. Collier County shall mitigate,to the extent practicable, any harmful effect that
is known to Collier County of a use or disclosure of Protected Health Information in violation of
this Agreement.
Section 3. North Collier's Obligations and Activities When Acting as Business Associate
and Collier County's Obligations When Acting as Covered Entity
A. Obligations and Activities of North Collier acting as Business Associate Retarding
Protected Health Information
(a) North Collier agrees to not use or further disclose Protected Health Information other than
as permitted or required by Subsections B.,D.,and E.of this Section 2,or as required by applicable
federal or laws of the State of Florida.
(b) North Collier agrees to use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
(c) North Collier agrees to mitigate,to the extent practicable, any harmful effect that is known
to North Collier of a use or disclosure of Protected Health Information by North Collier in violation
of the requirements of this Agreement.
(d) North Collier agrees to report to Collier County any use or disclosure of the Protected
Health Information not provided for by this Agreement of which it becomes aware. North Collier
will report to Collier County any Security Incident of which North Collier becomes aware that is
(1) a successful unauthorized access, use or disclosure of any Electronic Protected Health
Information; or(2) a successful major (a)modification or destruction of any Electronic Protected
Health Information or(b)interference with system operations in an information system containing
any Electronic Protected Health Information. Upon Collier County's request, North Collier will
report any incident of which North Collier becomes aware that is a successful minor (a)
modification or destruction of any Electronic Protected Health Information or(b)interference with
system operations in an information system containing any Electronic Protected Health
Information.
(e) North Collier agrees to ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or received by North Collier on
behalf of Collier County, agrees to the same restrictions and conditions that apply through this
[04-EMG-01149/1255599/1] Page 7 of 16
16E4
Agreement to North Collier with respect to such information.
(0 North Collier agrees to provide access, at the request of Collier County or an Individual,
and in a prompt and reasonable manner consistent with the HIPAA regulations,to Protected Health
Information in a designated record set, to Collier County in order to meet the requirements under
45 CFR Section 164.524.
(g) North Collier agrees to make any amendment(s) to Protected Health Information in a
designated record set that the Collier County or an Individual directs or agrees to pursuant to 45
CFR Section 164.526,in a prompt and reasonable manner consistent with the HIPAA regulations.
(h) North Collier agrees to make its internal practices, books, and records, including policies
and procedures and Protected Health Information, relating to the use and disclosure of Protected
Health Information received from, or created or received by North Collier on behalf of Collier
County available to Collier County, or at the request of Collier County,to the Secretary in a time
and manner designated by Collier County or the Secretary, for purposes of the Secretary
determining Collier County's compliance with the Privacy Rule.
(i) North Collier agrees to document disclosures of Protected Health Information and
information related to such disclosures as would be required for Collier County to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR Section 164.528.
(j) North Collier agrees to provide to Collier County or an Individual an accounting of
disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a
prompt and reasonable manner consistent with the HIPAA regulations.
(k) North Collier certifies that it is in compliance with all applicable provisions of HIPAA
standards for electronic transactions and code sets, also known as the Electronic Data Interchange
(EDI) Standards,at 45 CFR Part 162;and the Annual Guidance as issued by the Secretary pursuant
to the HITECH Act, Section 13401. North Collier further agrees to ensure that any agent,
including a subcontractor, that conducts standard transactions on its behalf, will comply with the
EDI Standards and the Annual Guidance.
(1) North Collier agrees to determine the minimum necessary type and amount of Protected
Health Information required to perform its services and will comply with 45 CFR Sections
164.502(b) and 514(d).
B. Permitted or Required Uses and Disclosures by North Collier as Business Associate
(a) North Collier acknowledges and agrees that Protected Health Information is confidential
under State of Florida laws.
(b) Except as expressly permitted in writing by Collier County,North Collier shall not divulge,
disclose, or communicate Protected Health Information or confidential information of Collier
County employees to any third party for any purpose not in conformity with this Agreement except
[04-EMG-01149/1255599/l] Page 8 of 16
c90
16E4
in accordance with Collier County policies and procedures and without prior written approval from
Collier County.
(c) Except as otherwise limited in this Agreement, North Collier may use Protected Health
Information to provide data aggregation services to Collier County as permitted by 45 CFR Section
164.504(e)(2)(i)(B).
(d) North Collier may use Protected Health Information to report violations of law to
appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j) (1).
C. Obligations of Collier County as Covered Entity to Inform North Collier of
Collier County's Privacy Practices, and any Authorization or Restrictions
(a) Collier County shall provide North Collier with the notice of privacy practices that Collier
County produces in accordance with 45 CFR Section 164.520, as well as any changes to such
notice.
(b) Collier County shall provide North Collier with any changes in, or revocation of,
authorization by Individual or his or her personal representative to use or disclose Protected Health
Information, if such changes affect North Collier's uses or disclosures of Protected Health
Information.
(c) Collier County shall notify North Collier of any restriction to the use or disclosure of
Protected Health Information that Collier County has agreed to in accordance with 45 CFR Section
164.522,if such changes affect North Collier's uses or disclosures of Protected Health Information.
D. Confidentiality under State Law and Computer Use by North Collier as Business
Associate
(a) Generally. In addition to the HIPAA privacy requirements,North Collier agrees to observe
the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced
statute provides that records of emergency calls that contain patient examination or treatment
information are confidential and exempt from the provisions of Section 119.07(1),Florida Statutes,
and may not be disclosed without the consent of the person to whom they pertain unless otherwise
statutorily prescribed. Any person who willfully, knowingly, and without authorization discloses
or takes data,programs, or supporting documentation, including those residing or existing internal
and external to Collier County's computer system, commits an offense in violation of Section
815.04, Florida Statutes.
Confidentiality requirements protect more than unlawful disclosure of documents. The
confidentiality requirements protect the disclosure of all records and information of Collier
County, in whatever form, including the copying or verbally relaying of confidential information.
As it relates to computer equipment and systems,North Collier agrees that it will not:
i. Operate or attempt to operate any Collier County computer equipment without
specific authorization from the Collier County.
[04-EMG-01149/1255599/1] Page 9 of 16
t
16E4
ii. Disclose any portion of Collier County's computerized system or data with
unauthorized individuals.
iii. Permit any individual to review, examine, or make copies of any report(s) or
document(s)in its care, custody or control.
North Collier agrees that it will access computer systems,equipment and functions only as required
for the performance of its duties and responsibilities for Collier County and that it has an up-to-
date anti-virus software and firewall running on its computers. In the event North Collier's
password is disclosed, North Collier will immediately contact Collier County's Administrative
Secretary/Record Custodian, Collier County Emergency Medical Services, at (239) 252-3740.
North Collier shall remove any Collier County access software before disposing of any computer.
(b) Receipt of a Subpoena. If North Collier is served with subpoena requiring the production
of Collier County's records or information, North Collier shall immediately contact Collier
County's Administrative Secretary/Record Custodian, Collier County Emergency Medical
Services at (239)252-3740.
A subpoena is an official summons issued by a court or an administrative tribunal,which requires
the recipient to do one or more of the following:
i, Appear at a deposition to give sworn testimony, and may also require that certain
records be brought to be examined as evidence.
ii. Appear at a hearing or trial to give evidence as a witness, and may also require that
certain records be brought to be examined as evidence.
iii. Furnish certain records for examination, by mail or by hand-delivery.
(c) Employees and Agents. North Collier acknowledges that the confidentiality requirements
herein apply to all its employees,agents and representatives. North Collier assumes responsibility
and liability for any damages or claims,including state and federal administrative proceedings and
sanctions, against Collier County, including costs and attorneys'fees,resulting from the breach by
North Collier of the confidentiality requirements of this Agreement.
E. Permissible Requests by Collier County as Covered Entity
Collier County shall not request North Collier to use or disclose Protected Health Information in
any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or
the laws of the State of Florida, if done by Collier County.
F. HIPAA Security Rule
(a) Security of Electronic Protected Health Information. North Collier will develop,
implement, maintain, and use administrative, technical, and physical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of Electronic Protected
health Information (as defined in 45 CFR Section 160.103) that North Collier creates, receives,
maintains, or transmits on behalf of the Collier County consistent with the Security Rule.
[04-EMG-01149/1255599/1] Page 10 of 16
0
16E4
(b) Compliance Date. The parties to this Agreement will comply with this subsection F. by
the last date set forth in the signature blocks below.
G. HITECH Act Compliance
In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security
Rule and HITECH Act,the more stringent provision shall apply.
(a) North Collier shall make a good faith effort to identify and report any use or disclosure of
Protected Health Information not provided for in this Agreement.
(b) Reporting to Collier County. North Collier will report to Collier County, within ten (10)
business days of discovery, any use or disclosure of Protected Health Information not provided for
in this Agreement of which the North Collier is aware. North Collier will report to the Collier
County, within twenty-four(24)hours of discovery, any Security Incident of which North Collier
is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice
shall include the identification of each individual whose unsecured Protected Health Information
has been, or is reasonably believed by North Collier to have been, accessed, acquired, or disclosed
during such breach.
(c) Reporting to Individuals. In the case of a breach of Protected Health Information
discovered by North Collier,North Collier shall first notify Collier County of the pertinent details
of the breach and upon prior approval of Collier County shall notify each individual whose
unsecured Protected Health Information has been, or is reasonably believed by North Collier to
have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in
writing by first-class mail to the Individual (or the next of kin if the individual is deceased)at the
last known address of the individual or next of kin,respectively, or, if specified as a preference by
the individual,by electronic mail. Where there is insufficient,or out-of-date contract information
(including a phone number, email address, or any other form of appropriate communication)that
precludes written (or, if specifically requested, electronic) notification to the individual, a
substitute form of notice shall be provided, including, in the case that there are ten (10) or more
Individuals for which there is insufficient or out-of-date contact information, a conspicuous
posting on the Web site of Collier County involved or notice in major print of broadcast media,
including major media in the geographic areas where the individuals affected by the breach likely
reside. In any case deemed by North Collier to require urgency because of possible imminent
misuse of unsecured Protected Health Information,North Collier may also provide information to
individuals by telephone or other means, as appropriate.
(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by
North Collier where the unsecured Protected Health Information of more than five hundred(500)
persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval
by Collier County, North Collier shall provide notice to prominent media outlets serving Collier
County.
(e) Reporting to Secretary of Health and Human Services. North Collier shall cooperate with
Collier County to provide notice to the Secretary of Health and Human Services of unsecured
[04-EMG-01149/1255599/1] Page 11 of 16
coo
1
6E4
Protected Health Information that has been acquired or disclosed in a breach. If the breach was
with respect to five hundred(500)or more Individuals, such notice must be provided immediately.
If the breach was with respect to less than five hundred (500) Individuals, North Collier may
maintain a log of such breach occurring and annually submit such log to Collier County so that it
may satisfy its obligation to notify the Secretary of Health and Human Services documenting such
breaches occurring in the year involved.
(f) Content of Notices. All notices required under this Agreement shall include the content
set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.
(g) Financial Responsibility. North Collier shall be responsible for all costs related to the
notices required under this Agreement.
(h) Mitigation. North Collier shall mitigate, to the extent practicable, any harmful effect that
is known to North Collier of a use or disclosure of Protected Health Information in violation of
this Agreement.
Section 4. Term and Termination
(a) Term. The Term of this Agreement shall begin on the last date set forth on the signature
blocks below and shall terminate on March 31,2017 unless otherwise extended by both parties in
writing.
(b) Termination for Cause. Without limiting any other termination rights the parties may have,
upon party acting as Covered Entity's knowledge of a material breach by party acting as Business
Associate of a provision under this Agreement, Covered Entity shall provide an opportunity for
Business Associate to cure the breach or end the violation. If the Business Associate does not cure
the breach or end the violation within the time specified by Covered Entity, the Covered Entity
shall have the right to immediately terminate the Agreement. If neither termination nor cure is
feasible, Covered Entity shall report the violation to the Secretary.
(c) Return or Destruction of Protected Health Information upon Termination. Within sixty
(60) days after termination of the Agreement for any reason, or within such other time period as
mutually agreed upon in writing by the parties, party acting as Business Associate shall return to
party acting as Covered Entity or destroy all Protected Health Information maintained by Business
Associate in any form and shall retain no copies thereof Business Associate also shall recover,
and shall return or destroy with such time period, any Protected Health Information in the
possession of its subcontractors or agents. Within fifteen (15) days after termination of the
Agreement for any reason,Business Associate shall notify Covered Entity in writing as to whether
Business Associate intends to return or destroy such Protected Health Information. If Business
Associate elects to destroy such Protected Health Information,it shall certify to Covered Entity in
writing when and that such Protected Health Information has been destroyed. If any subcontractors
or agents of the Business Associate elect to destroy the Protected Health Information, Business
Associate will require such subcontractors or agents to certify to Business Associate and to
Covered Entity in writing when such Protected Health Information has been destroyed. If it is not
feasible for Business Associate to return or destroy any of said Protected Health Information,
Business Associate shall notify Covered Entity in writing that Business Associate has determined
[04-EMG-01149/1255599/1] Page 12 of 16
16E4 E4
that it is not feasible to return or destroy the Protected Health Information and the specific reasons
for such determination. Business Associate further agrees to extend any and all protections,
limitations, and restrictions set forth in this Agreement to Business Associate's use or disclosure
of any Protected Health Information retained after the termination of this Agreement, and to limit
any further uses or disclosures to the purposes that make the return or destruction of the Protected
Health Information not feasible. If it's not feasible for Business Associate to obtain, from a
subcontractor or agent, any Protected Health Information in the possession of the subcontractor or
agent, Business Associate shall provide a written explanation to Covered Entity and require the
subcontractors and agents to agree to extend any and all protections, limitations, and restrictions
set forth in this Agreement to the subcontractors' or agents' uses or disclosures of any Protected
Health Information retained after the termination of this Agreement, and to limit any further uses
or disclosures to the purposes that make the return or destruction of the Protected Health
Information not feasible.
Prior to destroying any records hereunder, Business Associate shall obtain written confirmation
from the Covered Entity that such actions will not violate the State of Florida's or the Covered
Entity's record retention policies.
Section 5. Regulatory References
A reference in this Agreement to a section in the Privacy Rule,the Security Rule or the HITECH
Act means the section as in effect or as amended, and for which compliance is required.
Section 6. Amendment
Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health
Information, Standard Transactions, the security of Health Information, or other aspects of
HIPAA-AS or the HITECH Act applicable or the publication of any decision of a court of the
United States or any state relating to any such law or the publication of any interpretive policy or
opinion of any governmental agency charged with the enforcement of any such law or regulation,
either party may, by written notice to the other party, amend this Agreement in such manner as
such party determines necessary to comply with such law or regulation. If the other party disagrees
with such amendment, it shall so notify the first party in writing within thirty (30) days of the
notice. If the parties are unable to agree on an amendment within thirty(30)days thereafter, then
either of the parties may terminate the Agreement on thirty (30) days written notice to the other
party•
Section 7. Survival
Each party agrees that its obligations under this Agreement with regard to Protected Health
Information and all other provisions in this Agreement that expressly or customarily survive the
termination or expiration of the Agreement shall continue in effect after the Agreement is
terminated or expires.
[04-EMG-01149/1255599/1] Page 13 of 16
16 E4
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits party acting
as Covered Entity to comply with the Privacy Rule and the confidentiality requirements of the
State of Florida,including Section 401.30,Florida Statutes.
Section 9. Disclaimer of Third Party Beneficiaries
This Agreement is solely for the benefit of the parties to this Agreement. No right or cause of
action shall accrue upon or by reason hereof inure to or for the benefit of any third party.
Section 10. Governing Law
The laws of the State of Florida shall govern the validity, interpretation, construction and
performance of this Agreement to the extent not preempted by the Privacy Rules or other
applicable federal law. In the event of a dispute,venue for any suit involving this Agreement shall
be in Collier County, Florida if filed in state court and in the Southern District of Florida if filed
in federal court.
Section 11. Indemnification and Performance Guarantees
Each party shall indemnify, defend, and save harmless the other and Individuals for any financial
loss as a result of claims brought by third parties and which are caused by the failure of party acting
as the Business Associate, its officers, directors or agents to comply with the terms of this
Agreement. Notwithstanding, nothing in this Agreement shall be interpreted as a waiver of party
acting as the Business Associate's sovereign immunity or an extension of its liability beyond the
limits established in Section 768.28, Florida Statutes, nor be construed as consent by party acting
as the Business Associate to be sued by third parties in any manner arising out of this Agreement.
Section 12. Assignment
Neither party shall assign either its obligations or benefits under this Agreement without the
expressed written consent of the other party, which shall be at the sole discretion of such party.
Section 13. Notices
All notices, demands, requests, and other communications hereunder shall be deemed sufficient
and properly given, if in writing and delivered to the above addresses, or via facsimile, or sent by
certified or registered mail, postage prepaid with return receipt requested, at such addresses;
provided, if such notices, demands, requests or other communications are sent by mail,they shall
be deemed as given on the third day following such mailing which is not a Saturday, Sunday,or a
day on which United States mail is not delivered. Any party may, by like notice, designate any
further or different address to which subsequent notices shall be sent. Any notices hereunder
signed on behalf of the notifying party by a duly authorized attorney at law shall be valid and
effective to the same extent as if signed on behalf of such party by a duly authorized officer or
employee.
Page 14 of 16
wt.,. .
16E4
Section 14. Waiver
Unless otherwise specifically provided by the terms of this Agreement, no delay or failure to
exercise a right resulting from any breach of this Agreement shall impair such right or shall be
construed to be a waiver thereof, but such right may be exercised from time to time and as often
as may be deemed expedient. Any waiver shall be in writing and signed by the party granting such
waiver. If any representation, warranty or covenant contained in this Agreement is breached by
any party and thereafter waived by another party, such waiver shall be limited to the particular
breach so waived and shall not be deemed to waive,either expressed or impliedly,any other breach
under this Agreement.
Section 15. Severability
In the event any provision of this Agreement shall, for any reason, be determined invalid, illegal
or unenforceable in any respect the parties hereto shall negotiate in good faith and agree to such
amendments,modifications or supplements to this Agreement or such other appropriate actions as
shall, to the maximum extent practicable in the light of such determination implement and give
effect to the intentions of the parties as reflected herein,and the other provisions of this Agreement,
as amended, modified, supplemented or otherwise affected by such action, shall remain in full
force and effect.
[SIGNATURE PAGE FOLLOWS]
[04-EMG-Ol 149/1255599/1] Page 15 of 16
, . _
16E4 E 4
IN WITNESS WHEREOF, the parties have executed this combined HIPAA Privacy Business
Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement, on the
date(s) set forth below.
NORTH COLLIER FIRE CONTROL
AND RESCUE DISTRICT
By: d 41.-
Pam./1-47 , railee.,
Print Name and Title
Date: Z./,47/6.,
ATTEST: BOARD OF COUNTY COMMISSIONERS
DWIGHT E. BROCK, Clerk COLL ' COUNTY, FLORIDA
By: (J;UL..t N#' - By:
a uty Clerk DONNA FIALA, CHAIRMAN
Attest a' •
ha
, an's
signature only.,
-Approved as to form and legality:
ce ) r 0/ / ?VI pa,frL_32_____.
Jeffrey A. Klatzkow
k>'-'1 County Attorney Item# ILF
Agenda QY
_v31/—
Date ` �
Date 'O r _
Recd �P
t `f‘
Deputy 111 .
[04-EMG-01149/1255599/1] Page 16 of 16
0