The URL can be used to link to this page

Backup Documents 07/23/2024 Item #16D 1 ORIGINAL DOCUMENTS CHECKLIST & ROUTING SLIP 1 6 D 1 TO ACCOMPANY ALL ORIGINAL DOCUMENTS SENT TO 7.23.24 BCC MTG THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE Print on pink paper. Attach to original document. The completed routing slip and original documents are to be forwarded to the County Attorney Office at the time the item is placed on the agenda. All completed routing slips and original documents must be received in the County Attorney Office no later than Monday preceding the Board meeting. **NEW** ROUTING SLIP Complete routing lines#1 through#2 as appropriate for additional signatures,dates,and/or information needed. If the document is already complete with the exception of the Chairman's signature,draw a line through routing lines#1 through#2,complete the checklist,and forward to the County Attomey Office. Route to Addressee(s) (List in routing order) Office Initials Date 1. Carolyn Noble Community and Human CN 6/6/2024 Services 2. County Attorney Office— Selk- County Attorney Office 1Ak/Ai 7b..ilLy 3. BCC Office Board of County Commissioners CH i/ 7/l 7/23/Zcf 4. Minutes and Records Clerk of Court's Office 7/?3/fr4i PRIMARY CONTACT INFORMATION Normally the primary contact is the person who created/prepared the Executive Summary. Primary contact information is needed in the event one of the addressees above,may need to contact staff for additional or missing information. Name of Primary Staff Carolyn Noble Phone Number 239-450-5186 Contact/ Department Agenda Date Item was 7.23.24 BCC Mtg Agenda Item Number 16.D. I Approved by the BCC Type of Document -3-ORIGINAL BAA AGREEMENT/ Number of Original 3.140CUMEN-TS Attached Documents Attached 3 C.pies PO number or account number if document is to be recorded INSTRUCTIONS & CHECKLIST Initial the Yes column or mark"N/A" in the Not Applicable column,whichever is Yes N/A(Not appropriate. (Initial) Applicable) 1. Does the document require the chairman's original signature STAMP OK CN 2. Does the document need to be sent to another agency for additional signatures? If yes, N/A provide the Contact Information(Name;Agency;Address;Phone)on an attached sheet. 3. Original document has been signed/initialed for legal sufficiency. (All documents to be Yes signed by the Chairman,with the exception of most letters,must be reviewed and signed by the Office of the County Attorney. 4. All handwritten strike-through and revisions have been initialed by the County Attorney's N/A Office and all other parties except the BCC Chairman and the Clerk to the Board 5. The Chairman's signature line date has been entered as the date of BCC approval of the N/A document or the final negotiated contract date whichever is applicable. 6. "Sign here"tabs are placed on the appropriate pages indicating where the Chairman's YES signature and initials are required. 7. In most cases(some contracts are an exception),the original document and this routing slip N/A should be provided to the County Attorney Office at the time the item is input into SIRE. Some documents are time sensitive and require forwarding to Tallahassee within a certain time frame or the BCC's actions are nullified. Be aware of your deadlines! 8. The document was approved by the BCC on above date and all changes made during /1 N/A is not the meeting have been incorporated in the attached document. The County 54,4 an option for Attorney's Office has reviewed the changes,if applicable. this line. 9. Initials of attorney verifying that the attached document is the version approved by the ,-' N/A is not BCC,all changes directed by the BCC have been made, and the document is ready for the ✓✓��'' �1 j.y� an option for Chairman's signature. this line. 16D1 COMBINED HIPAA PRIVACY BUSINESS ASSOCIATE AGREEMENT AND CONFIDENTIALITY AGREEMENT AND HIPAA SECURITY RULE ADDENDUM AND HITECH ACT COMPLIANCE AGREEMENT AND QUALIFIED SERVICE ORGANIZATION AGREEMENT The parties,David Lawrence Mental Health Center,Inc. (the"Covered Entity")and Collier County(the "Business Associate")have entered into this agreement(the"Agreement")for the purpose of satisfying the Business Associate contract requirements of the regulations at 45 C.F.R. 164.502(e)and 164.504(e), issued under the Health Insurance Portability and Accountability Act of 1996("HIPAA"),the Security Rule,codified at 45 C.F.R.Part 164, Subparts A and C, (the"Security Rule"),the Health Information Technology for Economic and Clinical Health Act,enacted in Pub. L. No. 1 I 1-05 H.R., 11 Cong. (2009), Title XIII (the"HITECH Act")and the Administrative Simplification provisions of the Patient Protection and Affordable Care Act,codified at 45 C.F.R. Part 160(2013). A.Definitions Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in 45 C.F.R. 160.103 and 164.501 and in the HITECH Act, Subtitle D. "Breach"generally means an unauthorized acquisition,access,use,or disclosure of Protected Health Information("PHI") which compromises the security or privacy of such information. "Business Associate" is a person or entity,other than an employee of a Covered Entity,who performs functions or activities on behalf of or provides certain services to a Covered Entity that involve access to PHI. Business Associates may also be subcontractors that create, receive, maintain,or transmit PHI on behalf of another Business Associate. "Covered Entity"means a health plan,a health care clearinghouse,or a healthcare provider who transmits any health information in electronic form in connections with a transaction covered by HIPAA. "Designated Record Set"shall mean a group of records maintained by or for the Covered Entity that is the medical records and billing records about Individuals maintained by or for the Covered Entity or Used in whole or in part, by or for the Covered Entity'to make decisions about Individuals,as specifically stated in the }IiPAA rules. "Disclosure"means the release,transfer, provision of,access to,or divulging in any manner of information outside the entity holding the information. "Electronic PHI"("ePHI") means PHI which is transmitted by Electronic Media(as defined in the HIPAA Rules)or maintained in Electronic Media. "HITECH Rule"was enacted under Title XiIi of the American Recovery and Reinvestment Act of 2009 to stimulate the adoption of electronic health records and supporting technology in the United States. "Individual"has the same meaning as the term "individual" in 45 C.F.R. 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.P.R. 164,502(g). ADM-341A rev 6/2021 Can .16Dl "Omnibus Rule"(Health Insurance Portability and Accountability Act of 1996 omnibus rule), in a health information technology context, is a rule enacted by the U.S. Department of Health and Human Services' Office of Civil Rights(OCR)to modify the Health hlsurance Portability and Accountability Act (lIIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health(HITECH)Act. "Privacy Rule"means the Standards of Privacy of individually Identifiable Health Information as codified at 45 C.F.R.part 160 and part 164,subparts A and E. "Protected Health Information"("PHI") is defined at 45 C.F.R. 160.103 and in the HITECH Act. For purposes of this Agreement,the terms refers only to that PHI received directly or indirectly from, or received or created on behalf of,the Covered Entity. "Qualified service organization" is defined at 42 C.F.R.Chapter 1, Subchapter A,Part 2 and means an individual or entity who: Provides services to a part 2 program, such as data processing, bill collecting,dosage preparation, laboratory analyses,or legal,accounting, population health management, medical staffing,or other professional services,or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy,and Has entered into a written agreement with a part 2 program under which that individual or entity: (i)Acknowledges that in receiving, storing, processing,or otherwise dealing with any patient records from the part 2 program, it is fully bound by the regulations in this part;and (ii)If necessary,will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis,treatment,or referral for treatment except as permitted by the regulations in this part. "Unsecured PHI"means PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of the US Department of Health and Human Resources(the"Secretary")through published guidance. B.Agents: Business Associate agrees to ensure that any agent, including subcontractors,that creates, receives, maintains,or transmits PHI on behalf of the Business Associate regarding Covered Entity, agrees in writing to the same restrictions,conditions,and requirements that apply through the Agreement and the HIPAA Rules to Business Associate with respect to such information. Moreover, Business Associate shall ensure that any such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect Covered Entity's ePHI. C.Reporting: Business Associate agrees to report to Covered Entity ally use or disclosure of PHI not permitted hereunder of which Business Associate becomes aware, including breaches and unsecured protected health information. The Business Associate shall make a good faith effort to identify and report any use or disclosure of PHI not provided for in the Agreement. 1.To Covered Entity. The Business Associate will report to the Covered Entity, within five (5) business days of discovery, any use or disclosure of PHI not provided for in the Agreement of which the Business Associate is aware. The Business Associate will report to the Covered Entity,within twenty-four (24) hours of discovery, any Security Incident of which the Business Associate is aware. A violation of this paragraph shall be a material violation of the Agreement. ADM-341A rev 6/2021 C. 16D1 Such notice shall include the identification of each individual whose unsecured PHI has been or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. 2. It would be the Covered Entity's responsibility to notify organizations, individuals, media,and the Secretary of Health and Human Services as required and as set forth in Section 13402{£), Title Xl1T of the American Recovery Reinvestment Act of 2009. However, Business Associate shall remain responsible for and shall reimburse Covered Entity for any and all costs and expenses incurred by Covered Entity in responding to any use or disclosure of PHI not permitted hereunder, including breaches and unsecured PHI and any Security Incident, including without limitation complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of any use or disclosure of PHI not permitted hereunder or breach committed by Business Associate. Business Associate shall assist and fully cooperate with Covered Entity in Covered Entity's efforts to provide proper notification to all appropriate parties and help mitigate all costs resulting from such breach or unsecured PHI or any other use of disclosure of PHI not permitted hereunder. 3. Content of Notices. All notices required shall include the content set forth in Section 13402{£),Title XIIT of the American Recovery and Reinvestment Act of 2009. 4. Financial Responsibility. The Business Associate shall be responsible for all costs related to the notices required under the Agreement. 5.Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of P1-Il in violation of the Agreement. D. Obligations and Activities of Business Associate Regarding Protected Health Information: 1. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the Agreement,or as required by applicable federal or laws of the State of Florida. 2. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R Part 164 with respect to ePHI, to prevent use or disclosure of the PHI other than as provided for by the Agreement. 3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of the Agreement. 4. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHi as required at 45 C.F.R. 164.410. 5. In accordance with 45 C.F.R_ 164.502(e)(l)(ii) and 164.308(b)(2),if applicable, Business Associate agrees to ensure that any agent, including any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate, agrees to the same restrictions and conditions that apply through the Agreement to Business Associate with respect to such information. 6. Business Associate agrees to make available PHI in a designated record set to the request of Covered Entity or an Individual or Individual's designee,and in a prompt and reasonable manner consistent with the HIPAA regulations,to PHI in a designated record set, to the Covered Entity or directly to an individual or Individual's designee as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. 164.524. 7. Business Associate agrees to make any Amendment(s)to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526,or take other measures as necessary to satisfy the covered entity's obligations under 45 C.F.R. 164.526 in a prompt and reasonable manner consistent with the HIPAA regulations. 8. Business Associate agrees to make its internal practices,books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, ADM-341A rev 6/2021 .bpi 16D1 or created or received by Business Associate on behalf of Covered Entity available to the Covered Entity, or at the request of the Covered Entity,to the Secretary in a time and manner designated by the Covered Entity or the Secretary,for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. 9. Business Associate agrees to maintain records and account for all disclosures for at least a 3 year period and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. 164.528. 10. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528. 11. Business Associate agrees to provide to Covered Entity or an Individual an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. 12. Business Associate certifies that it is in compliance with all applicable provisions of I-IIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange(EDI) Standards,at 45 C.F.R. Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, sec. 13401. Business Associate further agrees to ensure that any agent, including a subcontractor,that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance. 13. Business Associate agrees to determine the Minimum Necessary type and amount of PHI required to perform its services and will comply with 45 C.F.R. 164.502(b) and 5 14(d). 14. Business Associate agrees to make its internal practices, books,and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. E. Qualified Service Organization Agreement 1. Business Associate acknowledges that Covered Entity is a health care provider that provides services as a part 2 program under 42 C.F.R.Chapter I,Subchapter A, Part 2. Furthermore,the Business Associate acknowledges and agrees that in receiving,storing, processing,or otherwise dealing with any information from the Covered Entity about the clients receiving services, Business Associate is a Qualified Service Organization and is fully bound by the provisions of the Federal regulations governing Confidentiality of Alcohol and Drug Abuse Client Records,42 C.F.R. Part 2;and shall undertake to resist in judicial proceedings any effort to obtain access to patient identifying information related to substance use disorder diagnosis,treatment,or referral for treatment except as permitted by the confidentiality regulations in 42 CFR part 2.Further, Business Associate,as a Qualified Service Organization shall timely inform Covered Entity of any efforts by third parties to obtain access to patient identifying information related to substance use disorder diagnosis,treatment,or referral for treatment except as permitted by the confidentiality regulations in 42 CFR part 2. F. Permitted or Required Uses and Disclosures by Business Associate: I. Except as expressly permitted in writing by the Covered Entity, Business Associate shall not divulge,disclose,or communicate PHI to any third party for any purpose not in conformity with this Contract without prior written approval from the Covered Entity. ADM-341A rev 6/2021 16D1 2. Except as otherwise limited in this Agreement, Business Associate may use PI-II to provide data aggregation services to Covered Entity as permitted by 45 C.F.R 164.504(e)(2)(i)(B). 3_ Business Associate may use or disclose PHI as required by law. 4. Business Associate may use PHI as necessary to provide the services required under the effective contract between Covered Entity and Business Associate. 5. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity,except for the specific uses and disclosures set forth herein. G.Obligations of Covered Entity to Inform Business Associate of Covered Entity's Privacy Practice and any Authorization or Restrictions: I. Covered Entity shall notify Business Associate of any limitations in the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. 2. Covered Entity shall provide Business Associate with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose PHI, to the extent that such changes may affect Business Associate's uses or disclosures of Protected Health information. 3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, if such changes may affect Business Associate's uses or disclosures of PHI. H.Permissible Requests by Covered Entity: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the HiTECH Act,or the laws of the State of Florida, if done by Covered Entity. I. HIPAA Security, Rule Addendum: 1. Security of Electronic Protected Health Information. Business Associate will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI (as defined in 45 C.F.R, 160.103) that Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity consistent with the Security Rule. 2. Reporting Security Incidents. Business Associate will report to the Covered Entity any Security Incident of which Business Associate becomes aware that is(1) a successful unauthorized access, use or disclosure of any ePHI; or(2) a successful major (a) modification or destruction of any ePHI or (b) interference with system operations in an information system containing any ePHI. Upon the Covered Entity's request, Business Associate will report any incident of which Business Associate becomes aware that is a successful minor (a) modification or destruction of any ePHI or(b) interference with system operations in an information system containing any ePHI. 3. Compliance Date. The parties will comply with this Addendum through the later of the (1) the last date set forth in the signature blocks below or(2)the compliance deadline of the Security Rule as defined in 45 C.F.R. 160.103. J. HITECH Act Compliance Agreement: In the event of any inconsistency or conflict between State and Federal laws, the more stringent ADM-341A rev 6/2021 CAA 16D I provision shall apply. K. Term and Termination: I. Term. The Term of the Agreement shall begin on the last date set forth on the signature blocks below and shall terminate on the date the Business Associate no longer provides services to the Covered Entity. 2. Termination for Cause. Without limiting any other termination rights the parties may have, upon Covered Entity's knowledge of a material breach by Business Associate of a provision under the Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. if the Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, the Covered Entity shall have the right to immediately terminate the Agreement. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary. 3 Return or Destruction of PHI upon Termination. Within sixty (60) days after termination of the Agreement for any reason, or within such other time period as mutually agreed upon in writing by the parties, Business Associate shall return to Covered Entity or destroy all PHi maintained by Business Associate in any form and shall retain no copies thereof. Business Associate also shall recover, and shall return or destroy with such time period, any PHi in the possession of its subcontractors or agents. Within fifteen (15)days after termination of the Agreement for any reason, Business Associate shall notify Covered Entity in writing as to whether Business Associate intends to return or destroy such PHI. If Business Associate elects to destroy such PHI, it shall certify to Covered Entity in writing when and that such PHI has been destroyed. If any subcontractors or agents of the Business Associate elect to destroy the PHI, Business Associate will require such subcontractors or agents to certify to Business Associate and to Covered Entity in writing when such Protected Health Information has been destroyed. If it is not feasible for Business Associate to return or destroy any of said PHI, Business Associate shall notify Covered Entity in writing that Business Associate has determined that it is not feasible to return or destroy the PHI and the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations, and restrictions set forth in the Agreement to Business Associate's use or disclosure of any PHI retained after the termination of the Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the PHI not feasible. If it is not feasible for Business Associate to obtain, from a subcontractor or agent, any PHI in the possession of the subcontractor or agent, Business Associate shall provide a written explanation to Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations, and restrictions set forth in the Agreement to the subcontractors'or agents' uses or disclosures of any PHI retained after the termination of the Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the PHI not feasible. Prior to destroying any records hereunder, the Business Associate shall obtain written confirmation from the Covered Entity that such actions will not violate the State of Florida's record retention policies. L. Miscellaneous: 1. Regulatory References. A reference in the Agreement to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended, and for which compliance is required. ADM-341A rev 6/2021 1 6 D 1 2. Amendment. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, Standard Transactions, the security of health information, or other aspects of HIPAA-AS or the HiTECH Act applicable or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend the Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party. 3. Survival. All provisions in the Agreement that expressly or customarily survive the termination or expiration of the Agreement shall continue in effect after the Agreement is terminated or expires. 4. Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule and the confidentiality requirements of the State of Florida. 5. No Third Party Beneficiary. Nothing expressed or implied in the Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assignees of the parties, any rights, remedies, obligations, or liabilities whatsoever. 6. Governing Law. The Agreement shall be governed by and construed in accordance Nvith the laws of the state of Florida to the extent not preempted by the Privacy Rules or other applicable federal law, In the event of a dispute, venue of any proceedings shall be the appropriate federal or state court in Collier County, Florida. 7. Indemnification and Performance Guarantees. Business Associate shall indemnify, defend, and save harmless the Covered Entity from any financial loss or liability as a result of claims brought by third parties and which are caused by the failure of Business Associate, its officers, directors or agents to comply with the terms of the Agreement, including without limitation any use or disclosure of PHI not permitted hereunder, including breaches and unsecured PHI and any Security Incident. 8. Assignment.Business Associate shall not assign either its obligations or benefits under the Agreement without the expressed written consent of the Covered Entity, which shall be at the sole discretion of the Covered Entity. 9. Notices. Any notices to be given hereunder shall be made via U.S. mail or express courier, or hand delivery to the other parry's address given below as follows and are effective upon receipt by the other party ADM-341A rev 6/2021 16 D1 if to Business Associate: Collier County Government Community&Human Services Division 3339 E Tamiami Trail, Suite 211 Naples, FL 34112 If to Covered Entity: David Lawrence Mental Health Center, Inc. 6075 Bathey Lane Naples, FL 34116 Attn: Chief Executive Officer IN WITNESS WHEREOF,the SUBRECIPIENT and the COUNTY, have each, respectively, by an authorized person or agent, hereunder set their hands and seals on the date first written above. ATTEST: AS TO COUNTY: CRYSTAL K. KINZEL, CLERK BOARD OF COUNTY COMMISSIONERS OF COLLIER COUNTY, FLORIDA Attest .s t• hairtrtar eputy Clerk si..at •4only By: • CHRIS HALL, CHAIRPERSON Dated: (/23/ 47-02 / Date: 7/ 13 2 Y (SEAL,} 1 ADM-341A rev 6/2021 16 D1 WITN SSES: AS TO SUBRECIPIENT: 1 \ DAVID LAWRENCE MENTAL HEALTH Witness #1 Sign ure CENTER, INC. n4tCZ ArsIstl By: Witness #1 Printed Name SCOTT BURGESS, PRESIDENT AND CEO Witness #2 Signature Date: S_23 2o'Lk Jc : . } tom La } e --, otO [Please provide evidence of signing authority] Witness #2 Printed Name Approve, .' : 1. p an legality: , , -...,..... Jeffrey A rKla • ow, County Attorney ADM-341A rev 6/2021