Backup Documents 02/28/2017 Item #16E2

ORIGINAL DOCUMENTS CHECKLIST & ROUTING SLIP
TO ACCOMPANY ALL ORIGINAL DOCUMENTS SENT TO THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE

Print on pink paper. Attach to original document. The completed routing slip and original documents are to be forwarded to the County Attorney Office at the time the item is placed on the agenda. All completed routing slips and original documents must be received in the County Attorney Office no later than Monday preceding the Board meeting.

**NEW** ROUTING SLIP

Complete routing lines #1 through #2 as appropriate for additional signatures, dates, and/or information needed. If the document is already complete with the exception of the Chairman's signature, draw a line through routing lines #1 through #2, complete the checklist, and forward to the County Attorney Office.

Route to Addressee(s) (List in routing order); Office; Initials; Date
1.
2.
3. County Attorney Office; County Attorney Office; JAB; 2/28/17
4. BCC Office; Board of County Commissioners; [illegible]; [illegible]
5. Minutes and Records; Clerk of Court's Office; [illegible]; [illegible]

PRIMARY CONTACT INFORMATION

Normally the primary contact is the person who created/prepared the Executive Summary. Primary contact information is needed in the event one of the addressees above, may need to contact staff for additional or missing information.

Name of Primary Staff Contact / Department: Jennifer Bel edio, County Attorney's Office, 252-8400
Agenda Date Item was Approved by the BCC: 2/28/17
Agenda Item Number: 16E2
Type of Document Attached: First Amendment - Interlocal; First Amendment - HIPAA
Number of Original Documents Attached: One each
PO number or account number if document is to be recorded: n/a

INSTRUCTIONS & CHECKLIST

Initial the Yes column or mark "N/A" in the Not Applicable column, whichever is appropriate. Columns: Yes (Initial); N/A (Not Applicable).

1. Does the document require the chairman's original signature? STAMP OK JAB

2.
Does the document need to be sent to another agency for additional signatures? If yes, provide the Contact Information (Name; Agency; Address; Phone) on an attached sheet. NA

3. Original document has been signed/initialed for legal sufficiency. (All documents to be signed by the Chairman, with the exception of most letters, must be reviewed and signed by the Office of the County Attorney.) JAB

4. All handwritten strike-through and revisions have been initialed by the County Attorney's Office and all other parties except the BCC Chairman and the Clerk to the Board. NA

5. The Chairman's signature line date has been entered as the date of BCC approval of the document or the final negotiated contract date whichever is applicable. JAB

6. "Sign here" tabs are placed on the appropriate pages indicating where the Chairman's signature and initials are required. JAB

7. In most cases (some contracts are an exception), the original document and this routing slip should be provided to the County Attorney Office at the time the item is input into SIRE. Some documents are time sensitive and require forwarding to Tallahassee within a certain time frame or the BCC's actions are nullified. Be aware of your deadlines! NA

8. The document was approved by the BCC on 2/28/17 and all changes made during the meeting have been incorporated in the attached document. The County Attorney's Office has reviewed the changes, if applicable. JAB

9. Initials of attorney verifying that the attached document is the version approved by the BCC, all changes directed by the BCC have been made, and the document is ready for Chairman's signature. [illegible]
I:Forms/County Forms/BCC Forms/Original Documents Routing Slip WWS Original 9.03.04, Revised 1.26.05, Revised 2.24.05; Revised 11/30/12

MEMORANDUM

Date: March 2, 2017
To: Kathy Heinrichsberg, Executive Secretary, Bureau of Emergency Services
Cc: Jorge Aguilera, Assistant Chief of Emergency Medical Services, North Collier Fire Control & Rescue District
From: Martha Vergara, Deputy Clerk, Minutes & Records Department
Re: First Amendment to the Interlocal Agreement w/North Collier Fire and Rescue District & The First Amendment to the combined HIPAA Privacy Business Associate, HIPAA Security Rule, Hitech Act Compliance and Confidentiality Agreement

Attached is one (1) scanned copy of the original document as referenced above, (Item #16E1) approved by the Board of County Commissioners on Tuesday, February 28, 2017.

The ORIGINAL has been kept by the Board's Minutes and Records Department as part of the Board's Official Records.

If you have any questions, please contact me at 252-7240.

Thank you.

Attachments

FIRST AMENDMENT TO INTERLOCAL AGREEMENT WITH NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT

THIS FIRST AMENDMENT is entered into this [illegible] day of [illegible], 201[illegible], by and between Collier County, a political subdivision of the State of Florida, through its Board of County Commissioners, hereinafter referred to as "County," and North Collier Fire Control and Rescue District, hereinafter referred to as "District," collectively stated as the "Parties."

RECITALS:

WHEREAS, on March 22, 2016, the County entered into Interlocal Agreement with District (hereinafter referred to as the "Agreement" and attached as Exhibit "A" hereto) to resolve a lawsuit initiated by District titled North Collier Fire Control and Rescue District v. Board of County Commissioners of Collier County (Case No.
11-2015-CA-001871); and

WHEREAS, also on March 22, 2016, the County issued a certificate of public convenience ("COPCN") in accordance with the terms and conditions set forth in the Agreement; and

WHEREAS, the Parties are satisfied with the arrangement they currently enjoy under the Agreement and the District is presently pursuing annual renewal of its COPCN; and

WHEREAS, the Parties desire to extend the Agreement for one year through March 31, 2018 with automatic extensions subject to termination by either party; and

WHEREAS, the Parties recognize that the Agreement contemplates the expiration of the existing COPCN on March 31, 2017, and that the annual renewal of a COPCN is necessary for the Agreement to be successful.

NOW, THEREFORE, in consideration of the foregoing Recitals, and other good and valuable consideration, the receipt and sufficiency of which is hereby mutually acknowledged, the Parties agree as follows:

1. The foregoing Recitals are true and correct and are incorporated by reference herein.

2. Section 3 is hereby replaced in its entirety as follows:

This Interlocal Agreement shall take effect upon execution by the Parties ("Effective Date"). The Interlocal Agreement will automatically renew for an additional year each and every March 31, thereafter, unless a Party provides to the other Party written notice to the contrary no later than January 31st of such year. Notwithstanding, if a COPCN is not issued to the District, then this Interlocal Agreement shall automatically terminate without further action of the Parties. District shall follow all COPCN annual renewal procedures as set forth in Collier County Ordinance No. 04-12, as it may be amended or otherwise modified.

INSTR 5374488 OR 5368 PG 3064 RECORDED 3/6/2017 10:22 AM PAGES 12 DWIGHT E. BROCK, CLERK OF THE CIRCUIT COURT COLLIER COUNTY FLORIDA REC$103.50

3.
The terms, covenants and conditions set forth in the Agreement that have not been specifically amended herein, will continue in existence, are hereby ratified, approved and confirmed, and will remain binding upon the parties. This First Amendment merges any prior written and oral understanding and agreements, if any, between the parties with respect to the matters set forth herein.

4. This First Amendment shall be recorded by the County, at the expense of the County, in the Official Records of Collier County, Florida, within sixty (60) days of approval by the Board of County Commissioners.

IN WITNESS WHEREOF, the Parties have executed this First Amendment to Interlocal Agreement with North Collier Fire and Rescue District on the date and year first above written.

Attest: DWIGHT E. BROCK, Clerk
By: [illegible]
Attest as to Chairman's signature only.

BOARD OF COUNTY COMMISSIONERS OF COLLIER COUNTY, FLORIDA
By: [illegible], CHAIRMAN

NORTH COLLIER FIRE AND RESCUE DISTRICT
WITNESSES:
[illegible] Print Name: [illegible]
[illegible] Print Name: [illegible]
By: [illegible] Signature
[illegible] Printed/Typed Name
[illegible] Printed/Typed Title

Approved as to form and legality: Je r A. Belpe, Assistant County Attorney

EXHIBIT

INSTR 5243339 OR 5254 FSG 803 t 15, DWIGHT E. BROCK, CLERK OF THE CIRCUIT COURT COLLIER COUNTY FLORIDA REC$86.50

INTERLOCAL AGREEMENT

THIS INTERLOCAL AGREEMENT, dated this 22nd day of March, 2016, is entered into as authorized by Ch. 163, Florida Statutes ("Fla. Stat."), Intergovernmental Programs by and between the North Collier Fire Control and Rescue District (hereinafter "District") and the Collier County Board of County Commissioners (hereinafter "County").

WITNESSETH:

WHEREAS, Section 163.01, Fla.
Stat., authorizes the joint exercise of any power, privilege, or authority which the public agencies involved herein share in common and which each might exercise separately; and

WHEREAS, District filed a lawsuit against the County in the litigation titled North Collier Fire Control and Rescue District, District/Plaintiff, v. Board of County Commissioners of Collier County, Respondent/Defendant (Case No. 11-2015-CA-001871), pending in the Twentieth Judicial Circuit in Collier County, (hereinafter referred to as the "Lawsuit"); and

WHEREAS, the Parties have engaged in the Ch. 164, Fla. Stat., Governmental Dispute process and have agreed to settle the litigation pursuant to the terms of this Interlocal Agreement as specifically authorized by Sec. 164.1055(2), Fla. Stat., which provides for a joint public meeting and mediation process; and

WHEREAS, District and the County, without either Party admitting any liability or fault, desire to settle the Lawsuit and any and all disputes that arise from, relate or refer in any way, whether directly or indirectly, known or unknown, to the incidents described or allegations made in the Lawsuit; and

WHEREAS, District and the County desire to execute this Interlocal Agreement as required by Sec. 164.1057, Fla. Stat., and so that it shall be binding upon them as well as their respective owners, principals, elected officials, officers, employees, ex-employees, agents, attorneys, representatives, insurers, successors, assigns, and affiliates; and

NOW, THEREFORE, in consideration of the mutual covenants, promises and consideration set forth in this Interlocal Agreement, and with the intent to be legally bound, District and the County agree as follows:

1. District and the County adopt and incorporate the foregoing recitals, sometimes referred to as "Whereas Clauses", by reference into this Interlocal Agreement.

2.
The County shall issue the District a certificate of public convenience and necessity ("COPCN") to provide advanced life support ("ALS") non-transport services throughout the boundaries of the District on the Effective Date of this Agreement subject to the following terms and conditions:

a. The District shall retain the services of the Collier County Medical Director to serve as the District's Medical Director (hereinafter referred to as the County Medical Director/District Medical Director) by this Agreement with the County for this service and shall utilize the protocols and standards issued by the County Medical Director/District Medical Director to govern the provisions of advanced life support services authorized by the COPCN and licensed by the State. There shall be no charge to the District for these services. The District may employ an Associate Medical Director to assist the District with the implementation of the protocols, standards, training, and certification/recertification standards established by the County Medical Director/District Medical Director relating to ALS services provided by the District. The Associate Medical Director or any other medical professional employee and/or volunteer of the District shall work under the supervision of the County Medical Director/District Medical Director. It is acknowledged by both Parties that the District does not, by this Agreement or any other agreement or requirement, report to the Collier County Emergency Medical Services ("EMS") Division or Collier County, and that all statutory and rule requirements related to medical direction shall be made directly to the District by the County Medical Director/District Medical Director. The County Medical Director/District Medical Director and, if applicable, the Collier County Deputy Medical Director, shall comply with the provisions of Ch. 119, Fla.
Stat., the Health Insurance Portability and Accountability Act ("HIPAA"), Health Information Technology for Economic and Clinical Health requirements, and any other federal or state applicable laws relating to records and/or confidentiality of records. To that end, the County Medical Director/District Medical Director, and, if applicable, the Collier County Deputy Medical Director, shall execute a HIPAA Business Associate Agreement with the District. The County Medical Director/District Medical Director may delegate any or all of his responsibilities under this Agreement to the Collier County Deputy Medical Director.

b. The District shall operate under the emergency medical technicians ("EMTs") and paramedic credentialing and recredentialing standards issued by the County Medical Director/District Medical Director, except, all current credentialing shall be honored by the County Medical Director/District Medical Director until December 31, 2017. The recredentialing standards used presently by the District shall remain in place through March 31, 2017. The County Medical Director/District Medical Director shall develop, with input from the District, the recredentialing standards for ALS non-transport paramedics and EMTs on or before January 1, 2017.

c. The District shall adhere to the paramedic and EMT credentialing and recertification ride-time requirements as established by the County Medical Director/District Medical Director. The District may meet its ride-time requirements by accompanying a patient on the Collier County EMS ALS transport from scene to hospital when any ALS service has been performed on the patient prior to the transport. However, the Collier County EMS Chief, District Fire Chief and the County Medical Director/District Medical Director may identify in writing any exceptions to the ride time requirements.
The District agrees that any time a Collier County EMS paramedic requests a District paramedic to accompany a patient on the Collier County EMS ALS transport from scene to hospital regardless of the level of service, the District paramedic shall accompany the patient to the hospital.

d. The District shall have its own quality assurance program for District paramedics and EMTs as established by the County Medical Director/District Medical Director. The District's quality assurance program shall solely consist of the County Medical Director/District Medical Director, the District's Associate Medical Director and District staff. The District shall also participate in a countywide Quality Assurance Committee as established by the County Medical Director/District Medical Director, contingent upon all interested parties entering into a written mutually agreeable business associate agreement to ensure compliance with the HIPAA requirements and any other federal or state applicable laws.

e. The District shall adhere to the patient care reporting system requirements that allows for view only access to patient care reports. The District will provide to Collier County a one-user login account to a view only patient care report dashboard of the District's Patient Care Reporting System to be used for continuum of care for a patient, quality assurance and performance benchmarking. Collier County will provide to the District a one-user login account to a view only patient care report dashboard of Collier County's Patient Care Reporting System to be used for continuum of care for a patient, quality assurance, and performance benchmarking. The Parties agree that it shall control the access and use to such patient care reports.
The District will provide login access to the District's Patient Care Reporting System to the County Medical Director/District Medical Director, with such access protected from disclosure by the County Medical Director/District Medical Director. Both Parties will work cooperatively to ensure that any necessary third party providers, such as hospitals and emergency rooms, have view only access to the District's patient care reports. The Parties will also work cooperatively to implement a single consolidated patient care reporting system as soon as practicable. The Parties shall use their best efforts to negotiate and enter into any agreements that may be necessary to meet any and all lawful requirements, including those related to HIPAA.

3. This Interlocal Agreement shall take effect upon execution by the Parties ("Effective Date"). The term of the COPCN and this Interlocal Agreement shall be effective through March 31, 2017.

4. Should the District be found to have breached the terms of this Interlocal Agreement or the COPCN in any way, all written complaints shall be investigated by both the County staff and the District staff, and a report thereon made to both the Board of County Commissioners and the District Board of Fire Commissioners, together with findings and recommendations, within 15 days of such complaint. If termination of the Interlocal Agreement or revocation, suspension or alteration of the COPCN appears warranted, the Board of County Commissioners shall give notice to the District that the same will be considered at a specific commission meeting, provided the date of such meeting shall not be less than five days from the date of the notice. The Board of County Commissioners shall thereupon consider the complaint and either revoke or suspend the COPCN, terminate the Interlocal Agreement, suggest alternatives to the COPCN, or dismiss the complaint.
Notwithstanding, this procedure shall be held in compliance with the County's COPCN Ordinance No. 04-12, § 14, as amended.

5. Should the County or the County Medical Director/District Medical Director be found to have breached the terms of this Interlocal Agreement or the COPCN in any way, all written complaints shall be investigated by both the County staff and the District staff, and a report thereon made to both the Board of County Commissioners and the District Board of Fire Commissioners, together with findings and recommendations, within 15 days of such complaint. If termination of the Interlocal Agreement or alteration of the COPCN or the Interlocal Agreement appears warranted, the District shall give notice to the County that the same will be considered at a specific commission meeting, provided the date of such meeting shall not be less than five days from the date of notice. The District Board of Fire Commissioners shall thereupon consider the complaint and either terminate the Interlocal Agreement or suggest alternatives to the COPCN or the Interlocal Agreement.

6. In consideration of the resolution of all disputes or claims arising from or referring or relating in any way, whether directly or indirectly, to the Lawsuit, the District agrees to dismiss the Lawsuit with prejudice.

7.
In consideration of the resolution of the Lawsuit, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties, on behalf of themselves, their attorneys, agents, representatives, insurers, heirs, successors and assigns, hereby expressly releases and forever discharge each other, as well as their elected officials, officers, employees, ex-employees, agents, attorneys, representatives, successors, assigns, insurers and affiliates from any and all claims, demands, causes of actions, damages, costs, attorney's fees, expenses and obligations of any kind or nature whatsoever that they have asserted or could have asserted in the Lawsuit or that arise from or relate or refer in any way, whether directly or indirectly, to the Lawsuit or any incident, event or allegation referred to or made in the Lawsuit.

8. Notwithstanding anything that may be to the contrary in this Interlocal Agreement, District and the County agree that either of them (as well as any other persons or entities intended to be bound) shall, in the event of any breach, retain the right to enforce the terms and conditions of this Interlocal Agreement.

9. District and the County acknowledge and agree that this Interlocal Agreement is intended to and shall be binding upon their respective owners, principals, officials, officers, employees, ex-employees, agents, attorneys, representatives, insurers, successors, assigns, and affiliates.

10. District and the County recognize and acknowledge that this Interlocal Agreement memorializes and states a settlement of disputed claims and nothing in this Interlocal Agreement shall be construed to be an admission of any kind, whether of fault, liability, or of a particular policy or procedure, on the part of either District or the County.

11.
District and the County acknowledge and agree that this Interlocal Agreement is the product of mutual negotiation and no doubtful or ambiguous language or provision in this Agreement to be construed against any Party based upon a claim that the Party drafted the ambiguous provision or language or that the Party was intended to be benefited by the ambiguous provision or language.

12. This Interlocal Agreement may be amended only by a written instrument specifically referring to this Agreement and executed with the same formalities as this Agreement.

13. In the event of an alleged breach of this Interlocal Agreement, District and the County agree that all underlying causes of action or claims of District related to the September 8, 2015 denial of the District's COPCN, have been extinguished by this Agreement and that the sole remedy for breach of this Agreement shall be for specific performance of its terms and conditions or any damages arising from the breach. In this regard, District and the County further agree that the sole venue for any such action shall be in the Twentieth Judicial Circuit in and for Collier County, Florida in Naples, Florida.

14. This Interlocal Agreement shall be governed by the laws of the State of Florida.

15. Either the County or District may terminate this Interlocal Agreement after providing written notice of its intent to terminate at least thirty (30) days in advance of the date of termination. The District's COPCN is revoked on the termination date of this Interlocal Agreement without further action by the County. This Interlocal Agreement shall automatically terminate if the District is notified by the Florida Department of Health that its license to provide ALS service has been revoked under Ch. 401, Fla. Stat., and associated rules. Upon receipt of such notification, the District shall inform the County in writing.

16.
This Interlocal Agreement supersedes the agreement titled "Interlocal Agreement Advanced Life Support Partnership Between Collier County and Big Corkscrew Island Fire Control and Rescue District" dated March 25, 2014.

17. Prior to its effectiveness, this Interlocal Agreement shall be filed with the Clerk of Courts for the Circuit Court for Collier County pursuant to Sec. 163.01 (2), Fla. Stat. The County shall file said agreement as soon as practicable after approval and execution by both parties.

IN WITNESS WHEREOF, District and the County have signed and sealed this Interlocal Agreement as set forth below.

Date: [illegible]

ATTEST: DWIGHT E. BROCK, Clerk
BY: [illegible]

BOARD OF COUNTY COMMISSIONERS COLLIER COUNTY, FLORIDA
By: [illegible] DONNA FIALA, CHAIRMAN

Approved as to form and legality: Jeffrey [illegible], County Attorney

By: [illegible]
North Collier Fire Control and Rescue District
DISTRICT

INSTR 5374489 OR 5368 PG 07 RECORDED 3/6/2017 10:22 AM PAGES 22 DWIGHT E. BROCK, CLERK OF THE CIRCUIT COURT COLLIER COUNTY FLORIDA REC$188.50

FIRST AMENDMENT TO COMBINED HIPAA PRIVACY BUSINESS ASSOCIATE, HIPAA SECURITY RULE, HITECH ACT COMPLIANCE AND CONFIDENTIALITY AGREEMENT

THIS FIRST AMENDMENT (hereinafter "Amendment") is made by NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT, an independent fire control and rescue district operating pursuant to Chapter 2015-191, Laws of Florida, by and through its Board of Fire Commissioners, whose address is 1885 Veterans Park Drive, Naples, Florida 34109 (hereinafter "North Collier"), and COLLIER COUNTY, a political subdivision of the State of Florida, by and through its Board of County Commissioners, whose address is 3299 Tamiami Trail East, Naples, Florida 34112 (hereinafter "Collier County"), collectively hereinafter referred to as the "Parties", as of the last date set forth on the signature blocks below.
WHEREAS, the Combined HIPAA Privacy Business Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement was approved by North Collier on June 16, 2016 and Collier County on September 13, 2016 (hereinafter "Agreement");

WHEREAS, Section 6 of the Agreement provides for amendments necessary to comply with any law or regulation affecting the use or disclosure of protected health information, the security of health information, or other aspects of the Health Insurance Portability and Accountability Act (hereinafter "HIPAA") or the Health Information Technology for Economic and Clinical Health Act (hereinafter "HITECH Act");

WHEREAS, the U.S. Department of Health & Human Services (hereinafter "HHS") requires covered entities to enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information and that state law may apply to such agreements;

WHEREAS, Section 501.171, Florida Statutes, the Florida Information Protection Act of 2014 (hereinafter "FIPA"), has additional notification requirements on covered entities that experience a breach of security;

WHEREAS, Section 456.057, Florida Statutes, provides for the ownership and control of patient records; and

WHEREAS, on October 7, 2016, the HHS published guidance on cloud computing that provides that a cloud services provider is a business associate under HIPAA if engaged by a covered entity to create, receive, maintain, or transmit protected health information and is required to enter into a HIPAA-compliant business associate agreement wherein it is both contractually liable for meeting the terms of the business associate agreement and directly liable for compliance with the applicable requirements of HIPAA.

NOW, THEREFORE, the Parties agree as follows:

1.
Section 1, Definitions, is hereby amended with the following underlined additions:

(b) "Covered Entity" has the same meaning as the term "covered entity" in 45 CFR 160.103 and Section 501.171(1)(b), Florida Statutes, and shall include North Collier when acting as Covered Entity and Collier County is its Business Associate, and Collier County when acting as Covered Entity and North Collier is its Business Associate.

(h) "Personal Information" is defined at Section 501.171(1)(g), Florida Statutes.

(i) "Department" means the Department of Legal Affairs for Florida.

2. Section 2.A., Obligations and Activities of Collier County Acting as Business Associate Regarding Protected Health Information, is hereby amended with the following underlined additions:

(e) Collier County agrees to ensure that any agent, including a subcontractor or a cloud services provider, to whom it provides Protected Health Information received from, or created or received by Collier County on behalf of North Collier, agrees to the same restrictions and conditions that apply through this Agreement to Collier County with respect to such information and is directly liable for compliance with the applicable requirements of the HIPAA, Privacy Rules, Security Rule, and HIPAA breach notification and enforcement rules.

3. Section 2.D., Confidentiality under State Law and Computer Use by Collier County as Business Associate, is hereby amended with the following underlined additions:

(d) FIPA. In addition to the HIPAA privacy requirements and Section 401.30, Florida Statutes, Collier County agrees to observe the security of Personal Information requirements of Section 501.171, Florida Statutes.

(e) Disposal of Records. Collier County agrees to observe the FIPA requirements for the proper disposal of records.

(f) Ownership of Records.
Collier County agrees that the ownership and control of patient records as set forth in Section 456.057, Florida Statutes, is with the covered entity that generates the medical records.

4. Section 2.G., HITECH Act Compliance, is hereby amended with the following underlined additions:

(f) Reporting to Department. Collier County shall cooperate with North Collier to provide notice to the Department of unauthorized access of data in electronic form containing Personal Information affecting 500 or more individuals in Florida within thirty (30) days after the determination of the breach or reason to believe a breach occurred in accordance with FIPA.

(g) Reporting to Credit Reporting Agencies. Collier County shall cooperate with North Collier to provide notice to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis if Collier County discovers circumstances requiring notice pursuant to FIPA of more than 1,000 individuals at a single time.

(h) Content of Notice. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009, and in compliance with the HIPAA Privacy Rules and FIPA.

(i) Financial Responsibility. Collier County shall be responsible for all costs related to the notices required under this Agreement.

(j) Mitigation. Collier County shall mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information and unauthorized access of data in electronic form containing Personal Information in violation of this Agreement.

5.
Section 3.A., Obligations and Activities of North Collier Acting as Business Associate Regarding Protected Health Information, is hereby amended with the following underlined additions:

(e) North Collier agrees to ensure that any agent, including a subcontractor or a cloud services provider, to whom it provides Protected Health Information received from, or created or received by North Collier on behalf of Collier County, agrees to the same restrictions and conditions that apply through this Agreement to North Collier with respect to such information and is directly liable for compliance with the applicable requirements of the HIPAA, Privacy Rules, Security Rule, and HIPAA breach notification and enforcement rules.

6. Section 3.D., Confidentiality under State Law and Computer Use by North Collier as Business Associate, is hereby amended with the following underlined additions:

(d) FIPA. In addition to the HIPAA privacy requirements and Section 401.30, Florida Statutes, North Collier agrees to observe the security of Personal Information requirements of Section 501.171, Florida Statutes.

(e) Disposal of Records. North Collier agrees to observe the FIPA requirements for the proper disposal of records.

(f) Ownership of Records. North Collier agrees that the ownership and control of patient records as set forth in Section 456.057, Florida Statutes, is with the covered entity that generates the medical records.

7. Section 3.G., HITECH Act Compliance, is hereby amended with the following underlined additions:

(f) Reporting to Department. North Collier shall cooperate with Collier County to provide notice to the Department of unauthorized access of data in electronic form containing Personal Information affecting 500 or more individuals in Florida within thirty (30) days after the determination of the breach or reason to believe a breach occurred in accordance with FIPA.

(g) Reporting to Credit Reporting Agencies.
North Collier shall cooperate with Collier County to provide notice to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis if North Collier discovers circumstances requiring notice pursuant to FIPA of more than 1,000 individuals at a single time. (h) Content of Notice. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009, and in compliance with the HIPAA Privacy Rules and FIPA. (i) Financial Responsibility. North Collier shall be responsible for all costs related to the notices required under this Agreement. (j) Mitigation. North Collier shall mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information, and unauthorized access of data in electronic form containing Personal Information in violation of this Agreement. 8. Section 4(a), Term, is hereby replaced in its entirety as follows: (a) Term. The Term of this Agreement shall begin on September 13, 2016 and shall automatically renew for an additional year each and every March 31 thereafter, unless the Interlocal Agreement between the Parties (attached as Exhibit "A" hereto), or as amended, is not renewed or is terminated, then this Agreement shall automatically terminate without further action of the Parties. 9. Except as set forth in this Amendment, the Agreement is unaffected and shall continue in full force and effect in accordance with its terms. If there is conflict between this Amendment and the Agreement, the terms of this Amendment will prevail. IN WITNESS WHEREOF, the Parties have executed this Amendment to the Combined HIPAA Privacy Business Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement, on the date(s) set forth below. NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT By: Print Name:
Title: Date: ATTEST: DWIGHT E. BROCK, CLERK By: Deputy Clerk Attest as to Chairman's signature only. BOARD OF COUNTY COMMISSIONERS, COLLIER COUNTY, FLORIDA By: Print Name: Title: Date: Approved as to form and legality: Colleen M. Greene, Assistant County Attorney Exhibit A Interlocal Agreement COMBINED HIPAA PRIVACY BUSINESS ASSOCIATE, HIPAA SECURITY RULE, HITECH ACT COMPLIANCE AND CONFIDENTIALITY AGREEMENT THIS AGREEMENT is entered into by and between the North Collier Fire Control and Rescue District, an independent fire control and rescue district operating pursuant to Chapter 2015-191, Laws of Florida, by and through its Board of Fire Commissioners, whose address is 1885 Veterans Park Dr., Naples, Florida 34109 (hereinafter "North Collier"), and Collier County, a political subdivision of the State of Florida, by and through its Board of County Commissioners, whose address is 3299 Tamiami Trail East, Naples, FL 34112 (hereinafter "Collier County"), collectively hereinafter referred to as the "parties." The parties have entered into this Agreement in compliance with the terms of the Interlocal Agreement dated March 22, 2016 and for the purpose of satisfying the Business Associate contract requirements of the regulations at 45 CFR Section 164.502(e) and 164.504(e), issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Security Rule, codified at 45 C.F.R Part 164, Subparts A and C. (the "Security Rule"), the Health Information Technology For Economic and Clinical Health Act, enacted in Pub. L. No. 111-05 H.R., 111th Cong. (2009), Title XIII (the "HITECH Act"), as well as the confidentiality requirements contained in Section 401.30, Florida Statutes.
This Agreement is intended to provide reciprocal obligations between and among the parties as required by law when one party is acting as the Business Associate and the other party is acting as the Covered Entity. Section 1. Definitions Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in 45 CFR Sections 160.103 and 164.501, and in the HITECH Act, Subtitle D. (a) "Business Associate" has the same meaning as the term "Business associate" in 45 CFR 160.103 and shall include North Collier when acting as Business Associate of Collier County, and Collier County when acting as Business Associate of North Collier. (b) "Covered Entity" has the same meaning as the term "Covered entity" in 45 CFR 160.103 and shall include North Collier when acting as Covered Entity and Collier County is its Business Associate, and Collier County when acting as Covered Entity and North Collier is its Business Associate. (c) "Individual" has the same meaning as the term "individual" in 45 CFR Section 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g). (d) "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and part 164, Subparts A and E. (e) "Protected Health Information" is defined at 45 CFR Section 160.103 and in the HITECH Act. [04-EMG-01149/1255599/1] Page 1 of 16 For purposes of this Agreement, the term refers only to that Protected Health Information received directly or indirectly from, or received or created on behalf of, the Covered Entity. (f) "Secretary" means the Secretary of the U.S. Department of Health and Human Services or designee. (g) "Security Incident" means any event resulting in computer systems, networks, or data being viewed, manipulated, damaged, destroyed or made inaccessible by an unauthorized activity.
See National Institute of Standards and Technology (NIST) Special Publication 800-61, "Computer Security Incident Handling Guide," Revision 2 or subsequent revision for more information. Section 2. Collier County's Obligations and Activities When Acting as Business Associate and North Collier's Obligations When Acting as Covered Entity A. Obligations and Activities of Collier County acting as Business Associate Regarding Protected Health Information (a) Collier County agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D. and E. of this Section 2, or as required by applicable federal or laws of the State of Florida. (b) Collier County agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Collier County agrees to mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information by Collier County in violation of the requirements of this Agreement. (d) Collier County agrees to report to North Collier any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. Collier County will report to North Collier any Security Incident of which Collier County becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.
Upon North Collier's request, Collier County will report any incident of which Collier County becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. (e) Collier County agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Collier County on behalf of North Collier, agrees to the same restrictions and conditions that apply through this Agreement to Collier County with respect to such information. (f) Collier County agrees to provide access, at the request of North Collier or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to North Collier in order to meet the requirements under 45 CFR Section 164.524. (g) Collier County agrees to make any amendment(s) to Protected Health Information in a designated record set that the North Collier or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations. (h) Collier County agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Collier County on behalf of North Collier available to North Collier, or at the request of North Collier, to the Secretary in a time and manner designated by North Collier or the Secretary, for purposes of the Secretary determining North Collier's compliance with the Privacy Rule.
(i) Collier County agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for North Collier to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528. (j) Collier County agrees to provide to North Collier or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. (k) Collier County certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. Collier County further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance. (l) Collier County agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d). B. Permitted or Required Uses and Disclosures by Collier County as Business Associate (a) Collier County acknowledges and agrees that Protected Health Information is confidential under State of Florida laws. (b) Except as expressly permitted in writing by North Collier, Collier County shall not divulge, disclose, or communicate Protected Health Information or confidential information of North Collier employees to any third party for any purpose not in conformity with this Agreement except in accordance with North Collier policies and procedures and without prior written approval from North Collier.
(c) Except as otherwise limited in this Agreement, Collier County may use Protected Health Information to provide data aggregation services to North Collier as permitted by 45 CFR Section 164.504(e)(2)(i)(B). (d) Collier County may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1). C. Obligations of North Collier as Covered Entity to Inform Collier County of North Collier's Privacy Practices, and any Authorization or Restrictions (a) North Collier shall provide Collier County with the notice of privacy practices that North Collier produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice. (b) North Collier shall provide Collier County with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect Collier County's uses or disclosures of Protected Health Information. (c) North Collier shall notify Collier County of any restriction to the use or disclosure of Protected Health Information that North Collier has agreed to in accordance with 45 CFR Section 164.522, if such changes affect Collier County's uses or disclosures of Protected Health Information. D. Confidentiality under State Law and Computer Use by Collier County as Business Associate (a) Generally. In addition to the HIPAA privacy requirements, Collier County agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed.
Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to North Collier's computer system, commits an offense in violation of Section 815.04, Florida Statutes. Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of North Collier, in whatever form, including the copying or verbally relaying of confidential information. As it relates to computer equipment and systems, Collier County agrees that it will not: i. Operate or attempt to operate any North Collier computer equipment without specific authorization from the North Collier. ii. Disclose any portion of North Collier's computerized system or data with unauthorized individuals. iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control. Collier County agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for North Collier and that it has an up-to-date anti-virus software and firewall running on its computers. In the event Collier County's password is disclosed, Collier County will immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222 to report the incident and request a new password. Collier County shall remove any North Collier access software before disposing of any computer. (b) Receipt of a Subpoena. If Collier County is served with subpoena requiring the production of North Collier's records or information, Collier County shall immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222.
A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following: i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence. ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence. iii. Furnish certain records for examination, by mail or by hand-delivery. (c) Employees and Agents. Collier County acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. Collier County assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against North Collier, including costs and attorneys' fees, resulting from the breach by Collier County of the confidentiality requirements of this Agreement. E. Permissible Requests by North Collier as Covered Entity North Collier shall not request Collier County to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by North Collier. F. HIPAA Security Rule (a) Security of Electronic Protected Health Information. Collier County will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information (as defined in 45 CFR Section 160.103) that Collier County creates, receives, maintains, or transmits on behalf of the North Collier consistent with the Security Rule. (b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below. G.
HITECH Act Compliance In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act, the more stringent provision shall apply. (a) Collier County shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement. (b) Reporting to North Collier. Collier County will report to the North Collier, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the Collier County is aware. Collier County will report to North Collier, within twenty-four (24) hours of discovery, any Security Incident of which Collier County is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired, or disclosed during such breach. (c) Reporting to Individuals. In the case of a breach of Protected Health Information discovered by Collier County, Collier County shall first notify North Collier of the pertinent details of the breach and upon prior approval of North Collier shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail.
Where there is insufficient, or out-of-date contract information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of North Collier involved or notice in major print of broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by Collier County to require urgency because of possible imminent misuse of unsecured Protected Health Information, Collier County may also provide information to individuals by telephone or other means, as appropriate. (d) Reporting to Media. In the case of a breach of Protected Health Information discovered by Collier County where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by North Collier, Collier County shall provide notice to prominent media outlets serving Collier County. (e) Reporting to Secretary of Health and Human Services. Collier County shall cooperate with North Collier to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately.
If the breach was with respect to less than five hundred (500) Individuals, Collier County may maintain a log of such breach occurring and annually submit such log to North Collier so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved. (f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009. (g) Financial Responsibility. Collier County shall be responsible for all costs related to the notices required under this Agreement. (h) Mitigation. Collier County shall mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information in violation of this Agreement. Section 3. North Collier's Obligations and Activities When Acting as Business Associate and Collier County's Obligations When Acting as Covered Entity A. Obligations and Activities of North Collier acting as Business Associate Regarding Protected Health Information (a) North Collier agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D., and E. of this Section 2, or as required by applicable federal or laws of the State of Florida. (b) North Collier agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) North Collier agrees to mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information by North Collier in violation of the requirements of this Agreement. (d) North Collier agrees to report to Collier County any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
North Collier will report to Collier County any Security Incident of which North Collier becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon Collier County's request, North Collier will report any incident of which North Collier becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. (e) North Collier agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by North Collier on behalf of Collier County, agrees to the same restrictions and conditions that apply through this Agreement to North Collier with respect to such information. (f) North Collier agrees to provide access, at the request of Collier County or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to Collier County in order to meet the requirements under 45 CFR Section 164.524. (g) North Collier agrees to make any amendment(s) to Protected Health Information in a designated record set that the Collier County or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations.
(h) North Collier agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by North Collier on behalf of Collier County available to Collier County, or at the request of Collier County, to the Secretary in a time and manner designated by Collier County or the Secretary, for purposes of the Secretary determining Collier County's compliance with the Privacy Rule. (i) North Collier agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Collier County to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528. (j) North Collier agrees to provide to Collier County or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations. (k) North Collier certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. North Collier further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance. (l) North Collier agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d). B.
Permitted or Required Uses and Disclosures by North Collier as Business Associate (a) North Collier acknowledges and agrees that Protected Health Information is confidential under State of Florida laws. (b) Except as expressly permitted in writing by Collier County, North Collier shall not divulge, disclose, or communicate Protected Health Information or confidential information of Collier County employees to any third party for any purpose not in conformity with this Agreement except in accordance with Collier County policies and procedures and without prior written approval from Collier County. (c) Except as otherwise limited in this Agreement, North Collier may use Protected Health Information to provide data aggregation services to Collier County as permitted by 45 CFR Section 164.504(e)(2)(i)(B). (d) North Collier may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1). C. Obligations of Collier County as Covered Entity to Inform North Collier of Collier County's Privacy Practices, and any Authorization or Restrictions (a) Collier County shall provide North Collier with the notice of privacy practices that Collier County produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice. (b) Collier County shall provide North Collier with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect North Collier's uses or disclosures of Protected Health Information. (c) Collier County shall notify North Collier of any restriction to the use or disclosure of Protected Health Information that Collier County has agreed to in accordance with 45 CFR Section 164.522, if such changes affect North Collier's uses or disclosures of Protected Health Information. D.
Confidentiality under State Law and Computer Use by North Collier as Business Associate (a) Generally. In addition to the HIPAA privacy requirements, North Collier agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed. Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to Collier County's computer system, commits an offense in violation of Section 815.04, Florida Statutes. Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of Collier County, in whatever form, including the copying or verbally relaying of confidential information. As it relates to computer equipment and systems, North Collier agrees that it will not: i. Operate or attempt to operate any Collier County computer equipment without specific authorization from the Collier County. ii. Disclose any portion of Collier County's computerized system or data with unauthorized individuals. iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control. North Collier agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for Collier County and that it has an up-to-date anti-virus software and firewall running on its computers.
In the event North Collier's password is disclosed, North Collier will immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services, at (239) 252-3740. North Collier shall remove any Collier County access software before disposing of any computer. (b) Receipt of a Subpoena. If North Collier is served with subpoena requiring the production of Collier County's records or information, North Collier shall immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services at (239) 252-3740. A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following: i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence. ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence. iii. Furnish certain records for examination, by mail or by hand-delivery. (c) Employees and Agents. North Collier acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. North Collier assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against Collier County, including costs and attorneys' fees, resulting from the breach by North Collier of the confidentiality requirements of this Agreement. E. Permissible Requests by Collier County as Covered Entity Collier County shall not request North Collier to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by Collier County. F. HIPAA Security Rule (a) Security of Electronic Protected Health Information.
North Collier will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information (as defined in 45 CFR Section 160.103) that North Collier creates, receives, maintains, or transmits on behalf of the Collier County consistent with the Security Rule. (b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below. G. HITECH Act Compliance In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act, the more stringent provision shall apply. (a) North Collier shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement. (b) Reporting to Collier County. North Collier will report to Collier County, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the North Collier is aware. North Collier will report to the Collier County, within twenty-four (24) hours of discovery, any Security Incident of which North Collier is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired, or disclosed during such breach. (c) Reporting to Individuals.
In the case of a breach of Protected Health Information discovered by North Collier, North Collier shall first notify Collier County of the pertinent details of the breach and upon prior approval of Collier County shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. Where there is insufficient, or out-of-date contract information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of Collier County involved or notice in major print of broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by North Collier to require urgency because of possible imminent misuse of unsecured Protected Health Information, North Collier may also provide information to individuals by telephone or other means, as appropriate.

(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by North Collier where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by Collier County, North Collier shall provide notice to prominent media outlets serving Collier County.
(e) Reporting to Secretary of Health and Human Services. North Collier shall cooperate with Collier County to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately. If the breach was with respect to less than five hundred (500) Individuals, North Collier may maintain a log of such breach occurring and annually submit such log to Collier County so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved.

(f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.

(g) Financial Responsibility. North Collier shall be responsible for all costs related to the notices required under this Agreement.

(h) Mitigation. North Collier shall mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information in violation of this Agreement.

Section 4. Term and Termination

(a) Term. The Term of this Agreement shall begin on the last date set forth on the signature blocks below and shall terminate on March 31, 2017 unless otherwise extended by both parties in writing.

(b) Termination for Cause. Without limiting any other termination rights the parties may have, upon party acting as Covered Entity's knowledge of a material breach by party acting as Business Associate of a provision under this Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation.
If the Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, the Covered Entity shall have the right to immediately terminate the Agreement. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

(c) Return or Destruction of Protected Health Information upon Termination. Within sixty (60) days after termination of the Agreement for any reason, or within such other time period as mutually agreed upon in writing by the parties, party acting as Business Associate shall return to party acting as Covered Entity or destroy all Protected Health Information maintained by Business Associate in any form and shall retain no copies thereof. Business Associate also shall recover, and shall return or destroy with such time period, any Protected Health Information in the possession of its subcontractors or agents. Within fifteen (15) days after termination of the Agreement for any reason, Business Associate shall notify Covered Entity in writing as to whether Business Associate intends to return or destroy such Protected Health Information. If Business Associate elects to destroy such Protected Health Information, it shall certify to Covered Entity in writing when and that such Protected Health Information has been destroyed. If any subcontractors or agents of the Business Associate elect to destroy the Protected Health Information, Business Associate will require such subcontractors or agents to certify to Business Associate and to Covered Entity in writing when such Protected Health Information has been destroyed.
If it is not feasible for Business Associate to return or destroy any of said Protected Health Information, Business Associate shall notify Covered Entity in writing that Business Associate has determined that it is not feasible to return or destroy the Protected Health Information and the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations, and restrictions set forth in this Agreement to Business Associate's use or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. If it's not feasible for Business Associate to obtain, from a subcontractor or agent, any Protected Health Information in the possession of the subcontractor or agent, Business Associate shall provide a written explanation to Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations, and restrictions set forth in this Agreement to the subcontractors' or agents' uses or disclosures of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. Prior to destroying any records hereunder, Business Associate shall obtain written confirmation from the Covered Entity that such actions will not violate the State of Florida's or the Covered Entity's record retention policies.

Section 5. Regulatory References

A reference in this Agreement to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended, and for which compliance is required.

Section 6.
Amendment

Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information, Standard Transactions, the security of Health Information, or other aspects of HIPAA-AS or the HITECH Act applicable or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.

Section 7. Survival

Each party agrees that its obligations under this Agreement with regard to Protected Health Information and all other provisions in this Agreement that expressly or customarily survive the termination or expiration of the Agreement shall continue in effect after the Agreement is terminated or expires.

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits party acting as Covered Entity to comply with the Privacy Rule and the confidentiality requirements of the State of Florida, including Section 401.30, Florida Statutes.

Section 9. Disclaimer of Third Party Beneficiaries

This Agreement is solely for the benefit of the parties to this Agreement. No right or cause of action shall accrue upon or by reason hereof inure to or for the benefit of any third party.

Section 10.
Governing Law

The laws of the State of Florida shall govern the validity, interpretation, construction and performance of this Agreement to the extent not preempted by the Privacy Rules or other applicable federal law. In the event of a dispute, venue for any suit involving this Agreement shall be in Collier County, Florida if filed in state court and in the Southern District of Florida if filed in federal court.

Section 11. Indemnification and Performance Guarantees

Each party shall indemnify, defend, and save harmless the other and Individuals for any financial loss as a result of claims brought by third parties and which are caused by the failure of party acting as the Business Associate, its officers, directors or agents to comply with the terms of this Agreement. Notwithstanding, nothing in this Agreement shall be interpreted as a waiver of party acting as the Business Associate's sovereign immunity or an extension of its liability beyond the limits established in Section 768.28, Florida Statutes, nor be construed as consent by party acting as the Business Associate to be sued by third parties in any manner arising out of this Agreement.

Section 12. Assignment

Neither party shall assign either its obligations or benefits under this Agreement without the expressed written consent of the other party, which shall be at the sole discretion of such party.

Section 13. Notices

All notices, demands, requests, and other communications hereunder shall be deemed sufficient and properly given, if in writing and delivered to the above addresses, or via facsimile, or sent by certified or registered mail, postage prepaid with return receipt requested, at such addresses; provided, if such notices, demands, requests or other communications are sent by mail, they shall be deemed as given on the third day following such mailing which is not a Saturday, Sunday, or a day on which United States mail is not delivered.
Any party may, by like notice, designate any further or different address to which subsequent notices shall be sent. Any notices hereunder signed on behalf of the notifying party by a duly authorized attorney at law shall be valid and effective to the same extent as if signed on behalf of such party by a duly authorized officer or employee.

Section 14. Waiver

Unless otherwise specifically provided by the terms of this Agreement, no delay or failure to exercise a right resulting from any breach of this Agreement shall impair such right or shall be construed to be a waiver thereof, but such right may be exercised from time to time and as often as may be deemed expedient. Any waiver shall be in writing and signed by the party granting such waiver. If any representation, warranty or covenant contained in this Agreement is breached by any party and thereafter waived by another party, such waiver shall be limited to the particular breach so waived and shall not be deemed to waive, either expressed or impliedly, any other breach under this Agreement.

Section 15. Severability

In the event any provision of this Agreement shall, for any reason, be determined invalid, illegal or unenforceable in any respect the parties hereto shall negotiate in good faith and agree to such amendments, modifications or supplements to this Agreement or such other appropriate actions as shall, to the maximum extent practicable in the light of such determination implement and give effect to the intentions of the parties as reflected herein, and the other provisions of this Agreement, as amended, modified, supplemented or otherwise affected by such action, shall remain in full force and effect.

[SIGNATURE PAGE FOLLOWS]

IN WITNESS WHEREOF, the parties have executed this combined HIPAA Privacy Business Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement, on the date(s) set forth below.
NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT

By: ____________
Print Name and Title
Date: ____________

ATTEST:
DWIGHT E. BROCK, Clerk
By: ____________, Deputy Clerk
Attest as to Chairman's signature only.

BOARD OF COUNTY COMMISSIONERS
COLLIER COUNTY, FLORIDA
By: ____________
DONNA FIALA, CHAIRMAN

Approved as to form and legality:
Jeffrey A. Klatzkow
County Attorney

For purposes of this Agreement, the term refers only to that Protected Health Information received directly or indirectly from, or received or created on behalf of, the Covered Entity.

(f) "Secretary" means the Secretary of the U.S. Department of Health and Human Services or designee.

(g) "Security Incident" means any event resulting in computer systems, networks, or data being viewed, manipulated, damaged, destroyed or made inaccessible by an unauthorized activity. See National Institute of Standards and Technology (NIST) Special Publication 800-61, "Computer Security Incident Handling Guide," Revision 2 or subsequent revision for more information.

Section 2. Collier County's Obligations and Activities When Acting as Business Associate and North Collier's Obligations When Acting as Covered Entity

A. Obligations and Activities of Collier County acting as Business Associate Regarding Protected Health Information

(a) Collier County agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D. and E. of this Section 2, or as required by applicable federal or laws of the State of Florida.

(b) Collier County agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
(c) Collier County agrees to mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information by Collier County in violation of the requirements of this Agreement.

(d) Collier County agrees to report to North Collier any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. Collier County will report to North Collier any Security Incident of which Collier County becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon North Collier's request, Collier County will report any incident of which Collier County becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.

(e) Collier County agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Collier County on behalf of North Collier, agrees to the same restrictions and conditions that apply through this Agreement to Collier County with respect to such information.

(f) Collier County agrees to provide access, at the request of North Collier or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to North Collier in order to meet the requirements under 45 CFR Section 164.524.
(g) Collier County agrees to make any amendment(s) to Protected Health Information in a designated record set that the North Collier or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations.

(h) Collier County agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Collier County on behalf of North Collier available to North Collier, or at the request of North Collier, to the Secretary in a time and manner designated by North Collier or the Secretary, for purposes of the Secretary determining North Collier's compliance with the Privacy Rule.

(i) Collier County agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for North Collier to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.

(j) Collier County agrees to provide to North Collier or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations.

(k) Collier County certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. Collier County further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance.
(l) Collier County agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d).

B. Permitted or Required Uses and Disclosures by Collier County as Business Associate

(a) Collier County acknowledges and agrees that Protected Health Information is confidential under State of Florida laws.

(b) Except as expressly permitted in writing by North Collier, Collier County shall not divulge, disclose, or communicate Protected Health Information or confidential information of North Collier employees to any third party for any purpose not in conformity with this Agreement except in accordance with North Collier policies and procedures and without prior written approval from North Collier.

(c) Except as otherwise limited in this Agreement, Collier County may use Protected Health Information to provide data aggregation services to North Collier as permitted by 45 CFR Section 164.504(e)(2)(i)(B).

(d) Collier County may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).

C. Obligations of North Collier as Covered Entity to Inform Collier County of North Collier's Privacy Practices, and any Authorization or Restrictions

(a) North Collier shall provide Collier County with the notice of privacy practices that North Collier produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice.

(b) North Collier shall provide Collier County with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect Collier County's uses or disclosures of Protected Health Information.
(c) North Collier shall notify Collier County of any restriction to the use or disclosure of Protected Health Information that North Collier has agreed to in accordance with 45 CFR Section 164.522, if such changes affect Collier County's uses or disclosures of Protected Health Information.

D. Confidentiality under State Law and Computer Use by Collier County as Business Associate

(a) Generally. In addition to the HIPAA privacy requirements, Collier County agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed. Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to North Collier's computer system, commits an offense in violation of Section 815.04, Florida Statutes. Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of North Collier, in whatever form, including the copying or verbally relaying of confidential information. As it relates to computer equipment and systems, Collier County agrees that it will not:
i. Operate or attempt to operate any North Collier computer equipment without specific authorization from the North Collier.
ii. Disclose any portion of North Collier's computerized system or data with unauthorized individuals.
iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control.
Collier County agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for North Collier and that it has an up-to-date anti-virus software and firewall running on its computers. In the event Collier County's password is disclosed, Collier County will immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222 to report the incident and request a new password. Collier County shall remove any North Collier access software before disposing of any computer.

(b) Receipt of a Subpoena. If Collier County is served with subpoena requiring the production of North Collier's records or information, Collier County shall immediately contact the District's Deputy Chief of Emergency Medical Services and Training at (239) 597-3222. A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following:
i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence.
ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence.
iii. Furnish certain records for examination, by mail or by hand-delivery.

(c) Employees and Agents. Collier County acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. Collier County assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against North Collier, including costs and attorneys' fees, resulting from the breach by Collier County of the confidentiality requirements of this Agreement.

E.
Permissible Requests by North Collier as Covered Entity

North Collier shall not request Collier County to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by North Collier.

F. HIPAA Security Rule

(a) Security of Electronic Protected Health Information. Collier County will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information (as defined in 45 CFR Section 160.103) that Collier County creates, receives, maintains, or transmits on behalf of the North Collier consistent with the Security Rule.

(b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below.

G. HITECH Act Compliance

In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act, the more stringent provision shall apply.

(a) Collier County shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement.

(b) Reporting to North Collier. Collier County will report to the North Collier, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the Collier County is aware. Collier County will report to North Collier, within twenty-four (24) hours of discovery, any Security Incident of which Collier County is aware. A violation of this paragraph shall be a material violation of this Agreement.
Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired, or disclosed during such breach.

(c) Reporting to Individuals. In the case of a breach of Protected Health Information discovered by Collier County, Collier County shall first notify North Collier of the pertinent details of the breach and upon prior approval of North Collier shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by Collier County to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. Where there is insufficient, or out-of-date contract information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of North Collier involved or notice in major print of broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by Collier County to require urgency because of possible imminent misuse of unsecured Protected Health Information, Collier County may also provide information to individuals by telephone or other means, as appropriate.

(d) Reporting to Media.
In the case of a breach of Protected Health Information discovered by Collier County where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by North Collier, Collier County shall provide notice to prominent media outlets serving Collier County.

(e) Reporting to Secretary of Health and Human Services. Collier County shall cooperate with North Collier to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately. If the breach was with respect to less than five hundred (500) Individuals, Collier County may maintain a log of such breach occurring and annually submit such log to North Collier so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved.

(f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.

(g) Financial Responsibility. Collier County shall be responsible for all costs related to the notices required under this Agreement.

(h) Mitigation. Collier County shall mitigate, to the extent practicable, any harmful effect that is known to Collier County of a use or disclosure of Protected Health Information in violation of this Agreement.

Section 3. North Collier's Obligations and Activities When Acting as Business Associate and Collier County's Obligations When Acting as Covered Entity

A.
Obligations and Activities of North Collier acting as Business Associate Regarding Protected Health Information

(a) North Collier agrees to not use or further disclose Protected Health Information other than as permitted or required by Subsections B., D., and E. of this Section 2, or as required by applicable federal or laws of the State of Florida.

(b) North Collier agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

(c) North Collier agrees to mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information by North Collier in violation of the requirements of this Agreement.

(d) North Collier agrees to report to Collier County any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. North Collier will report to Collier County any Security Incident of which North Collier becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon Collier County's request, North Collier will report any incident of which North Collier becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.
(e) North Collier agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by North Collier on behalf of Collier County, agrees to the same restrictions and conditions that apply through this Agreement to North Collier with respect to such information.

(f) North Collier agrees to provide access, at the request of Collier County or an Individual, and in a prompt and reasonable manner consistent with the HIPAA regulations, to Protected Health Information in a designated record set, to Collier County in order to meet the requirements under 45 CFR Section 164.524.

(g) North Collier agrees to make any amendment(s) to Protected Health Information in a designated record set that the Collier County or an Individual directs or agrees to pursuant to 45 CFR Section 164.526, in a prompt and reasonable manner consistent with the HIPAA regulations.

(h) North Collier agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by North Collier on behalf of Collier County available to Collier County, or at the request of Collier County, to the Secretary in a time and manner designated by Collier County or the Secretary, for purposes of the Secretary determining Collier County's compliance with the Privacy Rule.

(i) North Collier agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Collier County to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.
(j) North Collier agrees to provide to Collier County or an Individual an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528, in a prompt and reasonable manner consistent with the HIPAA regulations.
(k) North Collier certifies that it is in compliance with all applicable provisions of HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange (EDI) Standards, at 45 CFR Part 162; and the Annual Guidance as issued by the Secretary pursuant to the HITECH Act, Section 13401. North Collier further agrees to ensure that any agent, including a subcontractor, that conducts standard transactions on its behalf, will comply with the EDI Standards and the Annual Guidance.
(l) North Collier agrees to determine the minimum necessary type and amount of Protected Health Information required to perform its services and will comply with 45 CFR Sections 164.502(b) and 514(d).
B. Permitted or Required Uses and Disclosures by North Collier as Business Associate
(a) North Collier acknowledges and agrees that Protected Health Information is confidential under State of Florida laws.
(b) Except as expressly permitted in writing by Collier County, North Collier shall not divulge, disclose, or communicate Protected Health Information or confidential information of Collier County employees to any third party for any purpose not in conformity with this Agreement except in accordance with Collier County policies and procedures and without prior written approval from Collier County.
(c) Except as otherwise limited in this Agreement, North Collier may use Protected Health Information to provide data aggregation services to Collier County as permitted by 45 CFR Section 164.504(e)(2)(i)(B).
(d) North Collier may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).
C. Obligations of Collier County as Covered Entity to Inform North Collier of Collier County's Privacy Practices, and any Authorization or Restrictions
(a) Collier County shall provide North Collier with the notice of privacy practices that Collier County produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice.
(b) Collier County shall provide North Collier with any changes in, or revocation of, authorization by Individual or his or her personal representative to use or disclose Protected Health Information, if such changes affect North Collier's uses or disclosures of Protected Health Information.
(c) Collier County shall notify North Collier of any restriction to the use or disclosure of Protected Health Information that Collier County has agreed to in accordance with 45 CFR Section 164.522, if such changes affect North Collier's uses or disclosures of Protected Health Information.
D. Confidentiality under State Law and Computer Use by North Collier as Business Associate
(a) Generally. In addition to the HIPAA privacy requirements, North Collier agrees to observe the confidentiality requirements of Section 401.30, Florida Statutes. In general, the referenced statute provides that records of emergency calls that contain patient examination or treatment information are confidential and exempt from the provisions of Section 119.07(1), Florida Statutes, and may not be disclosed without the consent of the person to whom they pertain unless otherwise statutorily prescribed. Any person who willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation, including those residing or existing internal and external to Collier County's computer system, commits an offense in violation of Section 815.04, Florida Statutes.
Confidentiality requirements protect more than unlawful disclosure of documents. The confidentiality requirements protect the disclosure of all records and information of Collier County, in whatever form, including the copying or verbally relaying of confidential information. As it relates to computer equipment and systems, North Collier agrees that it will not:
i. Operate or attempt to operate any Collier County computer equipment without specific authorization from the Collier County.
ii. Disclose any portion of Collier County's computerized system or data with unauthorized individuals.
iii. Permit any individual to review, examine, or make copies of any report(s) or document(s) in its care, custody or control.
North Collier agrees that it will access computer systems, equipment and functions only as required for the performance of its duties and responsibilities for Collier County and that it has an up-to-date anti-virus software and firewall running on its computers. In the event North Collier's password is disclosed, North Collier will immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services, at (239) 252-3740. North Collier shall remove any Collier County access software before disposing of any computer.
(b) Receipt of a Subpoena. If North Collier is served with subpoena requiring the production of Collier County's records or information, North Collier shall immediately contact Collier County's Administrative Secretary/Record Custodian, Collier County Emergency Medical Services at (239) 252-3740. A subpoena is an official summons issued by a court or an administrative tribunal, which requires the recipient to do one or more of the following:
i. Appear at a deposition to give sworn testimony, and may also require that certain records be brought to be examined as evidence.
ii. Appear at a hearing or trial to give evidence as a witness, and may also require that certain records be brought to be examined as evidence.
iii. Furnish certain records for examination, by mail or by hand-delivery.
(c) Employees and Agents. North Collier acknowledges that the confidentiality requirements herein apply to all its employees, agents and representatives. North Collier assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against Collier County, including costs and attorneys' fees, resulting from the breach by North Collier of the confidentiality requirements of this Agreement.
E. Permissible Requests by Collier County as Covered Entity
Collier County shall not request North Collier to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, the Privacy Rule, the HITECH Act, or the laws of the State of Florida, if done by Collier County.
F. HIPAA Security Rule
(a) Security of Electronic Protected Health Information. North Collier will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information (as defined in 45 CFR Section 160.103) that North Collier creates, receives, maintains, or transmits on behalf of the Collier County consistent with the Security Rule.
(b) Compliance Date. The parties to this Agreement will comply with this subsection F. by the last date set forth in the signature blocks below.
G. HITECH Act Compliance
In the event of any inconsistency or conflict between requirements of HIPAA, HIPAA Security Rule and HITECH Act, the more stringent provision shall apply.
(a) North Collier shall make a good faith effort to identify and report any use or disclosure of Protected Health Information not provided for in this Agreement.
(b) Reporting to Collier County. North Collier will report to Collier County, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the North Collier is aware. North Collier will report to the Collier County, within twenty-four (24) hours of discovery, any Security Incident of which North Collier is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired, or disclosed during such breach.
(c) Reporting to Individuals. In the case of a breach of Protected Health Information discovered by North Collier, North Collier shall first notify Collier County of the pertinent details of the breach and upon prior approval of Collier County shall notify each individual whose unsecured Protected Health Information has been, or is reasonably believed by North Collier to have been, accessed, acquired or disclosed as a result of such breach. Such notification shall be in writing by first-class mail to the Individual (or the next of kin if the individual is deceased) at the last known address of the individual or next of kin, respectively, or, if specified as a preference by the individual, by electronic mail.
Where there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are ten (10) or more Individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the Web site of Collier County involved or notice in major print or broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by North Collier to require urgency because of possible imminent misuse of unsecured Protected Health Information, North Collier may also provide information to individuals by telephone or other means, as appropriate.
(d) Reporting to Media. In the case of a breach of Protected Health Information discovered by North Collier where the unsecured Protected Health Information of more than five hundred (500) persons is reasonably believed to have been, accessed, acquired, or disclosed, after prior approval by Collier County, North Collier shall provide notice to prominent media outlets serving Collier County.
(e) Reporting to Secretary of Health and Human Services. North Collier shall cooperate with Collier County to provide notice to the Secretary of Health and Human Services of unsecured Protected Health Information that has been acquired or disclosed in a breach. If the breach was with respect to five hundred (500) or more Individuals, such notice must be provided immediately.
If the breach was with respect to less than five hundred (500) Individuals, North Collier may maintain a log of such breach occurring and annually submit such log to Collier County so that it may satisfy its obligation to notify the Secretary of Health and Human Services documenting such breaches occurring in the year involved.
(f) Content of Notices. All notices required under this Agreement shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009.
(g) Financial Responsibility. North Collier shall be responsible for all costs related to the notices required under this Agreement.
(h) Mitigation. North Collier shall mitigate, to the extent practicable, any harmful effect that is known to North Collier of a use or disclosure of Protected Health Information in violation of this Agreement.
Section 4. Term and Termination
(a) Term. The Term of this Agreement shall begin on the last date set forth on the signature blocks below and shall terminate on March 31, 2017 unless otherwise extended by both parties in writing.
(b) Termination for Cause. Without limiting any other termination rights the parties may have, upon party acting as Covered Entity's knowledge of a material breach by party acting as Business Associate of a provision under this Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If the Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, the Covered Entity shall have the right to immediately terminate the Agreement. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
(c) Return or Destruction of Protected Health Information upon Termination.
Within sixty (60) days after termination of the Agreement for any reason, or within such other time period as mutually agreed upon in writing by the parties, party acting as Business Associate shall return to party acting as Covered Entity or destroy all Protected Health Information maintained by Business Associate in any form and shall retain no copies thereof. Business Associate also shall recover, and shall return or destroy within such time period, any Protected Health Information in the possession of its subcontractors or agents. Within fifteen (15) days after termination of the Agreement for any reason, Business Associate shall notify Covered Entity in writing as to whether Business Associate intends to return or destroy such Protected Health Information. If Business Associate elects to destroy such Protected Health Information, it shall certify to Covered Entity in writing when and that such Protected Health Information has been destroyed. If any subcontractors or agents of the Business Associate elect to destroy the Protected Health Information, Business Associate will require such subcontractors or agents to certify to Business Associate and to Covered Entity in writing when such Protected Health Information has been destroyed. If it is not feasible for Business Associate to return or destroy any of said Protected Health Information, Business Associate shall notify Covered Entity in writing that Business Associate has determined that it is not feasible to return or destroy the Protected Health Information and the specific reasons for such determination.
Business Associate further agrees to extend any and all protections, limitations, and restrictions set forth in this Agreement to Business Associate's use or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. If it's not feasible for Business Associate to obtain, from a subcontractor or agent, any Protected Health Information in the possession of the subcontractor or agent, Business Associate shall provide a written explanation to Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations, and restrictions set forth in this Agreement to the subcontractors' or agents' uses or disclosures of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the Protected Health Information not feasible. Prior to destroying any records hereunder, Business Associate shall obtain written confirmation from the Covered Entity that such actions will not violate the State of Florida's or the Covered Entity's record retention policies.
Section 5. Regulatory References
A reference in this Agreement to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended, and for which compliance is required.
Section 6. Amendment
Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information, Standard Transactions, the security of Health Information, or other aspects of HIPAA-AS or the HITECH Act applicable or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.
Section 7. Survival
Each party agrees that its obligations under this Agreement with regard to Protected Health Information and all other provisions in this Agreement that expressly or customarily survive the termination or expiration of the Agreement shall continue in effect after the Agreement is terminated or expires.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits party acting as Covered Entity to comply with the Privacy Rule and the confidentiality requirements of the State of Florida, including Section 401.30, Florida Statutes.
Section 9. Disclaimer of Third Party Beneficiaries
This Agreement is solely for the benefit of the parties to this Agreement. No right or cause of action shall accrue upon or by reason hereof inure to or for the benefit of any third party.
Section 10. Governing Law
The laws of the State of Florida shall govern the validity, interpretation, construction and performance of this Agreement to the extent not preempted by the Privacy Rules or other applicable federal law. In the event of a dispute, venue for any suit involving this Agreement shall be in Collier County, Florida if filed in state court and in the Southern District of Florida if filed in federal court.
Section 11. Indemnification and Performance Guarantees
Each party shall indemnify, defend, and save harmless the other and Individuals for any financial loss as a result of claims brought by third parties and which are caused by the failure of party acting as the Business Associate, its officers, directors or agents to comply with the terms of this Agreement. Notwithstanding, nothing in this Agreement shall be interpreted as a waiver of party acting as the Business Associate's sovereign immunity or an extension of its liability beyond the limits established in Section 768.28, Florida Statutes, nor be construed as consent by party acting as the Business Associate to be sued by third parties in any manner arising out of this Agreement.
Section 12. Assignment
Neither party shall assign either its obligations or benefits under this Agreement without the expressed written consent of the other party, which shall be at the sole discretion of such party.
Section 13. Notices
All notices, demands, requests, and other communications hereunder shall be deemed sufficient and properly given, if in writing and delivered to the above addresses, or via facsimile, or sent by certified or registered mail, postage prepaid with return receipt requested, at such addresses; provided, if such notices, demands, requests or other communications are sent by mail, they shall be deemed as given on the third day following such mailing which is not a Saturday, Sunday, or a day on which United States mail is not delivered.
Any party may, by like notice, designate any further or different address to which subsequent notices shall be sent. Any notices hereunder signed on behalf of the notifying party by a duly authorized attorney at law shall be valid and effective to the same extent as if signed on behalf of such party by a duly authorized officer or employee.
Section 14. Waiver
Unless otherwise specifically provided by the terms of this Agreement, no delay or failure to exercise a right resulting from any breach of this Agreement shall impair such right or shall be construed to be a waiver thereof, but such right may be exercised from time to time and as often as may be deemed expedient. Any waiver shall be in writing and signed by the party granting such waiver. If any representation, warranty or covenant contained in this Agreement is breached by any party and thereafter waived by another party, such waiver shall be limited to the particular breach so waived and shall not be deemed to waive, either expressed or impliedly, any other breach under this Agreement.
Section 15. Severability
In the event any provision of this Agreement shall, for any reason, be determined invalid, illegal or unenforceable in any respect the parties hereto shall negotiate in good faith and agree to such amendments, modifications or supplements to this Agreement or such other appropriate actions as shall, to the maximum extent practicable in the light of such determination implement and give effect to the intentions of the parties as reflected herein, and the other provisions of this Agreement, as amended, modified, supplemented or otherwise affected by such action, shall remain in full force and effect.
[SIGNATURE PAGE FOLLOWS]
IN WITNESS WHEREOF, the parties have executed this combined HIPAA Privacy Business Associate, HIPAA Security Rule, HITECH Act Compliance and Confidentiality Agreement, on the date(s) set forth below.
NORTH COLLIER FIRE CONTROL AND RESCUE DISTRICT
By: ____________________
Print Name and Title
Date: ____________________
ATTEST: DWIGHT E. BROCK, Clerk
By: ____________________, Deputy Clerk
Attest as to Chairman's signature only.
BOARD OF COUNTY COMMISSIONERS, COLLIER COUNTY, FLORIDA
By: ____________________ DONNA FIALA, CHAIRMAN
Approved as to form and legality:
Jeffrey A. Klatzkow, County Attorney
[04-EMG-01149/1255599/1] Page 16 of 16