CONTRACT 2772A Amendment
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Agreement ("Agreement") is entered into by and between Wittman Enterprises, LLC ("Business
Associate") and City of El Segundo ("Covered Entity").
RECITALS
WHEREAS, Business Associate performs functions, activities, or services for, or on behalf of Covered
Entity, and Business Associate receives, has access to or creates Health Information in order to perform such
functions, activities or services;
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health
Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder ("HIPAA"),
including but not limited to, the Standards for Privacy of Individually Identifiable Health Information, 45 Code of
Federal Regulations Parts 160 and 164; and
WHEREAS, HIPAA requires Covered Entity to enter into a contract with Business Associate to provide
for the protection of the privacy and security of Health Information, and HIPAA prohibits the disclosure to or use of
Health Information by Business Associate if such a contract is not in place.
AGREEMENT
NOW, THEREFORE, in consideration of the foregoing, and for other good and valuable consideration,
the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:
ARTICLE I
DEFINITIONS
In addition to the definitions listed below, this Agreement incorporates the definitions set forth in the
Covered Entity's HIPAA Policies and Procedures. In the event of any conflict, the Covered Entity's HIPAA Policies
and Procedures will take precedence.
1.1 "Disclose" and "Disclosure" mean, with respect to Health Information, the release, transfer,
provision of access to, or divulging in any other manner of Health Information outside Business Associate's internal
operations or to other than its employees.
1.2 "Health Information" means information that (a) relates to the past, present or future physical or
mental health or condition of an individual; the provision of health care to an individual, or the past, present or
future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a
reasonable basis for believing that the information can be used to identify the individual); and (c) is received by
Business Associate from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible
to Business Associate by Covered Entity.
1.3 "Privacy Regulations" means the Standards for Privacy of Covered Individually Identifiable
Health Information, 45 Code of Federal Regulations Parts 160 and 164, promulgated under HIPAA.
1.4 "Services" means the services provided by Business Associate pursuant to the Underlying
Agreement(s), or if no such agreement(s) are in effect, the services Business Associate performs with respect to the
Covered Entity.
1.5 "Underlying Agreement" means the services agreement executed by the Covered Entity and
Business Associate, if any.
1.6 "Use" or "Uses" mean, with respect to Health Information, the sharing, employment, application,
utilization, examination or analysis of such Health Information within Business Associate's internal operations.
ARTICLE II
OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Initial Effective Date of Performance. The obligations created under this Agreement become
effective on
2.2 Permitted Uses and Disclosures of Health Information. Business Associate is authorized to and
shall:
a. Use and Disclose Health Information as necessary to perform Services for, or on behalf
of Covered Entity;
b. Use Health Information to create aggregated or de-identified information (in accordance
with the requirements of the Privacy Regulations);
c. Use or Disclose Health Information (including aggregated or de-identified information)
as otherwise directed by Covered Entity provided that Covered Entity shall not request Business Associate to Use or
Disclose Health Information in a manner that would not be permissible if done by Covered Entity.
Business Associate shall not Use Health Information for any other purpose, except in accordance with applicable
law and Covered Entity's HIPAA Policies and Procedures. In addition, Business Associate may Use Health
Information for the proper management and administration of Business Associate.
2.3 Adequate Safeguards for Health Information. Business Associate warrants that it has
implemented and will maintain appropriate safeguards to prevent the Use or Disclosure of Health Information in any
manner other than as permitted by this Agreement.
2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect
that is known to Business Associate of a Use or Disclosure of Health Information by Business Associate in violation
of the requirements of this Agreement.
2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity
each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors
that is not specifically permitted by this Agreement of which Business Associate becomes aware. The initial report
shall be made by telephone call to the Covered Entity within forty-eight (48) hours from the time the Business
Associate becomes aware of the non-permitted Use or Disclosure, followed by a written report to Covered Entity no
later than five (5) days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure.
2.6 Availability of Internal Practices, Books and Records. Business Associate agrees to make its
internal practices, books and records relating to the Use and Disclosure of Health Information available to the
Covered Entity and the Secretary of the U.S. Department of Health and Human Services ("Secretary"), for purposes
of determining Covered Entity's compliance with the Privacy Regulations.
2.7 Access to and Amendment of Health Information. Business Associate shall, to the extent Covered
Entity determines that any Health Information constitutes a "designated record set" under the Privacy Regulations,
(a) make the Health Information specified by Covered Entity available to Covered Entity or to the individual(s)
identified by Covered Entity as being entitled to access and copy that Health Information, and (b) make any
amendments to Health Information that are requested by Covered Entity. Business Associate shall provide such
access and make such amendments within the time and in the manner specified by Covered Entity.
2.8 Accounting of Disclosures. Upon Covered Entity's request, Business Associate shall provide to
Covered Entity an accounting of each Disclosure of Health Information made by Business Associate or its
employees, agents, representatives or subcontractors as required by the Privacy Regulations. For each Disclosure
that requires an accounting under this Section 2.8, Business Associate shall track the information required by the
Privacy Regulations, and shall securely maintain the information for six (6) years from the date of the Disclosure.
2.9 Use of Subcontractors and Agents. Business Associate shall require each of its agents and
subcontractors that receive Health Information from Business Associate to execute a written agreement obligating
the agent or subcontractor to comply with all the terms of this Agreement with respect to such Health Information.
ARTICLE III
OBLIGATIONS OF COVERED ENTITY
3.1 Privacy Notice. Covered Entity shall notify Business Associate of any limitation(s) in Covered
Entity's notice of privacy practices to the extent such limitation(s) may affect Business Associate's Use or
Disclosure of Health Information. Business Associate acknowledges receipt of Covered Entity's HIPAA Policies
and Procedures.
ARTICLE IV
TERM AND TERMINATION
4.1 Term. Subject to the provisions of Sections 4.2 and 4.3, the term of this Agreement shall be the
term of the Underlying Agreement(s).
4.2 Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement
by the Business Associate, Covered Entity shall either:
a. notify Business Associate of the breach in writing, and provide an opportunity to cure the
breach or end the violation within ten (10) business days of such notification; provided that if Business Associate
fails to cure the breach or end the violation within such time period to the satisfaction of Covered Entity, Covered
Entity shall have the right to immediately terminate this Agreement and the Underlying Agreement(s) upon written
notice to Business Associate;
b. upon written notice to Business Associate, immediately terminate this Agreement and the
Underlying Agreement(s) if Covered Entity determines that such breach cannot be cured; or
c. if Covered Entity determines that neither termination nor cure is feasible, the Covered
Entity shall report the violation to the Secretary.
4.3 Termination for Breach of Section 5.2. Covered Entity may terminate the Underlying
Agreement(s) and this Agreement upon thirty (30) days written notice in the event (a) Business Associate does not
promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to Section 5.2
or (b) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the
safeguarding of Health Information that the Covered Entity, in its sole discretion, deems sufficient to satisfy the
standards and requirements of HIPAA.
4.4 Disposition of Health Information Upon Termination or Expiration. Upon termination or
expiration of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion
and in accordance with any instructions by Covered Entity, all Health Information in the possession or control of
Business Associate and its agents and subcontractors. In such event, Business Associate shall retain no copies of
such Health Information. However, if the Business Associate determines that neither return nor destruction of
Health Information is feasible, Business Associate shall notify Covered Entity of the conditions that make return or
destruction infeasible, and may retain Health Information provided that Business Associate (a) continues to comply
with the provisions of this Agreement for as long as it retains Health Information, and (b) further limits Uses and
Disclosures of Health Information to those purposes that make the return or destruction of Health Information
infeasible.
ARTICLE V
MISCELLANEOUS
5.1 Indemnification. Notwithstanding anything to the contrary in the Underlying Agreement(s), at
Business Associate's expense, Business Associate agrees to indemnify, defend and hold harmless Covered Entity
and Covered Entity's employees, directors, officers, subcontractors or agents (the "Indemnities") against all
damages, losses, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) and all liability
to third parties arising from any material breach of this Agreement by Business Associate or its employees,
directors, officers, subcontractors, agents or other members of Business Associate's workforce. Business
Associate's obligation to indemnify the Indemnities shall survive the expiration or termination of this Agreement for
any reason.
5.2 Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to
electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to
provide for procedures to ensure compliance with such developments. The parties specifically agree to take such
action as is necessary to implement the standards and requirements of HIPAA and other applicable laws relating to
the security or confidentiality of Health Information. The parties understand and agree that Covered Entity must
receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all
Health Information that it receives or creates on behalf of Covered Entity. Upon Covered Entity's request, Business
Associate agrees to promptly enter into negotiations with Covered Entity, concerning the terms of any amendment to
this Agreement embodying written assurances consistent with the standards and requirements of HIPAA or other
applicable laws.
5.3 Relationship to Underlying Agreement(s) Provisions. In the event that a provision of this
Agreement is contrary to a provision of an Underlying Agreement(s), the provision of this Agreement shall control.
Otherwise, this Agreement shall be construed under, and in accordance with, the terms of such Underlying
Agreement(s), and shall be considered an amendment of and supplement to such Underlying Agreement(s).
5.4 Modification of Agreement. No alteration, amendment, or modification of the terms of this
Agreement shall be valid or effective unless in writing and signed by Business Associate and Covered Entity.
5.5 Non-Waiver. A failure of any party to enforce at any time any term, provision or condition of this
Agreement, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor shall any single
or partial exercise preclude any other right or option herein. In no way whatsoever shall a waiver of any term,
provision or condition of this Agreement be valid unless in writing, signed by the waiving party, and only to the
extent set forth in such writing.
5.6 Agreement Drafted By All Parties. This Agreement is the result of arm's length negotiations
between the parties and shall be construed to have been drafted by all parties such that any ambiguities in this
Agreement shall not be construed against either party.
5.7 Severability. If any provision of this Agreement is found to be invalid or unenforceable by any
court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without
invalidating the remaining provisions hereof.
5.8 Section Headings. The section headings contained herein are for convenience in reference and are
not intended to define or limit the scope of any provision of this Agreement.
5.9 No Third Party Beneficiaries. There are no third party beneficiaries to this Agreement.
5.10 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall
be deemed an original, and will become effective and binding upon the parties as of the effective date at such time
as all the signatories hereto have signed a counterpart of this Agreement.
5.11 Notices. Any notices required or permitted to be given hereunder by either party to the other shall
be given in writing: (1) by personal delivery; (2) by electronic facsimile with confirmation sent by United States first
class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally
recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid,
return receipt requested, in each case, addressed to:
If to Business Associate:
Wittman Enterprises, LLC
21 Blue Sky Court
Sacramento, CA 95828
Attn: Privacy Officer
If to Covered Entity:
City of El Segundo
314 Main Street
El Segundo, CA 90245-3895
Attn: Privacy Officer
or to such other addresses as the parties may request in writing by notice given pursuant to this Section 5.12.
Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with
confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following
deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S.
Mail as required herein.
5.12 Applicable Law and Venue. This Agreement shall be governed by and construed in accordance
with the internal laws of the State of California (without regard to principles of conflicts of laws). The parties agree
that all actions or proceedings arising in connection with this Agreement shall be tried and litigated exclusively in
the state or federal (if permitted by law and a party elects to file an action in federal court) courts located in County.
This choice of venue is intended by the parties to be mandatory and not permissive in nature, and to preclude the
possibility of litigation between the parties with respect to, or arising out of, this Agreement in any jurisdiction other
than that specified in this Section 5.12. Each party waives any right it may have to assert the doctrine of forum
non-convenience or similar doctrine or to object to venue with respect to any proceeding brought in accordance with this
Section 5.12.
5.13 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to
comply with the Privacy Regulations.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement effective as of the date stated
above.
COVERED ENTITY
By:
Printed Name:
Title: City Manager
Dated:
BUSINESS ASSOCIATE
By:
Printed Name: Dona Wittman
Title: President
Dated: