CONTRACT 4100
BUSINESS ASSOCIATE AGREEMENT
This Agreement is made effective on the date signed below by and between Financial Credit
Network, Inc., hereinafter referred to as "Covered Entity", and City of El Segundo, hereinafter
referred to as "Business Associate" (individually, a "Party" and collectively, the "Parties").
WITNESSETH:
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191, known as "the Administrative Simplification
provisions," direct the Department of Health and Human Services to develop standards to
protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and
Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the "HIPAA Privacy
Rule" and the "HIPAA Security Rule"); and
WHEREAS, Title XIII of the American Recovery and Reinvestment Act, known as "the HITECH
Act" has amended HIPAA and the HIPAA regulations, including HIPAA's Administrative
Simplification provisions; and
WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby
Business Associate will provide certain services to Covered Entity, and, pursuant to such
arrangement, Business Associate may be considered a "business associate" of Covered Entity as
defined in the HIPAA Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information (as defined
below) in fulfilling its responsibilities under such arrangement;
THEREFORE, in consideration of the Parties' continuing obligations under the HIPAA Privacy
Rule and Security Rule, and other good and valuable consideration, the receipt and sufficiency
of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order
to address the requirements of the HIPAA Privacy Rule and Security Rule and to protect the
interests of both Parties.
I. DEFINITIONS
Except as otherwise defined herein, any and all capitalized terms in this Section shall have the
definitions set forth in the HIPAA Privacy Rule and the HIPAA Security Rule. In the event of an
inconsistency between the provisions of this Agreement and mandatory provisions of the
HIPAA Privacy Rule and Security Rule, as amended, the HIPAA Privacy Rule and Security Rules
shall control. Where provisions of this Agreement are different than those mandated in the
HIPAA Privacy Rule and Security Rule, but are nonetheless permitted by the HIPAA Privacy Rule
and/or Security Rule, the provisions of this Agreement shall control.
The term "Protected Health Information" (abbreviated as "PHI") means individually identifiable
health information including, without limitation, all information, data, documentation, and
materials, including without limitation, demographic, medical and financial information, that
relates to the past, present, or future physical or mental health or condition of an individual;
the provision of health care to an individual; or the past, present, or future payment for the
provision of health care to an individual; and that identifies the individual or with respect to
which there is a reasonable basis to believe the information can be used to identify the
individual.
Business Associate acknowledges and agrees that all Protected Health Information that is
created or received by Covered Entity and disclosed or made available in any form, including
paper record, oral communication, audio recording, and electronic display by Covered Entity or
its operating units to Business Associate or is created or received by Business Associate on
Covered Entity's behalf shall be subject to this Agreement.
II. CONFIDENTIALITY REQUIREMENTS
(A) Business Associate agrees:
(i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations
as set forth in any agreements between the Parties evidencing their business relationship,
or (2) as required by applicable law, rule or regulation, or by accrediting or credentialing
organization to whom Covered Entity is required to disclose such information or as
otherwise permitted under this Agreement, or the HIPAA Privacy Rule or Security Rule;
(ii) at termination of this Agreement, or any similar documentation of the business
relationship of the Parties, or upon request of Covered Entity, whichever occurs first, if
feasible, Business Associate will return or destroy all Protected Health Information received
from or created or received by Business Associate on behalf of Covered Entity that Business
Associate still maintains in any form and retain no copies of such information, or if such
return or destruction is not feasible, Business Associate will extend the protections of this
Agreement to the information in perpetuity and limit further uses and disclosures to those
purposes that make the return or destruction of the information not feasible; and
(iii) to ensure that its agents, including a subcontractor, to whom it provides Protected
Health Information received from or created by Business Associate on behalf of Covered
Entity, agrees to the same restrictions and conditions that apply to Business Associate with
respect to such information. In addition, Business Associate agrees to take reasonable steps
to ensure that its employees' actions or omissions do not cause Business Associate to
breach the terms of this Agreement or the mandatory requirements of the HIPAA Privacy
Rule and Security Rule that may apply to Business Associate.
(B) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use
and disclose Protected Health Information as follows:
(i) if necessary, for the proper management and administration of Business Associate or to
carry out the legal responsibilities of Business Associate, provided that as to any such
disclosure, the following requirements are met:
(a) the disclosure is required by law, not merely permitted by law; or
(b) Business Associate obtains reasonable assurances from the person or party to whom
the information is disclosed that it will be held confidentially and used for the purpose
for which it was disclosed to the person or party, and the person or party notifies
Business Associate of any instances of which it is aware in which the confidentiality of
the information has been breached;
(C) Business Associate will implement appropriate safeguards to prevent use or disclosure of
Protected Health Information other than as permitted in this Agreement. The Secretary of
Health and Human Services shall have the right to audit Business Associate's records and
practices related to uses and disclosures of Protected Health Information to ensure Covered
Entity's compliance with the terms of the HIPAA Privacy Rule and Security Rule. Business
Associate shall timely report to Covered Entity any use or disclosure of Protected Health
Information which is not in compliance with the terms of this Agreement of which it becomes
aware.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
(a) Business Associate agrees that it is required under the amended HIPAA regulations to
comply with, and shall comply with, the HIPAA Security Rule, including the Security Rule's
Administrative, Physical, and Technical safeguard requirements.
(b) Business Associate agrees that it is required under the amended HIPAA regulations to
comply with, and shall comply with, the use and disclosure provisions of the HIPAA Privacy
Rule.
(c) Business Associate agrees to not use or disclose Protected Health Information other than as
permitted or required by the Agreement or as required by law.
(d) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
(e) Breach Disclosures to Covered Entity: Business Associate agrees to immediately report to
Covered Entity any use or disclosure of Protected Health Information not provided for by
this Agreement of which it becomes aware. Further, Business Associate agrees to notify the
Covered Entity of any individual whose Protected Health Information has been
inappropriately or unlawfully released, accessed, or obtained. Business Associate agrees
that such notification will meet the requirements of Section 13402 of the HITECH Act and §
164.410 of the amended HIPAA regulations. Specifically, the following shall apply:
i. A breach is considered discovered on the first day the Business Associate knows or
should have known about it.
ii. Business Associate shall notify the Covered Entity of any and all breaches of
Protected Health Information, and provide detailed information to the Covered
Entity about the breach, along with the names and contact information, when
available, of all individuals whose Protected Health Information was involved.
(f) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it
provides Protected Health Information received from, or created or received by Business
Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that
apply through this Agreement to Business Associate with respect to such information.
(g) Business Associate agrees to make internal practices, books, and records, including policies
and procedures and Protected Health Information, relating to the use and disclosure of
Protected Health Information received from, or created or received by Business Associate
on behalf of, Covered Entity available to the Covered Entity or to the Secretary of the U.S.
Department of Health and Human Services (the "Secretary"), for purposes of determining
Business Associate's compliance with the HIPAA Privacy Rule and Security Rule. Business
Associate shall provide to the Covered Entity a copy of any Protected Health Information
that Business Associate provides to the Secretary concurrently with providing such
Protected Health Information to the Secretary.
(h) Business Associate agrees to document such disclosures of Protected Health Information
and information related to such disclosures as would be required for Covered Entity to
respond to a request by an Individual for an accounting of disclosures of Protected Health
Information in accordance with 45 CFR § 164.528.
(i) Business Associate agrees to comply with the requirements of the "Red Flags" Rule and
implement a compliant identity theft prevention program by or before the required "Red
Flags" Rule compliance date.
IV. AVAILABILITY OF PHI
(a) Business Associate agrees to make available Protected Health Information to the extent and
in the manner required by Section 164.524 of the HIPAA Privacy Rule.
(b) In addition, Business Associate agrees to make Protected Health Information available for
purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy
Rule to conduct a reasonable inspection of the facilities, systems, books, records,
agreements, policies and procedures relating to the use or disclosure of Protected Health
Information pursuant to this Agreement for the purpose of determining whether Business
Associate has complied with this Agreement; provided, however that:
(i) Business Associate and Covered Entity shall mutually agree in advance upon the
scope, timing and location of such an inspection;
(ii) Covered Entity shall protect the confidentiality of all confidential and proprietary
information of Business Associate to which Covered Entity has access during the
course of such inspections; and
(iii) Covered Entity shall execute a nondisclosure agreement, upon terms mutually agreed
upon by the parties, if requested by the Business Associate.
V. BREACH PATTERN OR PRACTICE OF COVERED ENTITY
In compliance with the HIPAA Privacy Rule and Security Rule, if the Business Associate knows
of a pattern of activity or practice of the Covered Entity that constitutes a material breach or
violation of the Covered Entity's obligations under this Agreement, the Business Associate must
take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, the
Business Associate must terminate this Agreement if feasible, or if termination is not feasible,
report the problem to the Secretary. Business Associate shall provide written notice to the
Covered Entity of any pattern of activity or practice of the Covered Entity that Business
Associate believes constitutes a material breach or violation of the Covered Entity's obligation
under this Agreement and shall contact the Covered Entity to discuss and attempt to resolve
the problem as one of the reasonable steps to cure the breach or end the violation.
VI. TERMINATION
Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right
to terminate this Agreement immediately if Covered Entity determines that Business Associate
has violated any material term of this Agreement. If Covered Entity reasonably believes that
Business Associate will violate a material term of this Agreement and, where practicable,
Covered Entity gives written notice to Business Associate of such belief within a reasonable
time after forming such belief, and Business Associate fails to provide adequate written
assurances to Covered Entity that it will not breach the cited term of this Agreement within a
reasonable period of time given the specific circumstances, but in any event, before the
threatened breach is to occur, then Covered Entity shall have the right to terminate this
Agreement immediately.
VII. MISCELLANEOUS
Except as expressly stated herein or in the HIPAA Privacy Rule or Security Rule, the parties to
this Agreement do not intend to create any rights for any third parties. The obligations of
Business Associate under this Section shall survive the expiration, termination, or cancellation
of this Agreement, and/or the business relationship of the parties, and shall continue to bind
Business Associate, its agents, employees, contractors, successors, and assigns as set forth
herein.
This Agreement may be amended or modified only in a writing signed by the Parties. No Party
may assign its respective rights and obligations under this Agreement without the prior written
consent of the other Party. None of the provisions of this Agreement are intended to create,
nor will they be deemed to create any relationship between the Parties other than that of
independent parties contracting with each other solely for the purposes of effecting the
provisions of this Agreement and any other agreements between the Parties evidencing their
business relationship. This Agreement shall be governed by the laws of the State of California.
No change, waiver or discharge of any liability or obligation hereunder on any one or more
occasions shall be deemed a waiver of performance of any continuing or other obligation, or
shall prohibit enforcement of any obligation, on any other occasion. The parties agree that, in
the event that any documentation of the arrangement pursuant to which Business Associate
provides services to Covered Entity contains provisions relating to the use or disclosure of
Protected Health Information which are more restrictive than the provisions of this Agreement,
the provisions of the more restrictive documentation will control. The provisions of this
Agreement are intended to establish the minimum requirements regarding Business Associate's
use and disclosure of Protected Health Information.
In the event that any provision of this Agreement is held by a court of competent jurisdiction to
be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in
full force and effect. In addition, in the event a party believes in good faith that any provision of
this Agreement fails to comply with the then-current requirements of the HIPAA Privacy Rule or
Security Rule, such party shall notify the other party in writing. For a period of up to thirty days,
the parties shall address in good faith such concern and amend the terms of this Agreement, if
necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to
comply with the requirements of the HIPAA Privacy Rule and Security Rule, then either party
has the right to terminate upon written notice to the other party.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year
written above.
DATED: December 8, 2010
FINANCIAL CREDIT NETWORK, INC.
BY:
Kris Davisson
Vice President
1300 West Main Street
Visalia, CA 93291
(559) 733-7550
Email: krisd@fcnetwork.com
CITY OF EL SEGUNDO
Print Name: Jack Walt
Title: City Manager
350 Main St.
El Segundo, CA 90245
(310) 524-2300
Email:
ATTEST:
City Clerk