Page 1 of 9
July 2017
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”), is entered into between and among
Coastal Developmental Services Foundation, doing business as WESTSIDE REGIONAL CENTER (“Business
Associate” of the Department of Developmental Services (“DDS”)) and
(“Subcontractor”). Business Associate and Subcontractor are sometimes collectively referred to herein
as the “Parties”.
1. Definitions
1.1. “Breach” shall mean the impermissible, unlawful or unauthorized acquisition, use,
access, or disclosure of Protected Health Information (“PHI”) (defined below) which compromises the
security or privacy of PHI as set forth in the HIPAA interim final rule of 2009 and the HIPAA Omnibus
Rule of 2013.
1.2. “Business Associate” shall have the meaning given to such term under HIPAA (45 CFR
160.103). It includes a third party that performs functions for or on behalf of Covered Entity or another
Business Associate and has access to Covered Entity’s PHI and uses such PHI in the performance of its
functions. A subcontractor who fulfills this requirement is a Business Associate despite a designation as
a “subcontractor.”
1.3. “Covered Entity” shall have the meaning given to such term under HIPAA (45 CFR
160.103). It includes any health plan, health care clearing house, or health care provider who transmits
any health information in electronic form in a manner described under the HIPAA regulations. Under
this agreement it means the Department of Developmental Services.
1.4. “Data Aggregation” shall have the meaning given to such term under HIPAA (45 CFR
164.501) and shall include the combining of PHI received or created by Subcontractor to permit data
analyses relating to healthcare operations of Business Associate.
1.5. “Designated Record Set” shall have the meaning given to such term under HIPAA (45
CFR 164.501) and shall include consumers’ (defined below) medical or billing records or any group of
records which contains PHI that is used, in whole or in part, by or for Business Associate in rendition or
facilitation of services on behalf of consumers.
1.6. “Disclosure” shall have the meaning given to such term under HIPAA (45 CFR 160.103),
and includes the release, transfer, provision of access to, or divulging in any manner of information
outside the entity or individual holding the information.
1.7. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191, Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-
005, and regulations promulgated thereunder by the U. S. Department of Health & Human Services, as
amended from time to time, including the Final Omnibus Rule of 2013.
1.8. “Limited Data Set” shall have the meaning as “de-identified protected health
information” under HIPAA (45 CFR 164.514).
1.9. “Consumer” or “Client” shall have the same meaning as the term “individual” under
HIPAA (45 CFR 160.103), and it also includes any person designated or serving as a personal
representative of a consumer.
1.10. “Minimum Necessary” shall have the meaning given such term under HIPAA (45 CFR
164.502).
1.11. “Protected Health Information” (“PHI”) shall have the meaning given to such term
under HIPAA (45 CFR 160.103). It includes any individually identifiable health information, whether oral
or recorded in any form or medium, limited to the information created or received by Subcontractor
from or on behalf of Business Associate or Covered Entity (i) that relates to the past, present or future
physical or mental health condition of the Consumer; (ii) the provision of health care to Consumer; (iii)
or past, present or future payment for the provision of health care to Consumer.
1.12. “Required by Law” shall have the meaning given such term under HIPAA (45 CFR
164.103), which meaning includes a mandate contained in law that compels an entity to make a use or
disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to,
court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body authorized to require the
production of information; a civil or an authorized investigative demand; Medicare conditions of
participation with respect to health care providers participating in the program; and statutes or
regulations that require the production of information, including statutes or regulations that require
such information if payment is sought under a government program providing public benefits.
1.13. “Secretary” shall mean the Secretary of the Department of Health and Human Services
or her/his designee.
1.14. “Secured” shall mean protection of PHI by a technology or methodology, which renders
the data unreadable, unusable, or indecipherable to unauthorized individuals and is consistent with
guidance published by the Secretary of the Department of Health and Human Services as then in effect.
1.15. “Security Incident” shall have the meaning given such term under HIPAA (45 CFR
164.304), which meaning includes any accidental, malicious or natural act that:
1.15.1. Results in a Breach of any of Business Associate's data;
1.15.2. Adversely impacts the functionality of the Business Associate's information
network;
1.15.3. Permits unauthorized access to Business Associate's information network;
1.15.4. Impacts the integrity of Business Associate's files or databases including, but not
limited to:
i. Interface failures;
ii. Inadequate testing or change control procedures;
iii. Other failures, which result in the deletion or unauthorized changes to
an electronic database.
1.15.5. Involves the loss or loss of control of an information technology resource owned
or controlled by Business Associate;
1.15.6. Involves the use of Business Associate’s technology resources for illegal
purposes or to launch attacks against other individuals or organizations; or
1.15.7. Involves a “Breach” of PHI.
1.16. “Subcontractor” shall have the meaning given such term under HIPAA (45 CFR 164.304),
and includes a person to whom a business associate delegates a function, activity, or service, other than
in the capacity of a member of the workforce of such business associate. A subcontractor can also be a
business associate.
2. Permitted Uses and Disclosures by Subcontractor
2.1. Except as otherwise limited by law, this Agreement or other agreements between the
Parties, Subcontractor shall access, use or disclose PHI only for the benefit of Business Associate or
Covered Entity, and to perform functions, activities, or services on behalf of Business Associate or
Covered Entity. Subcontractor shall use only the minimum amount of PHI necessary to perform
functions, activities, or services on behalf of Business Associate and shall prevent unnecessary use or
disclosure of PHI. In the event of inadvertent access by Subcontractor to more than the minimum
necessary amount of Business Associate's PHI, Subcontractor will (i) treat all such PHI in accordance with
this Business Associate Agreement; (ii) promptly notify Business Associate, in accordance with paragraph
3.4 below, of such access; (iii) erase, delete, and/or return such PHI, as directed by the Business
Associate, as quickly as possible; and (iv) take all necessary actions to prevent further unauthorized
access to PHI beyond the minimum necessary amount.
2.2. Except as otherwise limited in this Agreement or other agreements between the Parties,
Subcontractor may use or disclose PHI for its proper management and administration or to carry out its
legal responsibilities, provided that (i) the disclosure is required by law, or (ii) the Subcontractor obtains
reasonable assurances from the person to whom the information is disclosed that such information shall
remain confidential and be used or further disclosed solely as required by law or for the purpose of
assisting Subcontractor to meet Subcontractor's obligations to Business Associate or Covered Entity.
Subcontractor shall require any person to whom PHI is disclosed under this subsection to notify
Subcontractor of any instance of which it is aware in which the confidentiality or security of the PHI has
been breached. Subcontractor shall then immediately notify Business Associate of such breach of
confidentiality or security.
2.3. Except as otherwise limited in this Agreement or other agreements between the Parties,
Subcontractor may use PHI to provide data aggregation services only for Business Associate or Covered
Entity.
2.4. In the event Subcontractor is provided with or is asked to create for Business Associate
or Covered Entity a Limited Data Set as defined under HIPAA, Subcontractor shall not use or disclose the
Limited Data Set provided to it in a manner that would violate the requirements of HIPAA. Further,
Subcontractor agrees that it shall not attempt to actually identify the information, or contact the
individuals whose records are contained within the Limited Data Set.
3. Obligations of Subcontractor
3.1. Subcontractor shall not use or disclose PHI other than as permitted or required by this
Agreement, other agreements between the Parties, or as required by law.
3.2. Subcontractor shall use appropriate safeguards to secure against further use or
disclosure of PHI other than as provided for by this Agreement, other agreements between the Parties,
or as required by law. Subcontractor shall implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality, security, integrity, and availability of PHI
that it receives, maintains, transmits, or creates on behalf of Business Associate or Covered Entity. All
PHI stored or maintained on electronic media (such as servers, laptops, thumb/flash drives, PDAs, CDs,
tapes, DVDs, etc.) shall be secured with encryption that satisfies the FIPS 140-2 level or the applicable
National Institute of Standards and Technology (“NIST”) minimum level of encryption under HIPAA.
3.3. Subcontractor shall promptly mitigate, to the extent practicable, any harmful effect of a
use or disclosure of PHI by Subcontractor in violation of this Agreement or other agreements between
the Parties.
3.4. Subcontractor shall promptly notify Business Associate of any Security Incident or
Breach in writing in the most expedient time possible, and not to exceed twenty-four (24) hours, in the
event of a Breach, following Subcontractor’s discovery of such Security Incident or Breach.
Notwithstanding any notice provisions in any other agreements between the Parties, such notice shall
be made to Mary Lou Weise-Stusser, Director of Community Services or his designee by means of fax to
(310) 649-1312 or by email to marylou@westsiderc.org. Subcontractor shall cooperate fully in good faith
with Business Associate in the investigation of any Breach or Security Incident.
3.5. Following notification to Business Associate of a Breach, Subcontractor shall cooperate
with Business Associate in determining which entity shall provide any required Breach notification. If the
Parties agree that Subcontractor shall provide any required Breach notification, Subcontractor shall
provide Business Associate with documentation of Subcontractor's actions, including documentation of
the names and addresses of those to whom the notifications were provided.
3.6. Subcontractor shall ensure that any agent, including another subcontractor, to whom it
provides PHI agrees in a written contract with Subcontractor that satisfies all requirements under HIPAA
for a Business Associate with the same restrictions and conditions that apply to Subcontractor with
respect to such information and that such agent or subcontractor shall implement reasonable and
appropriate safeguards for the protection of PHI which shall be no less than those required of
Subcontractor at Section 3.2 above. In performing services under this Agreement, Subcontractor shall
use agents, employees, and/or subcontractors that are domiciled only within the United States of
America and its territories.
3.7. If Subcontractor holds PHI in Designated Record Sets as determined by Business
Associate or Covered Entity, Subcontractor shall provide prompt access to the PHI to Business Associate
or Covered Entity, or, if directed by Business Associate or Covered Entity, to a Consumer in order to
meet the requirements of HIPAA. If requested, such access shall be in electronic format. If Consumer
requests directly from Subcontractor (i) to inspect or copy his or her PHI, or (ii) requests its disclosure to
a third party, the Subcontractor shall promptly notify Business Associate's Community Services Director,
Ernie Cruz or their designee, by the means provided in Section 3.4.
3.8. Subcontractor shall promptly make amendment(s) to PHI requested by Business
Associate or Covered Entity and shall do so in the time and manner requested by Business Associate or
Covered Entity to enable it to comply with HIPAA. If Consumer requests an amendment to his or her PHI,
directly from Subcontractor, Subcontractor shall promptly notify Business Associate's Community
Services Director or his designee of such request and await such official's denial or approval of the
request, by the means provided in Section 3.4.
3.9. Subcontractor shall promptly make its internal practices, books, records, including its
policies and procedures, relating to the use, disclosure, or security of PHI that the Subcontractor
received from, maintained or created for or on behalf of Business Associate, available to Business
Associate, Covered Entity, or the Secretary, in a time and manner designated by Business Associate,
Covered Entity, or the Secretary, to enable the Secretary to determine compliance with HIPAA.
3.10. Subcontractor shall document all disclosures of PHI and information related to such
disclosures as required under HIPAA in order that it may provide an accounting of such disclosures as
Business Associate directs. Subcontractor shall:
3.10.1. Provide an accounting as required under HIPAA to those Consumers who direct
their requests to Subcontractor; or
3.10.2. Provide the accounting information required under HIPAA to Business Associate,
if so requested by Business Associate, in the time and manner specified by Business Associate.
3.11. Subcontractor shall cooperate with Business Associate to preserve and protect the
confidentiality of PHI accessed or used pursuant to this Agreement, other agreements between the
Parties, or as required by law and shall not disclose or utilize in any fashion such information during or
after the termination of this Agreement or other agreements between the Parties except as required by
law.
3.12. If, during the term of this Agreement or other agreements between the Parties,
Subcontractor wishes to destroy permanently PHI, it shall notify Business Associate in writing about its
intent to destroy such data at least ten (10) days before such date of destruction. If Business Associate
requests the return of any PHI, Business Associate shall comply as requested.
3.13. Subcontractor shall comply with all the obligations required of a Subcontractor and/or
Business Associate under all applicable laws, including but not limited to the Health Information
Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of the American Recovery and
Reinvestment Act of 2009. 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316 shall apply to
Subcontractor in the same manner that such sections apply to Business Associate. The written policies
and procedures and documentation required by 45 CFR Section 164.316 shall be made available to
Business Associate, upon Business Associate's request. The additional requirements of the HITECH Act
that relate to privacy and security and that are made applicable with respect to covered entities and
business associates shall also be applicable to Subcontractor and shall be and by this reference hereby
are incorporated into this Agreement.
4. Effect of Breach of Obligations
4.1. If Subcontractor violates or in any way fails to comply with any of its obligations under this
Agreement, said violation shall also be considered a violation of its obligations under any other
agreements between the Parties hereto. In the event of a breach of this Agreement by Subcontractor,
Business Associate shall have the option to do the following:
4.1.1. Provide Subcontractor an opportunity to cure the violation, to the extent
curable, and end the violation within a reasonable time specified by Business Associate. If Subcontractor
does not cure the violation or end the violation as and within the time specified by Business Associate,
or if the violation is not curable, Business Associate may terminate its obligations to Subcontractor,
including, but not limited to, its future payment obligations and obligations to provide information,
materials, equipment or resources to Subcontractor; or
4.1.2. Immediately terminate this Agreement and any other agreements between the
Parties, if Business Associate reasonably determines that Subcontractor (i) has acted with gross
negligence in performing its obligations; (ii) is in violation of the law; (iii) willfully has violated or is
violating the privacy and security provisions of this Agreement; (iv) is unable to provide, if requested,
written assurances to Business Associate of its ability to protect the confidentiality and security of PHI;
or (v) is unable to comply with its obligations under this Agreement. Such termination of this Agreement
and any other agreements between the Parties shall be without prejudice to other legal remedies
available to Business Associate.
4.2. Business Associate may also report the violation to the Secretary and Covered Entity,
and shall report the violation if neither termination nor cure is feasible.
5. Effect of Termination
5.1. Upon termination of this Agreement, Subcontractor shall promptly return to Business
Associate one copy of all PHI, including derivatives thereof, and shall take all reasonable steps to
promptly destroy all other PHI held by Subcontractor by (i) shredding; (ii) securely erasing, or (iii)
otherwise modifying the information in those records to make it unreadable or undecipherable in the
future through any means. This provision shall apply to PHI in the possession of subcontractors or agents
of Subcontractor. At Business Associate's or Covered Entity’s request, Subcontractor shall certify in
writing that it has complied with the requirements of this section.
5.2. If the return or destruction of PHI is infeasible, Subcontractor shall promptly notify
Business Associate of the conditions that make such return or destruction infeasible. Upon mutual
agreement by the Parties that return or destruction of PHI is infeasible, Subcontractor shall extend the
protections of this Agreement to such data and shall limit its further use or disclosure to purposes that
make its return or destruction infeasible. If Subcontractor subsequently wishes to destroy permanently
PHI, Subcontractor shall notify Business Associate in writing about its intent to destroy data at least ten
(10) days before such date of destruction. If Business Associate requests the return of any PHI,
Subcontractor shall comply as requested.
6. Indemnity
6.1. Subcontractor shall promptly and fully defend, indemnify and hold harmless Business
Associate, its affiliates and respective officers, directors, agents and employees (“Indemnified Parties”)
against any act or omission of Subcontractor which gives rise to or results in any claim, demand, liability,
losses, fine, penalty, assessment, cost, judgment and award, including attorney’s fees, made or
recovered against Indemnified Parties or issued in favor of a third party, or cost of notification or
remediation relating to notification required by law for individuals whose PHI or personal information
have been inappropriately accessed or disclosed.
6.2. In the event that either party is required by law to notify individuals whose PHI was
inappropriately accessed, used, or disclosed by Subcontractor or its agents, and the PHI contains (i) the
individual’s first initial or first name, last name, and social security number; (ii) the individual’s first initial
or first name, last name, and driver’s license or state identification card; (iii) the individual’s first initial
or first name, last name, account number, credit or debit card number, in combination with any
required security code, access code, or password that would permit access to an individual's financial
account; or (iv) any information which under federal or state law requires that credit monitoring be
provided, then Subcontractor and Business Associate shall work together to structure a credit
monitoring offering commensurate to the risk posed by the breach. All costs and expenses of such credit
monitoring and required notification shall be paid by Subcontractor, and the credit monitoring will
extend for a minimum of one (1) year or longer as determined by Business Associate. In the event of a
Breach of PHI by Subcontractor or one of its agents, Subcontractor will also be responsible for paying all
costs, including legal fees, incurred in assuring compliance with the law with respect to such Breach.
7. Insurance. Subcontractor shall obtain insurance for itself and all its employees, agents and
independent contractors in an amount not less than One Million Dollars ($1,000,000) per occurrence
and Three Million Dollars ($3,000,000) annual aggregate of Commercial General Liability insurance and
One Million Dollars ($1,000,000) per occurrence and Three Million Dollars ($3,000,000) annual
aggregate of Errors and Omissions insurance. The Errors and Omissions insurance shall cover, among
other things, Breaches. Subcontractor shall name Business Associate as an “additional insured”.
Subcontractor shall provide Business Associate with certificates of insurance or other written evidence
of the insurance policy or policies required herein prior to execution of this Agreement and other
agreements between the Parties (or as shortly thereafter as is practicable) and as of each annual
renewal of such insurance policies during the period of such coverage. Further, in the event of any
modification, termination, expiration, non-renewal, or cancellation of any of such insurance policies,
Subcontractor shall give written notice thereof to Business Associate not more than ten (10) days
following Subcontractor’s receipt of such notification. In the event Subcontractor fails to procure,
maintain, or pay for the insurance required under this section, Business Associate shall have the right,
but not the obligation, to obtain such insurance. Should that occur, Subcontractor shall promptly upon
written request (within 14 days) reimburse Business Associate for the cost of the insurance, and failure
to repay the cost within 14 days upon demand by Business Associate shall constitute a material violation
of this Agreement and other agreements between the Parties.
8. No Third-Party Beneficiary. The provisions and covenants set forth in this Agreement are
expressly entered into only by and between Subcontractor and Business Associate, and are only for their
benefit. Neither Subcontractor nor Business Associate intends to create or establish any third party
beneficiary status or right (or the equivalent thereof) in any other third party and no such third party
shall have any right to enforce or enjoy any benefit created or established by the provisions and
covenants in this Agreement.
9. Amendment. The parties agree to promptly modify or amend this Agreement to permit Business
Associate to comply with any new laws, rules, or regulations that might modify the terms and conditions
herein.
10. Conflict With Other Agreements. This Agreement is intended to be construed in harmony with
any other agreements between the Parties, but in the event that any provision in this Agreement
conflicts with the provisions of any other agreement, the provisions in this Agreement shall be deemed
to control and such conflicting provision or part thereof shall be deemed removed and replaced with the
governing provision herein to the extent necessary to reconcile the conflict.
11. Applicable Law & Enforcement. The Parties agree that this Agreement is made, executed and
entered into and is intended to be governed, construed and performed in accordance with the laws of
the State of California and the laws of the United States of America, and any action to enforce or for
breach of this Agreement shall be brought in the Los Angeles County Superior Court.
12. Benefit of Agreement. This Agreement shall inure to the benefit of the Parties, their affiliates
and respective officers, directors, agents and employees, and shall be binding upon each of the Parties
and their affiliates and respective officers, directors, agents and employees.
13. Warranty of Execution. The Parties warrant that they have read and understand the terms of
this Agreement and have been given the opportunity to have this Agreement reviewed by an attorney
representing their sole and separate interest prior to the signing hereof. Each of the Parties signing this
Agreement warrants that they have the legal power and capacity to bind themselves and any other
persons or entities on whose behalf this Agreement is executed.
14. Integration. This Agreement supersedes and replaces all prior negotiations and agreements
between the Parties and constitutes the entire agreement of the Parties regarding the subject matter
hereof. No other oral or written representations have been made to the Parties or any of their agents.
The terms of this Agreement are contractual and not mere recitals.
15. Waiver, Modification, and Amendment. No breach of this Agreement or of any provision herein
may be waived except by an express written waiver executed by the Party waiving such breach. Waiver
of any one breach shall not be deemed a waiver of any other breach of the same or other provisions of
this Agreement. This Agreement may be amended, altered, modified, or otherwise changed in any
respect or particular only by a writing duly executed by the Parties hereto or their authorized
representatives.
16. Mutual Contribution. Each Party hereto has jointly reviewed this Agreement, and as a result, the
rule of construction to the effect that any ambiguities are to be resolved against the drafting party shall
not be employed in the interpretation of this Agreement.
17. Counterparts. This Agreement may be executed in multiple counterparts, with each of the
counterparts, taken together, deemed to be an original. Facsimiles and photocopies of this Agreement
shall have the same force and effect as an original.
Executed in Culver City, California as of the date first written above.
“SUBCONTRACTOR”
__________________________________
A California (corporation, limited liability corporation, etc.)
By: __________________________________
Signed
Printed Name & Title
Vendor number: ________________________________

“BUSINESS ASSOCIATE”
WESTSIDE REGIONAL CENTER
A California nonprofit corporation
By: __________________________________
Carmine Manicone, Executive Director