Title
a. Approve the updated Business Associate Agreement ("BAA") to be used by the Health Department for all agreements for which a business associate agreement is required pursuant to Federal and State privacy laws, subject to further review and approval of County Counsel and County Risk Manager regarding the indemnity provision in BAA.; and
b. Authorize the Director of Health or Contracts/Purchasing Officer, as the case may be, to execute the updated BAA to replace the current standalone BAA accompanying any existing approved agreement with a business associate of the Health Department;
c. Approve one amendment to each existing approved agreement with a business associate of the Health Department for the sole purpose of replacing any current BAA attached to the agreement as an exhibit or addendum with the updated BAA; and
c. Authorize Director of Health or Contracts/Purchasing Officer, as case may be, to execute one amendment to each existing approved agreement with a business associate of the Health Department for the sole purpose of replacing any current BAA attached to the agreement as an exhibit or addendum with the updated BAA.
Report
RECOMMENDATION:
It is recommended that the Board of Supervisors:
a. Approve the updated Business Associate Agreement ("BAA") to be used by the Health Department for all agreements for which a business associate agreement is required pursuant to Federal and State privacy laws, subject to further review and approval of County Counsel and County Risk Manager regarding the indemnity provision in BAA.; and
b. Authorize the Director of Health or Contracts/Purchasing Officer, as the case may be, to execute the updated BAA to replace the current standalone BAA accompanying any existing approved agreement with a business associate of the Health Department;
c. Approve one amendment to each existing approved agreement with a business associate of the Health Department for the sole purpose of replacing any current BAA attached to the agreement as an exhibit or addendum with the updated BAA; and
d. Authorize Director of Health or Contracts/Purchasing Officer, as case may be, to execute one amendment to each existing approved agreement with a business associate of the Health Department for the sole purpose of replacing any current BAA attached to the agreement as an exhibit or addendum with the updated BAA.
SUMMARY/DISCUSSION:
Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), a business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.
A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
The attached Business Associate Agreement is a written contract between the County, doing business as the Monterey County Health Department, a covered entity, and the County's vendor that meets the definition of a "business associate." The Agreement, among other things: (1) establishes the permitted and required uses and disclosures of protected health information by the business associate; (2) provides that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; (3) requires the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; and (4) requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
As contracts that require a BAA have come up for approval or renewal since approval of the "Omnibus" Rule, the Health Department has been using an updated BAA approved by County Counsel that incorporates required changes for the business associate. The Director of Health recommends the BAA presented today be approved for use from the date of the Board's approval and requests authority for the Director or the Contracts/Purchasing Officer (depending on who signed the current standalone BAA or agreement to which a current BAA was attached as an exhibit or addendum) to execute the updated BAA for all current approved agreements requiring a BAA so long as there are no other changes to the agreement affecting the term, scope or payment provisions. All current contracts must have the updated BAA by September 23, 2014.
This work supports the Monterey County Health Department 2011-2015 strategic plan initiative: 3) Ensure access to culturally and linguistically appropriate, customer-friendly, quality health services. It also supports one of the ten essential public health services, specifically: 6) Enforce laws and regulations that protect health and ensure safety.
OTHER AGENCY INVOLVEMENT:
County Counsel has reviewed and approved the BAA for legal form and legality. Risk Management initially reviewed the BAA and will be finalizing insurance and indemnity requirements with County Counsel and the Department. Due to late submission of this Board Report, the CAO Budget and Analysis Division was not provided adequate time to fully review for potential fiscal, organizational, policy, or other implications to the County of Monterey. A copy of the BAA template is on file with the Clerk to the Board.
FINANCING:
Funding for activities related to assuring compliance with Federal and State privacy laws are incorporated in the Health Department's FY 2014-15 Adopted Budget.
Prepared by: Molly Hubbard, Privacy Compliance Officer, 4522
Approved by: Ray Bullick, Director of Health, 4526
Attachments:
BAA template is on file with the Clerk of the Board