Report
RECOMMENDATION:
It is recommended that the Board of Supervisors:
a. Approve the revised Business Associate Agreement (“BAA”) template to be utilized by County of Monterey Health Department (“Health”) in conjunction with contracts involving Business Associates (“BAs”) performing specified services including the use or disclosure of protected health information (“PHI”); and
b. Authorize the Director of Health Services or designee to execute the revised BAA Template in conjunction with contracts involving BAs performing specified services including the use or disclosure of PHI; and
c. Authorize Health to implement future changes to the BAA template and to execute further revised BAAs, all subject to review and approval by County Counsel; delegation of authority limited to June 30, 2028.
SUMMARY/DISCUSSION:
Background
By law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities. However, most health care providers do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions - not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
General Provision
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). The contract must:
• Describe the permitted and required uses of protected health information by the business associate; and
• Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
• Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
Overview of Revised Business Associate Agreement template
The attached Business Associate Agreement (“BAA”) template is a written contract between the County of Monterey Health Department and the County’s vendor that meets the definition of a “business associate.” The Agreement: establishes the permitted and required uses and disclosures of protected health information by the business associate; provides that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; requires the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; and requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information. This iteration of the BAA includes updates to the cyber security coverage limits.
This work supports the following County of Monterey Health Department 2018-2024 Strategic Plan Goal(s): 4. Mobilize community partnerships and action to identify and solve health problems; and 6. Enforce laws and regulations that protect health and ensure safety.
OTHER AGENCY INVOLVEMENT:
The Office of the County Counsel has reviewed and approved the revised BAA template for legal form and legality.
FINANCING:
There is no cost associated with this request.
BOARD OF SUPERVISORS STRATEGIC INITIATIVES:
Check the related Board of Supervisors Strategic Initiatives:
☐ Economic Development:
• Through collaboration, strengthen economic development to ensure a diversified and healthy economy.
☐ Administration:
• Promote an organization that practices efficient and effective resource management and is recognized for responsiveness, strong customer orientation, accountability and transparency.
☒ Health & Human Services:
• Improve health and quality of life through County supported policies, programs, and services; promoting access to equitable opportunities for healthy choices and healthy environments in collaboration with communities.
☐ Infrastructure:
• Plan and develop a sustainable, physical infrastructure that improves the quality of life for County residents and supports economic development results.
☐ Public Safety:
• Create a safe environment for people to achieve their potential, leading businesses and communities to thrive and grow by reducing violent crimes as well as crimes in general.
Prepared by: Shiba Sumeshwar, Compliance Officer, 755-4018
Approved by:
______________________________ Date ______________________
Elsa Mendoza Jimenez, Director of Health Services, 755-4621
Attachments:
Board Report
BAA template for use by County of Monterey Health Department