2017-08-14-E02B FD Pulsara BAA
AGENDA ITEM:
CITY OF WAUKEE, IOWA
CITY COUNCIL MEETING COMMUNICATION
MEETING DATE: August 14, 2017
AGENDA ITEM: Consideration of a resolution approving a Business Associate Agreement
(BAA) with the CommuniCare Technology Company, aka PULSARA
FORMAT: Consent Agenda
SYNOPSIS INCLUDING PRO & CON: This is a confidentiality agreement related to the transfer of
protected health information between two HIPAA covered organizations, in
this case Waukee Fire and Pulsara. Pulsara is a technology that allows faster
communication of patient condition to the hospital, including Stroke alerts and
Cardiac Cath Lab activations (heart attacks) and other routine
communications from EMS to the hospitals.
FISCAL IMPACT INCLUDING COST/BENEFIT ANALYSIS: No cost
COMMISSION/BOARD/COMMITTEE COMMENT:
STAFF REVIEW AND COMMENT:
RECOMMENDATION: Approve the resolution.
ATTACHMENTS: I. Proposed Resolution
PREPARED BY:
REVIEWED BY:
PUBLIC NOTICE INFORMATION –
NAME OF PUBLICATION:
DATE OF PUBLICATION:
THE CITY OF WAUKEE, IOWA
RESOLUTION 17-
APPROVING BUSINESS ASSOCIATE AGREEMENT (BAA) WITH
COMMUNICARE TECHNOLOGY, INC., D/B/A PULSARA
IN THE NAME AND BY THE AUTHORITY OF THE CITY OF WAUKEE, IOWA
WHEREAS, the City of Waukee, Dallas County, State of Iowa, is a duly organized Municipal
Organization; AND,
WHEREAS, on August 14, 2017, the Waukee City Council approved a Subscription Agreement
with CommuniCare Technology, Inc., d/b/a Pulsara (Resolution #17-XXX); AND,
WHEREAS, implementation of the Pulsara communication system requires a confidentiality
agreement related to the transfer of protected health information between the Waukee Fire
Department and Pulsara, both of which are HIPAA-covered organizations.
NOW THEREFORE BE IT RESOLVED by the City Council of the City of Waukee, Iowa on
this 14th day of August, 2017 that the Business Associate Agreement (BAA) with CommuniCare
Technology, Inc., d/b/a Pulsara is hereby approved.
____________________________
William F. Peard, Mayor
Attest:
___________________________________
Rebecca D. Schuett, City Clerk
ROLL CALL VOTE AYE NAY ABSENT ABSTAIN
Anna Bergman
R. Charles Bottenberg
Brian Harrison
Shelly Hughes
Larry R. Lyon
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is effective as of , 201__
(“Effective Date”) by and between Waukee Fire Department with offices at 1300 E. L.A. Grant Pkwy, Ste.
B, Waukee, IA 50263 (“Covered Entity”) and CommuniCare Technology, Inc. (dba and hereinafter
“Pulsara”), a Delaware corporation, with offices at 2880 Technology Blvd. West, Bozeman, MT 59718
(“Business Associate”).
RECITALS
A. Covered Entity possesses Protected Health Information (“PHI”) that is protected under
HIPAA Rules (as defined below), and wishes to ensure that Business Associate will appropriately safeguard
such information; and
B. Business Associate is licensing certain software and related technology to Covered Entity
pursuant to that certain Enterprise Subscription Agreement dated as of the Effective Date (“Subscription
Agreement”).
Based upon the above recitals and the mutual covenants in this Agreement, Covered Entity and Business
Associate agree as follows:
1. Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the
HIPAA Rules: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Notice of Privacy
Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured
and Use.
a. “Business Associate” shall generally have the same meaning as the term “business
associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Pulsara.
b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45
CFR 160.103, and in reference to the party to this agreement, shall mean the Covered Entity first
written above.
c. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement
Rules at 45 CFR Part 160 and Part 164.
2. Permitted Uses and Disclosures.
a. Performance of Services. Business Associate may use and disclose PHI in connection
with the performance of the services as described in the Subscription Agreement
(“Services”) if such use or disclosure of PHI would not violate HIPAA Rules, or such use
or disclosure is expressly permitted hereunder.
b. Proper Management and Administration. Business Associate may use PHI for
the proper management and administration of Business Associate in connection with the
performance of Services described in the Subscription Agreement. Business Associate may
disclose PHI for such proper management and administration of Business Associate. Any
such disclosure of PHI shall only be made if the disclosure is required by law or
Business Associate obtains reasonable assurances from the person to whom the PHI is
disclosed that: (1) the PHI will be held confidentially and used or further disclosed only
as required by law or for the purpose for which it was disclosed to the person; and (2)
Business Associate will be notified by such person of any instances of which it becomes
aware in which the confidentiality of the PHI has been breached.
c. Other Permitted Uses. Unless otherwise limited herein, the Business Associate may
also: (1) perform Data Aggregation for the health care operations of Covered Entity; (2)
may use, analyze, and disclose the PHI in its possession for the public health activities and
purposes set forth at C.F.R. § 164.512(b); (3) de-identify any and all PHI provided that
Business Associate implements de-identification criteria in accord with 45 C.F.R.
§164.514(b); and (4) may otherwise use and disclose the PHI as authorized by Covered
Entity pursuant to the Subscription Agreement.
d. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request,
Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the
request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with
respect to the definition of “minimum necessary” from time to time, and agree to stay informed of
any relevant changes to the definition.
3. Nondisclosure
a. As Provided In Agreement. Business Associate shall not use or further disclose PHI except
as permitted or required by this Agreement or as required by law.
4. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards. Business Associate shall use appropriate safeguards to protect PHI, and
comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information,
to prevent use or disclosure of PHI not provided for by this Agreement.
b. Business Associate’s Agents. Business Associate shall ensure that any agents, including
subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and
conditions that apply to Business Associate with respect to such PHI.
c. Reporting. Business Associate shall promptly report to Covered Entity any use or
disclosure of PHI in violation of this Agreement or applicable law of which it becomes actually
aware. Business Associate further agrees to promptly report to Covered Entity any Security
Incident of which it becomes actually aware. In addition, Business Associate shall promptly report
to Covered Entity any Breach of Unsecured PHI.
d. Mitigation. Business Associate shall have procedures in place to mitigate any deleterious
effect from any use or disclosure of PHI in violation of this Agreement or applicable law.
e. Sanctions. Business Associate shall have and apply appropriate sanctions against any
employee, subcontractor or agent who uses or discloses PHI in violation of this Agreement or
applicable law.
f. United States Department of Health and Human Services. Business Associate shall make
its internal practices, books and records relating to the use and disclosure of PHI available to the
Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules;
provided, however, that Business Associate shall promptly notify Covered Entity upon receipt by
Business Associate of any such request for access by the Secretary, and shall provide Covered
Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The parties’
respective rights and obligations under this Section shall survive termination of this Agreement.
5. Obligation to Provide Access, Amendment and Accounting of PHI.
a. Access to PHI. Business Associate shall make available to Covered Entity such
information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access
to, and copies of, PHI in accordance with HIPAA Rules.
b. Amendment of PHI. Business Associate shall make available to Covered Entity such
information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in
accordance with HIPAA Rules. In addition, Business Associate shall, as directed by Covered
Entity, incorporate any amendments to Covered Entity’s PHI into copies of such information
maintained by Business Associate.
c. Accounting of Disclosures of PHI. Business Associate shall make available to Covered
Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to
provide an accounting of disclosures with respect to PHI in accordance with HIPAA Rules.
Business Associate shall make this information available to Covered Entity upon Covered Entity’s
request.
d. Forwarding Requests From Individual. In the event that any individual requests access to,
amendment of, or accounting of PHI directly from Business Associate, Business Associate shall
forward such request to Covered Entity. Covered Entity shall have the responsibility of responding
to forwarded requests. However, if forwarding the individual’s request to Covered Entity would
cause Covered Entity or Business Associate to violate HIPAA Rules, Business Associate shall
instead respond to the individual’s request as required by such law and notify Covered Entity of
such response as soon as practicable.
6. Responsibilities of Covered Entity. Covered Entity will:
a. provide Business Associate with the notice of privacy practices that Covered Entity
produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notice;
b. provide Business Associate with any changes in, or revocation of, permission by Individual
to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or
required uses and/or disclosures;
c. notify Business Associate of any restriction to the use and/or disclosure of PHI that
Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522; and
d. notify Business Associate, in writing, of any amendment(s) to the PHI in the possession of
Business Associate that the Business Associate will make to the PHI and inform the Business
Associate of the time, form and manner in which such amendment(s) will be made.
7. Limited Liability. Without limiting Covered Entity’s remedies under any other provision of this
Agreement, in the event of a Breach involving Unsecured PHI maintained, used or disclosed by
Business Associate that is the fault of Business Associate, Business Associate shall reimburse
Covered Entity for reasonable cost of providing any legally required notice to affected individuals
and the cost of credit monitoring for such individuals to the extent deemed necessary by Covered
Entity in its reasonable discretion. Neither Party shall be liable to the other party for any incidental,
consequential or punitive damages of any kind or nature, whether such liability is asserted on the
basis of contract, tort (including negligence or strict liability), or otherwise, even if the other party
has been advised of the possibility of such loss or damages. Business Associate’s total cumulative
liability for all matters arising out of or in connection with this Agreement whether in contract, tort
(including negligence or strict liability), or otherwise will be $25,000.
8. Material Breach, Enforcement and Termination.
a. Term. This Agreement shall be effective as of the Effective Date, and shall continue until
the earlier of when this Agreement is terminated in accordance with the provisions of this Section or
the Subscription Agreement terminates.
b. Termination.
1) If Covered Entity determines that Business Associate has breached or violated a material
term of this Agreement, Covered Entity may, at its option, pursue any and all of the following
remedies:
a) Take any reasonable steps that Covered Entity, in its sole discretion, shall deem
necessary to cure such breach or end such violation; and/or
b) Covered Entity may terminate this Agreement in the event of Business Associate’s
uncured material breach of this Agreement following 30 days’ notice and opportunity to
cure, if curable.
2) If Business Associate determines that Covered Entity has breached or violated a material
term of this Agreement, Business Associate may, at its option, pursue any and all of the
following remedies:
a) take any reasonable steps that Business Associate, in its sole discretion, shall deem
necessary to cure such breach or end such violation; and/or
b) Business Associate may terminate this Agreement in the event of Covered Entity’s
uncured material breach of this Agreement following 30 days’ notice and opportunity to
cure, if curable.
c. Return or Destruction of Records. Upon termination of this Agreement for any reason, Business
Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate
still maintains in any media, and shall retain no copies of such PHI. If Covered Entity, in its sole
discretion, requires that Business Associate destroy any or all PHI in its possession, Business
Associate shall certify to Covered Entity that the PHI has been destroyed. If return or destruction is
not feasible, Business Associate shall inform Covered Entity of the reason it is not feasible and shall
continue to extend the protections of this Agreement to such information and limit further use and
disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible.
The foregoing will not apply, however, to any PHI for which Business Associate has received from
the applicable individual (with respect to whom the PHI pertains) authorization in accordance with
HIPAA that Business Associate may retain such PHI for the purposes authorized by the individual.
Business Associate’s obligations with respect to such PHI will become outside the scope of this
Agreement and will be governed by HIPAA and the agreement between Business Associate and the
individual.
9. Miscellaneous Terms.
a. State Law. Nothing in this Agreement shall be construed to require Business Associate to
use or disclose PHI without a written authorization from an individual who is a subject of the PHI,
or written authorization from any other person, where such authorization would be required under
state law for such use or disclosure.
b. Amendment. Covered Entity and Business Associate agree that amendment of this
Agreement may be required to ensure that Covered Entity and Business Associate comply with
changes in state and federal laws and regulations relating to the privacy, security, and confidentiality
of PHI, including, but not limited to, changes under the HIPAA Rules. This Agreement may not
otherwise be amended except by written agreement between both parties.
c. Governing Law and Venue. This Agreement will be construed in accordance with and
governed by the internal law of Montana without regard to the choice or conflicts of law provisions
of any jurisdiction. In the event that Covered Entity institutes any action or proceeding arising out of
or relating to this Agreement, exclusive jurisdiction will be in the state or federal court for Gallatin
County. In the event that Business Associate institutes any action or proceeding arising out of or
relating to this Agreement exclusive jurisdiction shall be in the state or federal court where the
covered entity is located as first written above.
d. Attorney’s Fees. The prevailing party in any action or proceeding to enforce any of the
provisions of this Agreement shall be entitled to recover reasonable attorneys’ fees, costs and
expenses incurred in connection with actions or proceedings.
e. Waiver. A waiver by a party of any provision of this Agreement in any instance will not be
deemed a waiver of such provision, or any other provision of this Agreement as to any future
instance or occurrence. All remedies, rights, undertakings, and obligations contained in this
Agreement will be cumulative and none of them will be in limitation of any other remedy, right,
undertaking, or obligation of a party.
f. Severability. The provisions of this Agreement are severable. The invalidity, in whole or in
part, of any provision of this Agreement will not affect the validity or enforceability of any other of
its provisions. If one or more provisions of this Agreement are declared invalid or unenforceable,
the remaining provisions will remain in full force and effect and will be construed in the broadest
possible manner to effectuate the purposes of this Agreement. The parties further agree to replace
such void or unenforceable provisions of this Agreement with valid and enforceable provisions that
will achieve, to the extent possible, the economic, business, and other purposes of the void or
unenforceable provisions.
g. Assignment. The rights and/or obligations contained in this Agreement may not be
assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or
subsidiary) without the prior written approval of the other party, not to be unreasonably withheld,
provided, however that either party may assign this agreement in connection with a merger,
consolidation or acquisition of a party resulting in a change of control or a transfer or sale of all or
substantially all of the assets of either party. No assignment or delegation shall relieve either party
of liability for its obligations hereunder.
h. Counterparts. This Agreement may be executed in any number of counterparts.
i. Notices. All notices, requests, or consents required or permitted under this Agreement will
be in writing (including electronic form) and will be delivered to the address set forth by each party
in this Agreement, or to such other party and/or address as any of such parties may designate in a
written notice served upon the other party in the manner provided for below. Each notice, request,
consent, or other communication will be given and will be effective: (1) if delivered by hand, when
so delivered; (2) if delivered by nationally recognized overnight courier service or sent by United
States Express Mail, upon confirmation of delivery; (3) if delivered by certified or registered mail,
on the third following day after deposit with the United States Postal Service; or (4) if delivered by
facsimile, upon confirmation of successful transmission.
The parties have executed this Agreement duly authorized to be effective as of the Effective Date.
COVERED ENTITY BUSINESS ASSOCIATE
Waukee Fire Department CommuniCare Technology, Inc. dba Pulsara
By: By:
James T. Woodson, CEO
Printed Name, Title Printed Name, Title