The URL can be used to link to this page

Home My WebLink About2017-08-14-E02B FD Pulsara BAA AGENDA ITEM: CITY OF WAUKEE, IOWA CITY COUNCIL MEETING COMMUNICATION MEETING DATE: August 14, 2017 AGENDA ITEM: Consideration of a resolution approving a Business Associate Agreement (BAA) with the CommuniCare Technology Company, aka PULSARA FORMAT: Consent Agenda SYNOPSIS INCLUDING PRO & CON: This a confidentiality agreement related to the transfer of protected health information between two HIPAA covered organizations, in this case Waukee fire and Pulsara. Pulsara is a technology that allows faster communication of patient condition to the hospital, including Stroke alerts and Cardiac Cath Lab activations (heart attacks) and other routine communications from EMS to the hospitals. . FISCAL IMPACT INCLUDING COST/BENEFIT ANALYSIS: No cost COMMISSION/BOARD/COMMITTEE COMMENT: STAFF REVIEW AND COMMENT: RECOMMENDATION: Approve the resolution. ATTACHMENTS: I. Proposed Resolution PREPARED BY: REVIEWED BY: PUBLIC NOTICE INFORMATION – NAME OF PUBLICATION: DATE OF PUBLICATION: THE CITY OF WAUKEE, IOWA RESOLUTION 17- APPROVING BUSINESS ASSOCIATE AGREEMENT (BAA) WITH COMMUNICARE TECHNOLOGY, INC., D/B/A PULSARA IN THE NAME AND BY THE AUTHORITY OF THE CITY OF WAUKEE, IOWA WHEREAS, the City of Waukee, Dallas County, State of Iowa, is a duly organized Municipal Organization; AND, WHEREAS, on August 14, 2017, the Waukee City Council approved a Subscription Agreement with CommuniCare Technology, Inc., d/b/a Pulsara (Resolution #17-XXX); AND, WHEREAS, implementation of the Pulsara communication system requires a confidentiality agreement related to the transfer of protected health information between the Waukee Fire Deparment and Pulsara, both of which are HIPAA-covered organizations. NOW THEREFORE BE IT RESOLVED by the City Council of the City of Waukee, Iowa on this 14th day of August, 2017 that the Business Associate Agreement (BAA) with CommuniCare Technology, Inc., d/b/a Pulsara is hereby approved. ____________________________ William F. Peard, Mayor Attest: ___________________________________ Rebecca D. Schuett, City Clerk ROLL CALL VOTE AYE NAY ABSENT ABSTAIN Anna Bergman R. Charles Bottenberg Brian Harrison Shelly Hughes Larry R. Lyon 1 BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (“Agreement”) is effective as of , 201__ (“Effective Date”) by and between Waukee Fire Department with offices at 1300 E. L.A. Grant Pkwy, Ste. B, Waukee, IA 50263 (“Covered Entity”) and CommuniCare Technology, Inc. (dba and hereinafter “Pulsara”), a Delaware corporation, with offices at 2880 Technology Blvd. West, Bozeman, MT 59718 (“Business Associate”). RECITALS A. Covered Entity possesses Protected Health Information (“PHI”)that is protected under HIPAA Rules (as defined below), and wishes to ensure that Business Associate will appropriately safeguard such information; and B. Business Associate is licensing certain software and related technology to Covered Entity pursuant to that certain Enterprise Subscription Agreement dated as of the Effective Date (“Subscription Agreement”). Based upon the above recitals and the mutual covenants in this Agreement, Covered Entity and Business Associate agree as follows: 1. Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured and Use. a. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Pulsara. b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Covered Entity first written above. c. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. 2. Permitted Uses and Disclosures. a. Performance of Services. Business Associate may use and disclose PHI in connection with the performance of the services as described in the Subscription Agreement (“Services”) if such use or disclosure of PHI would not violate HIPAA Rules, or such use or disclosure is expressly permitted hereunder. b. Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate in connection with the performance of Services described in the Subscription Agreement. Business Associate may disclose PHI for such proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if the disclosure is required by law or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached. c. Other Permitted Uses. Unless otherwise limited herein, the Business Associate may also: (1) perform Data Aggregation for the health care operations of Covered Entity; (2) may use, analyze, and disclose the PHI in its possession for the public health activities and 2 purposes set forth at C.F.R. § 164.512(b); (3) de-identify any and all PHI provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. §164.514(b); and (4) may otherwise use and disclose the PHI as authorized by Covered Entity pursuant to the Subscription Agreement. d. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition. 3. Nondisclosure a. As Provided In Agreement. Business Associate shall not use or further disclose PHI except as permitted or required by this Agreement or as required by law. 4. Safeguards, Reporting, Mitigation and Enforcement. a. Safeguards. Business Associate shall use appropriate safeguards to protect PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI not provided for by this Agreement. b. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and conditions that apply to Business Associate with respect to such PHI. c. Reporting. Business Associate shall promptly report to Covered Entity any use or disclosure of PHI in violation of this Agreement or applicable law of which it becomes actually aware. Business Associate further agrees to promptly report to Covered Entity any Security Incident of which it becomes actually aware. In addition, Business Associate shall promptly report to Covered Entity any Breach of Unsecured PHI. d. Mitigation. Business Associate shall have procedures in place to mitigate any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law. e. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this Agreement or applicable law. f. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules; provided, however, that Business Associate shall promptly notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary, and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The parties’ respective rights and obligations under this Section shall survive termination of this Agreement. 5. Obligation to Provide Access, Amendment and Accounting of PHI. a. Access to PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA Rules. b. Amendment of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA Rules. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into copies of such information maintained by Business Associate. c. Accounting of Disclosures of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA Rules. 3 Business Associate shall make this information available to Covered Entity upon Covered Entity’s request. d. Forwarding Requests From Individual. In the event that any individual requests access to, amendment of, or accounting of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA Rules, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable. 6. Responsibilities of Covered Entity. Covered Entity will: a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notice; b. provide Business Associate with any changes in, or revocation of, permission by Individual to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures; c. notify Business Associate of any restriction to the use and/or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522; and d. notify Business Associate, in writing, of any amendment(s) to the PHI in the possession of Business Associate that the Business Associate will make to the PHI and inform the Business Associate of the time, form and manner in which such amendment(s) will be made. 7. Limited Liability. Without limiting Covered Entity’s remedies under any other provision of this Agreement, in the event of a Breach involving Unsecured PHI maintained, used or disclosed by Business Associate that is the fault of Business Associate, Business Associate shall reimburse Covered Entity for reasonable cost of providing any legally required notice to affected individuals and the cost of credit monitoring for such individuals to the extent deemed necessary by Covered Entity in its reasonable discretion. Neither Party shall be liable to the other party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other party has been advised of the possibility of such loss or damages. Business Associate’s total cumulative liability for all matters arising out of or in connection with this Agreement whether in contract, tort (including negligence or strict liability), or otherwise will be $25,000. 8. Material Breach, Enforcement and Termination. a. Term. This Agreement shall be effective as of the Effective Date, and shall continue until the earlier of when this Agreement is terminated in accordance with the provisions of this Section or the Subscription Agreement terminates. b. Termination. 1) If Covered Entity determines that Business Associate has breached or violated a material term of this Agreement, Covered Entities may, at its option, pursue any and all of the following remedies: a) Take any reasonable steps that Covered Entity, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or b) Covered Entity may terminate this Agreement in the event of Business Associate’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable. 2) If Business Associate determines that Covered Entity has breached or violated a material term of this Agreement, Business Associate may, at its option, pursue any and all of the 4 following remedies: a) take any reasonable steps that Business Associate, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or b) Business Associate may terminate this Agreement in the event of Covered Entity’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable. c. Return or Destruction of Records. Upon termination of this Agreement for any reason, Business Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate still maintains in any media, and shall retain no copies of such PHI. If Covered Entity, in its sole discretion, requires that Business Associate destroy any or all PHI in its possession, Business Associate shall certify to Covered Entity that the PHI has been destroyed. If return or destruction is not feasible, Business Associate shall inform Covered Entity of the reason it is not feasible and shall continue to extend the protections of this Agreement to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible. The foregoing will not apply, however, to any PHI for which Business Associate has received from the applicable individual (with respect to whom the PHI pertains) authorization in accordance with HIPAA that Business Associate may retain such PHI for the purposes authorized by the individual. Business Associate’s obligations with respect to such PHI will become outside the scope of this Agreement and will be governed by HIPAA and the agreement between Business Associate and the individual. 9. Miscellaneous Terms. a. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure. b. Amendment. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI, including, but not limited to, changes under the HIPAA Rules. This Agreement may not otherwise be amended except by written agreement between both parties. c. Governing Law and Venue. This Agreement will be construed in accordance with and governed by the internal law of Montana without regard to the choice or conflicts of law provisions of any jurisdiction. In the event that Covered Entity institutes any action or proceeding arising out of or relating to this Agreement, exclusive jurisdiction will be in the state or federal court for Gallatin County. In the event that Business Associate institutes any action or proceeding arising out of or relating to this Agreement exclusive jurisdiction shall be in the state of federal court where the covered entity is located as first written above. d. Attorney’s Fees. The prevailing party in any action or proceeding to enforce any of the provisions of this Agreement shall be entitled to recover reasonable attorneys’ fees, costs and expenses incurred in connection with actions or proceedings. e. Waiver. A waiver by a party of any provision of this Agreement in any instance will not be deemed a waiver of such provision, or any other provision of this Agreement as to any future instance or occurrence. All remedies, rights, undertakings, and obligations contained in this Agreement will be cumulative and none of them will be in limitation of any other remedy, right, undertaking, or obligation of a party. f. Severability. The provisions of this Agreement are severable. The invalidity, in whole or in part, of any provision of this Agreement will not affect the validity or enforceability of any other of its provisions. If one or more provisions of this Agreement are declared invalid or unenforceable, the remaining provisions will remain in full force and effect and will be construed in the broadest possible manner to effectuate the purposes of this Agreement. The parties further agree to replace such void or unenforceable provisions of this Agreement with valid and enforceable provisions that 5 will achieve, to the extent possible, the economic, business, and other purposes of the void or unenforceable provisions. g. Assignment. The rights and/or obligations contained in this Agreement may not be assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or subsidiary) without the prior written approval of the other party, not to be unreasonably withheld, provided, however that either party may assign this agreement in connection with a merger, consolidation or acquisition of a party resulting in a change of control or a transfer or sale of all or substantially all of the assets of either party. No assignment or delegation shall relieve either party of liability for its obligations hereunder. h. Counterparts. This Agreement may be executed in any number of counterparts. i. Notices. All notices, requests, or consents required or permitted under this Agreement will be in writing (including electronic form) and will be delivered to the address set forth by each party in this Agreement, or to such other party and/or address as any of such parties may designate in a written notice served upon the other party in the manner provided for below. Each notice, request, consent, or other communication will be given and will be effective: (1) if delivered by hand, when so delivered; (2) if delivered by nationally recognized overnight courier service or sent by United States Express Mail, upon confirmation of delivery; (3) if delivered by certified or registered mail, on the third following day after deposit with the United States Postal Service; or (4) if delivered by facsimile, upon confirmation of successful transmission. The parties have executed this Agreement duly authorized to be effective as of the Effective Date. COVERED ENTITY BUSINESS ASSOCIATE Waukee Fire Department CommuniCare Technology, Inc. dba Pulsara By: By: James T. Woodson, CEO Printed Name, Title Printed Name, Title