RESOLUTION NO. 23-179

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF BEAUMONT:

THAT the City Manager be and he is hereby authorized to approve an Agreement with UT Health Science Center of Houston, Texas for HIPAA Patient Care.

The meeting at which this resolution was approved was in all things conducted in strict compliance with the Texas Open Meetings Act, Texas Government Code, Chapter 551.

PASSED BY THE CITY COUNCIL of the City of Beaumont this the 11th day of July, 2023.

Mayor Roy

HIPAA BUSINESS ASSOCIATE AGREEMENT

This HIPAA Business Associate Agreement (this "BA Agreement") is made and entered into effective as of May 10, 2023 (the "Effective Date") by The University of Texas Health Science Center at Houston an agency and institution of higher education established under the laws of the State of Texas, located at 7000 Fannin, Houston, TX 77030 ("Business Associate"), and the City of Beaumont city in southeastern Texas located at P.O. Box 3827, Beaumont, TX 77704 ("Covered Entity").

A. Definitions. For purposes of this BA Agreement:

1. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean The University of Texas Health Science Center at Houston.

2. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the City of Beaumont.

3. "Agreement" shall mean the "Partnership Agreement" made and entered into effective as of May 10, 2023, by Business Associate and The Covered Entity.

4. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 164.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

5. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

6. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 164.103, limited to the PHI created, maintained, transmitted, or received by Business Associate from or on behalf of Covered Entity.

8. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.

9. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.

10. All other capitalized terms used in this Agreement shall have the meanings set forth in the applicable definitions under the HIPAA Rules.

B. Obligations and Activities of Business Associate

1. Business Associate agrees to not use or disclose PHI other than as permitted or required by this BA Agreement or as Required By Law.

2. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent the use or disclosure of PHI other than as provided for by this BA Agreement.

4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BA Agreement.

5. Business Associate agrees to report immediately, but no later than three (3) days, to Covered Entity any use or disclosure of PHI not provided for by this BA Agreement of which it becomes aware including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware. The party responsible for the Breach of Unsecured PHI shall be responsible for payment of all actual costs associated with the Breach, including without limitation, costs of notifying affected Individuals, credit monitoring (where applicable), and other efforts to mitigate the harm to Individuals. Breach notification will be written in plain language and will include, to the extent possible or available, the following:

   a. The identification of the individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach;

   b. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach;

   c. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

   d. Any steps Individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the Breach;

   e. A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to individuals, and to protect against further Breaches; and

   f. Contact procedures for individuals to ask questions or learn additional information, including a toll free telephone number, an email address, Web site, or postal address.

6. Business Associate agrees to ensure that any agents or subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.

7. Business Associate agrees to provide access, at the request of Covered Entity, in a reasonable time and manner, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements under 45 CFR § 164.524.

8. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner.

9. Business Associate agrees to make internal practices, books, and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a reasonable time and manner, for the purpose of permitting the Secretary to determine Covered Entity's compliance with the HIPAA Rules.

10. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

11. Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable time and, information collected in accordance with Section B.(10) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

12. Business Associate agrees, to the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s);

C. Permitted Uses and Disclosures of PHI by Business Associate

1. Business Associate may only use or disclose PHI as permitted by the HIPAA Rules. Business Associate may use or disclose PHI to perform, manage and administer the activities or services required under the Agreement or other such arrangement between Covered Entity and Business Associate, including the de-identification of PHI, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

2. Business associate agrees to make uses and disclosures and requests for protected health information consistent with covered entity's minimum necessary policies and procedures.

3. Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity, except for the specific uses and disclosures set forth below.

4. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

5. Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

6. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

D. Obligations of Covered Entity

1. Covered Entity shall notify Business Associate of any limitations in its notice(s) of privacy practices in accordance with 45 CFR § 164.520 to the extent that such limitations may affect Business Associate's use or disclosure of PHI.

2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent such changes may affect Business Associate's use and disclosure of PHI.

3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

E. Restriction on Covered Entity

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except Business Associate may use or disclose PHI for data aggregation or management and administrative activities of Business Associate.

F. Term and Termination

1. Term. The Term of this BA Agreement and the obligations herein shall be deemed effective as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.

2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:

   a. Provide an opportunity for Business Associate to cure the material breach or end the violation and terminate this BA Agreement and Covered Entity's participation in the Agreement if Business Associate does not cure the material breach or end the violation within the reasonable time specified by Covered Entity; or

   b. Immediately terminate this BA Agreement and Covered Entity's participation in the Agreement if Business Associate has breached a material term of this BA Agreement and a cure is not possible.

3. Effect of Termination.

   a. Except as provided in Section F.(2), upon termination of this BA Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.

   b. In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction not feasible, including the need to retain PHI for audit, justification of work product or compliance with pharmacy or other applicable law. Business Associate shall extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.

G. Miscellaneous

1. Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect, or as amended, and for which compliance is required.

2. Amendment. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act of 1996, Pub. Law 104-191. This BA Agreement may be amended only in writing when signed by a duly authorized representative of each Party.

3. Survival. The respective rights and obligations of Business Associate under Section F.(3) of this BA Agreement shall survive the termination of this BA Agreement.

4. Interpretation. Any ambiguity in this BA Agreement or in the Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

5. Assignment. Neither Party may assign this BA Agreement without prior written consent from the other party, which will not be unreasonably withheld; provided, however, either party may assign this BA Agreement to the extent that they are permitted to assign the applicable Agreement. Nothing in this BA Agreement will confer any right, remedy, or obligation upon anyone other than Covered Entity and Business Associate.

6. Cooperation in Investigations. The parties acknowledge that certain breaches or violations of this BA Agreement may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.

7. Conflicts. To the extent that this BA Agreement may conflict with the Agreement, this BA Agreement shall govern.

CLIENT:
THE UNIVERSITY OF TEXAS HEALTH SCIENCE CENTER AT HOUSTON
By:
Name: Valerie Bomben
Title: Director, Sponsored Contracts

PROVIDER:
THE CITY OF BEAUMONT
By:
Name:
Title: