HomeMy WebLinkAboutContract 63410FORT WORTH. CSC No. 63410
CITY OF FORT WORTH BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "BAA") is made and entered into by and between the
City of Fort Worth Texas, a home -rule municipality organized under the laws of the state of
Texas ("Covered Entity") and CommuniCare Technology, Inc. dba Pulsara, a corporation
("Business Associate", in accordance with the meaning given to those terms at 45 CFR §
164.501). In this BAA, Covered Entity and Business Associate are each a "Party" and,
collectively, are the "Parties."
WHEREAS, Covered Entity is a "covered entity" as defined under the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH
Act (as defined below) and the related regulations promulgated by HHS (as defined below)
(collectively, "HIPAA") and, as such, is required to comply with HIPANs provisions regarding
the confidentiality and privacy of Protected Health Information ("PHI");
WHEREAS, the Parties have entered into or will enter into one or more agreements
under which Business Associate provides or will provide certain specified services to Covered
Entity (collectively, the "Agreement");
WHEREAS, in providing services pursuant to the Agreement, Business Associate will
have access to PHI;
WHEREAS, by providing the services pursuant to the Agreement, Business Associate
will become a "business associate" of the Covered Entity as such term is defined under HIPAA;
WHEREAS, both Parties are committed to complying with all federal and state laws
governing the confidentiality and privacy of health information, including, but not limited to, the
Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160
and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and
WHEREAS, both Parties intend to protect the privacy and provide for the security of
Protected Health Information disclosed to Business Associate pursuant to the terms of this
Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein
and the continued provision of PHI by Covered Entity to Business Associate under the
Agreement in reliance on this BAA, the Parties agree as follows:
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
FORT WORTH.
1. Definitions
For purposes of this BAA, the Parties give the following meaning to each of the terms in this
Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the
meaning given to that term in the Privacy Rule or pertinent law.
A. "Affiliate" means a subsidiary or affiliate of Covered Entity that is, or has been,
considered a covered entity, as defined by HIPAA.
B. "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not
permitted under the Privacy Rule which compromises the security or privacy of the PHI, as
defined in 45 CFR § 164.402.
C. "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45
CFR Part 164.
D. "Data Aggregation" means, with respect to PHI created or received by Business
Associate in its capacity as the "business associate" under HIPAA of Covered Entity, the
combining of such PHI by Business Associate with the PHI received by Business Associate in its
capacity as a business associate of one or more other "covered entity" under HIPAA, to permit
data analyses that relate to the Health Care Operations (defined below) of the respective covered
entities. The meaning of "data aggregation" in this BAA shall be consistent with the meaning
given to that term in the Privacy Rule.
E. "Designated Record Set" has the meaning given to such term under the Privacy Rule,
including 45 CFR § 164.501.B.
F. "De -Identify" means to alter the PHI such that the resulting information meets the
requirements described in 45 CFR § § 164.514(a) and (b).
G. "Electronic PHI" means any PHI maintained in or transmitted by electronic media as
defined in 45 CFR § 160.103.
H. "Health Care Operations" has the meaning given to that term in 45 CFR § 164.501.
I. "HHS" means the U.S. Department of Health and Human Services.
J. "HITECH Act" means the Health Information Technology for Economic and Clinical
Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public
Law 111-005.
FORT WORTH.
K. "Individual" has the same meaning given to that term i in 45 CFR §§164.501 and
160.130 and includes a person who qualifies as a personal representative in accordance with 45
CFR § 164.502(g).
L. "Privacy Rule" means that portion of HIPAA set forth in 45 CFR Part 160 and Part
164, Subparts A and E.
M. "Protected Health Information" or "PHI" has the meaning given to the term
"protected health information" in 45 CFR §§164.501 and 160.103, limited to the information
created or received by Business Associate from or on behalf of Covered Entity.
N. "Security Incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system operations in
an information system.
O. "Security Rule" means the Security Standards for the Protection of Electronic Health
Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
P. "Unsecured Protected Health Information" or "Unsecured PHI" means any "protected
health information" as defined in 45 CFR § § 164.501 and 160.103 that is not rendered unusable,
unreadable or indecipherable to unauthorized individuals through the use of a technology or
methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH
Act and codified at 42 USC § 17932(h).
2. Use and Disclosure of PHI
A. Except as otherwise provided in this BAA, Business Associate may use or
disclose PHI as reasonably necessary to provide the services described in the Agreement to
Covered Entity, and to undertake other activities of Business Associate permitted or required of
Business Associate by this BAA or as required by law.
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity
authorizes Business Associate to use the PHI in its possession for the proper management and
administration of Business Associate's business and to carry out its legal responsibilities.
Business Associate may disclose PHI for its proper management and administration, provided
that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to
making any disclosure to a third party (a) reasonable assurances from this third party that the PHI
will be held confidential as provided under this BAA and used or further disclosed only as
required by law or for the purpose for which it was disclosed to this third party and (b) an
agreement from this third party to notify Business Associate immediately of any breaches of the
confidentiality of the PHI, to the extent it has knowledge of the breach.
FORT WORTH.
C. Business Associate will not use or disclose PHI in a manner other than as
provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business
Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the
minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in
accordance with Section 13405(b) of the HITECH Act (codified at 42 USC § 17935(b)) and any
of the act's implementing regulations adopted by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate will make available to Covered Entity any of
Covered Entity's PHI that Business Associate or any of its agents or subcontractors have in their
possession.
E. Business Associate may use PHI to report violations of law to appropriate
Federal and State authorities, consistent with 45 CFR § 164.5020)(1).
3. Safeguards Against Misuse of PHI
Business Associate will use appropriate safeguards to prevent the use or disclosure of
PHI other than as provided by the Agreement or this BAA and Business Associate agrees to
implement administrative, physical, and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives,
maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable
steps, including providing adequate training to its employees to ensure compliance with this
BAA and to ensure that the actions or omissions of its employees or agents do not cause
Business Associate to breach the terms of this BAA.
4. Reporting Disclosure of PHI and Security Incidents
Business Associate will report to Covered Entity in writing any use or disclosure of PHI
not provided for by this BAA of which it becomes aware and Business Associate agrees to report
to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it
becomes aware. Business Associate agrees to report any such event within five business days of
becoming aware of the event.
5. Reporting Breaches of Unsecured PHI
Business Associate will notify Covered Entity in writing promptly upon the discovery of
any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR § 164.410,
but in no case later than 30 calendar days after discovery of a Breach. Business Associate will
reimburse Covered Entity for any costs incurred by it in complying with the requirements of
Subpart D of 45 CFR § 164 that are imposed on Covered Entity as a result of a Breach committed
by Business Associate.
FORT WORTH.
6. Mitigation of Disclosures of PHI
Business Associate will take reasonable measures to mitigate, to the extent practicable,
any harmful effect that is known to Business Associate of any use or disclosure of PHI by
Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
7. Agreements with Agents or Subcontractors
Business Associate will ensure that any of its agents or subcontractors that have access
to, or to which Business Associate provides, PHI agree in writing to the restrictions and
conditions concerning uses and disclosures of PHI contained in this BAA and agree to
implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates,
receives, maintains or transmits on behalf of Business Associate or, through the Business
Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business
Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor
or agent receives PHI as described in section I.M. of this BAA. Such notification shall occur
within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice
on the Business Associate's primary website. Business Associate shall ensure that all
subcontracts and agreements provide the same level of privacy and security as this BAA.
8. Audit
Upon request, Business Associate will provide Covered Entity, or upstream Business
Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315),
HITRUST certification or other mutually agreed upon independent standards based third party
audit report. Covered entity agrees not to re -disclose Business Associate's audit report.
9. Access to PHI by Individuals
A. Upon request, Business Associate shall cooperate with Covered Entity to ensure
that Covered Entity has timely access to PHI necessary to respond to an Individual's request for
access under 45 CFR § 164.524. Covered Entity shall determine whether any such PHI is part of
a Designated Record Set.
B. In the event any Individual or personal representative requests access to the
Individual's PHI directly from Business Associate, Business Associate within ten business days,
will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the
PHI requested by an Individual or a personal representative and compliance with the
requirements applicable to an Individual's right to obtain access to PHI shall be the sole
responsibility of Covered Entity.
FORT WORTH.
10. Amendment of PHI
A. Upon request and instruction from Covered Entity, Business Associate will make
available to Covered Entity such information as Covered Entity may require to fulfill Covered
Entity's obligations to amend PHI or a record about an Individual that is maintained by, or
otherwise within the possession of, Business Associate as directed by Covered Entity in
accordance with procedures established by 45 CFR § 164.526.
B. In the event that any Individual requests that Business Associate amend such
Individual's PHI or record, Business Associate within ten business days will forward this request
to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested
by an Individual and compliance with the requirements applicable to an Individual's right to
request an amendment of PHI will be the sole responsibility of Covered Entity.
11. Accounting of Disclosures
A. Business Associate will document any disclosures of PHI made by it to account
for such disclosures as required by 45 CFR § 164.528(a). Business Associate also will make
available information related to such disclosures as would be required for Covered Entity to
respond to a request for an accounting of disclosures in accordance with 45 CFR § 164.528. At a
minimum, Business Associate will furnish Covered Entity the following with respect to any
covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the
entity or person who received PHI, and, if known, the address of such entity or person; (iii) a
brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure
which includes the basis for such disclosure.
B. Business Associate will furnish to Covered Entity information collected in
accordance with this Section 10, within ten business days after written request by Covered
Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR
§ 164.528, or in the event that Covered Entity elects to provide an Individual with a list of its
business associates, Business Associate will provide an accounting of its disclosures of PHI upon
request of the Individual, if and to the extent that such accounting is required under the HITECH
Act or under HHS regulations adopted in connection with the HITECH Act.
C. In the event an Individual delivers the initial request for an accounting directly to
Business Associate, Business Associate will within ten business days forward such request to
Covered Entity.
12. Availability of Books and Records
Business Associate will make available its internal practices, books, agreements, records,
and policies and procedures relating to the use and disclosure of PHI, upon request, to the
FORT WORTH.
Secretary of HHS for purposes of determining Covered Entity's and Business Associate's
compliance with HIPAA, and this BAA.
13. Responsibilities of Covered Entity
With regard to the use and/or disclosure of PHI by Business Associate, Covered Entity agrees to:
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in
accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business
Associate's use or disclosure of PHI.
B. Notify Business Associate of any changes in, or revocation of, permission by an
Individual to use or disclose Protected Health Information, to the extent that such changes may
affect Business Associate's use or disclosure of PHI.
C. Notify Business Associate of any restriction to the use or disclosure of PHI that
Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such
restriction may affect Business Associate's use or disclosure of PHI.
D. Except for data aggregation or management and administrative activities of
Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI
in any manner that would not be permissible under HIPAA if done by Covered Entity.
14. Data Ownership
Business Associate's data stewardship does not confer data ownership rights on Business
Associate with respect to any data shared with it under the Agreement, including any and all
forms thereof.
15. Term and Termination
A. This BAA will become effective upon execution by the Covered Entity's City
Manager, Deputy City Manager, or Assistant City Manager, and will continue in effect until all
obligations of the Parties have been met under the Agreement and under this BAA, unless earlier
terminated in accordance with the terms of this BAA.
B. Covered Entity may terminate immediately this BAA, the Agreement, and any
other related agreements if Covered Entity determines that Business Associate has breached a
material term of this BAA and Business Associate has failed to cure that material breach, to
Covered Entity's reasonable satisfaction, within 30 days after written notice from Covered
Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not
FORT WORTH.
feasible. Notwithstanding the foregoing, Covered Entity may also terminate the Agreement any
other related agreements as provided by the terms of such agreements. Additionally, Covered
Entity may terminate this BAA for convenience upon 30 days' prior written notice to Business
Associate.
C. If Business Associate determines that Covered Entity has breached a material
term of this BAA, then Business Associate will provide Covered Entity with written notice of the
existence of the breach and shall provide Covered Entity with 30 days to cure the breach.
Covered Entity's failure to cure the breach within the 30-day period will be grounds for
immediate termination of the Agreement and this BAA by Business Associate. Business
Associate may report the breach to HHS.
D. Upon termination of the Agreement or this BAA for any reason, all PHI
maintained by Business Associate will be returned to Covered Entity or destroyed by Business
Associate. Business Associate will not retain any copies of such information. This provision will
apply to PHI in the possession of Business Associate's agents and subcontractors. If return or
destruction of the PHI is not feasible, in Business Associate's reasonable judgment, Business
Associate will furnish Covered Entity with notification, in writing, of the conditions that make
return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction
of the PHI is infeasible, Business Associate will extend the protections of this BAA to such
information for as long as Business Associate retains such information and will limit further uses
and disclosures to those purposes that make the return or destruction of the information not
feasible. The Parties understand that this Section 14.1). will survive any termination of this BAA.
16. Effect of BAA
A. This BAA is a part of and subject to the terms of the Agreement, except that to the
extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA
will govern.
B. Except as expressly stated in this BAA or as provided by law, this BAA will not
create any rights in favor of any third party.
17. Regulatory References
Regulatory References. A reference in this BAA to a section in HIPAA means the section
as in effect or as amended at the time.
FORT WORTH.
18. Notices
Notices required pursuant to the provisions of this BAA will be conclusively determined
to have been delivered when (1) hand -delivered to the other party, its agents, employees, servants
or representatives, (2) received via electronic mail, (3) delivered by facsimile with electronic
confirmation of the transmission, or (4) received by the other party by United States Mail,
registered, return receipt requested, addressed as follows:
To Covered Entity:
City of Fort Worth
Attn: Assistant City Manager
100 Fort Worth Trail
Fort Worth, TX 76102-6314
Facsimile: (817) 392-8654
With copy to Fort Worth City Attorney's
Office at same address
19. Amendments and Waiver
To Business Associate:
Pulsara
Attn: Compliance & Technical Services
9450 SW Gemini Dr., PMB 75708
Beaverton, OR 97008-7105
Email: compliance@pulsara.com
This BAA may not be modified, nor will any provision be waived or amended, except in
writing duly signed by authorized representatives of the Parties. A waiver with respect to one
event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to
subsequent events.
20. HITECH Act Compliance
The Parties acknowledge that the HITECH Act includes significant changes to the
Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth
provisions that significantly change the requirements for business associates and the agreements
between business associates and covered entities under HIPAA and these changes may be further
clarified in forthcoming regulations and guidance. Each Party agrees to comply with the
applicable provisions of the HITECH Act and any HHS regulations issued with respect to the
HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably
necessary to comply with the HITECH Act and its regulations as they become effective but, in
the event that the Parties are unable to reach agreement on such a modification, either Parry will
have the right to terminate this BAA upon 30- days' prior written notice to the other Party.
FORTWORTH.
[Executed effective as of the date signed by the Assistant City Manager below.] / [ACCEPTED
AND AGREED:]
Covered Entity:
1•nl nI
By: _
Name 1J.TJ l
Title: Assistant City Manager
Date: 06/11 /2025
Business Associate
By:
Name: Anna Larson
Title: Sales Operations Manager
Date: 6/5/2025
CITY OF FORT WORTH INTERNAL ROUTING PROCESS:
Approval Recommended:
,
By: J, D� 9, ?F
Name:
Title:
Approved as ) Form and Legality:
By:
Name: Taylor C. Paris
Title: Assistant City Attorney
Contract Compliance Manager:
By signing I acknowledge that I am the
person responsible for the monitoring and
administration of this contract, including
ensuring all performance and reporting
requirements.
Ereil Kat
i
t _
By: Brenda Ray (Jun ° '10-"' '10•16 CDT,
Name:
Title:
t I Ak y iC
City Secretary:
Il
pO� pORT�aO
AO
per' o°=o
��� � OQp*eo o•o*dd
IlIlpnnEXP$a''�>
By:
Name: Jannette S. Goodall
Title: City Secretary
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX