Laserfiche WebLink
pis <br />VMII-�. R 1�5I ESS ASSOCIATE AGREEMENT MDs <br />This Business Associate Agreement ("Agreement") is entered into by and between a -MDs, Inc., whose principal office is at <br />9900 Spectrum Drive, Austin, Texas 78717 (the "Business Associate") and Jefferson County Public Health with its <br />principal office located at 615 Sheridan St. Port Townsend, WA 98368 (the "Covered Entity") (each a "Party' and <br />collectively the "Parties"). <br />INTRODUCTION <br />WHEREAS, the Business Associate is a Texas Corporation and the Covered Entity is a <br />.Government Entity ; and <br />WHEREAS, the Parties have or are entering into a separate agreement (the "License Order") under which the <br />Business Associate will perform certain specified services for or on behalf of the Covered Entity (the "Services"), in addition <br />to licensing certain software products to the Covered Entity; and <br />WHEREAS, in providing the Services, Business Associate may use and/or disclose protected health information <br />received from the Covered Entity ("PHI") as defined in 45 C.F.R. § 160.103 relating to the Standards for Privacy of <br />Individually Identifiable Health Information (the "Privacy Regulations") and the Security Standards for the Protection of <br />Electronic Protected Health Information (the "Security Regulations'), promulgated under the Health Insurance Portability and <br />Accountability Act of 1996, as amended ("HIPAA" ); and <br />WHEREAS, this Agreement sets forth the terms and conditions pursuant to which the Business Associate must <br />maintain, protect, create, use and/or disclose any PHI (which includes electronic PHI, or EPHI) that is provided to, or is <br />created or received by, it from or on behalf of the Covered Entity; and <br />WHEREAS, the Parties intend that this Agreement comply with the provisions in the Privacy Regulations and <br />Security Regulations requiring business associates to provide adequate assurances to a covered entity with respect to the <br />Business Associate's duties to protect the confidentiality of PHI. <br />NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which are hereby <br />acknowledged, the Parties hereby agree as follows: <br />1. RESPONSIBILITIES OF BUSINESS ASSOCIATE WITH RESPECT TO PHI <br />1.1 Primary Responsibilities of Business Associate with Respect to PHI. With regard to its use and/or disclosure of PHI, <br />the Business Associate hereby agrees to do the following: <br />a. Use and/or disclose the PHI only as reasonably necessary to perform the Services, as required by Law, and <br />as otherwise permitted or required by this Agreement. <br />b. Use commercially reasonable safeguards to prevent use or disclosure of the PHI other than as provided for <br />by this Agreement. <br />c. Report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI <br />that is not permitted or required by this Agreement of which Business Associate becomes aware within five <br />(5) business days of the Business Associate's discovery of such unauthorized use and/or disclosure. <br />d. Establish procedures for mitigating, in a commercially reasonable manner, any deleterious effects from any <br />improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity. <br />e. Provide adequate administrative, technical and physical safeguards to protect and maintain the confidentiality <br />of any PHI in its possession. If Business Associate electronically exchanges data containing PHI with <br />Covered Entity, Business Associate will use commercially reasonable efforts to ensure that all transmissions <br />of data are authorized, protect the integrity and confidentiality of PHI, and protect business records and data <br />from improper access. In particular, as required by the Security Regulations, the Business Associate agrees <br />to the following requirements: <br />1. implement administrative, physical, and technical safeguards that reasonably and appropriately protect <br />the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains or transmits on <br />behalf of the Covered Entity; <br />2. ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement <br />reasonable and appropriate safeguards to protect it; <br />3. promptly report to the Covered Entity any security incident of which it becomes aware, and in no case <br />make such notification later than sixty (60) calendar days after discovery of such security incident. The <br />notification shall include, to the extent possible, the identification of each individual whose unsecured <br />e -MDs BAA — Page 1 of 7 <br />Revised 517/2010 <br />