COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY. AND ACCOUNTABILITY ACT (HIPAA) The STATE and LOCAL AGENCY have a responsibility to comply with the provisions of the 1996 Federal Health Insurance Portability and Accountability Act (HIPAA) and the 2001 State Health Insurance Portability and Accountability Implementation Act. HIPAA provisions become applicable once the association and relationships of the health care providers are determined by the LOCAL AGENCY. It is the LOCAL AGENCY’S responsibility to determine their status as a “covered entity” and the relationships of personnel as “health care providers”, “health care clearinghouse”, “hybrid entities”, business associates”, or “trading partners”. STATE personnel assigned to fill the LOCAL AGENCY’S positions within this Agreement, and their supervisors, may fall under the requirements of HIPAA based on the LOCAL AGENCY’S status. It is the LOCAL AGENCY’S responsibility to identify, notify, train, and provide all necessary policy and procedures to the STATE personnel that fall under HIPAA requirements so that they can comply with the required security and privacy standards of the act.
COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY. ACCOUNTABILITY ACT OF 1996 (HIPAA)
A. Obligations and Activities of the Agency
1. The Agency agrees not to use or disclose protected health information other than as permitted or required by law.
2. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the protected health information that it creates, receives, maintains or transmits on behalf of the covered entity as required by 45 CFR Part 164, Subpart C.
3. The Agency agrees to mitigate, to the extent practicable, any harmful effect that is known to the Agency of a use or disclosure of protected health information by the Agency in violation of the requirements of this Contract.
4. The Agency agrees to report to King County any use or disclosure of protected health information not allowed under this contract, or security incident, within two days of the agency’s knowledge of such event.
5. The Agency agrees to ensure that any agent, including a subcontractor, to whom it provides protected health information received from, or created or received by the Agency on behalf of King County, agrees to the same restrictions and conditions that apply through this Contract to the Agency with respect to such information.
6. The Agency agrees to make available protected health information in accordance with 45 CFR § 164.524.
7. The Agency agrees to make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 CFR § 164.526.
8. The Agency agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, or created or received by the Agency on behalf of King County, available to the Secretary, in a reasonable time and manner for purposes of the Secretary determining King County’s compliance with the privacy rule.
9. The Agency agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY. AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
A. Obligations and Activities of the Agency
i. The Agency agrees not to use or disclose protected health information other than as permitted or required by this Contract, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Agency shall use and disclose protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e). The Agency is directly responsible for full compliance with the privacy provisions of HIPAA and HITECH that apply to business associates.
ii. The Agency agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the City as required by 45 CFR, Part 164, Subpart C. The Agency is directly responsible for compliance with the security provisions of HIPAA and HITECH to the same extent as the City.
iii. Within two (2) business days of the discovery of a breach as defined at 45 CFR § 164.402 the Agency shall notify the City of any breach of unsecured protected health information. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the Agency to have been, accessed, acquired, or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Agency is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; the contact procedures of the Agency for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address; and any other information required to be provided to the individual by the City pursuant to 45 CFR § 164.404, as amended. A breach shall be treated as disco...
