BUSINESS ASSOCIATE AGREEMENT
For The City of Redmond

This Business Associate Agreement ("Agreement") is entered into by and between the City of Redmond ("Covered Entity") and _______________, ("Business Associate"), effective as of the ___ day of _______________, 20__ ("Effective Date").

RECITALS

WHEREAS, the parties contemplate one (1) or more arrangements (collectively, the "Arrangement") whereby Business Associate provides services to Covered Entity, and Business Associate creates, receives, maintains, transmits, or has access to Protected Health Information in order to provide those services;

WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and regulations promulgated thereunder, including the Standards for Privacy and for Security of Individually Identifiable Health Information codified at 45 Code of Federal Regulations ("CFR") Parts 160, 162, and 164 ("Privacy Regulations" and "Security Regulations");

WHEREAS, the Privacy Regulations and Security Regulations require Covered Entity to enter into a contract with Business Associate in order to mandate certain protections for the privacy and security of Protected Health Information, and those regulations prohibit the Disclosure or Use of Protected Health Information by or to Business Associate if such a contract is not in place;

AGREEMENT

NOW, THEREFORE, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:

I. DEFINITIONS

1.1 Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning assigned to such terms in HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") and as set forth in 45 CFR Parts 160, 162 and 164.

II. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Permitted Uses and Disclosures of PHI. Except as otherwise limited in this Agreement, Business Associate may Use and Disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the written documents describing the Arrangement entered into by the parties, provided that such Use or Disclosure of PHI would not violate the Privacy Regulations or Security Regulations if done by Covered Entity. Business Associate further agrees not to Use or Disclose PHI other than as permitted or required by this Agreement, or as Required by Law.

2.2 Adequate Safeguards for PHI. Business Associate shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by this Agreement or as Required by Law.

2.3 Adequate Safeguards for EPHI. Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate shall comply with the Security Regulations, where applicable, with respect to EPHI to prevent the Use or Disclosure of EPHI other than as permitted by this Agreement. Such compliance shall include but not be limited to, creation and maintenance of security policies and procedures pursuant to 45 CFR 164.316 and an ongoing risk assessment conducted in accordance with 45 CFR 164.308.

2.4 Reporting Non-Permitted Use, Disclosure, or Breach.

(a) Business Associate shall immediately in writing notify Covered Entity of any Use or Disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware.

(b) Business Associate shall report to Covered Entity any Security Incident of which it becomes aware as follows: (a) reports of successful unauthorized access shall be made immediately; and (b) reports of attempted unauthorized access shall be made in a reasonable time and manner considering the nature of the information to be reported.

(c) Business Associate shall report to Covered Entity a Breach or potential Breach of Unsecured PHI without unreasonable delay, but not later than five (5) days, following Business Associate's discovery of such Breach or potential Breach, where such report will include the identification of each individual whose Unsecured PHI has been or is reasonably believed to have been breached, additional information that Covered Entity is required to include in a Breach notification pursuant to 45 CFR 164.404(c), and other information as requested by Covered Entity. Business Associate agrees to not notify patients, the media, or HHS of a Breach unless requested to do so by Covered Entity or unless otherwise required by law. For purposes of the foregoing obligation, "Breach" shall mean the acquisition, access, Use, or Disclosure of PHI in a manner not permitted under the HIPAA Privacy Regulations which compromises the security or privacy of such information, as further defined in 45 CFR 164.402. Business Associate shall supplement its report(s) if the above information is not available at the time of the initial report, and Business Associate shall otherwise cooperate with Covered Entity's requests for information as may be necessary for Covered Entity to evaluate the scope of the incident and related compliance issues. Business Associate must notify Covered Entity of the Breach or potential Breach regardless of whether Business Associate has conducted a risk assessment, or the results of the risk assessment, described in 45 CFR 164.404.

2.5 Notice. All reporting pursuant to this Agreement shall be to the City of Redmond Privacy Officer at the following e-mail address: privacy@redmond.gov.

2.6 Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of PHI by Business Associate on behalf of Covered Entity available to the Secretary of the federal Department of Health and Human Services ("HHS") for purposes of determining Covered Entity's compliance with the Privacy Regulations and Security Regulations. Business Associate shall immediately in writing notify Covered Entity of any requests made by HHS and provide Covered Entity with copies of any documents produced in response to such request.

2.7 Access to and Amendment of PHI. In the event that Covered Entity's PHI in the Business Associate's possession constitutes a Designated Record Set, Business Associate shall, within five (5) days of receiving a request from Covered Entity for access to PHI about an Individual contained in a Designated Record Set: (a) make the PHI specified by Covered Entity available to Covered Entity to access and copy that PHI, and (b) make PHI available to Covered Entity for the purpose of amendment and incorporating such amendments into the PHI. Covered Entity is responsible for responding to Individuals' request for access to PHI and, in the event Business Associate receives such requests directly from Individuals, Business Associate shall notify Covered Entity of the request promptly, but in no event longer than five (5) business days, for Covered Entity to respond to the Individuals. Business Associate shall have a process in place for requests and amendments from Covered Entity.

2.8 Accounting of Disclosures.

(a) In accordance with 45 CFR 164.528, and Section 13405(c) of Title XII, Subtitle D of the HITECH Act, codified at 42 U.S.C. § 17932, Business Associate agrees to: (a) document Disclosures of PHI and information related to such Disclosures; (b) provide such documentation to Covered Entity in a time and manner designated by Covered Entity; and (c) permit Covered Entity to respond to a request by an individual for an accounting of Disclosures of PHI. Within ten (10) days of Business Associate receiving a request from Covered Entity, Business Associate shall provide to Covered Entity an accounting, as described in 45 CFR 164.528, of each Disclosure of PHI made by Business Associate or its employees, agents, representatives, or subcontractors. Covered Entity is responsible for responding to Individuals' request for an accounting and, in the event Business Associate receives such requests directly from Individuals, Business Associate shall notify Covered Entity of the request promptly, but in no event longer than five (5) business days, for Covered Entity to respond to the Individuals.

(b) Any accounting provided by Business Associate under this Section 2.8 shall include: (i) the date of Disclosure; (ii) the name, and address, if known, of the entity or person who received the PHI; (iii) a brief description of Disclosed PHI; and (iv) a brief statement of the purpose of Disclosure. For each Disclosure that could require an accounting under this Section 2.8, Business Associate shall document the information specified in (i) through (iv), above, and shall securely retain this documentation for six (6) years from the date of Disclosure.

2.9 Use of Subcontractors and Agents.

(a) Business Associate may Disclose PHI to a subcontractor, and may allow the subcontractor to create, receive, maintain, access or transmit PHI on its behalf, provided that Business Associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information. Without limiting the generality of the foregoing, Business Associate shall require each of its subcontractors that create, receive, maintain, access or transmit PHI on behalf of Business Associate to execute a written agreement obligating the subcontractor to comply with all terms of this Agreement and to agree to the same restrictions and conditions that apply to Business Associate with respect to the PHI. Upon request from Covered Entity, Business Associate shall provide a list of subcontractors that it has Disclosed PHI to and the nature of the Disclosed PHI.

(b) Business Associate shall terminate its agreement with any subcontractor if Business Associate knows of or discovers a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the subcontractor's HIPAA obligation under the written agreement with Covered Entity. Business Associate shall immediately notify Covered Entity of the termination of the subcontractor agreement if such termination resulted from a material breach or violation of the subcontractor's HIPAA obligations.

(c) Business Associate shall require the subcontractor assent in writing to the jurisdiction and laws of the United States, regardless of whether the subcontractor is a foreign entity, is performing services outside the United States, or is not otherwise subject to the jurisdiction of the United States. Business Associate hereby agrees not to transmit or store any PHI outside of the United States.

2.10 Agreement to Mitigate. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement, and to promptly communicate to Covered Entity any actions taken pursuant to this Section 2.10.

2.11 Business Associate Practices, Policies and Procedures. Business Associate represents and warrants that Business Associate's privacy and security policies and practices shall meet current standards set by applicable state and federal law for the protection of PHI including, without limitation, user authentication, data encryption, monitoring and recording of database access, internal privacy standards and a compliance plan, all designed to provide assurances that the requirements of this Agreement are met. Upon reasonable notice, Business Associate shall make its facilities, systems, books and records available to Covered Entity to monitor Business Associate's compliance with this Agreement.

2.12 Compliance with Covered Entity Obligations. To the extent Business Associate carries out Covered Entity's obligations under the Privacy Regulations and Security Regulations, Business Associate shall comply with the requirements of such regulations that apply to Covered Entity in the performance of such obligations.

2.13 HITECH Act Compliance. Business Associate will comply with the requirements of the HITECH Act, codified at 42 U.S.C. §§ 17921–17954, which are applicable to business associates, and will comply with all regulations issued by HHS to implement these referenced statutes, as of the date by which business associates are required to comply with such referenced statutes and HHS regulations.

2.14 Minimum Necessary. Business Associate shall Use or Disclose only the minimum necessary amount of PHI to accomplish the intended purpose of such Use or Disclosure.

III. OBLIGATIONS OF COVERED ENTITY

3.1 Covered Entity shall, upon request, provide Business Associate with its current notice of privacy practices adopted in accordance with the Privacy Regulations.

3.2 Covered Entity shall inform Business Associate of any revocations, amendments or restrictions in the Use or Disclosure of PHI if such changes affect Business Associate's permitted or required Uses and Disclosures of PHI hereunder.

IV. ADDITIONAL PERMITTED USES

4.1 Except as otherwise limited in this Agreement or the Arrangement, Business Associate may Use and Disclose PHI as set forth below:

(a) Use of Information for Management, Administration and Legal Responsibilities. Business Associate may Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(b) Disclosure of Information for Management, Administration and Legal Responsibilities. Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if the Disclosure is Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose of which it was Disclosed, and the person notifies Business Associate of any instances of which it is aware where confidentiality of the information has been breached.

V. TERM AND TERMINATION

5.1 Term and Termination. This Agreement shall commence as of the Effective Date and shall continue in effect unless and until terminated by Covered Entity under this Section 5.1. Covered Entity may terminate this Agreement, without cause or penalty, on five (5) days' prior written notice to Business Associate. In addition, this Agreement may be terminated by Covered Entity immediately and without penalty upon written notice by Covered Entity to Business Associate if Covered Entity determines, in its sole discretion, that Business Associate has violated any material term of this Agreement. Business Associate's obligations under Sections 2.4, 2.5, 2.7, 2.8, 2.9, 2.9(b), 2.10, 5.2, 6.3, 6.5, 6.6 and 6.10 of this Agreement shall survive the termination of this Agreement.

5.2 Disposition of PHI upon Termination. Upon termination of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all PHI maintained in any form by Business Associate or its agents and subcontractors, and shall retain no copies of such PHI unless directed to do so by Covered Entity. However, if Covered Entity determines that neither return nor destruction of PHI is feasible, Business Associate may retain PHI provided that Business Associate: (a) continues to comply with the provisions of this Agreement for as long as it retains PHI, and (b) limits further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.

VI. GENERAL TERMS

6.1 No Third Party Beneficiaries. There are no third party beneficiaries to this Agreement.

6.2 Relationship to Agreement Provisions. In the event that a provision of this Agreement is contrary to a provision of any other agreement between the parties, the provisions of this Agreement shall control.

6.3 Indemnification. Business Associate will indemnify, hold harmless and defend Covered Entity from and against any and all claims, losses, liabilities, costs, and other expenses (including attorneys' fees) incurred as a result or arising directly or indirectly out of, or in connection with (a) any misrepresentation, breach, or non-fulfillment of any undertaking on the part of Business Associate under this Agreement; (b) any claims, demands, awards, judgments, actions, and proceedings made by any person or organization, arising out of or in any way connected with Business Associate's obligations under this Agreement; and (c) a breach of unsecured PHI caused by Business Associate or its subcontractors or agents. Without limiting the generality of the foregoing, Business Associate agrees to reimburse Covered Entity for any and all costs and expenses incurred as a result or arising directly or indirectly out of Covered Entity's compliance with the HIPAA breach notification requirements set forth at 42 U.S.C. § 17932 and 45 CFR 164.40 et seq. as a result of a Breach by Business Associate, including but not limited to all costs associated with Covered Entity's obligation to notify affected Individuals, the government, and the media of a Breach and any costs for credit monitoring, as applicable or establishing a toll-free number. Any limitation of liability set forth in written agreements pertaining to the Arrangement shall not apply to this Agreement.

6.4 Insurance. Business Associate shall obtain and maintain during the term of this Agreement, and at any time in which it retains PHI, liability insurance covering common law claims, breach notification expenses, data theft, and coverage related to the violation of state or federal information privacy and security laws or regulations. The policy limits for such coverage shall not be less than $1,000,000 per claim, and $3,000,000 in the annual aggregate. Such insurance shall name Covered Entity as an additional named insured. A copy of such policy or a certificate evidencing the policy shall be provided to Covered Entity upon written request. Business Associate shall provide Covered Entity with written notice of any policy cancellation within two (2) business days of the receipt of such notice. Failure of Business Associate to maintain the insurance as required shall constitute a material breach of this Agreement, upon which Covered Entity may, after giving five (5) business days notice to Business Associate to correct such breach, immediately terminate this Agreement. Business Associate's maintenance of insurance as required by this Agreement shall not be construed to limit the liability of Business Associate to the coverage provided by such insurance, or otherwise limit Covered Entity's recourse to any remedy available at law or in equity.

6.5 Data Ownership. Business Associate acknowledges and agrees that Covered Entity owns all rights, interests, and title in and to its data, including all PHI and any de-identified data, and title shall remain vested in Covered Entity at all times. Accordingly, Business Associate hereby acknowledges and agrees that it does not have the right to engage in the sale of PHI. Business Associate shall not de-identify PHI or Use or Disclose any such de-identified information unless otherwise permitted in writing by Covered Entity.

6.6 Governing Law; Venue and Jurisdiction; Attorneys' Fees. This Agreement shall in all respects be interpreted, enforced and governed by the laws of Washington State. Venue for any action or proceeding shall be in King County, Washington. In the event of any litigation or arbitration relating to or arising out of this Agreement, the substantially prevailing party or parties shall be entitled to its cost of litigation or arbitration, and reasonable attorneys' fees, including any attorneys' fees and costs incurred in bankruptcy or insolvency proceedings or on any appeal.

6.7 Legal Compliance. The parties hereto shall comply with applicable laws and regulations governing their relationship, including, without limitation, the Privacy Regulations, the Security Regulations, and any other federal or state laws or regulations governing the privacy, confidentiality, or security of patient health information, including without limitation, the Washington Uniform Healthcare Information Act, RCW Ch. 70.02. Business Associate shall comply with applicable state and federal statutes and regulations as of the date by which business associates are required to comply with applicable statutes and regulations. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Regulations, the Security Regulations, the HITECH Act, RCW ch. 70.02 and other federal or state laws or regulations governing the privacy, confidentiality, or security of patient health information or PHI.

6.8 Amendment. Upon request by Covered Entity, Business Associate agrees to promptly enter into negotiations with Covered Entity concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of the Privacy Regulations, Security Regulations, or other applicable laws. Covered Entity may terminate this Agreement upon thirty (30) days written notice to Business Associate in the event: (a) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section, or (b) Business Associate does not enter into an amendment of this Agreement providing assurances regarding the safeguarding of PHI that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of the Privacy Regulations, Security Regulations, or other applicable laws.

6.9 Severability. If a provision of this Agreement is held invalid under any applicable law, such invalidity will not affect any other provision of this Agreement that can be given effect without the invalid provision. Further, all terms and conditions of this Agreement will be deemed enforceable to the fullest extent permissible under applicable law, and, when necessary, the court is requested to reform any and all terms or conditions to give them such effect.

6.10 Public Records Act. The parties acknowledge that the confidentiality provisions of the HIPAA Privacy Regulations constitute an "other statute which exempts or prohibits disclosure" under the Washington State Public Records Act (see RCW 42.56.070(1); see also Hangartner v. Seattle, 151 Wn.2d 439, 453 (2004)), and that the confidentiality provisions under the Privacy Regulations and this Agreement shall control. Furthermore, Business Associate shall not release any de-identified health information without first notifying and conferring with Covered Entity.

6.11 No Assignment. Neither party shall assign this Agreement without the prior written consent of the other party.

6.12 Entire Agreement. This Agreement represents the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior discussions, negotiations and agreements relating to the same subject matter, including, but not limited to other business associate agreements or agreements related to patient data and the access, use, privacy, security and confidentiality of patient data. In the event of conflict between any written or oral provision of the Arrangement and any provision of this Agreement, the applicable provisions of this Agreement shall control with respect to patient data and the access, use, privacy, security and confidentiality of patient data.

6.13 Independent Contractor. Business Associate and Covered Entity are and shall be independent contractors to one another, and nothing herein shall be deemed to cause this Agreement to create an agency, partnership, or joint venture between the parties. No acts performed, or words spoken by either party with respect to any third party, shall be binding upon the other. Any and all obligations incurred by either party in connection with the performance of any of its obligations hereunder shall be solely at that party's own risk. Each party agrees that it shall not represent itself as the agent or legal representative of the other for any purpose whatsoever.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement effective as of the Effective Date.

Business Associate: City of Redmond:

By:___________________________

Print Name: ______________________

Title: _____________________________

Dated: _____________________________