Resolution - 2023-R0210 - Electronic Health Records Agreement with University Medical Center

Resolution No. 2023-R0210
Item No. 6.20
April 25, 2023

RESOLUTION

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:

THAT the Mayor of the City of Lubbock is hereby authorized and directed to execute for and on behalf of the City of Lubbock, an Electronic Health Records Agreement, Cerner PowerChart Ambulatory ("EHR system"), to create electronic medical records and access electronic medical records created by other users of the EHR system, by and between the City of Lubbock and Lubbock County Hospital District d/b/a University Medical Center, and all related documents. Said Agreement is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minutes of the City Council.

Passed by the City Council on this

ATTEST: Courtney Paz, Interim

APPROVED AS TO CONTENT: Bill Ho erton, Deputy anager

APPROVED AS TO FORM: Ry B ooke, Senior Assistant City Attorney

RES.Electronic Health Records Agreement- U MC. doc 3 16.23

ELECTRONIC HEALTH RECORD AGREEMENT
Cerner PowerChart Ambulatory

This Agreement is between LUBBOCK COUNTY HOSPITAL DISTRICT D/B/A UNIVERSITY MEDICAL CENTER ("UMC") and THE CITY OF LUBBOCK ("City"). City is a Texas municipality. It maintains the City of Lubbock Health Department which provides public health services and health preparedness. To promote quality and efficient services, City requires an Electronic Health Records (EHR) system. The Hospital District owns and operates UMC, a general hospital located in Lubbock, Texas and licensed by the State of Texas. UMC is willing to provide Cerner PowerChart Ambulatory ("EHR system") to Practice.
The EHR system permits users to create electronic medical records, access electronic medical records created by other users of the EHR system, and to share electronic medical records with others for appropriate purposes. The EHR system includes e-prescribing capability, computerized order entry, and documentation and clinical support tools. The EHR system shall be provided under this Agreement in accordance with the federal Physician Self-Referral Law ("Stark") exception for EHR (42 CFR 411.357(w)(6)), the Anti-Kickback Statute safe harbor for EHR (42 CFR 1001.952(y)(5)), and the IRS Memorandum from the Exempt Organizations Division dated May 11, 2007.

Therefore, the Parties agree:

1. Term and Termination

1.1 Term. This Agreement shall begin on its execution and continue through March 31, 2024. Thereafter, this Agreement shall renew automatically each April 1st for successive one-year terms.

1.2 Termination. Either Party may terminate this Agreement by giving the other Party at least thirty days' prior written notice.

1.3 Automatic Termination. This Agreement shall terminate automatically if a Party is debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in government contracts or programs by any federal department or agency or by the State of Texas.

1.4 Termination Due to Regulation. If the Stark exception expires, this Agreement shall terminate automatically. The Parties will discuss options for continuing access to the EHR system pursuant to an amended agreement consistent with legal and regulatory requirements.

Electronic Health Record Agreement: City of Lubbock Health Department Page 1 of 15

2. License to Access and Use EHR System

2.1 License. Consistent with the license UMC has been granted by Cerner, and consistent with the terms of this Agreement, UMC shall provide City and each of City's Authorized Users (defined in this Agreement), with access to and the right to use the EHR system.
City's use of the EHR system is a nonexclusive, nonassignable, revocable, nontransferable right.

2.2 Implementation and Training. UMC shall install the EHR system and provide training on the use of the EHR system to City and its Authorized Users.

2.3 Hardware and Connectivity. City shall provide, at City's expense, all hardware and connectivity required for installation and operation of the EHR system. City shall be responsible for the maintenance and repair of such items. UMC may require hardware and connectivity modifications from time to time as necessary to support the EHR system.

2.4 Maintenance and Support. UMC shall provide maintenance and support for the EHR system, including system upgrades and changes. Availability of service may be affected by factors outside the control of UMC, including but not limited to the level of service provided by City's internet provider and functionality of City's hardware. UMC will provide updates and may offer additional functionalities from time to time, as new features and functionalities are developed. New functionalities may be subject to an additional charge.

2.5 Limitations

a. UMC items and services do not include hardware, storage devices, routers, or modems; software with core functionality other than EHR; the provision of staff to City's office; or support for data migration from paper to electronic records.

b. City shall not rely solely on the EHR system as the sole means of verifying critical patient data or communicating life threatening or critically important results. The availability of clinical support tools is provided as a convenience tool only and use of such EHR system shall not relieve City of the responsibility for exercising medical judgment or conducting appropriate medical inquiries.
City accepts sole responsibility for all medical judgments and advice made and provided by City based on Information available through the EHR system, in accordance with established standards of professional practice, and for the accuracy, integrity and completeness of the Information entered into the EHR System Property by City.

c. UMC warrants to City that the services provided will be performed in a workmanlike manner and will substantially conform to generally accepted industry standards at the time of the work. OTHERWISE, THE EHR SYSTEM IS BEING PROVIDED TO CITY AS IS, WITH NO WARRANTY OF ANY KIND. EXCEPT AS SET FORTH IN THIS SECTION, UMC MAKES NO OTHER WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO ANY ASPECT OF THE SERVICES OR THE EHR SYSTEM PROPERTY, INCLUDING WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE OR USE, OF NON-INFRINGEMENT OF THIRD-PARTY RIGHTS OR TITLE. FURTHER, UMC DISCLAIMS ANY WARRANTY THAT MAY ARISE OUT OF ANY COURSE OF DEALING OR COURSE OF PERFORMANCE, AND FOR ANY UNAVAILABILITY INCLUDING BUT NOT LIMITED TO CITY OR THIRD-PARTY ISSUES. CITY'S SOLE AND EXCLUSIVE REMEDY FOR ANY WARRANTY CLAIM IS REPAIR OR REPLACEMENT OF THE EHR SYSTEM PROPERTY AT UMC'S SOLE DISCRETION.

2.6 Representations on EHR System Donation

a. The EHR system includes e-prescribing capability that complies with CMS's Part D standards.

b. The EHR system is interoperable within the meaning of 42 CFR § 411.351 and 42 CFR § 1001.952(y). UMC shall not restrict interoperability or ability to interact with all payors or other systems.

c. UMC will provide the EHR system to any member in the active category of UMC's professional staff, subject to the terms and conditions of a written agreement.

d. UMC will not claim the cost of the donation of the EHR system on its Medicare or Medicaid cost report or otherwise shift its cost of the donation to any federal health care program.

e. UMC will provide ongoing updates to meet interoperability and interface needs as they develop.

f. UMC and City agree that UMC's donation is not a condition of doing business.

g. City's eligibility for the donation and the interface are not based on the volume or value of referrals or business generated between the parties.

h. City does not have equivalent items or services provided by UMC under this Agreement.

i. UMC has not loaned or financed City's payment for the EHR system.

j. The services do not include staffing of City offices and are not used primarily to conduct personal business or business unrelated to City.

3. Permitted Use

3.1 Secure Communications. UMC shall establish a secure method of communications regarding medical records and data maintained within the EHR system ("Information"). City may use the EHR system only in accordance with the terms of this Agreement, applicable laws and regulations regarding electronic medical information, Confidentiality and Use Agreement (Exhibit A attached to and incorporated into this Agreement), terms and conditions posted on the EHR system login page, and UMC policies, which policies are available to City.

3.2 Authorized Users. "Authorized Users" are personnel identified on a list that City has submitted to UMC. Only Authorized Users may access the EHR system. City is responsible for all access, use, and disclosure of information by Authorized Users. City shall:

a. obtain a signed Confidentiality and Use Agreement from each Authorized User and provide a copy to UMC;

b. ensure that Authorized Users access information only for those individuals with whom the City has a treatment relationship;

c. train all Authorized Users on their obligations under the Confidentiality and Use Agreement;

d. ensure that passwords assigned to Authorized Users are used only by those users and not shared with others;

e. monitor Authorized Users' use of the EHR system; take appropriate disciplinary action against Authorized Users who violate the terms of the Confidentiality and Use Agreement.

3.3 Use or Misuse of Information. In the event of any use or misuse of the information or the EHR system, including but not limited to, accessing, processing or using any non-patient records, City may be prevented from further use of the EHR system through injunctions, without the need of posting bond, and other remedies under rule, regulation or law. Furthermore, UMC may terminate this Agreement immediately for such breaches.

3.4 Security Breach Notice. City shall promptly disclose to UMC any breach in security in City's systems, whether internal or external, which could affect the security of the information or the EHR system, and City will take appropriate remedial action to ensure that the same type of breach does not recur. Furthermore, City shall disclose to UMC in writing immediately when an Authorized User's employment with City has terminated.

3.5 HIPAA Compliance. City acknowledges that it is a Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996 and the related regulations, as amended from time to time ("HIPAA") and agrees to comply with all applicable HIPAA requirements in using and accessing protected health information through the EHR system. UMC shall act as a Business Associate of City, as defined by the HIPAA privacy regulations, 45 C.F.R. § 160.103, in carrying out City's responsibilities under this Agreement. Such Business Associate Agreement is incorporated herein by reference as Exhibit B, which is attached to and incorporated into this Agreement.

3.6 Consent Form. City shall include patient consent form language substantially similar to this: "This office is a client of The UMC Health System, which uses a third-party software program to manage your electronic health record. Your records are accessible by physicians in the UMC Health System who are also using the City of Lubbock Health Department. I consent to allow access of my electronic health record to UMC Health System practitioners who may assist in my treatment."

4. Fees

4.1 Monthly Fee. Commencing on the installation and successful operation of the EHR system at City, and throughout the Term of the Agreement, City agrees to pay UMC the fees set forth in the FEE SCHEDULE, attached to and incorporated into this Agreement. Provider may add additional Authorized Users by paying UMC a fee for each additional Authorized User. UMC will bill the monthly fee in advance at the beginning of each month.

4.2 Additional Functionality. City shall pay UMC 15% of UMC's cost to build custom interfaces and provide system upgrades and additional functionality for the City. UMC will invoice Provider monthly for such costs. Payment is due within thirty (30) days from date of invoice.

5. General Terms

5.1 Access to Books, Documents and Records. City agrees that until the expiration of six years after the furnishing of services provided under this Agreement, the parties will make available to the Secretary of the United States Department of Health and Human Services ("the Secretary"), the United States Comptroller General, or the Texas Department of Health, and their duly authorized representatives, this contract and all books, documents, and records necessary to certify the nature and extent of the costs of those services.
If City carries out the duties of this Agreement through a subcontract, the subcontract will also contain an access clause to permit access by the Secretary, the United States Comptroller General, the Texas Department of Health, and their representatives to the related organization's books and records.

5.2 Severability. If any term or provision of this Agreement is held to be invalid for any reason, the invalidity of that section shall not affect the validity of any other section of this Agreement provided that any invalid provisions are not material to the overall purpose and operation of this Agreement. The remaining provisions of this Agreement shall remain in full force and shall in no way be affected, impaired, or invalidated.

5.3 Assignment. Neither party shall have the right to assign or transfer their rights to any third parties under this Agreement without prior written consent of the non-transferring party.

5.4 Amendment. This Agreement may be amended in writing to include such provision(s) as the Parties may agree upon.

5.5 Venue. This Agreement shall be governed by and construed and enforced in accordance with the laws of the State of Texas. Venue will be in Lubbock, Lubbock County, Texas for all purposes.

5.6 Notice. For purposes of giving any notices as may be required in this Agreement, a party may give notice by personal delivery, e-mail, fax, or by certified mail, return receipt requested.

5.7 Certification. Each party certifies that neither it nor its principals is presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this contract by any federal department or agency or by the State of Texas.
Each party will disclose immediately to the other party the name of any person who has an ownership or controlling interest or is an agent or managing employee who is convicted of a criminal offense related to the person's involvement in a government program.

5.8 Compliance. The parties acknowledge that each is subject to applicable federal and state laws and regulations, and policies and requirements of various accrediting organizations. Each party will enforce compliance with all applicable laws, regulations, and requirements, and will make available such information and records as may be reasonably requested in writing by the other party to facilitate its compliance, except for records that are confidential and privileged by law.

Lubbock County Hospital District d/b/a University Medical Center
By: Bill Eubanks
Executive Vice President and Chief Integration Officer
Date: 4 G Zo Z

City of Lubbock
Date: April 25, 2023

Contract Metric Count
Providers: 3
Clinic: 1
EMRs: 1

FEE SCHEDULE

Estimate Prepared for:
My Health Department

Discount: List Price 0%; Stark EMR-waiver participant 80%

| Clinic/Provider - EMR Cost Model | Metric | Count | List Price (1-time) | List Price (per month) | Stark EMR-waiver participant (1-time) | Stark EMR-waiver participant (per month) |
|---|---|---|---|---|---|---|
| Base EMR license* | Provider | 3 | $0 | $1,945 | $0 | $369 |
| Remote hosting of EMR | Provider | 3 | $0 | $150 | $0 | $30 |
| Software Installation & Training | Clinic | 1 | $5,000 | $0 | $1,000 | $0 |
| EMR migration (PDF only) | EMR | 1 | $5,000 | $0 | $1,000 | $0 |
| EMR Support | Provider | 3 | $0 | $300 | $0 | $60 |
| US Implementation | Clinic | 1 | $2,500 | $150 | $500 | $30 |
| Practice Management Financials | Clinic | 1 | n/a | n/a | n/a | n/a |
| EMR Subtotal: | | | $12,500 | $2,445 | $2,500 | $489 |
| Optional Equipment Estimates: (no discount) | | | | | | |
| IT Hardware (3 wkst; 1 ipad; 1 printer) | Provider | 0 | $0 | $0 | $0 | $0 |
| IT Network/Internet service | Clinic | 0 | $0 | $0 | $0 | $0 |
| Telephone service | Provider | 0 | $0 | $0 | $0 | $0 |
| Telephone devices 3 devices | Provider | 0 | $0 | $0 | $0 | $0 |
| Hardware Subtotal: | | | $0 | $0 | $0 | $0 |
| Grand Total: | | | $12,500 | $2,445 | $2,500 | $489 |

*Base EMR Includes:
Basic RN & MD documentation
Meds, Problems, Allergies tracking
Registration & Scheduling
Document Scanning
ePrescribing
Patient Portal
Direct Messaging
Pop Health Registries
PC Touch mobile / Voice dictation

Providers: Dr. Ron Cook; Resident physician; Nurse Practitioner

EXHIBIT A

CONFIDENTIALITY AND USE AGREEMENT

University Medical Center ("UMC") agrees to grant me access to the EHR System as an Authorized User, subject to the conditions set forth below. I agree to the following provisions:

1. I acknowledge that by accessing the EHR System, I may obtain confidential patient and clinical information, and I agree to comply with all existing and future UMC and UMC Health System policies and procedures concerning the security and confidentiality of Confidential Information.

2. I will transmit Confidential Information only by secure communications as allowed by UMC and its policies and procedures.

3. I agree that I will not save Confidential Information to portable media devices (Floppies, ZIP disks, CDs, PDAs, and other devices) or to cloud storage not approved by UMC.

4. I agree not to release my tokens, PINs, or passwords to any other person, including any employee or person acting on my behalf. I agree not to allow anyone else to access the EHR System under my tokens, PINs, or passwords. I agree not to use or release anyone else's tokens, PINs, or passwords. I agree to notify the UMC IT Security immediately if I become aware or suspect that another person has or may have access to my tokens, PINs, or passwords.

5. I agree not to allow any unauthorized person to use or access the Confidential Information and EHR System either onsite or remotely. I agree not to allow my family, friends or other persons to see the Confidential Information on my computer screen while I am accessing the EHR System. I further agree to fully log out of the EHR System before leaving my workstation.

6. I agree to follow all UMC policies and procedures concerning access, use and disclosure of patient health information. I agree to access Confidential Information only for those individuals with whom I or the practice for which I work have a treatment relationship. I also agree to access only the amount of Confidential Information necessary to perform my job functions related to that treatment relationship. I agree that I am strictly prohibited from accessing non-patient Information and shall hold UMC fully harmless from any damage related to such unauthorized access. Any other access requires the express permission of UMC.

7. I agree that I will never access Confidential Information for "curiosity viewing" or "surfing" patient records.
I understand that this includes viewing Confidential Information of children, other family members, friends, or coworkers, unless access is necessary to provide services to patients with whom I or the practice for which I work have a treatment relationship.

8. I agree that UMC may audit my compliance with this Agreement. I agree to allow UMC to inspect any computer I use for accessing the EHR System Property, including those located in my home, office or other facility.

9. I agree that my obligations under this Agreement will continue in the event my medical staff privileges with the practice are terminated or expire or my employment ends, as applicable, or in the event UMC terminates my access to the EHR System Property under this agreement.

10. I agree that if I breach any provision of this Agreement, UMC has the right to terminate my access to the EHR System Property immediately. I understand that, if I have credentials at UMC, any breaches may be referred to the peer review process as a breach of confidentiality as defined in the Bylaws of the Professional Staff or Professional Staff Rules and Regulations, with or without notice at UMC's discretion. Furthermore, any breach of these provisions may result in civil or criminal action taken against me, including the assessment of applicable penalties as it relates to such breach.

Authorized User:
Signature:
Printed Name:
Date:

Practice intends and agrees that the above Authorized User is acting on behalf of the Practice, and, therefore, Practice is jointly bound to the terms and restrictions of this Confidentiality and Use Agreement. Practice may be held, at UMC's election, to joint and several liability hereunder.
Practice Physician or Manager
Signature:
Printed Name:
Date:

EXHIBIT B

UNIVERSITY MEDICAL CENTER ("COVERED ENTITY")
HIPAA Business Associate Privacy and Security Agreement

Business Associate Name: University Medical Center
Covered Entity: City of Lubbock and its Health Department

RECITALS

The purpose of this BAA is to comply with "Privacy and Security Requirements," which collectively include, the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (codified at 45 C.F.R. Parts 160, 162, and 164), as amended ("HIPAA"); privacy and security regulations promulgated by the United States Department of Health and Human Services ("DHHS"); Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, as amended ("HITECH Act"); provisions regarding Confidentiality of Alcohol and Drug Abuse Patient Records (codified at 42 C.F.R. Part 2), as amended; TEX. HEALTH & SAFETY CODE ANN. §§ 81.046, as amended, 181.001 et seq., as amended, 241.151 et seq., as amended, and 611.001 et seq., as amended; and TEX. BUSINESS COMMERCE CODE ANN. 521.001 et seq.

I. Definitions

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. "Business Associate" ("BA") shall generally have the same meaning as the term "business associate" at 45 CFR 160.103.

(b) Covered Entity. "Covered Entity" ("CE") shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean University Medical Center.

(c) HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

(d) Protected Health Information ("PHI"). "Protected Health Information" or PHI shall mean individually identifiable health information that is transmitted or maintained in any form or medium.

(e) Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR 164.103 and/or Texas state laws and regulations.

II. Obligations and Activities of Business Associate

CE wishes to disclose certain information to BA pursuant to the terms of the Underlying Agreement, and BA agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Without unreasonable delay and in no case later than ten (10) days after discovery, report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident. BA further agrees to provide CE with the following information regarding a Security Incident when it reports such Security Incident to CE: (1) a brief description of what happened, including the dates the Security Incident occurred and was discovered; (2) a reproduction of the PHI involved in the Security Incident; and (3) a description of whether and how the PHI involved in the Security Incident was rendered unusable, unreadable, or indecipherable to unauthorized individuals either by encryption or otherwise destroying the PHI prior to disposal.
For purposes of this reporting requirement the term "Security Incident" does not include inconsequential incidents that occur on a frequent basis such as scans or "pings" that are not allowed past BA's firewall and that do not interfere with information system operations related to the PHI. If BA determines that it is infeasible to reproduce the PHI involved in the Security Incident, BA agrees to notify CE in writing of the conditions that make reproduction infeasible and any information BA has regarding the PHI involved. BA agrees that CE will review all Security Incidents reported by BA and CE, in its sole discretion, will take steps in response, to the extent necessary or required by law including, but not limited to, (1) notifying the individual(s) whose PHI was involved in the Security Incident, either in writing, via telephone, through the media, or by posting a notice on CE's website, or through a combination of those methods, of the Security Incident; (2) providing the individual(s) whose PHI was involved in the Security Incident with credit monitoring and related services for a period of time to be determined by CE, at no cost to the individual(s); and (3) providing notice of the Security Incident to the Secretary of the United States Department of Health and Human Services ("HHS"). BA agrees to reimburse CE for all expenses incurred as a result of BA's Security Incidents, including, but not limited to, expenses related to the activities described above.
BA agrees that CE will select the vendors and negotiate the contracts related to said expenses;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA agree in writing to the same restrictions, conditions, and requirements that apply to the BA with respect to such information;

(e) Within five (5) days of a request by CE for access to PHI about an individual, make available to CE such PHI for so long as such information is maintained. In the event any individual requests access to PHI directly from BA, BA shall within three (3) days forward such request to CE. Any denials of access to the PHI requested shall be the responsibility of CE;

(f) Upon CE's request, promptly amend PHI or a record about the individual in a Designated Record Set that is in the custody or control of BA, so that CE may meet its amendment obligations under 45 C.F.R. § 164.526. If an individual submits a request for amendment to BA, BA shall within three (3) days forward the request to CE;

(g) Within ten (10) days of notice by CE to BA that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, make available to CE such information as is in BA's possession and is required for CE to make the accounting required by 45 CFR 164.528. At a minimum, BA shall provide CE with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to BA, BA shall, within two (2) days, forward such request to CE.
It shall be CE's responsibility to prepare and deliver any such accounting requested. BA hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section; Electronic Health Record Agreement: City of Lubbock Health Department Page 11 of 15 (h) Comply with the requirements of Subpart E of 45 CFR Part 164 that apply to the CE in the performance of such obligation(s) to the extent the BA is to carry out one or more of CE's obligation(s) under Subpart E: (i) Make its internal practices, books, and records available to the CE and to the Secretary for purposes of determining compliance with the HIPAA Rules; 0) Comply with the Privacy and Security Requirements, which include Federal and State of Texas requirements governing information relating to HIV AIDS, mental health, and drugs or alcohol treatment or referral; (k) Not, without written authorization from CE, perform marketing or fundraising on behalf of CE, or engage in the types of communications on behalf of CE that are excepted from the definition of marketing established at 45 C.F.R. § 164.501. If CE requests and authorizes BA to engage in these activities, BA shall comply with the applicable Provisions of the HITECH Act and the HIPAA Rules; (1) Not directly or indirectly receive remuneration in exchange for an individual's PHI unless it is pursuant to specific written authorization by the individual or subject to an exception established in the HIPAA Rules; and (m) To the extent BA is a Creditor as defined in the Federal Trade Commission's (FTC) Red Flag Rules (16 CFR Part 681), comply with the FTC Red Flag Rules with respect to its use and disclosure of PHI under this Agreement, including but not limited to a written program to prevent, detect, and mitigate identify theft. III. 
Permitted Uses and Disclosures by Business Associate (a) BA may only use or disclose protected health information as necessary to provide Services to or on behalf of CE as provided in the underlying Service Agreement between CE and BA. (b) BA may use or disclose protected health information as required by law (c) BA agrees to limit uses and disclosures and requests for protected health information to "limited data set" as that term is defined at 45 CFR 164.514(e)(2) or, if needed, to the minimum necessary as defined at 45 CFR 164.502(b) to accomplish the intended purpose of such use, disclosure, or request. (d) BA may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by CE. (e) BA may use PHI to provide data aggregation services to CE as permitted by 45 CFR 164.504(e)(2)(i)(B). IV. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions (a) CE's current HIPAA Notice of Privacy Practices is found at httR:,: www.umchealthsystem.com/index Ahpifor- patients/notice-of-privacy. BA is responsible to review and comply with the uses and disclosures as set forth in this notice. (b) CE shall notify BA of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect BA's use or disclosure of protected health information. Electronic Health Record Agreement: City of Lubbock Health Department Page 12 of 15 (c) CE shall notify BA of any restriction on the use or disclosure of protected health information that CE has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect BA's use or disclosure of protected health information. V. 
Permissible Requests by Covered Entity (a) CE shall not request BA to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by CE. (b) CE may request BA to use or disclose PHI, if applicable and in accordance with the purpose of this Agreement or an agreement for services between CE and BA, for data aggregation. VI. Term and Termination (a) Term. The Term of this Agreement shall be effective as of the Effective Date, and shall terminate when all PHI provided to BA by CE, or created or received by BA on behalf of CE, is destroyed or returned to CE or on the date CE terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner. (b) Termination for Cause. BA authorizes termination of this Agreement and the underlying Service Agreement if the CE reasonably determines that BA has violated a material term of this Agreement. Prior to termination, CE shall provide BA with written notice of the breach and give BA an opportunity to cure the breach. If BA fails to cure the breach within a reasonable time as determined and specified by CE in its sole discretion, CE may terminate this Agreement and the underlying Service Agreement. (c) Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, BA shall return or destroy all protected health information that it maintains in any form and shall retain no copies of such information or, if the parties agree that return or destruction is not feasible, BA shall continue to extend the protections of this Agreement to such information and limit further use of the information to those purposes that make the return or destruction of the information not feasible. (d) Mitigation. If BA violates this Agreement or the HIPAA Rules, BA agrees to mitigate any damage caused by such breach. (e) Survival. The obligations of BA under this Section shall survive the termination of this Agreement. VII. 
General Terms (a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended. (b) Indemnification. BA agrees to indemnify, defend, and hold harmless, to the extent allowed by law, Lubbock County Hospital District d/b/a University Medical Center and its Board of Managers, Officers, Employees, and Agents (Individually and Collectively "Indemnitees") against any and all losses, liabilities, judgments, governmental fines and penalties, awards, and costs (including costs of investigations, legal fees, and expenses) arising out of or related to: 1. BA's breach of this BAA relating to the Privacy and Security Requirements; or 2. Any negligent or wrongful acts or omissions of BA or its employees, directors, officers, subcontractors, or agents, relating to the Privacy and Security Requirements, including failure to perform their obligations under the Privacy and Security Requirements. (c) Amendment. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. Notwithstanding the foregoing, to the extent that any relevant provision of HIPAA or the HIPAA Rules is amended in a manner that changes the obligations of BA or CE provided for in this Agreement, such changes shall be deemed automatically to apply to and to be incorporated by reference into this Agreement. The Parties agree to amend this Agreement from time to time as necessary to reflect their agreement to such changes. (d) Severability. The provisions of this Agreement shall be severable, and if a provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein. 
(e) No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not a party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement. (f) Entire Agreement. This Agreement constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, Agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. (g) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. (h) Notices. Any notice required to be given pursuant to the terms and provisions of this BAA will be in writing and deemed to be given: (a) upon delivery in person, (b) three (3) days after the date deposited with or sent by U.S. Mail (first class, postage paid, return receipt requested), or (c) upon receipt by commercial delivery service, and addressed as follows, or to such address as CE may subsequently designate to BA in writing: Lubbock County Hospital District d/b/a University Medical Center Attn: Privacy Officer 602 Indiana Avenue Lubbock, Texas 79415 (i) Inspection. Upon written request, BA agrees to make available to CE and its duly authorized representatives during normal business hours BA's internal practices, books, records and documents relating to the use and disclosure of confidential information, including, but not limited to, PHI received from, or created or received on behalf of, CE in a time and manner designated by CE for the purposes of CE determining compliance with the Privacy and Security Requirements. BA agrees to allow such access until the expiration of four (4) years after the services are furnished under the contract or subcontract or until the completion of any audit or audit period, whichever is later. 
BA agrees to allow similar access to books, records, and documents related to contracts between CE and organizations related to or subcontracted by CE to whom BA provides confidential information, including, but not limited to, PHI received from, or created or received on behalf of, CE. (j) No Agency. BA shall not be deemed to be the common law agent of CE. (k) Assignment. This Agreement shall be binding upon and shall inure to the benefit of the parties and their respective heirs (as applicable), legal representatives, successors, and permitted assigns. BA shall not have the right to assign or transfer its rights and obligations under this Agreement to any third party without prior written consent of CE. (l) Execution. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and all of which shall constitute but one Agreement. (m) Compliance with Applicable State Law. To the extent state law is not preempted by HIPAA, BA shall comply with the laws of the State of Texas protecting the access, use, disclosure and maintenance of PHI including without limitation requirements for reporting of a breach, breach notification to affected individuals and training of BA's work force. The District Court of Lubbock County, Texas shall be the exclusive forum for the determination of any disputes regarding or related to this Agreement or its performance and the parties irrevocably consent to the personal jurisdiction and venue in such court, provided that, if the District Court of Lubbock County lacks subject matter jurisdiction, exclusive jurisdiction and venue shall be in the court nearest to Lubbock, Texas which has subject matter jurisdiction over the controversy. (n) Audit. BA shall immediately notify CE's Privacy Officer if BA becomes the subject of a Department of Health and Human Services audit pursuant to 42 USC § 17940. 