AG 13-237 - R.L. EVANS COMPANY, INCRETURN TO: EXT:
CITY OF FEDERAL WAY LAW DEPARTMENT ROUTING FORM
1. ORIGINATING DEPT./DIV: T HLtrAaA Ie -S®u pz-C.-e- :�s
2. ORIGINATING STAFF PERSON: UCa41 EXT: 0"S 2- 3. DATE REQ. BY.
4. TYPE OF DOCUMENT (CHECK ONE):
• CONTRACTOR SELECTION DOCUMENT (E.G., RFB, RFP, RFQ)
• PUBLIC WORKS CONTRACT ❑ SMALL OR LIMITED PUBLIC WORKS CONTRACT
❑ PROFESSIONAL SERVICE AGREEMENT ❑ MAINTENANCE AGREEMENT
❑ GOODS AND SERVICE AGREEMENT ❑ HUMAN SERVICES / CDBG
❑ REAL ESTATE DOCUMENT ❑ SECURITY DOCUMENT (E.G. BOND RELATED DOCUMENTS)
❑ ORDINANCE ❑ RESOLUTION
❑ CONTRACT AMENDMENT(AG #): ❑ iN_TERLOCAL
✓1 5 n
OTHER �i L . Q, An S 1 Ls .5 I-t Sb �� (� t-tc✓t a ,
5. PROJECT NAME: �1� fL -c^� - [ C & $ ✓I
6. NAME OF CONTRACTOR: IS . L • E✓ A n5 C, rro r4.1 y `I Yl C ,
ADDRESS: TELEPHONE
E -MAIL: FAX:
SIGNATURE NAME: TITLE
7. EXHIBITS AND ATTACHMENTS: ❑ SCOPE, WORK OR SERVICES ❑ COMPENSATION ❑ INSURANCE REQUIREMENTS /CERTIFICATE ❑ ALL
OTHER REFERENCED EXHIBITS ❑ PROOF OF AUTHORITY TO SIGN ❑ REQUIRED LICENSES ❑ PRIOR CONTRACT /AMENDMENTS
F
8. TERM: COMMENCEMENT DATE: ` 12-Le 1201 3 COMPLETION DATE:
I
9. TOTAL COMPENSATION $ (INCLUDE EXPENSES AND SALES TAX, IF ANY)
(IF CALCULATED ON HOURLY LABOR CHARGE - ATTACH SCHEDULES OF EMPLOYEES TITLES AND HOLIDAY RATES)
REIMBURSABLE EXPENSE: ❑ YES ❑ NO IF YES, MAXIMUM DOLLAR AMOUNT: $
IS SALES TAX OWED ❑ YES LINO IF YES, $ PAID BY. ❑ CONTRACTOR ❑
CITY
❑ PURCHASING: PLEASE CHARGE TO:
10. DOCUMENT /CONTRACT REVIEW INITIAL / DATE REVIEWED INITIAL/ DATE APPROVED
• PROJECT MANAGER
• DIRECTOR
• RISK MANAGEMENT (IF APPLICABLE)
❑ LAW
11. COUNCIL APPROVAL (IF APPLICABLE) COMMITTEE APPROVAL DATE: COUNCIL APPROVAL DATE:
12. CONTRACT SIGNATURE ROUTING
• SENT TO VENDOR/CONTRACTOR DATE SENT: DATE REC'D:
• ATTACH: SIGNATURE AUTHORITY, INSURANCE CERTIFICATE, LICENSES, EXHIBITS
INITIAL/ DATE SIGNED
• LAW DEPARTMENT
• CHIEF OF STAFF
❑ SIGNATORY (MAYOR OR DIRECTOR)
❑ CITY CLERK
❑ ASSIGNED AG# AG#
❑ SIGNED COPY RETURNED DATE SENT: s
COMMENTS:
11/9
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter "Agreement") is between City of Federal Way
(hereinafter "Covered Entity ") and R.L. Evans Company. Inc. (hereinafter "Business Associate "). Covered
Entity and Business Associate may be referred to herein individually as "Parry" or collectively as "Parties."
Covered Entity acknowledges that it is subject to the Privacy Rule (45 CFR Parts 160 and 164) promulgated by
the United States Department of Health and Human Services pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Public Law 104 -191.
Business Associate provides services or goods to Covered Entity pursuant to one or more contractual
relationships hereinafter referred to as "Consultant Services Agreement".
In the course of executing Consultant Services Agreement, Business Associate may come into contact with,
use, or disclose Protected Health Information (defined in Section 1.7 below). Said Consultant Services
Agreement are hereby incorporated by reference and shall be taken and considered as a part of this document
the same as if fully set out herein.
In accordance with the federal privacy regulations set forth at 45 C.F.R. Part 160 and Part 164, Subparts A and
E, which require Covered Entity to have a written contract with each of its Business Associates, the Parties wish
to establish satisfactory assurances that Business Associate will appropriately safeguard "Protected Health
Information" and, therefore, make this Agreement.
1. DEFINITIONS
1.1. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms,
in 45 CFR §§ 160.103 and 164.501.
1.2. "Individual" shall have the same meaning as the term "individual' in 45 CFR § 160.103 and shall include
a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.3. "Secretary" shall mean the Secretary of the Department of Health and Human Services or designee.
1.4. "Security Rule" shall mean the Security Standards for Protection of Electronic Protected Health
Information in 45 CFR § 160 and § 164, subparts A and C.
1.5. "Privacy Officer" shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1).
1.6. "Privacy Rule" shall mean the Standards for Privacy for Individually Identifiable Health Information at 45
CFR § 160 and § 164, subparts A and E.
1.7. "Protected Health Information" shall have the same meaning as the term "protected health information"
in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on
behalf of Covered Entity.
1.8. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
2.1. Business Associate agrees to fully comply with the requirements under the Privacy Rule applicable to
"business associates," as that term is defined in the Privacy Rule and not use or further disclose
Protected Health Information other than as permitted or required by this Agreement, Consultant
Services Agreement, or as Required By Law. In case of any conflict between this Agreement and
Consultant Services Agreement, this Agreement shall govern.
Page 1 of 6
2.2. Business Associate agrees to use appropriate procedural, physical, and electronic safeguards to
prevent use or disclosure of Protected Health Information other than as provided for by this Agreement.
Said safeguards shall include, but are not limited to, requiring employees to agree to use or disclose
Protected Health Information only as permitted or required by this Agreement and taking related
disciplinary actions for inappropriate use or disclosure as necessary.
2.3. Business Associate shall require any agent, including a subcontractor, to whom it provides Protected
Health Information received from, created or received by, Business Associate on behalf of Covered
Entity or that carries out any duties for the Business Associate involving the use, custody, disclosure,
creation of, or access to Protected Health Information, to agree, by written contract with Business
Associate, to the same restrictions and conditions that apply through this Agreement to Business
Associate with respect to such information.
2.4. Business Associate agrees to mitigate, to the extent practicable, any harmffi d effect that is known to
Business Associate of a use or disclosure of Protected Health Information by Business Associate in
violation of the requirements of this Agreement.
2.5. Business Associate agrees to immediately report to Covered Entity any security incident or any use or
disclosure of Protected Health Information, including Electronic Protected Health Information, not
provided for by this Agreement
2.6. Business Associate agrees to require its employees, agents, and subcontractors to immediately report,
to Business Associate, any use or disclosure of Protected Health Information in violation of this
Agreement and to report to Covered Entity any use or disclosure of the Protected Health Information not
provided for by this Agreement.
2.7. If Business Associate receives Protected Health Information from Covered Entity, then Business
Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information to
Covered Entity or, as directed by covered Entity, to an Individual in order to meet the requirements
under 45 CFR § 164.524.
2.8. If Business Associate receives Protected Health Information from Covered Entity, then Business
Associate agrees to make any amendments to Protected Health Information that the Covered Entity
directs or agrees to pursuant to the 45 CFR § 164.526 at the request of Covered Entity or an Individual,
and in the time and manner designated by Covered Entity.
2.9. Business Associate agrees to make its internal practices, books, and records including policies and
procedures and Protected Health Information, relating to the use and disclosure of Protected Health
Information received from, created by or received by Business Associate on behalf of, Covered Entity
available to the Secretary of the United States Department of Health in Human Services or the
Secretary's designee, in a time and manner designated by the Secretary, for purposes of determining
Covered Entity's or Business Associate's compliance with the Privacy Rule.
2.10. Business Associate agrees to document disclosures of Protected Health Information and information
related to such disclosures as would be required for Covered Entity to respond to a request by an
Individual for an accounting of disclosure of Protected Health Information in accordance with 45 CFR §
164.528.
2.11. Business Associate agrees to provide Covered Entity or an Individual, in time and manner designated
by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to
respond to a request by an Individual for and accounting of disclosures of Protected Health Information
in accordance with 45 CFR § 164.528, to provide access to, or deliver such information which shall
include, at minimum, (a) date of the disclosure; (b) name of the third party to whom the Protected Health
Information was disclosed and, if known, the address of the third party; (c) brief description of the
disclosed information; and (d) brief explanation of the purpose and basis for such disclosure.
Page 2 of 6
2.12. Business Associate agrees it must limit any use, disclosure, or request for use or disclosure of
Protected Health Information to the minimum amount necessary to accomplish the intended purpose of
the use, disclosure, or request in accordance with the requirements of the Privacy Rule.
2.13. Business Associate agrees to comply with the applicable requirements of the Security Rule, including
the requirement to maintain appropriate administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected
Health Information.
2.14. To the extent the Business Associate is to carry out one or more of the Covered Entity's obligations
under the Privacy Rule, including but not limited to the provision of a notice of privacy practices on
behalf of Covered Entity, Business Associate agrees to comply with the requirements of the Privacy
Rule that apply to Covered Entity in the performance of such obligations.
2.14.1. Business Associate acknowledges that if Business Associate is also a covered entity, as defined by the
Privacy Rule, Business Associate is required, independent of Business Associate's obligations under
this Agreement, to comply with the Privacy Rule's minimum necessary requirements when making any
request for Protected Health Information from Covered Entity.
2.14.2. Business Associate agrees to adequately and properly maintain all Protected Health Information
received from, or created or received on behalf of, Covered Entity and to document subsequent uses
and disclosures of such information by Business Associate as may be deemed necessary and
appropriate by the Covered Entity.
2.15. If Business Associate receives a request from an Individual for a copy of the individual's Protected
Health Information, and the Protected Health Information is in the sole possession of the Business
Associate, Business Associate will provide the requested copies to the individual and notify the Covered
Entity of such action. If Business Associate receives a request for Protected Health Information in the
possession of the Covered Entity, or receives a request to exercise other individual rights as set forth in
the Privacy Rule, Business Associate shall notify Covered Entity of such request and forward the
request to Covered Entity. Business Associate shall then assist Covered Entity in responding to the
request.
2.16. Business Associate agrees to fully cooperate in good faith with and to assist Covered Entity in
complying with the requirements of the Privacy Rule.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected
Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as
specified in Consultant Services Agreement, provided that such use or disclosure would not violate the
Privacy Rule if done by Covered Entity.
3.2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information as required for Business Associate's proper management and administration or to carry out
the legal responsibilities of the Business Associate.
3.3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health
Information for the proper management and administration of the Business Associate, provided that
disclosures are Required By Law, or provided that, if Business Associate discloses any Protected
Health Information to a third party for such a purpose, Business Associate shall enter into a written
agreement with such third party requiring the third party to: (a) maintain the confidentiality of Protected
Health Information and not to use or further disclose such information except as Required By Law or for
the purpose for which it was disclosed, and (b) notify Business Associate of any instances in which it
becomes aware in which the confidentiality of the Protected Health Information is breached.
Page 3 of 6
3.4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR §
164.504(e)(2)(1)(B).
4. OBLIGATIONS OF COVERED ENTITY
4.1. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity
produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
4.2. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an
Individual to use or disclose Protected Health Information, if such changes affect Business Associate's
permitted or required uses.
4.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected
Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the
extent that such restriction may affect Business Associate's use of Protected Health Information.
S. PERMISSIBLE REQUESTS BY COVERED ENTITY
5.1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in
any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
6. TERM AND TERMINATION
6.1. Term. This Agreement shall be effective as of the date on which it is signed by both parties and shall
terminate when all of the Protected Health Information provided by Covered Entity to Business
Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or
returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, Section
6.3. below shall apply.
6.2. Termination for Cause.
6.2.1. This Agreement authorizes and Business Associate acknowledges and agrees Covered Entity shall
have the right to immediately terminate this Agreement and Consultant Services Agreement in the event
Business Associate fails to comply with, or violates a material provision of, requirements of the Privacy
Rule or this Agreement.
6.2.2. Upon Covered Entity's knowledge of a material breach by Business Associate,
6.2.2.1. Covered Entity shall, whenever practicable, provide a reasonable opportunity for Business
Associate to cure the breach or end the violation.
6.2.2.2. If Business Associate has breached a material term of this Agreement and cure is not possible or if
Business Associate does not cure a curable breach or end the violation within a reasonable time as
specified by, and at the sole discretion of, Covered Entity, Covered Entity may immediately
terminate this Agreement and Consultant Services Agreement.
6.2.2.3. If neither cure nor termination are feasible, Covered Entity shall report the violation to the Secretary
of the United States Department of Health in Human Services or the Secretary's designee.
6.3. Effect of Termination.
6.3.1. Except as provided in Section 6.3.2., upon termination of this Agreement for any reason, Business
Associate shall return or destroy all Protected Health Information received from Covered Entity, or
created or received by Business Associate on behalf of, Covered Entity. This provision shall apply to
Page 4of6
Protected Health Information that is in the possession of subcontractors or agents of Business
Associate. Business Associate shall retain no copies of the Protected Health Information.
6.3.2. In the event that Business Associate determines that returning or destroying the Protected Health
Information is not feasible, Business Associate shall provide to Covered Entity notification of the
conditions that make return or destruction unfeasible. Upon mutual agreement of the Parties that return
or destruction of Protected Health Information is unfeasible, Business Associate shall extend the
protections of this Agreement to such Protected Health Information and limit further uses and
disclosures of such Protected Health Information to those purposes that make the return or destruction
unfeasible, for so long as Business Associate maintains such Protected Health Information.
7. MISCELLANEOUS
7.1. Regulatory Reference. A reference in this Agreement to a section in the Privacy Rule means the
section as in effect or as amended.
7.2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time
to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the
Health Insurance Portability and Accountability Act, Public Law 104 -191. Business Associate and
Covered Entity shall comply with any amendment to the Privacy Rule, the Health Insurance Portability
and Accountability Act, Public Law 104 -191, and related regulations upon the effective date of such
amendment, regardless of whether this Agreement has been formally amended.
7.3. Survival. The respective rights and obligations of Business Associate under Section 6.3. of this
Agreement shall survive the termination of this Agreement.
7.4. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits
Covered Entity and the Business Associate to comply with the Privacy Rule.
7.5. Notices and Communications. All instructions, notices, consents, demands, or other communications
required or contemplated by this Agreement shall be in writing and shall be delivered by hand, by
facsimile transmission, by overnight courier service, or by first class mail, postage prepaid, addressed to
the respective party at the appropriate facsimile number or address, or to such other party, facsimile
number, or address as may be hereafter specified by written notice.
All instructions, notices, consents, demands, or other communications shall be considered effectively
given as of the date of hand delivery; as of the date specified for overnight courier service delivery; as of
three (3) business days after the date of mailing, or on the day the facsimile transmission is received
mechanically by the facsimile machine at the receiving location and receipt is verbally confirmed by the
sender.
7.6. Strict Compliance. No failure by any Party to insist upon strict compliance with any term or provision of
this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of
any other Party shall affect, or constitute a waiver of, any Party's right to insist upon such strict
compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or
any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance
with any provision of this Agreement shall affect, or constitute a waiver of, any Party's right to demand
strict compliance with all provisions of this Agreement.
7.7. Severability. With respect to any provision of this Agreement finally determined by a court of competent
jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is
enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such
court's determination. In the event that any provision of this Agreement cannot be reformed, such
provision shall be deemed to be severed from this Agreement, but every other provision of this
Agreement shall remain in full force and effect.
Page 5 of 6
IN WITNESS WHEREOF,
COVERED ENTITY LEGAL ENTITY NAME: City of Federal Way
TE LEGAL ENTITY NAME: R.L. Evans Company, Inc.
Page 6 of 6