VIII-07 Authorize Signature - Agreement for Professional Services and Business Associate Addendum for Protected Health Information with Emergency Services Perspectives

City of Hastings  101 Fourth Street East  Hastings, MN 55033-1944  Phone: 651-480-2350  www.hastingsmn.gov

City Council Memorandum

To: Mayor Fasbender & City Council Members
From: John Townsend, Fire Chief
Date: August 15, 2023
Item: Approve Agreement for Professional Services and Business Associate Addendum for Protected Health Information with Emergency Service Perspectives.

Council Action Requested: Approve Professional Services Agreement and Addendum for Protected Health Information with Emergency Service Perspectives.

Background Information: The agreement with Emergency Service Perspectives is part of upgrading the Image Trend records management system. The addendum is for access to our records management system and protected health information.

Financial Impact: 2023 budgeted records management upgrade; no impact to budget

Advisory Commission Discussion: N/A

Council Committee Discussion: N/A

Attachments:
1. Professional Services Agreement
2. Business Associate Addendum

VIII-07 1 of 5 224667v1

PROFESSIONAL SERVICES AGREEMENT

This PROFESSIONAL SERVICES AGREEMENT (“Agreement”) made this 21st day of August 2023 (“Effective Date”), by and between the CITY OF HASTINGS, a Minnesota municipal corporation (“City”) and EMERGENCY SERVICE PERSPECTIVES (ESP), a Minnesota business (“Consultant”).

IN CONSIDERATION OF THEIR MUTUAL COVENANTS THE PARTIES AGREE AS FOLLOWS:

1. CONTRACT DOCUMENTS. The Contract consists of the following documents:
A. This Professional Services Agreement;
B. Business Associate Addendum

2. SCOPE OF SERVICES. The City retains Consultant and Consultant agrees to provide the following services (the “Project”):
A. From the date of this Agreement through one calendar year, Consultant shall:
i. Provide the City with five (5) Arc GIS pre-built Dashboards, including departmental customizations without additional data fields (“Dashboard”).
ii. Provide hosting services for the Dashboards.
iii. Present ten (10) monthly RMS/GIS in-person meetings lasting 90 to 150 minutes long (“Trainings”). ESP and the City will work cooperatively to determine the topics of and schedule the Trainings to best meet the City’s needs.

3. COMPENSATION.
A. For Project services, the City shall pay Consultant as follows:
i. Training sessions and dashboards are a combination price. Dashboard hosting comes with the trainings. Package price is $5000 for one calendar year. The dashboards are software as a service. This is a one-year agreement on hosting this software. Trainings will be completed monthly for 10 months. If additional training is requested, a new contract will be offered. The City will pay this amount in one payment. This amount will be paid in accordance with Paragraph 3.C.
B. Consultant shall be paid at a rate of $150.00 per hour for any work requested and performed above and beyond the scope of the Project. Such hourly rate will be effective for the Term of the Agreement. City will receive a formal proposal before any billable work is performed above and beyond the scope of this Agreement.
C. The City will pay Consultant within thirty (30) days upon receipt of a properly itemized invoice for work completed, unless the City has a good faith dispute over the amount of the bill, in which case the City must pay the amount that is not in dispute.

4. TERM. The term of this Agreement shall be effective on the Effective Date of this Agreement for a Term of one year. This Agreement will not be automatically renewed or extended. This Agreement may be extended upon mutual written agreement of the parties. Upon the completion of the term of this Agreement, the City shall be liable to Consultant for services performed and unpaid under this Agreement.

5. DOCUMENTS. The City shall be the owner of all documents, reports, studies, analysis and the like prepared by the Consultant in conjunction with this contract. Except as provided herein, Consultant shall exclusively own all work Consultant provides to the City, including exclusive rights to dashboard designs and lay-outs. The City agrees not to copy, retain, or share dashboards owned or developed by Consultant, unless required pursuant to the Minnesota Government Data Practices Act, Minn. Stat. Ch. 13. The City shall use its best efforts to protect any data identified as trade secret data as confidential data.

6. COMPLIANCE WITH LAWS AND REGULATIONS. In providing services hereunder, Consultant shall abide by all statutes, ordinances, rules and regulations pertaining to the provisions of services to be provided.

7. STANDARD OF CARE. Consultant shall exercise the same degree of care, skill, and diligence in the performance of the services as is ordinarily possessed and exercised by a professional consultant under similar circumstances. No other warranty, expressed or implied, is included in this Agreement. The City shall not be responsible for discovering deficiencies in the accuracy of Consultant’s services.

8. INSURANCE. Consultant shall secure and maintain a professional liability insurance policy. Said policy shall insure payment of damages for legal liability arising out of the performance of professional services for the City, in the insured's capacity as Consultant, if such legal liability is caused by an intentional or negligent act, error or omission of the insured or any person or organization for which the insured is legally liable. The policy shall provide minimum limits of $1,000,000.00 per incident with a deductible maximum of $125,000.00. Before commencing work, Consultant shall provide the City a certificate of insurance evidencing the required insurance coverage in a form acceptable to City.
The certificate shall provide that such insurance cannot be cancelled until thirty (30) days after the City has received written notice of the insurer’s intention to cancel this insurance.

9. INDEPENDENT CONTRACTOR. The City hereby retains Consultant as an independent contractor upon the terms and conditions set forth in this Agreement. Consultant is not an employee of the City and is free to contract with other entities as provided herein. Consultant shall be responsible for selecting the means and methods of performing the work. Consultant shall furnish any and all supplies, equipment, and incidentals necessary for Consultant's performance under this Agreement. The City and Consultant agree that Consultant shall not at any time or in any manner represent that Consultant or any of Consultant's agents or employees are in any manner agents or employees of the City. Consultant shall be exclusively responsible under this Agreement for Consultant's own FICA payments, workers compensation payments, unemployment compensation payments, withholding amounts, and/or self-employment taxes if any such payments, amounts, or taxes are required to be paid by law or regulation.

10. ENTIRE AGREEMENT. This Agreement supersedes all oral agreements and negotiations between the parties relating to the subject matter hereof as well as any previous agreements presently in effect between the parties relating to the subject matter hereof. Any alterations, amendments, deletions, or waivers of the provisions of this Agreement shall be valid only when expressed in writing and duly signed by the parties, unless otherwise provided herein.

11. CONTROLLING LAW. This Agreement shall be governed by and construed in accordance with the laws of the State of Minnesota. In the event of litigation, the exclusive venue shall be in the District Court of the State of Minnesota for Dakota County.

12. ASSIGNMENT. Neither party shall assign this Agreement, or any interest arising herein, without the written consent of the other party.

13. WAIVER. Any waiver by either party of a breach of any provisions of this Agreement shall not affect, in any respect, the validity of the remainder of this Agreement.

14. MINNESOTA GOVERNMENT DATA PRACTICES ACT. Consultant must comply with the Minnesota Government Data Practices Act, Minnesota Statutes Chapter 13, as it applies to (1) all data provided by the City pursuant to this Agreement, and (2) all data, created, collected, received, stored, used, maintained, or disseminated by the Consultant pursuant to this Agreement. Consultant is subject to all the provisions of the Minnesota Government Data Practices Act, including but not limited to the civil remedies of Minnesota Statutes Section 13.08, as if it were a government entity. In the event Consultant receives a request for data related in any way to this agreement or the services provided hereunder, Consultant must immediately notify the City. Consultant shall not release any data without the written consent of the City. Consultant agrees to defend, indemnify, and hold the City, its officials, officers, agents, employees, and volunteers harmless from any claims resulting from Consultant’s officers’, agents’, partners’, employees’, volunteers’, assignees’ or subcontractors’ unlawful disclosure and/or use of protected data. The terms of this paragraph shall survive the cancellation or termination of this Agreement.

15. TERMINATION OF THE AGREEMENT. Either City or Consultant may terminate this Agreement upon thirty (30) days’ written notice (including delivery by facsimile or electronic mail) to the other party or as provided in Article 4 of the Business Associate Addendum.

IN WITNESS WHEREOF, the parties have entered into this Agreement on the dates shown below.
By signing below each party specifically acknowledges that it has read this Agreement, that it has been advised to review the terms of this Agreement with legal counsel, that it has received all necessary approvals from governing bodies to enter into such Agreement, and that it agrees to be legally bound by all terms of the Agreement.

EMERGENCY SERVICE PERSPECTIVES
Dated: , 2023
Brian DesLauriers, Owner ESP

CITY OF HASTINGS
Mary Fasbender, Mayor
Kelly Murtaugh, City Clerk

VIII-07 Page 1 of 11

BUSINESS ASSOCIATE ADDENDUM

THIS BUSINESS ASSOCIATE ADDENDUM (“Addendum”), is made and entered into by and between The City of Hastings, Minnesota (“Covered Entity”) and Emergency Service Perspectives. (“Business Associate”). This Addendum shall form a part of all agreements and other engagements as are currently in effect between the parties under which Protected Health Information (“PHI”) (as defined in Article 1 of this Addendum) is provided, created or received by Business Associate from or on behalf of Covered Entity, and shall supersede and replace any business associate agreement or amendment previously entered into between Covered Entity and Business Associate in accordance with the requirements of HIPAA (as defined below) and/or the HITECH Act (as defined below). This Addendum is effective as of the effective date of the Professional Services Agreement (the “Effective Date”).

RECITALS

WHEREAS, in connection with the performance of their respective obligations under the terms of the Professional Services Agreement, Covered Entity may disclose certain information to Business Associate, and Business Associate may use and/or disclose certain information, some of which may constitute PHI; and

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to, or created, utilized or disclosed by, Business Associate pursuant to the Professional Services Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations and guidance issued by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”), all as amended from time to time (“HIPAA”), as well as the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary, all as amended from time to time (the “HITECH Act”), and other applicable laws;

The parties do hereby agree as follows:

Article 1: Definitions

1.1 Definitions. For the purposes of this Addendum, the following defined terms shall have the following definitions. All capitalized terms used in this Addendum but not otherwise defined herein shall have the meaning given in HIPAA or the HITECH Act, as applicable.
(a) “Breach” has the meaning given to such term under HIPAA and the HITECH Act, including, but not limited to, at § 13400(1) of the HITECH Act and 45 CFR § 164.402.
(b) “Data Aggregation” has the meaning given to such term under the Privacy Standards (as defined below), including, but not limited to, at 45 CFR § 164.501.
(c) “Designated Record Set” has the meaning given to such term under the Privacy Standards, including, but not limited to, at 45 CFR § 164.501.
(d) “Health Care Operations” has the meaning given to such term under the Privacy Standards, including, but not limited to, at 45 CFR § 164.501.
(e) “Limited Data Set” has the meaning given to such term under the Privacy Standards, including, but not limited to, at 45 CFR § 164.514.
(f) “Privacy Standards” means the HIPAA Privacy Rule and HIPAA Security Rule codified at 45 CFR Parts 160, 162 and 164.
(g) “Protected Health Information” or “PHI” has the meaning given to such term under HIPAA, the HITECH Act, and the Privacy Standards, including, but not limited to, at 45 CFR § 160.103.
(h) “Unsecured Protected Health Information” has the meaning given to such term under HIPAA and the HITECH Act, including, but not limited to, at § 13402(h) of the HITECH Act and 45 CFR § 164.402.

Article 2: Duties of Business Associate

2.1 Compliance with Privacy Provisions. Business Associate shall only use and disclose PHI in performance of its obligations under the Professional Services Agreement and as permitted or required by law. Business Associate agrees to be in compliance with each applicable requirement of 45 CFR § 164.504(e) and all requirements of the HITECH Act applicable to Business Associate.

2.2 Compliance with Security Provisions. Business Associate shall:
(a) implement and maintain administrative safeguards as required by 45 CFR § 164.308, physical safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 CFR § 164.312;
(b) implement and document reasonable and appropriate policies and procedures as required by 45 CFR § 164.316;
(c) use its best efforts to implement and maintain technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals as specified in the HITECH Act; and
(d) be in compliance with all requirements of the HITECH Act related to security and applicable to Business Associate.

2.3 Breach of Unsecured PHI.
(a) With respect to any suspected or actual unauthorized acquisition, access, use or disclosure (“Acquisition”) of Covered Entity’s PHI by Business Associate, its agents or subcontractors, and/or any Acquisition of data in violation of any applicable federal or state law, Business Associate shall (i) investigate such Acquisition; (ii) determine whether such Acquisition constitutes a reportable Breach under HIPAA, the HITECH Act, and/or applicable federal or state law; (iii) document and retain its findings under clauses (i) and (ii); and (iv) take any action pertaining to such Acquisition required by applicable federal or state law.
(b) If Business Associate discovers that a Breach has occurred, Business Associate shall notify Covered Entity in writing without unreasonable delay and in no case later than five (5) days after discovery of the Breach. Business Associate’s written notice shall include all available information required by 45 CFR § 164.410 and other applicable law. Business Associate’s written report shall be promptly supplemented with any new or additional information. Business Associate agrees to cooperate with Covered Entity in meeting Covered Entity’s obligations under the HITECH Act and other applicable law with respect to such Breach. Covered Entity shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s) or others as required by the HITECH Act and other applicable law.

2.4 Permitted Uses of PHI. Satisfactory performance of its obligations under the Professional Services Agreement by Business Associate may require Business Associate to receive or use PHI obtained from Covered Entity, or created or received by Business Associate on behalf of Covered Entity; provided, however, that Business Associate shall not use PHI other than for the purpose of performing Business Associate’s obligations under the Professional Services Agreement (including this Addendum), as permitted or required under the Professional Services Agreement (including this Addendum), or as required by law. Business Associate shall not use PHI in any manner that would constitute a violation of HIPAA if so used by Covered Entity.

2.5 Permitted Disclosures of PHI. Business Associate shall not disclose PHI other than for the purpose of performing Business Associate’s obligations under the Professional Services Agreement (including this Addendum), as permitted or required under the Professional Services Agreement (including this Addendum), or as required by law. Business Associate shall not disclose PHI in any manner that would constitute a violation of HIPAA if so disclosed by Covered Entity. To the extent that Business Associate discloses PHI to a third party in carrying out its obligations under the Professional Services Agreement, Business Associate must obtain, prior to making any such disclosure, (i) reasonable assurances from such third party that such PHI will be held confidential as provided pursuant to this Addendum and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) an agreement from such third party to immediately notify Business Associate of any breaches of confidentiality of the PHI, to the extent the third party has obtained knowledge of such breach.

2.6 Minimum Necessary. Business Associate shall limit its use, disclosure or request of PHI to only the minimum necessary as required by law.

2.7 Retention of PHI. Unless otherwise specified in the Professional Services Agreement, Business Associate shall maintain and retain PHI for the term of the Professional Services Agreement, and make such PHI available to Covered Entity as set forth in this Addendum.

2.8 Safeguarding PHI. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by the Professional Services Agreement and this Addendum. Business Associate will appropriately safeguard electronic PHI in accordance with the standards specified at 45 CFR § 164.314(a). In particular, Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.

2.9 Agents and Subcontractors. Business Associate shall ensure that any agents (including subcontractors) of Business Associate to whom Business Associate provides PHI received from Covered Entity, or PHI created or received by Business Associate on behalf of Covered Entity, agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such PHI, including the requirement to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI. Business Associate shall implement appropriate sanctions against agents and subcontractors that violate such restrictions and conditions, including termination of the agency or subcontractor relationship, if feasible, and shall mitigate the effects of any such violations.

2.10 Reporting Unauthorized Use or Disclosure. Business Associate shall report in writing to Covered Entity any use or disclosure of PHI not provided for under the Professional Services Agreement or this Addendum as soon as possible after Business Associate becomes aware of such an incident but in no case later than five (5) days after the date on which Business Associate becomes aware of any such incident; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate shall take (i) prompt corrective action to cure any deficiencies that caused the unauthorized use or disclosure, and (ii) any corrective action required by applicable federal and state law.

2.11 Access to Information. Within five (5) days of Covered Entity’s request, Business Associate shall provide Covered Entity with access to Covered Entity’s PHI maintained by Business Associate or its agents or subcontractors to enable Covered Entity to fulfill its obligations under the Privacy Standards, including, but not limited to, 45 CFR § 164.524.

2.12 Availability of PHI for Amendment. The parties acknowledge that the Privacy Standards permit an individual who is the subject of PHI to request certain amendments of their records.
Upon Covered Entity’s request for an amendment of PHI or a record about an individual contained in a Designated Record Set, but not later than five (5) days after receipt of such request, Business Associate and its agents or subcontractors shall make such PHI available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Standards, including, but not limited to, 45 CFR § 164.526. If any individual requests an amendment of PHI directly from Business Associate or its agents or subcontractors, Business Associate must notify Covered Entity in writing within five (5) days of the request. Covered Entity has the sole authority to deny a request for amendment of PHI received or created under the terms of the Professional Services Agreement and maintained by Business Associate or its agents or subcontractors.

2.13 Accounting of Disclosures. Upon Covered Entity’s request, Business Associate, its agents and subcontractors shall make available the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Standards, including, but not limited to, 45 CFR § 164.528. For this purpose, Business Associate shall retain a record of disclosure of PHI for at least six (6) years from the date of disclosure. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate and its agents or subcontractors for at least six (6) years prior to the request, but not before the effective date of the Professional Services Agreement.
At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. Where a request for an accounting is delivered directly to Business Associate or its agents or subcontractors, Business Associate shall within five (5) days of a request forward it to Covered Entity in writing. It shall be Covered Entity’s responsibility to prepare and deliver any such reply to the requested accounting.

2.14 Agreement to Restriction on Disclosure. If Covered Entity is required to comply with a restriction on the disclosure of PHI pursuant to § 13405 of the HITECH Act, then Covered Entity shall provide written notice to Business Associate of the name of the individual requesting the restriction and the PHI affected thereby. Business Associate shall, upon receipt of such notification, not disclose the identified PHI to any health plan for the purposes of carrying out Payment or Health Care Operations, except as otherwise required by law.

2.15 Accounting of Disclosures of Electronic Health Records (“EHR”). If Business Associate is deemed to use or maintain an EHR on behalf of Covered Entity, then Business Associate shall maintain an accounting of any disclosures made through an EHR for Treatment, Payment and Health Care Operations, as required by law. Upon request by Covered Entity, Business Associate shall provide such accounting to Covered Entity in the time and manner specified by law.
Alternatively, if Covered Entity responds to an individual’s request for an accounting of disclosures made through an EHR by providing the requesting individual with a list of all business associates acting on behalf of Covered Entity, then Business Associate shall provide such accounting directly to the requesting individual in the time and manner specified by the HITECH Act.

2.16 Access to Electronic Health Records. If Business Associate is deemed to use or maintain an EHR on behalf of Covered Entity with respect to PHI, then, to the extent an individual has the right to request a copy of the PHI maintained in such EHR pursuant to 45 CFR § 164.524 and makes such a request to Business Associate, Business Associate shall provide such individual with a copy of the PHI in the EHR in an electronic format and, if the individual so chooses, transmit such copy directly to an entity or person designated by the individual. Business Associate may charge a fee, not to exceed Contractor’s labor costs to respond, to the individual for providing the copy of the PHI. The provisions of 45 CFR § 164.524, including the exceptions to the requirement to provide a copy of PHI, shall otherwise apply and Business Associate shall comply therewith as if Business Associate were Covered Entity. At Covered Entity’s request, Business Associate shall provide Covered Entity with a copy of an individual’s PHI maintained in an EHR in an electronic format and in a time and manner designated by Covered Entity in order for Covered Entity to comply with 45 CFR § 164.524, as amended by the HITECH Act.

2.17 Remuneration for PHI. Business Associate agrees that it shall not, directly or indirectly, receive remuneration in exchange for any PHI of Covered Entity except as otherwise permitted by law.

2.18 Limitations on Use of PHI for Marketing Purposes. Business Associate shall not use or disclose PHI for the purpose of making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless such communication: (a) complies with the requirements of subparagraph (i), (ii) or (iii) of paragraph (1) of the definition of marketing contained in 45 CFR § 164.501, and (b) complies with the requirements of subparagraphs (A), (B) or (C) of § 13406(a)(2) of the HITECH Act. Covered Entity shall cooperate with Business Associate to determine if the foregoing requirements are met with respect to any such marketing communication.

2.19 Governmental Access to Books and Records. For purposes of determining Covered Entity’s compliance with the HIPAA, Business Associate agrees to make available to the Secretary its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.

2.20 Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI.

2.21 Insurance. Business Associate shall maintain commercial general liability insurance, with commercially reasonable liability limits, that includes coverage for damage to persons or property arising from any breach of the terms of this Addendum.

2.22 Audits, Inspection and Enforcement. Within ten (10) days of a written request by Covered Entity, Business Associate and its agents or subcontractors shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Addendum for the purpose of determining whether Business Associate has complied with this Addendum; provided, however, that (i) Business Associate and Covered Entity shall mutually agree in advance upon the scope, timing and location of such an inspection; (ii) Covered Entity shall protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection; and (iii) Covered Entity shall execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested by Business Associate. Covered Entity and its authorized agents or contractors, may, at Covered Entity’s expense, examine Business Associate’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to Covered Entity the extent to which Business Associate’s security safeguards comply with HIPAA, the HITECH Act or this Addendum, to the extent that Covered Entity determines that such examination is necessary to comply with Covered Entity’s legal obligations pursuant to HIPAA or the HITECH Act relating to certification of its security practices.
The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect, Business Associate’s facilities, systems, books, records, agreements, policies and procedures does not relieve Business Associate of its responsibility to comply with this Addendum, nor does Covered Entity’s (i) failure to detect or (ii) detection, but failure to notify Business Associate or require Business Associate’s remediation of any unsatisfactory practices, constitute acceptance of such practices or a waiver of Covered Entity’s enforcement rights under the Professional Services Agreement or this Addendum. 2.23 Return of PHI at Termination. Upon termination of the Professional Services Agreement, Business Associate shall, where feasible, destroy or return to Covered Entity all PHI received from Covered Entity, or created or received by Business Associate or its agents or subcontractors on behalf of Covered Entity. Where return VIII-07 Page 8 of 11 or destruction is not feasible, the duties of Business Associate under this Addendum shall be extended to protect the PHI retained by Business Associate. Business Associate agrees not to further use or disclose information for which the return or destruction is infeasible. Business Associate shall certify in writing the destruction of the PHI and to the continued protection of PHI that is not feasible to destroy. 2.24 Retention of PHI. Business Associate and its contractors or agents shall retain communications and documents required to be maintained by HIPAA for six (6) years after termination of the Professional Services Agreement. 2.25 Business Associate’s Performance of Obligations of Covered Entity. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the HIPAA Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity when it carries out such obligation(s). 
Article 3: Duties of Covered Entity
3.1 Using Appropriate Safeguards. Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to the Professional Services Agreement, in accordance with the standards and requirements of HIPAA.
Article 4: Term and Termination
4.1 Term. The provisions of this Addendum shall become effective on the Effective Date and shall continue in effect until all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information in accordance with the termination provisions in Section 4.2 of this Addendum.
4.2 Termination by Covered Entity.
(a) A breach by Business Associate of any material provision of this Addendum, as determined by Covered Entity, shall constitute a material breach of the Professional Services Agreement and shall provide grounds for immediate termination of the Professional Services Agreement by Covered Entity.
(b) If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate’s obligations under the provisions of this Addendum or another arrangement and does not terminate the Professional Services Agreement pursuant to Section 4.2(a) of this Addendum, then Business Associate shall take reasonable steps to cure such breach or end such violation, as applicable.
If Business Associate’s efforts to cure such breach or end such violation are unsuccessful, Covered Entity shall either (i) terminate the Professional Services Agreement, if feasible or (ii) if termination of the Professional Services Agreement is not feasible, Covered Entity shall report Business Associate’s breach or violation to the Secretary.
4.3 Termination by Business Associate. If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under the Professional Services Agreement or this Addendum, then Business Associate shall immediately notify Covered Entity. With respect to such breach or violation, Business Associate shall (i) take reasonable steps to cure such breach or end such violation, if possible; or (ii) if such steps are either not possible or are unsuccessful, upon written notice to Covered Entity, terminate the Professional Services Agreement; or (iii) if such termination is not feasible, report Covered Entity’s breach or violation to the Secretary.
4.4 Termination by Either Party. Either party may terminate the Professional Services Agreement, effective immediately, if (i) the other party is named as a defendant in a criminal proceeding for a violation of HIPAA, the HITECH Act or other security or privacy laws, or (ii) a finding or stipulation that the other party has violated any standard or requirement of HIPAA, the HITECH Act or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.
Article 5: Miscellaneous
5.1 Acknowledgment. Business Associate recognizes and agrees that it is obligated by law to comply with the applicable provisions of the HITECH Act.
5.2 Change in Law.
The parties agree to promptly enter into negotiations concerning the terms of the Professional Services Agreement (including this Addendum), and to negotiate in good faith, if, in either party’s business judgment, modification of the Professional Services Agreement (including this Addendum) becomes necessary due to legislative, regulatory, or judicial developments regarding HIPAA or the HITECH Act. Covered Entity may terminate the Professional Services Agreement upon thirty (30) days written notice in the event (i) Business Associate does not promptly enter into negotiations to amend the Professional Services Agreement when requested by Covered Entity pursuant to this § 5.2, or (ii) Business Associate does not enter into an amendment to the Professional Services Agreement providing assurances regarding the safeguarding of PHI that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and the HITECH Act.
5.3 Disclaimer. Covered Entity makes no warranty or representation that compliance by Business Associate with HIPAA, the HITECH Act or this Addendum will be adequate or satisfactory for Business Associate’s own purposes. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.
5.4 Assistance in Litigation or Administrative Proceedings.
Business Associate shall make itself, and any subcontractors, employees or agents assisting Business Associate in the performance of its obligations under the Professional Services Agreement or this Addendum, available to Covered Entity, at no cost to Covered Entity, to testify as witness, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its members/shareholders, managers/directors, officers or employees based upon a claimed violation of HIPAA or the HITECH Act or other laws relating to security and privacy, except where Business Associate, or its subcontractor, employee or agent is a named adverse party.
5.5 No Third-Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
5.6 Interpretation. Section titles in this Addendum are for convenience only, and shall not be used in interpreting this Addendum. Any ambiguity in this Addendum shall be resolved to permit the parties to comply with the requirements of HIPAA and the HITECH Act. In the event of conflict between the Professional Services Agreement and this Addendum, the provisions of this Addendum shall prevail. Any reference in this Addendum to a section in the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E, the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 164, subpart C, or the HITECH Act means the section as in effect or as amended.
The parties hereto have executed this Rider on the day and year first above written on the Professional Services Agreement.
THE CITY OF HASTINGS MN (Covered Entity)
By: ____________________________
Name: __________________________
Title: ___________________________
Date: ________________________

EMERGENCY SERVICE PERSPECTIVES (Business Associate)
By: ____________________________
Name: BRIAN DESLAURIERS
Title: SOLE PROPRIETOR
Date: 03/19/2023