§ 4. BUSINESS ASSOCIATES.
   It shall be the policy of the department and the village to require all business associates of the department or the village to follow the protocols and procedures set forth herein as the same may be applicable to the relationships between the village, the department and the business associates.
   (A)   Business associate policy.
      (1)   A business associate is a person or entity who provides certain functions, activities, or services for or to the department or the village, involving the use and/or disclosure of PHI.
      (2)   A business associate is not a department or village employee.
      (3)   The department or the village is not liable for privacy violations of its business associates and is not required to actively monitor or oversee the means by which its business associates carry out safeguards, or the extent to which the business associates abide by the requirements of the contract. However, the department or the village is required to act if either becomes aware of a practice or pattern that constitutes a material breach of this policy.
   (B)   Business associate contracts and procedures. All personnel must strictly observe the following standard relating to business associates.
      (1)   The department or the village must enter into contracts with business associates that contain specific language.
      (2)   The contract must include language that provides that the business associate will:
         (a)   Not use or further disclose the information other than as permitted or required by the contract or as required by law;
         (b)   Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
         (c)   Report to the department or the village any use or disclosure of the information not provided for by its contract of which it becomes aware;
         (d)   Ensure that any agents, including any subcontractors, to whom it provides PHI received from, or created by, or on behalf of the department or the village, agree to the same restrictions and conditions that apply to the business associate with respect to such information;
         (e)   Make available PHI in accordance with the department or the village policy on patient access to PHI as set forth herein;
         (f)   Make available PHI for amendment and incorporate any amendments to PHI in accordance with the department or the village policy on patient's right to amend or correct PHI;
         (g)   Make available the information required to provide an accounting of disclosures in accordance with the department or the village policy on accounting of PHI disclosures;
         (h)   Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by or on behalf of the department or the village, available to the Department of Health and Human Services ("DHHS") for purposes of determining the department or the village's compliance; and
         (i)   At termination of the contract, if feasible, return or destroy all PHI received from, or created by or on behalf of, the department or the village that the business associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
      (3)   In the event the department or the village becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, the department or the village must take reasonable steps to cure the breach or to end the violation, as applicable.
      (4)   In the event that the business associate cannot or will not remedy the practice or pattern, the department or the village must terminate the contract if feasible. Where termination is not feasible, contact the department or the village privacy official for reporting to DHHS, as required.
   (C)   Enforcement. All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the employee disciplinary process set forth in the Village Code, and, if applicable, in any relevant collective bargaining agreement.
   (D)   Sample contract. The standard form of business associate agreement is set forth below.
BUSINESS ASSOCIATE AGREEMENT FOR VILLAGE OF ROMEOVILLE FIRE DEPARTMENT/VILLAGE OF ROMEOVILLE
This Agreement is entered into by and between Village of Romeoville Fire Department/Village of Romeoville and ("Business Associate") to set forth the terms and conditions under which "protected health information", as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations enacted thereunder, created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville may be used or disclosed.
This Agreement shall commence on (Date) and the obligations herein shall continue in effect so long as ("Business Associate") uses, discloses, creates or otherwise possesses any protected health information created or received on behalf of Village of Romeoville Fire Department/Village of Romeoville and until all protected health information created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville is destroyed or returned to Village of Romeoville Fire Department/Village of Romeoville pursuant to Paragraph 15 herein.
1.)   Village of Romeoville Fire Department/Village of Romeoville and ("Business Associate") hereby agree that ("Business Associate") shall be permitted to use and/or disclose protected health information created or received on behalf of Village of Romeoville Fire Department/Village of Romeoville for the following purpose(s):
   a.   The preparation of invoices to patients, carriers, insurers and others responsible for payment or reimbursement of the services provided by Village of Romeoville Fire Department to its patients;
   b.   Preparation of reminder notices and documents pertaining to collections of overdue accounts;
   c.   The submission of supporting documentation to carriers, insurers and other payers to substantiate the health care services provided by Village of Romeoville Fire Department to its patients or to appeal denials of payment for same.
   d.   Uses required for the proper management of the ("Business Associate") as a business associate.
   e.   The review and use of PHI and other information by any counsel representing the Village of Romeoville Fire Department/Village of Romeoville in reviewing HIPAA compliance or in other similar or comparable regulatory circumstances.
   f.   Other uses or disclosures of PHI as permitted by HIPAA privacy rule.
2.)   ("Business Associate") may use and disclose protected health information created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville if necessary for the proper management and administration of ("Business Associate") or to carry out ("Business Associate")'s legal responsibilities, provided that any disclosure is:
   a)   Required by law, or
   b)   ("Business Associate") obtains reasonable assurances from the person to whom the protected health information is disclosed that (i) the protected health information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) the ("Business Associate") will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.
3.)   ("Business Associate") hereby agrees to maintain the security and privacy of all protected health information in a manner consistent with state and federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Regulations thereunder, and all other applicable law.
4.)   ("Business Associate") further agrees not to use or disclose protected health information except as expressly permitted by this Agreement, applicable law, or for the purpose of managing ("Business Associate")'s own internal business processes consistent with Paragraph 2 herein.
5.)   ("Business Associate") shall not disclose protected health information to any member of its workforce unless ("Business Associate") has advised such person of ("Business Associate")'s privacy and security obligations under this Agreement, including the consequences for violation of such obligations. ("Business Associate") shall take appropriate disciplinary action against any member of its workforce who uses or discloses protected health information in violation of this Agreement and applicable law.
6.)   ("Business Associate") shall not disclose protected health information created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville to a person, including any agent or subcontractor of ("Business Associate") but not including a member of ("Business Associate")'s own workforce, until such person agrees in writing to be bound by the provisions of this Agreement and applicable Illinois or Federal law.
7.)   ("Business Associate") agrees to use appropriate safeguards to prevent use or disclosure of protected health information not permitted by this Agreement or applicable law.
8.)   ("Business Associate") agrees to maintain a record of all disclosures of protected health information, including disclosures not made for the purposes of this Agreement. Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the protected health information, the name of the individual who is the subject of the protected health information, a brief description of the protected health information disclosed, and the purpose of the disclosure. ("Business Associate") shall make such record available to an individual who is the subject of such information or Village of Romeoville Fire Department/Village of Romeoville within five (5) days of a request and shall include disclosures made on or after the date which is six (6) years prior to the request or April 14, 2003, whichever is later.
9.)   ("Business Associate") agrees to report to Village of Romeoville Fire Department/Village of Romeoville any unauthorized use or disclosure of protected health information by ("Business Associate") or its workforce or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure.
10.)   ("Business Associate") agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from Village of Romeoville Fire Department/Village of Romeoville, or created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville, available to the Secretary of the United States Department of Health and Human Services, for purposes of determining the Covered Entity's compliance with HIPAA.
11.)    Within thirty (30) days of a written request by Village of Romeoville Fire Department/Village of Romeoville, ("Business Associate") shall allow a person who is the subject of protected health information, such person's legal representative, or Village of Romeoville Fire Department/Village of Romeoville to have access to and to copy such person's protected health information maintained by ("Business Associate"). ("Business Associate") shall provide protected health information in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format.
12.)   ("Business Associate") agrees to amend, pursuant to a request by Village of Romeoville Fire Department/Village of Romeoville, protected health information maintained and created or received by ("Business Associate") on behalf of Practitioner. ("Business Associate") further agrees to complete such amendment within thirty (30) days of a written request by Village of Romeoville Fire Department/Village of Romeoville, and to make such amendment as directed by Village of Romeoville Fire Department/Village of Romeoville.
13.)   In the event ("Business Associate") fails to perform the obligations under this Agreement, Village of Romeoville Fire Department/Village of Romeoville may, at its option:
   a)   Require ("Business Associate") to submit to a plan of compliance, including monitoring by Village of Romeoville Fire Department/Village of Romeoville and reporting by ("Business Associate"), as Village of Romeoville Fire Department/Village of Romeoville, in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto; and
   b)   Require ("Business Associate") to mitigate any loss occasioned by the unauthorized disclosure or use of protected health information.
   c)   Immediately discontinue providing protected health information to ("Business Associate") with or without written notice to ("Business Associate").
14.)   Village of Romeoville Fire Department/Village of Romeoville may immediately terminate this Agreement and related agreements if Village of Romeoville Fire Department/Village of Romeoville determines that the ("Business Associate") has breached a material term of this Agreement. Alternatively, Village of Romeoville Fire Department/Village of Romeoville may choose to: (i) provide ("Business Associate") with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford the ("Business Associate") an opportunity to cure said alleged material breach to the satisfaction of Village of Romeoville Fire Department/Village of Romeoville within ten (10) days. The ("Business Associate")'s failure to cure shall be grounds for immediate determination of this Agreement. Village of Romeoville Fire Department/ Village of Romeoville's remedies under this Agreement are cumulative, and the exercise of any remedy shall not preclude the exercise of any other.
15.)   Upon termination of this Agreement, ("Business Associate") shall return or destroy all protected health information received from Village of Romeoville Fire Department/Village of Romeoville, or created or received by ("Business Associate") on behalf of Village of Romeoville Fire Department/Village of Romeoville and that ("Business Associate") maintains in any form, and shall retain no copies of such information. If the parties mutually agree that return or destruction of protected health information is not feasible, ("Business Associate") shall continue to maintain the security and privacy of such protected health information in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of protected health information shall survive the discontinuance of this Agreement.
16.)   Village of Romeoville Fire Department/Village of Romeoville may amend this Agreement by providing ten (10) days prior written notice to ("Business Associate") in order to maintain compliance with Illinois or Federal law. Such amendment shall be binding upon ("Business Associate") at the end of the ten (10) day period and shall not require the consent of ("Business Associate"). ("Business Associate") may elect to discontinue the Agreement within the ten (10) day period, but ("Business Associate")'s duties hereunder to maintain the security and privacy of PROTECTED HEALTH INFORMATION shall survive such discontinuance. Village of Romeoville Fire Department/Village of Romeoville and ("Business Associate") may otherwise amend this Agreement by mutual written agreement.
17.)   ("Business Associate") shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless Village of Romeoville Fire Department/Village of Romeoville and its respective employees, directors, and agents ("Indemnitees") from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys' fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of ("Business Associate") or any subcontractor of or consultant of ("Business Associate") or any of ("Business Associate's") employees, directors, or agents related to the performance or nonperformance of this Agreement.
                                          
Village of Romeoville Fire Department/
Village of Romeoville
Date
                               
("Business Associate")
Date
(Ord. 0030-03, passed 4-2-03)