Addendum to DAODAS Block Grant/Business Associate Agreement

THIS DAODAS Block Grant/BUSINESS ASSOCIATE PRIVACY AGREEMENT (the “Agreement”) is made by and between _______________________________ (the “Provider Agency”) and the South Carolina Department of Alcohol and Other Drug Abuse Services (DAODAS).

Introduction. The Provider Agency provides certain services on behalf of DAODAS that require DAODAS to disclose certain identifiable health information of clients treated by DAODAS to the Provider Agency. The parties desire to enter into this Agreement to permit the Provider Agency to have access to such information and to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its accompanying Provider Agency privacy regulations, in accordance with the terms and conditions set forth in this Agreement.

Agreement. In consideration of the foregoing, the mutual promises contained herein and other valuable consideration, the legal sufficiency of which is hereby acknowledged, the parties hereby agree as follows:

1. Protected Health Information. For purposes of this Agreement, “protected health information” means any information, oral or recorded in any form or medium, including demographic information (but excluding education records covered by the Family Educational Rights and Privacy Act and records described at 20 U.S.C. § 1232g(a)(4)(B)(iv)), that:
(a) is created or received by a health care provider, health plan, employer or health care clearinghouse;
(b) relates to the (i) past, present or future physical or mental condition of an individual, (ii) health care provided to an individual, or (iii) past, present or future payment for health care provided to an individual; and
(c) identifies the individual, or there is a reasonable basis to believe the information can be used to identify the individual.

2. Use of Protected Health Information. The Provider Agency shall not, and shall ensure that its directors, officers, employees, contractors and agents do not, use protected health information received from DAODAS in any manner that would constitute a violation of the privacy standards promulgated under HIPAA as set forth in 45 C.F.R. Parts 160 and 164 (the “Privacy Standards”). The permitted or required uses of protected health information by the Provider Agency are set forth in Exhibit A, attached to this Agreement and incorporated herein by reference.

3. Use of Protected Health Information for Provider Agency Business. Nothing herein shall be construed to prevent the Provider Agency from disclosing or utilizing protected health information to the extent necessary to carry out the administration or management of the Provider Agency’s business or to comply with the legal responsibilities of the Provider Agency; provided, however, that the disclosure or use must be required by law, or the Provider Agency must obtain reasonable assurances from the third party that receives the protected health information that it will (i) treat the protected health information confidentially and only use or further disclose the protected health information in a manner consistent with the purposes for which the protected health information was provided by the Provider Agency; and (ii) promptly report any breach of the confidentiality of the protected health information to DAODAS.

4. Disclosure of Protected Health Information. The Provider Agency acknowledges that DAODAS is subject to certain limitations on the use and disclosure of protected health information under HIPAA and 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Client Treatment Records. The Provider Agency shall not, and shall ensure that its directors, officers, employees, contractors and agents do not, disclose protected health information received from DAODAS in any manner unless such disclosure would be permitted by DAODAS under its HIPAA privacy policies or 42 C.F.R., or as otherwise expressly permitted under this Agreement or required by law.

5. Compliance with DAODAS Privacy Policies. The Provider Agency shall comply with all applicable HIPAA/HITECH and 42 C.F.R. policies adopted by DAODAS, including, without limitation, DAODAS’s policies on: (i) an individual’s access to their own protected health information; (ii) amendment of an individual’s protected health information; and (iii) the provision of an accounting to an individual of disclosures of their protected health information. DAODAS shall be responsible for providing the Provider Agency with a copy of any HIPAA policy applicable to the Provider Agency.

6. Judicial Proceedings. The Provider Agency agrees to resist in judicial proceedings any efforts to obtain access to any information pertaining to clients other than as expressly provided for in 42 C.F.R. Part 2.

7. Notification of Individual Requests. DAODAS shall notify the Provider Agency of any requests by individuals received by DAODAS that require the Provider Agency to provide information to DAODAS in order to respond to the request for access to, or an accounting or amendment of, protected health information. The Provider Agency shall promptly forward any such individual requests received directly by the Provider Agency to DAODAS. DAODAS shall be responsible for responding, or objecting, to all such individual requests in accordance with DAODAS’s HIPAA policies.

8. Implementation of Appropriate Safeguards. The Provider Agency agrees to implement appropriate safeguards to prevent the improper use or disclosure of protected health information and to ensure compliance with the Provider Agency’s obligations hereunder. Upon request, the Provider Agency shall provide DAODAS with a description of its privacy safeguards.

9. Reports of Improper Uses or Disclosures. The Provider Agency shall promptly report to DAODAS any knowledge of any use or disclosure of protected health information in violation of this Agreement by the Provider Agency, its officers, directors, employees, contractors, agents or any third party. The Provider Agency agrees to implement an appropriate recordkeeping system to enable the Provider Agency to comply with the requirements of this section.

10. Agreements with Subcontractors and Agents. To the extent that any of the Provider Agency’s agents or subcontractors will have access to protected health information that is received from, or created or received by the Provider Agency on behalf of, DAODAS, the Provider Agency’s agreement with the subcontractor or agent must require that the subcontractor or agent agree to be bound by the terms, restrictions and conditions applicable to the Provider Agency under this Agreement.

11. Availability of Books and Records. The Provider Agency agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from DAODAS, or created by the Provider Agency on behalf of DAODAS, available to DAODAS and the Secretary of Health and Human Services to determine DAODAS’s compliance with the business associate requirements of HIPAA.

12. Return of Protected Health Information. Upon termination of this Agreement for any reason, the Provider Agency agrees to return or destroy, if feasible, all copies, including the Provider Agency’s file copy, of protected health information received or created by the Provider Agency under this Agreement and maintained in any form. If it is not feasible to return or destroy the protected health information, then the Provider Agency must extend the protections of this Agreement to the retained protected health information and limit all further use or disclosure to the purposes that require the Provider Agency to retain the protected health information.

13. Term. This Agreement shall commence on the Effective Date and remain in effect for a period of one (1) year. This Agreement shall thereafter automatically renew for successive one (1) year terms unless the Provider Agency or DAODAS terminates this Agreement as provided herein.

14. Termination. This Agreement may be terminated by either party at any time, without cause, upon no less than thirty (30) days’ notice to the other party. Both parties shall have the right to terminate this Agreement upon ten (10) days’ written notice to the other party in the event such party breaches a material provision hereof and such breach is not cured within that ten (10) day period.

15. No Third Party Beneficiary Rights. Nothing express or implied in this Addendum is intended or shall be interpreted to create or confer any rights, remedies, obligations or liabilities whatsoever in any third party.

16. Indemnification.
a) Indemnification by Provider Agency. The Provider Agency shall protect, indemnify and hold harmless DAODAS, its officers and employees from all claims, suits, actions, attorney’s fees, costs, expenses, damages, judgments or decrees arising out of the failure by the Provider Agency to comply with the requirements of this Addendum, the Privacy Regulations and all Future Directives; provided, however, that such indemnification shall be conditioned upon DAODAS giving prompt notice of any claims to the Provider Agency after discovery thereof and cooperating fully with the Provider Agency concerning the defense and settlement of claims.
b) Indemnification by DAODAS. DAODAS shall protect, indemnify and hold harmless the Provider Agency, its officers and employees from all claims, suits, actions, attorney’s fees, costs, expenses, damages, judgments or decrees arising out of the failure by DAODAS to comply with the requirements of this Addendum, the Privacy Regulations and all Future Directives; provided, however, that such indemnification shall be conditioned upon the Provider Agency giving prompt notice of any claims to DAODAS after discovery thereof and cooperating fully with DAODAS concerning the defense and settlement of claims.

17. Notices. Any notice permitted or required by this Agreement will be considered made on the date personally delivered in writing or mailed by certified mail, postage prepaid, to the other party at the address set forth on the signature page of this Agreement, or to such other person or address as either party may designate in writing.

18. Modification. This Agreement contains the entire understanding of the parties regarding the privacy obligations of the Provider Agency under HIPAA and will be modified only by a written document signed by each party.

19. Waiver. The waiver by the Provider Agency or DAODAS of a breach of this Agreement will not operate as a waiver of any subsequent breach. No delay in acting with regard to any breach of this Agreement will be construed to be a waiver of the breach.

20. Assignment. This Agreement will not be assigned by either party without the prior written consent of the other party. This Agreement will be for the benefit of, and binding upon, the parties hereto and their respective successors and permitted assigns.

21. Governing Law. The interpretation and enforcement of this Agreement will be governed by the laws of the State of South Carolina.

22. Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.

23. Counterparts. This Agreement may be executed in counterparts, each of which will be deemed to be an original, but all of which together will constitute one and the same instrument.

IN WITNESS WHEREOF, the Provider Agency and DAODAS have caused this instrument to be executed, to be effective as of the date first written below.

Notice Address:

FOR THE PROVIDER AGENCY: ______________________________
By: ______________________________
Name: ______________________________
Title: ______________________________

FOR DAODAS:
By: _____________________________
Name: ______
Title: Manager, Division of Operations

Exhibit A
Permitted Uses and Disclosures (Examples)
1. No permitted disclosures.
2. Use permitted for treatment, payment, and healthcare operations only.

DAODAS Block Grant/Business Associate/Vendor Compliance Verification/Attestation on HIPAA/42 CFR/HITECH

I, _________________________________, of ________________________________________ (agency name) will implement the required safeguards to ensure compliance with HIPAA/42 CFR/HITECH.

Owner/CEO’s Signature: _______________________________________ Date: ____________
E-mail Address: __________________________________________ Phone #: _____________
Company Name: _______________________________________________________________
Address: ______________________________________________________________________

All of the items below must be initialed. If you cannot initial every item, please contact your HIPAA Compliance Officer/Consultant to assist you with your compliance efforts.

NOTE for County Alcohol and Drug Abuse Authorities: All required safeguards must be in place before any payments are issued under the DAODAS Block Grant after October 1, 2015.

1.) We have a written Sensitive Information Policy. Initial ______
2.) We have a written Identity Theft Prevention Policy. Initial ______
3.) We have a written Breach Notification Plan. Initial ______
4.) We have conducted a Risk Assessment (HIPAA/HITECH). Initial ______
5.) We use a Data Transfer Tracking form or other approved method for tracking data, as required by law. Initial ______
6.) We have a written appointment of an Information Security Officer (ISO) (may be yourself or a current employee). Initial ______
7.) We have trained our employees regarding state and federal Identity Theft, Data Protection, and Privacy laws, and HIPAA/HITECH (if required). Initial ______
8.) All employees have signed confidentiality documents acknowledging required annual training and stating that they will follow state and federal laws and your policies and procedures, including our DAODAS Block Grant/Business Associate Agreement. Initial ______
9.) We have complied with 42 CFR requirements. Initial ______
10.) We have in place (and available for review) these and such other written documents and procedures required by law. Initial ______
11.) We have a program available to ensure that all of our Business Associates/Vendors that have physical access to our premises or electronic access to PII, NPI, or PHI have the same safeguards, policies, procedures, and training in place in accordance with the Final Omnibus Rule. Initial ______

If you have any questions concerning these requirements, please contact Sharon Peterson at 803-896-1145; e-mail: speterson@daodas.sc.gov.