Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Learn about the federal regulations associated with HIPAA compliance.

(Terms used shall have the same meaning as those terms in the Privacy Rule, 45 Code of Federal Regulations (CFR) Parts 160 and 164.)

A. Obligations and Activities of the Contractor

  1. The Contractor agrees not to use or disclose protected health information other than as permitted or required by this Contract, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Contractor shall use and disclose protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e). The Contractor is directly responsible for full compliance with the privacy provisions of HIPAA and HITECH that apply to business associates.
  2. The Contractor agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the County as required by 45 CFR, Part 164, Subpart C. The Contractor is directly responsible for compliance with the security provisions of HIPAA and HITECH that apply to business associates, including sections 164.308, 164.310, 164.312, and 164.316 of title 45 CFR.
  3. Within 2 business days of the discovery of a breach as defined at 45 CFR § 164.402 the Contractor shall notify the County of any breach of unsecured protected health information. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the Contractor to have been, accessed, acquired, or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Contractor is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; the contact procedures of the Contractor for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address; and any other information required to be provided to the individual by the County pursuant to 45 CFR § 164.404, as amended. A breach shall be treated as discovered in accordance with the terms of 45 CFR § 164.410. The information shall be updated promptly and provided to the County as requested by the County.
  4. The Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of protected health information by the Contractor in violation of the requirements of this Contract or the law.
  5. The Contractor agrees to report in writing all unauthorized or otherwise improper disclosures of protected health information or security incidents to the County within 2 days of the Contractor's knowledge of such event.
  6. The Contractor agrees to ensure that any agent, including a subcontractor, to whom it provides protected health information received from, or created or received by the Contractor on behalf of the County, agrees to the same restrictions and conditions that apply through this Contract to the Contractor with respect to such information.
  7. The Contractor agrees to make available protected health information in accordance with 45 CFR § 164.524.
  8. The Contractor agrees to make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 CFR § 164.526.
  9. The Contractor agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, or created or received by the Contractor on behalf of King County, available to the Secretary, in a reasonable time and manner for purposes of the Secretary determining King County's compliance with HIPAA, HITECH or this Contract.
  10. The Contractor agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Should an individual make a request to the County for an accounting of disclosures of his or her protected health information pursuant to 45 CFR § 164.528, Contractor agrees to promptly provide an accounting, as specified under 42 U.S.C. § 17935(c)(1) and 45 CFR § 164.528, of disclosures of protected health information that have been made by the Contractor acting on behalf of the County. The accounting shall be provided by the Contractor to the County or to the individual, as directed by the County.

B. Permitted Uses and Disclosures by Business Associate

  1. The Contractor may use or disclose protected health information to perform functions, activities, or services for, or on behalf of, King County as specified in this Contract, provided that such use or disclosure would not violate HIPAA if done by King County or the minimum necessary policies and procedures of King County.

C. Effect of Termination

  1. Except as provided in paragraph C.2. of this Section, upon termination of this Contract, for any reason, the Contractor shall return or destroy all protected health information received from the County, or created or received by the Contractor on behalf of the County. This provision shall apply to protected health information that is in the possession of subcontractors or agents of the Contractor. The Contractor shall retain no copies of the protected health information.
  2. In the event the Contractor determines that returning or destroying the protected health information is infeasible, the Contractor shall provide to King County notification of the conditions that make return or destruction infeasible. Upon notification that return or destruction of protected health information is infeasible, the Contractor shall extend the protections of the Contract to such protected health information and limit further uses and disclosure of such protected health information to those purposes that make the return or destruction infeasible, for so long as the Contractor maintains such protected health information.

D. Reimbursement for Costs Incurred Due to Breach

  1. Contractor shall reimburse the County, without limitation, for all costs of investigation, dispute resolution, notification of individuals, the media, and the government, and expenses incurred in responding to any audits or other investigation relating to or arising out of a breach of unsecured protected health information by the Contractor.