Loading...
CM Whole Person Care Data SharingDocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 COUNTY OF MARIN WHOLE PERSON CARE DATA SHARING AGREEMENT This data sharing agreement ("Agreement") is made at San Rafael, California as of 1021/2020 ("Effective Date"), by and between the County of Marin ("County") and city of San Ra.TapIrtner"). County and Partner may be collectively referred to herein as "Parties" or in the singular as "Party," as the context requires. Background A. The County is the Lead Entity for the Whole Person Care ("WPC") program in Marin County as a business associate of the State of California's Department of Health Care Services ("DHCS"). WPC is a multi-year, statewide Medi -Cal waiver program that allows local communities to coordinate physical health, behavioral health, and social services for vulnerable individuals who are high users of multiple health care systems and continue to have poor outcomes. B. Partner is a provider of supportive services to individuals enrolled in WPC ("Clients") and/or is deemed by the County to merit partner status for WPC. C. The WPC pilot was approved by the Centers for Medicare and Medicaid Services ("CMS") as an amendment to California's Section 1115(a) demonstration ("Medi -Cal 2020"). This Agreement is being executed in part to facilitate the transfer of certain Client data from Partner to DHCS via the County in support of the public health intervention efforts under WPC. D. Data exchange, to the extent permitted by federal and state laws, is necessary to identify potential enrollees for the WPC pilot project and coordinate access and delivery of services to the identified population. In the exchange of data, the Parties desire to maintain the privacy and security of Protected Information (as defined below) in accordance with applicable laws. E. The County is signing separate Data Sharing Agreements ("DSAs") with all Partners who will share Protected Information for the WPC program with each other and/or with the County. All Partners are bound by the terms of the DSA for such sharing of Protected Information related to the WPC program. Based on the foregoing background, County and Partner agree as follows: 1. Purpose and Scope. In providing services for the WPC program, Partner will share Protected Information (as defined below) with the County and/or other Partners in Page 1 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 accordance with applicable state and federal laws and regulations for the following purposes: A. Identification of individuals potentially eligible for WPC enrollment (data may include, but is not limited to, demographics, referring entity detail, insurance coverage detail, housing status if known, Medical History relevant to enrollment criteria such as hospital emergency department and inpatient utilization, and known assessments/screenings). B. Monitoring of outcome measures and reporting. Data will be reported to the County or its designee for submission to DHCS for relevant services and outcomes, as per DHCS reporting requirements. The WPC team will work with Partner to determine which specific data each Partner will be responsible for reporting to County, depending on services provided and access to data sources. C. The coordination of health and human services, such as sharing of information for collaborative care planning (data may include, but is not limited to, event notifications including hospital emergency department and inpatient admit/discharge information, clinical care summaries, and care plan elements). The Parties will collaborate to define specific mutually agreeable data transmission methods. 2. Definitions. When presented as capitalized terms in this Agreement, the following terms have the meanings indicated below: A. "Authorized User" shall mean a Party's employees, agents, assigns, representatives, or independent contractors authorized to access, use or disclose information from another Party's System. B. "Breach" shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and the Final Omnibus Rule. C. "Business Associate Agreement" shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and Final Omnibus Rule. D. "Client" shall mean a person who is eligible for, and enrolled in, WPC. E. "Confidentiality Agreement" shall mean an agreement between a Party and one or more Authorized Users that establishes and defines restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Page 2 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 F. "Confidential Information" means any data, business, financial, operational, customer, member, user, vendor, provider, proprietary, personally identifiable, or other information disclosed by one Party to the other and not generally known by or disclosed to the public. G. "Court System" shall mean any agency that is part of the state or federal criminal judiciary system, including but not limited to the Courts, District Attorney, and Public Defender. H. "Covered Entity" shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and Final Omnibus Rule. "HIPAA Rules" means the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and any requirements and regulations promulgated thereunder. J. "Law Enforcement" shall mean any agency tasked with upholding, enforcing, and investigating the law, including but not limited to police, sheriff, and Federal law enforcement. K. "Lead Entity" means the organization responsible for coordinating and monitoring the WPC pilot and which serves as the single point of contact for the Department of Health Care Services. For the Marin WPC program ("WPC"), the County of Marin is the Lead Entity. L. "Medical History" includes information relating to a patient's past and present physical and mental health events, treatments and problems. M. "Partner(s)" means a Partner to the County in implementing the WPC program who has signed a Data Sharing Agreement with the County, including without limitation hospitals, managed health care plans, health services, specialty mental health agencies or departments, public agencies or departments, substance use disorder programs, human services agencies, housing authorities, public health departments, and community-based organizations. N. "Pll" shall mean that "Personally Identifiable Information which can be used to distinguish or trace an individual's identity, including without limitation the individual's name, social security number, or biometric records. 0. "PHI" shall mean "protected health information" as defined in 45 C.F.R. § 160.103. Page 3 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 P. "Proprietary Information" shall mean all materials, information and ideas of a Party including, without limitation: patient names, patient lists, patient records, patient information, operation methods and information, accounting and financial information, marketing and pricing information and materials, internal publications and memoranda and, if notice thereof is given, other matters considered confidential by a Party. Proprietary Information shall not include information which: (i) is readily available or can be readily ascertained through public sources; (ii) a Party has previously received from another entity unrelated to this Agreement; (iii) would cause a Party to be in violation of the law; (iv) negatively impacts Party's licensure, accreditation or participation in any federally or state funded healthcare program, including without limitation the Medicare and Medicaid programs; or (v) is information received by a Party that is used in compliance with Section 3(A) below and integrated into the records of the receiving Party. Q. "Protected Information" shall mean PII, PHI and Proprietary Information. R. "Substance Use Disorder" means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance -related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of this Agreement, this definition does not include tobacco or caffeine use. S. "System" shall mean software, portal, platform, or other electronic medium controlled or utilized by a Party through which or by which the Party exchanges Protected Information under this Agreement. For purposes of this definition, it shall not matter whether the Party controls or utilizes the software, portal, platform or other medium through ownership, lease, license, or otherwise. 3. Compliance with Laws Governing the Disclosure of Client Protected Information. A. The use or disclosure of Client information qualifying as PHI shall be made in accordance with the HIPAA Rules. B. PHI shared under this Agreement shall be the minimally necessary PHI needed for treatment, coordination of care, and/or other health care operations under the WPC program. C. Any Client Protected Information that constitutes "medical information," as defined under the California Confidentiality of Medical Information Act ("CMIA"), shall be disclosed only in accordance with the requirements of all applicable laws and regulations, including CMIA. Page 4 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 D. If the disclosure of Client Protected Information would include information and records obtained in the course of providing mental health services from a facility subject to the additional privacy protections underthe Lanterman-Petris-Short Act ("Lanterman Act") or if it would be information originating from a federally assisted Substance Use Disorder program subject to the additional privacy protections provided by 42 C.F.R. Part 2 that identifies a patient as having or having had a substance use disorder ("SUD"), the Party making the disclosure will obtain the appropriate authorizations) or consent(s) required by the Lanterman Act and/or 42 C.F.R. Part 2 from the Client prior to making the disclosure, and will provide the prohibition of redisclosure statement required under 42 CFR Part 2 regulations. E. Any Client Protected Information that includes HIV results shall be disclosed in accordance with the requirements of all applicable laws and regulations, including Health and Safety ("H&S") Code 121065. F. Each Party is responsible for its own compliance obligations under the HIPAA Rules, CMIA, the Lanterman Act, and 42 C.F.R. Part 2, including any redisclosure restrictions G. Some of the information collected, stored, and/or exchanged for the WPC Program, may have been disclosed by a social services program, and may therefore be subject to other Welfare & Institutions Code, Civil Code and/or H&S Code provisions. H. The Parties shall not use or disclose Client Protected Information other than as permitted or required by this Agreement, in accordance with a Client's executed authorization for release of information, or otherwise permitted or required under state and/or federal regulation. I. The Parties intend and in good faith believe that this Agreement complies with all federal, state and local laws. If any provision of this Agreement is declared void by a court or binding arbitration, or rendered invalid by any law or regulation (including without limitation any regulation or requirement of accreditation, tax - exemption, federally funded health care program participation or licensure which (i) invalidates the provisions of this Agreement; (ii) would cause a Party to be in violation of the law; or (iii) jeopardizes the Party's licensure, accreditation or participation in any federally or state funded health care program, including without limitation Medicare and Medicaid programs), and if such provision is necessary to effectuate the purposes of this Agreement, the Parties agree to attempt to renegotiate in good faith the Agreement to comply with such law(s) to the satisfaction of all Parties. In the event the Parties are not able to mutually Page 5 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 agree to a new agreement within 60 days, then this Agreement shall automatically terminate. If any provision of this Agreement that is not necessary to effectuate the purposes of the Agreement is declared void or rendered invalid as specified above, the remainder of this Agreement shall not be affected thereby and shall be enforced to the greatest extent permitted by law. Each Party, whether providing, receiving, or using Protected Information shall comply with the following: (1) Establish and implement appropriate policies and procedures to prevent unauthorized access, use, and disclosure of Protected Information and ensure that such policies and procedures do not conflict with and are not less restrictive than this Agreement. (2) Regularly monitor and audit access to Protected Information and take prompt corrective action to remedy any Breach of Protected Information, mitigate to the extent practicable any harmful effect of a use or disclosure of Protected Information, and take any other action required by applicable federal and state laws and regulations pertaining to such Breach. (3) Notify the affected Party and the County within 48 hours of the discovery of unsecured Protected Information in electronic or other media related to a known or suspected compromise/breach of the System if: (1) the Protected Information was, or is reasonably believed to have been accessed or acquired by an unauthorized person, (2) there is any suspected security incident, intrusion or unauthorized access, (3) there is suspected use or disclosure of Protected Information in violation of this Agreement, or (4) there is potential loss of confidential data affecting this Agreement. The Parties shall take all reasonable steps to mitigate the Breach. For purposes of this paragraph, "affected Party" shall include any Party regarding which there is a reasonable possibility that the Party's System or data thereon could be negatively impacted by the Breach. The Parties acknowledge and agree that this Section constitutes notice by Partner to County of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to County shall be required. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Partner's firewall, port scans, unsuccessful log -on attempts, denials of service, or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Protected Information. (4) Provide all Authorized Users with appropriate education and training on the requirements of this Agreement. Page 6 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 (5) Provide, upon request, copies or detailed summaries of its privacy and security policies and procedures to the requesting Party and, upon reasonable request by another Party, demonstrate compliance with its policies and procedures. K. The provisions of Section J(3) shall survive termination of this Agreement. 4. Additional Protections for Data Sharing with the Criminal Justice System A. Data Sharing with Law Enforcement (1) Non -law enforcement Partners are not authorized to share Client data with law enforcement partners, absent explicit Client authorization, except under the following conditions and in accordance with Section 3 above: 1. Partners may share the name and contact information of a Client's case manager if doing so would likely improve Client's health or well-being. 2. Partners may share minimal data necessary to help protect the safety of a Client. Such disclosure is limited to the absolute minimum information needed to safeguard the Client's health or well-being. (For example, a case manager may tell local police that their Client has a particular reaction to loud noises, but may not disclose the circumstances that led to the reaction.) 3. Partners may share the following housing -related information if doing so would likely improve Client's health or well-being: VI- SPDAT total score, whether client has stable housing, and whether client has been selected for a voucher. 4. Partners may share data with designated outreach or behavioral health employees of law enforcement partners as if they were non -law enforcement partners. Employees must be designated by agreement of both law enforcement Partner and County. This exception shall not apply to any sworn officer and shall not authorize any redisclosure of data to non-social services or behavioral health employees. Employees found to violate the redisclosure clause will lose their designated status. 5. As required by law. (2) Law Enforcement partners are authorized to share client data with non - law enforcement partners under the terms of a Client Release of Information. B. Data Sharing with the Court System Page 7 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 (1) Non -court system partners are not authorized to share client data with court system partners, absent explicit client authorization, except under the following conditions and in accordance with Section 3 above: 1. Partners may share the name and contact information of a client's case manager if doing so would likely assist in favorable resolution of the Client's case. 2. Partners may share the following housing -related information if doing so would likely assist in favorable resolution of the Client's case: VI-SPDAT total score, whether client has stable housing, and whether client has been selected for a voucher. (Such information may, for instance, be used to impact a client's sentence.) 3. As required by law. (2) Court system Partners are authorized to share Client data with non -court system Partners under the terms of a Client Release of Information, so long as doing so would be likely improve Client's health or well-being or promote the favorable resolution of Client's case. Only the absolute minimum amount of information necessary to achieve these goals may be shared.. 5. Confidential Information. A. Each Party shall maintain the other Party's Confidential Information in confidence and will protect, at its own expense, any and all such Confidential Information which it comes to possess or control, wherever and however stored or maintained, in a commercially reasonable manner in accordance with current best practices. The safeguards employed by each Party in protecting the other's Confidential Information shall be consistent with the safeguards for protection of Confidential Information, and information of a similar character, as set forth in all applicable laws and regulations and shall include, but not be limited to, the following: (1) A security policy for employees related to the storage, access and transportation of data containing Confidential Information; (2) Reasonable restrictions on access to records containing Confidential Information; (3) Creating secure access controls to Confidential Information, including but not limited to passwords; and Page 8of12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 (4) A process for reviewing policies and security measures on an ongoing basis. B. If a Party suffers any unauthorized disclosure, loss of, or inability to account for the Confidential Information of the other Party, then the compromised Party shall immediately notify the other Party and shall, at its own expense, take such actions as may be necessary or reasonably requested by the other Party to minimize the damage that may result therefrom. C. Except as provided in this Agreement, a Party shall not use or disclose (or allow the use or disclosure of) any Confidential Information of the other Party without the express prior written consent of such Party. If a Party is legally required to disclose the Confidential Information of the other Party, the Party required to disclose will, as soon as reasonably practicable, provide the other Party with written notice of the applicable order, subpoena, or other request creating the obligation to disclose so that such other Party may seek a protective order or other appropriate remedy. Regardless, the express prior written consent of the other Party, the Party subject to such disclosure obligation will only disclose that Confidential Information which the Party is advised by legal counsel as legally required to be disclosed. 6. Term and Termination. A. Term. This Agreement shall be effective from the Effective Date until this Agreement is terminated by either Party or December 31, 2021, whichever is earlier. Either Party may only terminate this Agreement for any reason if that Party is no longer sharing Protected Information for the County's WPC program. Termination shall be achieved by providing the other Party with sixty (60) days prior written notice. B. Temporary Termination of Access to Protected Information. Each Party reserves the right to temporarily and immediately terminate another Party's access to Protected Information at any time if the Party becomes aware that another Party has suffered a Breach of the security of its System or has violated any of the terms of this Agreement, including without limitation accessing any information that a Party would not otherwise be authorized to receive pursuant to this Agreement, improperly disclosing Protected Information, or otherwise failing to abide by the appropriate policies and procedures outlined in this Agreement. Access may be restored once the Breach is cured and/or adequate assurances have been provided that the breaching Party has resumed compliance with the terms of this Agreement. C. Effect of Termination. Upon termination or expiration of this Agreement, the Parties shall return or destroy all Protected Information received from any other Page 9 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 Party in any form, and retain no copies, if feasible. However, Parties acknowledge that return or destruction of Protected Information may not always be immediately feasible. In such a situation, the Parties shall take all necessary measures to maintain the privacy, confidentiality, and security of Protected Information until the Protected Information can be returned or destroyed. The provisions of this section shall survive expiration or termination of this Agreement. 7. Warranties. A. The Parties hereby disclaim all implied and express warranties regarding their respective Systems, whether arising from course of dealing or otherwise. No Party warrants that (i) the performance of a System or delivery of the Protected Information or (ii) the content of the Protected Information will be uninterrupted or error free. B. Without limiting any other provision of this Agreement, each Party and such Party's Authorized Users shall be solely responsible for all decisions and actions taken or not taken involving patient care, utilization management, and quality management for their respective patients and clients. 8. Insurance. Each Party must obtain at its own cost and expense, and keep in force and effect during the term of this Agreement, policies of insurance or programs of self- insurance with coverage amounts appropriate for the size and nature of each Party's activities pertaining to WPC, and in compliance with applicable laws and government program requirements. 9. Representatives. All communications pertaining to this Agreement shall be referred to the following representatives: Partner: County: Jim Schutz Charis Baz city Manager Acting Director, Whole Person care city of San Rafael HHS 10. Binding on Successors. This Agreement shall be binding on the heirs, executors, administrators, successors and assigns of the Parties. Page 10 of 12 DocuSign Envelope ID: BDC41958-73A3-4DOF-A5DD-C2F9BE3A63C8 11. Independent Contractor. At all times during the term of this Agreement, Partner shall be an independent contractor and no relationship of employer-employee shall exist between the County and Partner for any purpose whatsoever. Partner shall not be entitled to any benefits payable to employees of the County. 12. Subcontractors. Partner shall require any of its subcontractors that acquire, access, disclose, or use Protected Information to comply with the terms and conditions of this Agreement. 13. Partner Not Agent. Except as specified in writing, either Party's personnel shall have no authority, express or implied, to act on behalf of the other Party in any capacity whatsoever as an agent or to bind the other Party to any obligation whatsoever. 14. Entire Agreement. This Agreement, which includes all attachments and all documents that are incorporated by reference, contains the entire agreement between the Parties and supersedes whatever oral or written understanding they may have had prior to the execution of this Agreement. No alteration to the terms of this Agreement shall be valid unless approved in writing by Partner and by County. 15. Indemnification. Partner agrees to indemnify, defend, and hold County, its employees, officers, and agents, harmless from any and all liabilities including, but not limited to, litigation costs, attorney's fees, and state or federal fines or penalties arising from any and all claims and losses to anyone who may be injured or damaged by reason of Partner's negligence, recklessness or willful misconduct in the performance of this Agreement. 16. Enforcement of Agreement. This Agreement shall be governed, construed and enforced in accordance with the laws of the State of California. Venue of any litigation arising out of or connected with this Agreement shall lie in Marin County, and the Parties consent to jurisdiction over their persons and over the subject matter of any such litigation in such courts, and consent to service of process issued by such courts. 17. Waiver. No waiver by either party of any specific default, breach or condition precedent, shall be construed as a waiver of any provision of this Agreement, nor as a waiver of any other default, breach or condition precedent or any other right hereunder. No waiver shall be effective unless it is in writing and signed by the waiving Party. 18. Authority. The individuals signing this Agreement for the Parties represent and warrant that they are authorized to sign this Agreement on behalf of the Parties and to bind the Parties to the performance of their obligations hereunder. [Signature Page Follows] Page 11 of 12 DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8 Executed as of the day and year first above stated. COUNTY OF MARIN A California County By: Chari s Baz (La `S 6&l HHS Name and Title of County Signatory APPROVED AS TO FORM: County Attorney PARTNER city of San Rafael Name of Partner TYPE OF BUSINESS ENTITY (check one): Individual/Sole Proprietor Partnership Corporation (may require 2 signatures) Limited Liability Company Other (please specify: 30A S". Signature Jim Schutz Print Name city Manager Title Additional Signature (only if required) Print Name Title Federal I.D. No. State I.D. No. Page 12 of 12