HomeMy WebLinkAboutPD Whole Person Care Data SharingDocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
COUNTY OF MARIN
WHOLE PERSON CARE
DATA SHARING AGREEMENT
This data sharing agreement ("Agreement") is made at San Rafael, California as of
1021/2020 ("Effective Date"), by and between the County of Marin ("County") and
city of San Ra.TapIrtner"). County and Partner may be collectively referred to herein as
"Parties" or in the singular as "Party," as the context requires.
Background
A. The County is the Lead Entity for the Whole Person Care ("WPC") program in Marin
County as a business associate of the State of California's Department of Health Care
Services ("DHCS"). WPC is a multi-year, statewide Medi -Cal waiver program that allows
local communities to coordinate physical health, behavioral health, and social services for
vulnerable individuals who are high users of multiple health care systems and continue to
have poor outcomes.
B. Partner is a provider of supportive services to individuals enrolled in WPC ("Clients")
and/or is deemed by the County to merit partner status for WPC.
C. The WPC pilot was approved by the Centers for Medicare and Medicaid Services ("CMS")
as an amendment to California's Section 1115(a) demonstration ("Medi -Cal 2020"). This
Agreement is being executed in part to facilitate the transfer of certain Client data from
Partner to DHCS via the County in support of the public health intervention efforts under
WPC.
D. Data exchange, to the extent permitted by federal and state laws, is necessary to identify
potential enrollees for the WPC pilot project and coordinate access and delivery of
services to the identified population. In the exchange of data, the Parties desire to
maintain the privacy and security of Protected Information (as defined below) in
accordance with applicable laws.
E. The County is signing separate Data Sharing Agreements ("DSAs") with all Partners who
will share Protected Information for the WPC program with each other and/or with the
County. All Partners are bound by the terms of the DSA for such sharing of Protected
Information related to the WPC program.
Based on the foregoing background, County and Partner agree as follows:
1. Purpose and Scope. In providing services for the WPC program, Partner will share
Protected Information (as defined below) with the County and/or other Partners in
Page 1 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
accordance with applicable state and federal laws and regulations for the following
purposes:
A. Identification of individuals potentially eligible for WPC enrollment (data may
include, but is not limited to, demographics, referring entity detail, insurance
coverage detail, housing status if known, Medical History relevant to enrollment
criteria such as hospital emergency department and inpatient utilization, and
known assessments/screenings).
B. Monitoring of outcome measures and reporting. Data will be reported to the
County or its designee for submission to DHCS for relevant services and outcomes,
as per DHCS reporting requirements. The WPC team will work with Partner to
determine which specific data each Partner will be responsible for reporting to
County, depending on services provided and access to data sources.
C. The coordination of health and human services, such as sharing of information for
collaborative care planning (data may include, but is not limited to, event
notifications including hospital emergency department and inpatient
admit/discharge information, clinical care summaries, and care plan elements).
The Parties will collaborate to define specific mutually agreeable data transmission
methods.
2. Definitions. When presented as capitalized terms in this Agreement, the following terms
have the meanings indicated below:
A. "Authorized User" shall mean a Party's employees, agents, assigns,
representatives, or independent contractors authorized to access, use or disclose
information from another Party's System.
B. "Breach" shall have the meaning given to such term under HIPAA, the HITECH Act,
the HIPAA regulations, and the Final Omnibus Rule.
C. "Business Associate Agreement" shall have the meaning given to such term under
HIPAA, the HITECH Act, the HIPAA regulations, and Final Omnibus Rule.
D. "Client" shall mean a person who is eligible for, and enrolled in, WPC.
E. "Confidentiality Agreement" shall mean an agreement between a Party and one
or more Authorized Users that establishes and defines restrictions on information
access and disclosure, including means for protecting personal privacy and
proprietary information.
Page 2 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
F. "Confidential Information" means any data, business, financial, operational,
customer, member, user, vendor, provider, proprietary, personally identifiable, or
other information disclosed by one Party to the other and not generally known by
or disclosed to the public.
G. "Court System" shall mean any agency that is part of the state or federal criminal
judiciary system, including but not limited to the Courts, District Attorney, and
Public Defender.
H. "Covered Entity" shall have the meaning given to such term under HIPAA, the
HITECH Act, the HIPAA regulations, and Final Omnibus Rule.
"HIPAA Rules" means the Health Insurance Portability and Accountability Act of
1996 ("HIPAA"), the Health Information Technology for Economic and Clinical
Health Act ("HITECH"), and any requirements and regulations promulgated
thereunder.
J. "Law Enforcement" shall mean any agency tasked with upholding, enforcing, and
investigating the law, including but not limited to police, sheriff, and Federal law
enforcement.
K. "Lead Entity" means the organization responsible for coordinating and monitoring
the WPC pilot and which serves as the single point of contact for the Department
of Health Care Services. For the Marin WPC program ("WPC"), the County of Marin
is the Lead Entity.
L. "Medical History" includes information relating to a patient's past and present
physical and mental health events, treatments and problems.
M. "Partner(s)" means a Partner to the County in implementing the WPC program
who has signed a Data Sharing Agreement with the County, including without
limitation hospitals, managed health care plans, health services, specialty mental
health agencies or departments, public agencies or departments, substance use
disorder programs, human services agencies, housing authorities, public health
departments, and community-based organizations.
N. "Pll" shall mean that "Personally Identifiable Information which can be used to
distinguish or trace an individual's identity, including without limitation the
individual's name, social security number, or biometric records.
0. "PHI" shall mean "protected health information" as defined in 45 C.F.R. § 160.103.
Page 3 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
P. "Proprietary Information" shall mean all materials, information and ideas of a
Party including, without limitation: patient names, patient lists, patient records,
patient information, operation methods and information, accounting and financial
information, marketing and pricing information and materials, internal
publications and memoranda and, if notice thereof is given, other matters
considered confidential by a Party. Proprietary Information shall not include
information which: (i) is readily available or can be readily ascertained through
public sources; (ii) a Party has previously received from another entity unrelated
to this Agreement; (iii) would cause a Party to be in violation of the law; (iv)
negatively impacts Party's licensure, accreditation or participation in any federally
or state funded healthcare program, including without limitation the Medicare
and Medicaid programs; or (v) is information received by a Party that is used in
compliance with Section 3(A) below and integrated into the records of the
receiving Party.
Q. "Protected Information" shall mean PII, PHI and Proprietary Information.
R. "Substance Use Disorder" means a cluster of cognitive, behavioral, and
physiological symptoms indicating that the individual continues using the
substance despite significant substance -related problems such as impaired
control, social impairment, risky use, and pharmacological tolerance and
withdrawal. For the purposes of this Agreement, this definition does not include
tobacco or caffeine use.
S. "System" shall mean software, portal, platform, or other electronic medium
controlled or utilized by a Party through which or by which the Party exchanges
Protected Information under this Agreement. For purposes of this definition, it
shall not matter whether the Party controls or utilizes the software, portal,
platform or other medium through ownership, lease, license, or otherwise.
3. Compliance with Laws Governing the Disclosure of Client Protected Information.
A. The use or disclosure of Client information qualifying as PHI shall be made in
accordance with the HIPAA Rules.
B. PHI shared under this Agreement shall be the minimally necessary PHI needed for
treatment, coordination of care, and/or other health care operations under the
WPC program.
C. Any Client Protected Information that constitutes "medical information," as
defined under the California Confidentiality of Medical Information Act ("CMIA"),
shall be disclosed only in accordance with the requirements of all applicable laws
and regulations, including CMIA.
Page 4 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
D. If the disclosure of Client Protected Information would include information and
records obtained in the course of providing mental health services from a facility
subject to the additional privacy protections underthe Lanterman-Petris-Short Act
("Lanterman Act") or if it would be information originating from a federally
assisted Substance Use Disorder program subject to the additional privacy
protections provided by 42 C.F.R. Part 2 that identifies a patient as having or
having had a substance use disorder ("SUD"), the Party making the disclosure will
obtain the appropriate authorizations) or consent(s) required by the Lanterman
Act and/or 42 C.F.R. Part 2 from the Client prior to making the disclosure, and will
provide the prohibition of redisclosure statement required under 42 CFR Part 2
regulations.
E. Any Client Protected Information that includes HIV results shall be disclosed in
accordance with the requirements of all applicable laws and regulations, including
Health and Safety ("H&S") Code 121065.
F. Each Party is responsible for its own compliance obligations under the HIPAA
Rules, CMIA, the Lanterman Act, and 42 C.F.R. Part 2, including any redisclosure
restrictions
G. Some of the information collected, stored, and/or exchanged for the WPC
Program, may have been disclosed by a social services program, and may
therefore be subject to other Welfare & Institutions Code, Civil Code and/or H&S
Code provisions.
H. The Parties shall not use or disclose Client Protected Information other than as
permitted or required by this Agreement, in accordance with a Client's executed
authorization for release of information, or otherwise permitted or required
under state and/or federal regulation.
I. The Parties intend and in good faith believe that this Agreement complies with all
federal, state and local laws. If any provision of this Agreement is declared void by
a court or binding arbitration, or rendered invalid by any law or regulation
(including without limitation any regulation or requirement of accreditation, tax -
exemption, federally funded health care program participation or licensure which
(i) invalidates the provisions of this Agreement; (ii) would cause a Party to be in
violation of the law; or (iii) jeopardizes the Party's licensure, accreditation or
participation in any federally or state funded health care program, including
without limitation Medicare and Medicaid programs), and if such provision is
necessary to effectuate the purposes of this Agreement, the Parties agree to
attempt to renegotiate in good faith the Agreement to comply with such law(s) to
the satisfaction of all Parties. In the event the Parties are not able to mutually
Page 5 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
agree to a new agreement within 60 days, then this Agreement shall automatically
terminate. If any provision of this Agreement that is not necessary to effectuate
the purposes of the Agreement is declared void or rendered invalid as specified
above, the remainder of this Agreement shall not be affected thereby and shall be
enforced to the greatest extent permitted by law.
Each Party, whether providing, receiving, or using Protected Information shall
comply with the following:
(1) Establish and implement appropriate policies and procedures to prevent
unauthorized access, use, and disclosure of Protected Information and
ensure that such policies and procedures do not conflict with and are not
less restrictive than this Agreement.
(2) Regularly monitor and audit access to Protected Information and take
prompt corrective action to remedy any Breach of Protected Information,
mitigate to the extent practicable any harmful effect of a use or disclosure
of Protected Information, and take any other action required by applicable
federal and state laws and regulations pertaining to such Breach.
(3) Notify the affected Party and the County within 48 hours of the discovery
of unsecured Protected Information in electronic or other media related
to a known or suspected compromise/breach of the System if: (1) the
Protected Information was, or is reasonably believed to have been
accessed or acquired by an unauthorized person, (2) there is any suspected
security incident, intrusion or unauthorized access, (3) there is suspected
use or disclosure of Protected Information in violation of this Agreement,
or (4) there is potential loss of confidential data affecting this Agreement.
The Parties shall take all reasonable steps to mitigate the Breach. For
purposes of this paragraph, "affected Party" shall include any Party
regarding which there is a reasonable possibility that the Party's System or
data thereon could be negatively impacted by the Breach.
The Parties acknowledge and agree that this Section constitutes notice by
Partner to County of the ongoing existence and occurrence of attempted
but Unsuccessful Security Incidents for which no additional notice to
County shall be required. "Unsuccessful Security Incidents" shall include,
but not be limited to, pings and other broadcast attacks on Partner's
firewall, port scans, unsuccessful log -on attempts, denials of service, or any
combination of the above, so long as no such incident results in
unauthorized access, use or disclosure of Protected Information.
(4) Provide all Authorized Users with appropriate education and training on
the requirements of this Agreement.
Page 6 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
(5) Provide, upon request, copies or detailed summaries of its privacy and
security policies and procedures to the requesting Party and, upon
reasonable request by another Party, demonstrate compliance with its
policies and procedures.
K. The provisions of Section J(3) shall survive termination of this Agreement.
4. Additional Protections for Data Sharing with the Criminal Justice System
A. Data Sharing with Law Enforcement
(1) Non -law enforcement Partners are not authorized to share Client data
with law enforcement partners, absent explicit Client authorization,
except under the following conditions and in accordance with Section 3
above:
1. Partners may share the name and contact information of a
Client's case manager if doing so would likely improve Client's
health or well-being.
2. Partners may share minimal data necessary to help protect the
safety of a Client. Such disclosure is limited to the absolute
minimum information needed to safeguard the Client's health or
well-being. (For example, a case manager may tell local police that
their Client has a particular reaction to loud noises, but may not
disclose the circumstances that led to the reaction.)
3. Partners may share the following housing -related information if
doing so would likely improve Client's health or well-being: VI-
SPDAT total score, whether client has stable housing, and whether
client has been selected for a voucher.
4. Partners may share data with designated outreach or behavioral
health employees of law enforcement partners as if they were
non -law enforcement partners. Employees must be designated by
agreement of both law enforcement Partner and County. This
exception shall not apply to any sworn officer and shall not
authorize any redisclosure of data to non-social services or
behavioral health employees. Employees found to violate the
redisclosure clause will lose their designated status.
5. As required by law.
(2) Law Enforcement partners are authorized to share client data with non -
law enforcement partners under the terms of a Client Release of
Information.
B. Data Sharing with the Court System
Page 7 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
(1) Non -court system partners are not authorized to share client data with
court system partners, absent explicit client authorization, except under
the following conditions and in accordance with Section 3 above:
1. Partners may share the name and contact information of a client's
case manager if doing so would likely assist in favorable resolution
of the Client's case.
2. Partners may share the following housing -related information if
doing so would likely assist in favorable resolution of the Client's
case: VI-SPDAT total score, whether client has stable housing, and
whether client has been selected for a voucher. (Such
information may, for instance, be used to impact a client's
sentence.)
3. As required by law.
(2) Court system Partners are authorized to share Client data with non -court
system Partners under the terms of a Client Release of Information, so long
as doing so would be likely improve Client's health or well-being or
promote the favorable resolution of Client's case. Only the absolute
minimum amount of information necessary to achieve these goals may be
shared..
5. Confidential Information.
A. Each Party shall maintain the other Party's Confidential Information in confidence
and will protect, at its own expense, any and all such Confidential Information
which it comes to possess or control, wherever and however stored or
maintained, in a commercially reasonable manner in accordance with current best
practices. The safeguards employed by each Party in protecting the other's
Confidential Information shall be consistent with the safeguards for protection of
Confidential Information, and information of a similar character, as set forth in all
applicable laws and regulations and shall include, but not be limited to, the
following:
(1) A security policy for employees related to the storage, access and
transportation of data containing Confidential Information;
(2) Reasonable restrictions on access to records containing Confidential
Information;
(3) Creating secure access controls to Confidential Information, including but
not limited to passwords; and
Page 8of12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
(4) A process for reviewing policies and security measures on an ongoing
basis.
B. If a Party suffers any unauthorized disclosure, loss of, or inability to account for
the Confidential Information of the other Party, then the compromised Party shall
immediately notify the other Party and shall, at its own expense, take such actions
as may be necessary or reasonably requested by the other Party to minimize the
damage that may result therefrom.
C. Except as provided in this Agreement, a Party shall not use or disclose (or allow
the use or disclosure of) any Confidential Information of the other Party without
the express prior written consent of such Party. If a Party is legally required to
disclose the Confidential Information of the other Party, the Party required to
disclose will, as soon as reasonably practicable, provide the other Party with
written notice of the applicable order, subpoena, or other request creating the
obligation to disclose so that such other Party may seek a protective order or other
appropriate remedy. Regardless, the express prior written consent of the other
Party, the Party subject to such disclosure obligation will only disclose that
Confidential Information which the Party is advised by legal counsel as legally
required to be disclosed.
6. Term and Termination.
A. Term. This Agreement shall be effective from the Effective Date until this
Agreement is terminated by either Party or December 31, 2021, whichever is
earlier. Either Party may only terminate this Agreement for any reason if that Party
is no longer sharing Protected Information for the County's WPC program.
Termination shall be achieved by providing the other Party with sixty (60) days
prior written notice.
B. Temporary Termination of Access to Protected Information. Each Party reserves
the right to temporarily and immediately terminate another Party's access to
Protected Information at any time if the Party becomes aware that another Party
has suffered a Breach of the security of its System or has violated any of the terms
of this Agreement, including without limitation accessing any information that a
Party would not otherwise be authorized to receive pursuant to this Agreement,
improperly disclosing Protected Information, or otherwise failing to abide by the
appropriate policies and procedures outlined in this Agreement. Access may be
restored once the Breach is cured and/or adequate assurances have been
provided that the breaching Party has resumed compliance with the terms of this
Agreement.
C. Effect of Termination. Upon termination or expiration of this Agreement, the
Parties shall return or destroy all Protected Information received from any other
Page 9 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
Party in any form, and retain no copies, if feasible. However, Parties acknowledge
that return or destruction of Protected Information may not always be
immediately feasible. In such a situation, the Parties shall take all necessary
measures to maintain the privacy, confidentiality, and security of Protected
Information until the Protected Information can be returned or destroyed. The
provisions of this section shall survive expiration or termination of this Agreement.
7. Warranties.
A. The Parties hereby disclaim all implied and express warranties regarding their
respective Systems, whether arising from course of dealing or otherwise. No Party
warrants that (i) the performance of a System or delivery of the Protected
Information or (ii) the content of the Protected Information will be uninterrupted
or error free.
B. Without limiting any other provision of this Agreement, each Party and such
Party's Authorized Users shall be solely responsible for all decisions and actions
taken or not taken involving patient care, utilization management, and quality
management for their respective patients and clients.
8. Insurance. Each Party must obtain at its own cost and expense, and keep in force and
effect during the term of this Agreement, policies of insurance or programs of self-
insurance with coverage amounts appropriate for the size and nature of each Party's
activities pertaining to WPC, and in compliance with applicable laws and government
program requirements.
9. Representatives. All communications pertaining to this Agreement shall be referred to
the following representatives:
Partner: County:
Jim Schutz Charis Baz
city Manager Acting Director, Whole Person care
city of San Rafael HHS
10. Binding on Successors. This Agreement shall be binding on the heirs, executors,
administrators, successors and assigns of the Parties.
Page 10 of 12
DocuSign Envelope ID: BDC41958-73A3-4DOF-A5DD-C2F9BE3A63C8
11. Independent Contractor. At all times during the term of this Agreement, Partner shall be
an independent contractor and no relationship of employer-employee shall exist between
the County and Partner for any purpose whatsoever. Partner shall not be entitled to any
benefits payable to employees of the County.
12. Subcontractors. Partner shall require any of its subcontractors that acquire, access,
disclose, or use Protected Information to comply with the terms and conditions of this
Agreement.
13. Partner Not Agent. Except as specified in writing, either Party's personnel shall have no
authority, express or implied, to act on behalf of the other Party in any capacity
whatsoever as an agent or to bind the other Party to any obligation whatsoever.
14. Entire Agreement. This Agreement, which includes all attachments and all documents
that are incorporated by reference, contains the entire agreement between the Parties
and supersedes whatever oral or written understanding they may have had prior to the
execution of this Agreement. No alteration to the terms of this Agreement shall be valid
unless approved in writing by Partner and by County.
15. Indemnification. Partner agrees to indemnify, defend, and hold County, its employees,
officers, and agents, harmless from any and all liabilities including, but not limited to,
litigation costs, attorney's fees, and state or federal fines or penalties arising from any
and all claims and losses to anyone who may be injured or damaged by reason of Partner's
negligence, recklessness or willful misconduct in the performance of this Agreement.
16. Enforcement of Agreement. This Agreement shall be governed, construed and enforced
in accordance with the laws of the State of California. Venue of any litigation arising out
of or connected with this Agreement shall lie in Marin County, and the Parties consent to
jurisdiction over their persons and over the subject matter of any such litigation in such
courts, and consent to service of process issued by such courts.
17. Waiver. No waiver by either party of any specific default, breach or condition precedent,
shall be construed as a waiver of any provision of this Agreement, nor as a waiver of any
other default, breach or condition precedent or any other right hereunder. No waiver
shall be effective unless it is in writing and signed by the waiving Party.
18. Authority. The individuals signing this Agreement for the Parties represent and warrant
that they are authorized to sign this Agreement on behalf of the Parties and to bind the
Parties to the performance of their obligations hereunder.
[Signature Page Follows]
Page 11 of 12
DocuSign Envelope ID: 8DC4195B-73A3-4DOF-A5DD-C2F9BE3A63C8
Executed as of the day and year first above stated.
COUNTY OF MARIN
A California County
By:
Chari s Baz (La `S 6&l HHS
Name and Title of County Signatory
APPROVED AS TO FORM:
County Attorney
PARTNER
city of San Rafael
Name of Partner
TYPE OF BUSINESS ENTITY (check one):
Individual/Sole Proprietor
Partnership
Corporation (may require 2 signatures)
Limited Liability Company
Other (please specify:
30A S".
Signature
Jim Schutz
Print Name
city Manager
Title
Additional Signature (only if required)
Print Name
Title
Federal I.D. No.
State I.D. No.
Page 12 of 12