21-602S:\Legal\Our Documents\Ordinances\2 1\Ordinance Xferall (3).docx
ORDINANCE NO. 21-602
AN ORDINANCE OF THE CITY OF DENTON, TEXAS, AUTHORIZING THE INTERIM
CITY MANAGER, OR HER DESIGNEE, TO APPROVE A HIPAA BUSINESS ASSOCIATE
AGREEMENT WITH XFERALL LLC, TO PROVIDE A MOBILE APPLICATION THAT
SERVES TO AUTOMATE THE PATIENT TRANSFER PROCESS BETWEEN THE DENTON
POLICE DEPARTMENT MENTAL HEALTH DIVISION CRISIS INTERVENTION
RESPONSE TEAM AND BEHAVIORAL HEALTH FACILITIES; AND PROVIDING AN
EFFECTIVE DATE.
WHEREAS, the City of Denton Police Department has created a Mental Health Division Crisis
Intervention Response Team (“Response Team”) to assist individuals experiencing a crisis or otherwise
needing mental health services; and
WHEREAS, the Response Team may determine that it is in the best interests of the individual
experiencing a crisis or otherwise needing mental health services that treatment in an appropriate
Behavioral Health Facility is warranted; and
WHEREAS, XFERALL LLC, is a limited liability corporation that provides a free mobile
application that serves to automate the patient transfer process for individuals in crisis or otherwise
needing mental health services that allows the sharing of Protected Health Information (“PHI”) between
the Response Team and XFERALL; and
WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the
Federal Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH
Act”), and existing privacy and security standards of 45 Code of Federal Regulations Parts 160 and 164
impose certain privacy and security obligations on Business Associates, like XFERALL, receiving PHI
from the Response Team; and
WHEREAS, a Business Associate Agreement is required to ensure the privacy and security of
PHI shared by a Covered Entity, as defined by HIPAA, and a Business Associate like XFERALL; NOW,
THEREFORE,
THE COUNCIL OF THE CITY OF DENTON HEREBY ORDAINS:
SECTION 1. The findings set forth in this Ordinance are hereby in all things approved.
SECTION 2: It is in the best interests of the City of Denton, the community it serves, and
individuals in crisis or in need of mental health services, that the City Council hereby approves the use
of the XFERALL mobile application by the Response Team.
SECTION 3: While the Response Team is not considered a Covered Entity for HIPAA
purposes, the City Council finds that it is in the best interests of individuals in crisis or in need of mental
health services that the City of Denton and XFERALL enter into a Business Associate Agreement to
ensure the security and privacy of PHI shared between the Response Team and XFERALL.
SECTION 4. The City Council hereby approves the Interim City Manager or her designee,
on behalf of the City of Denton, executing a Business Associate Agreement in the form of Exhibit “A”
of this Ordinance with XFERALL.
SECTION 5. The use of the XFERALL mobile application and the Business Associate
Agreement are effective April 1, 2021 through March 31, 2022, and shall automatically renew for
successive one-year periods unless terminated in accordance with the terms of the Business Associate
Agreement, without further action required by the City Council.
SECTION 6. The Interim City Manager or her designee is authorized to amend the
Business Associate Agreement as needed and consistent with its intent and applicable federal law
without further action required by the City Council.
SECTION 7. To the extent any Ordinance previously adopted by the City Council is
inconsistent with this Ordinance, it is hereby superseded.
SECTION 8. If any one or more sections or clauses of this Ordinance is judged to
be unconstitutional or invalid, such judgment shall not affect, impair, or invalidate the
remaining provisions of this Ordinance and the remaining provisions of the Ordinance shall be
interpreted as if the offending section or clause never existed.
SECTION 9. This Ordinance shall become effective immediately upon its passage
and approval.
The motion to approve this Ordinance was made by [illegible] and
seconded by [illegible]; this Ordinance was passed and approved by the following vote [illegible]:
Aye Nay Abstain Absent
Mayor Gerard Hudspeth:
Birdia Johnson, District 1 :
Connie Baker, District 2:
Jesse Davis, District 3 :
John Ryan, District 4:
Deb Armintor, At Large Place 5 :
Paul Meltzer, At Large Place 6:
PASSED AND APPROVED this the [illegible] day of [illegible], 2021.
GERARD HUDSPETH, MAYOR
ATTEST:
ROSA RIOS, CITY SECRETARY
APPROVED AS TO LEGAL FORM:
AARON LEAL, CITY ATTORNEY
EXHIBIT A
HIPAA BUSINESS ASSOCIATE AGREEMENT
This HIPAA Business Associate Agreement is made the 22nd day of
March 2021, ("Effective Date"), by and between City of Denton Police Department
with an address of 601 E. Hickory, Suite E, Denton, TX 76205
(“Covered Entity”) and XFERALL, LLC with an address at 111 Congress Ave., Ste.
400, Austin, TX 78701 (“Business Associate").
ARTICLE 1
Applicability
1.1 Business Associate provides a mobile application that serves to automate the
patient transfer process. During the course of the performance of such services,
Business Associate may have access to certain individually identifiable health
information maintained by Covered Entity. This Agreement applies to all present and
future contracts and relationships between Covered Entity and Business Associate,
written or unwritten, formal or informal, in which Covered Entity provides any Protected
Health Information to Business Associate in any form whatsoever. As of the Effective
Date, this Agreement automatically amends all existing agreements between Business
Associate and Covered Entity involving the use or disclosure of Protected Health
Information. This Agreement shall automatically be incorporated in all subsequent
agreements between Business Associate and Covered Entity involving the use or
disclosure of Protected Health Information, in which a business associate relationship
exists, whether or not specifically referenced therein. In the event of any conflict or
inconsistency between the provisions of this Agreement and the provisions of any other
agreement between Business Associate and Covered Entity, the provisions of this
Agreement shall control unless Covered Entity specifically agrees to the contrary in
writing.
1.2 Business Associate acknowledges that the provisions of the Federal Health
Information Technology for Economic and Clinical Health Act (the “HITECH Act”) of
2009 impose certain privacy and security obligations on Business Associate under the
HITECH Act and under existing privacy and security standards at 45 Code of Federal
Regulations Parts 160 and 164.
ARTICLE 2
Terms Used in this Agreement
2.1 “Breach” means the acquisition, access, use, or disclosure of protected
health information in a manner not permitted under the Privacy Standards of the HIPAA
Regulations which compromises the security or privacy of the protected health
information.
(a) For purposes of this definition, compromises the security or privacy of the
protected health information means poses a significant risk of financial,
reputational, or other harm to the individual;
(b) A use or disclosure of protected health information that does not include the
identifiers listed at § 164.514(e)(2) of the HIPAA Regulations, date of birth, and
zip code does not compromise the security or privacy of the protected health
information.
Breach excludes:
(a) Any unintentional acquisition, access, or use of protected health information
for a workforce member or person acting under the authority of a covered entity
or a business associate, if such acquisition, access or use was made in good
faith and within the scope of authority and does not result in further use or
disclosure in a manner not permitted under the Privacy Standards of the HIPAA
Regulations.
(b) Any inadvertent disclosure by a person who is authorized to access protected
health information at a covered entity or business associate to another person
authorized to access protected health information at the same covered entity or
business associate, or organized health care arrangement in which the covered
entity participates, and the information received as a result of such disclosure is
not further used or disclosed in a manner not permitted under subpart E of the
HIPAA Regulations.
(c) A disclosure of protected health information where a covered entity or
business associate has a good faith belief that an unauthorized person to whom
the disclosure was made would not reasonably have been able to retain such
information.
2.2 "Designated Record Set" means a group of records maintained by or for
Covered Entity that is:
(a) The medical records and billing records about the individuals maintained by
or for the Covered Entity;
(b) The enrollment, payment, claims adjudication, and case or medical
management record systems maintained by or for a health plan; or
(c) Used, in whole or in part, by or for the Covered Entity to make decisions
about individuals. As used in this Agreement, the term "record" means any item,
collection or grouping of information that includes Protected Health Information
and is maintained, collected, used or disseminated by or for the Covered Entity.
2.3 "Electronic Protected Health Information or EPHI" means Protected Health
Information transmitted by or maintained in electronic media.
2.4 "Individually Identifiable Health Information" means information that is a
subset of health information, including demographic information collected from an
individual, and:
(a) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(b) Relates to the past, present or future physical or mental health or condition of
an individual; the provision of health care to an individual; or the past, present or
future payment for the provision of health care to an individual; and
(1) Identifies the individual; or
(2) With respect to which there is a reasonable basis to believe the
information can be used to identify the individual.
2.5 "Privacy Standards" means the Standards for Privacy of Individually
Identifiable Health Information, 45 CFR Part 160 and Part 164, subparts A and E.
2.6 "Protected Health Information or PHI" means Individually Identifiable Health
Information that is:
(a) Transmitted by electronic media;
(b) Maintained in any electronic medium; or
(c) Transmitted or maintained in any other form or medium.
2.7 "Security Standards" means the Security Standards for Protection of
Electronic Protected Health Information, 45 CFR Part 160 and Part 164, subparts A and
C.
2.8 “Unsecured Health Information” means Protected Health Information that is
not rendered unusable, unreadable, or indecipherable to unauthorized individuals
through the use of a technology or methodology specified by the Secretary in the
guidance issued under Section 13402(h)(2) of Public Law 111-5 (HITECH Act) on the
HHS website.
2.9 Terms used but not otherwise defined in this Agreement shall have the same
meaning as those terms in the HIPAA Privacy Standards and Security Standards.
ARTICLE 3
Obligations of Business Associate
3.1 Use of Protected Health Information. Business Associate may use or disclose
Protected Health Information only as necessary to fulfill Business Associate’s
obligations under the Main Agreement or this Agreement or as required by law.
Business Associate shall use and disclose Protected Health Information only if such use
or disclosure is in compliance with each applicable requirement of the Privacy
Standards set forth at 45 C.F.R. § 164.504(e). Business Associate shall not, and shall
ensure that its directors, officers, employees, contractors and agents do not, use
Protected Health Information received from the Covered Entity in any manner that
would constitute a violation of the Privacy Standards if used by the Covered Entity,
except that Business Associate may use Protected Health Information (1) for Business
Associate's proper services under the Agreement, or (2) to carry out its legal
responsibilities.
3.2 Privacy Standards Requirements. Business Associate shall comply with the
HIPAA Privacy Standards to the same extent required by Covered Entities (as that term
is defined by 45 CFR § 160.103) as required by the HITECH Act §§ 13401 and 13404.
3.3 Disclosure of Protected Health Information. Business Associate shall not, and shall
ensure that its directors, officers, employees, contractors and agents do not, disclose
Protected Health Information received from the Covered Entity in any manner that
would constitute a violation of the Privacy Standards if disclosed by the Covered Entity.
To the extent Business Associate discloses Protected Health Information to a third
party, Business Associate must obtain, prior to making any such disclosure: (1)
reasonable assurances from such third party that such Protected Health Information will
be held confidential as provided pursuant to this Agreement and only disclosed as
required by law or for the purposes for which it was disclosed to such third party; and (2)
an agreement from such third party to immediately notify Business Associate of any
breaches of the confidentiality of the Protected Health Information to the extent it has
obtained knowledge of such breach. Business Associate shall disclose to its
subcontractors, agents or other third parties, and request from Covered Entity, only the
minimum PHI necessary to perform or fulfill a specific function required or permitted
hereunder.
3.4 Safeguards Against Misuse of Information. Business Associate agrees that it
will implement all appropriate safeguards to prevent the use or disclosure of Protected
Health Information other than pursuant to the terms and conditions of this Agreement.
3.5 Reporting of Disclosures of Protected Health Information. Business Associate
shall, within five (5) days of becoming aware of a disclosure of Protected Health
Information in violation of this Agreement by Business Associate, its officers, directors,
employees, contractors or agents, or by a third party to which Business Associate
disclosed Protected Health Information pursuant to Section 3.3 of this Agreement,
report any such disclosure to the Covered Entity.
3.6 Breach Notification. Business Associate shall comply with requirements for
notification of Covered Entity of Breach of Unsecured PHI as provided in 45 CFR §
164.400 et seq.
3.7 Mitigation. Business Associate shall mitigate, to the extent practicable, any
harmful effect that is known to Business Associate arising from a use or disclosure of
Protected Health Information by Business Associate in violation of the requirements of
this Agreement or of Federal or state law or regulation.
3.8 Agreements with Third Parties. Business Associate shall enter into an
agreement with any agent or subcontractor that will have access to Protected Health
Information that is received from, or created and received by Business Associate on
behalf of the Covered Entity, pursuant to which such agent or subcontractor agrees to
be bound by the same restrictions, terms and conditions that apply to Business
Associate pursuant to this Agreement with respect to such Protected Health
Information.
3.9 Access to Information. Within five (5) days of a request by the Covered Entity
for access to Protected Health Information about an individual contained in a
Designated Record Set, Business Associate shall make available to the Covered Entity
such Protected Health Information for so long as such information is maintained by
Business Associate in the Designated Record Set. In the event any individual requests
access directly from Business Associate to Protected Health Information received from,
or created or received by Business Associate on behalf of, the Covered Entity, Business
Associate shall within two (2) days forward such request to the Covered Entity. Any
denials of access to the Protected Health Information requested shall be the
responsibility of the Covered Entity. If requested by Covered Entity, Business Associate
agrees to comply with Covered Entity’s request to accommodate an individual’s access
to his or her PHI.
3.10 Availability of Protected Health Information for Amendment. Within ten (10)
days of receipt of a request from the Covered Entity for the amendment of an
individual’s Protected Health Information or a record regarding an individual contained in
a Designated Record Set (for so long as Business Associate maintains the Protected
Health Information in the Designated Record Set), Business Associate shall provide
such information to the Covered Entity for amendment and incorporate any such
amendments in the Protected Health Information as required by 45 CFR § 164.526.
3.11 Accounting of Disclosures.
(a) Within ten (10) days of notice by the Covered Entity to Business Associate
that it has received a request for an accounting of disclosures of Protected
Health Information regarding an individual during the six (6) years prior to the
date on which the accounting was requested, Business Associate shall make
available to the Covered Entity such information as is in Business Associate's
possession and is required for the Covered Entity to make the accounting
required by 45 CFR § 164.528.
(b) At a minimum, Business Associate shall provide the Covered Entity with the
following information:
(1) The date of the disclosure;
(2) The name of the entity or person who received the Protected Health
Information, and if known, the address of such entity or person;
(3) A brief description of the Protected Health Information disclosed; and
(4) A brief statement of the purpose of such disclosure which includes an
explanation of the basis for such disclosure.
(c) In the event the request for an accounting is delivered directly to Business
Associate, Business Associate shall within two (2) days forward such request to
the Covered Entity. It shall be the Covered Entity's responsibility to prepare and
deliver any such accounting requested.
(d) Business Associate hereby agrees to implement an appropriate
recordkeeping process to enable it to comply with the requirements of this
Section.
3.12 Availability of Books and Records. Business Associate hereby agrees to
make its internal practices, books and records relating to the use and disclosure of
Protected Health Information received from, or created or received by Business
Associate on behalf of, the Covered Entity available to the Secretary of the Department
of Health and Human Services for purposes of determining the Covered Entity's and
Business Associate's compliance with the Privacy Standards.
ARTICLE 4
Security of Electronic Protected Health Information
4.1 Security Safeguards. Business Associate shall implement administrative,
physical and technical safeguards that reasonably and appropriately protect the
confidentiality, integrity and availability of the electronic protected health information that
Business Associate creates, receives, maintains or transmits on behalf of the Covered
Entity as required by the Security Standards. Business Associate will ensure that any
agent, including a subcontractor, to whom Business Associate provides electronic
protected health information created, received, maintained or transmitted on behalf of
Covered Entity agrees to implement reasonable and appropriate safeguards to protect
that information.
4.2 Security Rule Provisions. Business Associate shall comply specifically with
HIPAA Security Rule provisions relating to: (a) Administrative Safeguards (45 CFR §
164.308); (b) Physical Safeguards (45 CFR § 164.310); (c) Technical Safeguards (45
CFR § 164.312); and (d) Policies and Documentation (45 CFR § 164.316).
4.3 Reporting of Security or Privacy Breaches. Business Associate shall, within
five (5) days of becoming aware of a security or privacy breach by Business Associate,
its officers, directors, employees, contractors or agents, or by a third party to which
Business Associate provided electronic protected health information, report any such
breach to the Covered Entity.
4.4 Safeguards for Protection of PHI. Without limiting any other requirements set
forth in this Agreement, Business Associate agrees that it (a) will protect and safeguard
from any verbal and written disclosure all confidential information regardless of the type
of media on which it is stored (e.g. paper, fiche, electronic files, etc.) with which it may
come into contact in accordance with applicable statutes and regulations, including but
not limited to HIPAA; (b) implement and maintain appropriate policies and procedures to
protect and safeguard the PHI; (c) use appropriate safeguards to prevent use and
disclosure of PHI other than as permitted by this agreement or as required by law.
Business Associate acknowledges that Covered Entity is relying on the administrative,
physical, and security safeguards of Business Associate in selecting Business
Associate to provide services.
ARTICLE 5
Term and Termination
5.1 Term. The Term of this Agreement shall begin upon the Effective Date and
shall terminate when all of the Protected Health Information provided by Covered Entity
to Business Associate, or created or received by Business Associate on behalf of
Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to return
or destroy Protected Health Information, protections are extended to such information.
5.2 Destruction of PHI. At the termination of the Agreement for whatever reason,
Business Associate agrees to return or certify that it has destroyed all Protected Health
Information received from, or created or received by Business Associate on behalf of
Covered Entity and will not retain any copies. If return or destruction is not feasible,
Business Associate agrees to an extension of the protections of this Agreement for as
long as necessary to protect Covered Entity’s Protected Health Information and to limit
further uses and disclosures to those purposes that make the return or destruction of
Covered Entity’s Protected Health Information unfeasible.
5.3 Consequences of Breach by Business Associate. On Covered Entity’s
learning of a material breach of this Agreement by Business Associate, Covered Entity
shall provide an opportunity for Business Associate to cure the breach or end the
violation. If Business Associate does not cure the breach or end the violation within
fourteen (14) days of being notified by Covered Entity, or if cure or ending the violation
is not possible, Covered Entity may terminate this Agreement and those portions of the
Main Agreement that involve the disclosure to Business Associate of Covered Entity’s
Protected Health Information, or, if non-severable, the Main Agreement.
ARTICLE 6
Miscellaneous
6.1 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a
meaning that permits Covered Entity to comply with HIPAA and its applicable
implementing regulation.
6.2 Notices. All notices pursuant to this Agreement must be given in writing and
shall be effective when received if hand-delivered or sent by facsimile or upon dispatch
if sent by a reputable overnight delivery service or by U.S. Mail, certified, return receipt
requested and addressed as follows:
To Covered Entity: City of Denton Police Department
ATTN: Chief Frank Dixon
601 E. Hickory, Suite E
Denton, TX 76205
To Business Associate: XFERALL, LLC
ATTN: Privacy Officer
111 Congress Ave., Ste. 400
Austin, TX 78701
6.3 Change in Law. On the enactment of any federal law or regulation, or law or
regulation of any state to whose jurisdiction Covered Entity is subject, affecting the use
or disclosure of Covered Entity's Protected Health Information, or on the publication of
any decision of a court of the United States or of any state to whose jurisdiction
Covered Entity is subject relating to any such law, or the publication of any interpretive
policy or opinion of any governmental agency charged with the enforcement of any such
law or regulation, Covered Entity may, by written notice to Business Associate, amend
this Agreement in such manner as Covered Entity determines necessary to comply with
such law or regulation. If Business Associate disagrees with any such amendment, it
shall so notify Covered Entity in writing within thirty (30) days of receipt of Covered
Entity's notice. If the parties are unable to agree on an amendment within thirty (30)
days thereafter, either of them may terminate this Agreement and those portions of the
Agreement that involve the disclosure to Business Associate of Covered Entity's
Protected Health Information, or, if nonseverable, the Agreement by written notice to the
other.
6.4 Jurisdiction and Venue. This Agreement is governed by the laws of the State
of Texas and the federal government. Venue shall be in Travis County, Texas.
6.5 Severability. In the event that any provision of this Agreement violates any
applicable statute, ordinance or rule of law in any jurisdiction that governs this
Agreement, such provision shall be ineffective to the extent of such violation without
invalidating any other provision of this Agreement.
IN WITNESS WHEREOF, the parties hereto have set their hands and seals the day and
year written above.
BUSINESS ASSOCIATE:
Date: 3/22/2021
COVERED ENTITY:
City of Denton Police Department