Loading...
HomeMy WebLinkAboutCI Information Management - Records Off-Site Storage Agreement 041315Information P.O. Box 7346 - Kennewick, WA 99336 - 509-586-6090 Information Management Service Agreement This Information Management Agreement ("Agreement") is entered into as of this 13th, day of April, 2015("Effective Date") by a d between CI Support, LLC dba CI Information Management (Company), having a place of business at 900 S. Dayton, Kennewick, WA 99336 ("Company") and City of Pasco, having a place of business at PO Box 293, 525 N. 3 d Ave., Pasco, WA 99301 ("Client"). I. RECORDS MANAGEMENT SERVICES - Company hereby agrees to accept for storage and to service under its management system such materials (Stored Material) as Records, Media, and/or Materials Client requests, subject to all terms and conditions herein, including those incorporated as attachments hereof. Client agrees to pay Company for its services according to Company" current rate schedule, or any revisions thereto. The attached Schedule A- Information Management Fee Schedule, Schedule B - Standard Storage & Operating Procedures; Schedule C- "FACT Act" or "FACIA" Affidavit, Schedule D- Gram - Leach -Bliley; Schedule E - "HIPAA" or Business Associate Agreement; ScheduleF - Media Storage & Service Rates, and are incorporated herein and made a part hereof, Unless modified by specific provisions set forth in Schedule A, B, or F' the following terms and conditions shall apply to this Agreement. I.I. STORED MATERIAL - From and after the effective date fora period of one 1 service the Stored Records, Media and/or Material identified on the provided Intake Transmittal Form. Company l ent shall Com " an I y may modify or add to the record materials included in the Schedule of Stored Materials. Such additional Stored Material shall, unless otherwise agreed in writing, be deemed to be held under the same terms and conditions as the Stored Material. I.2. ACCESS TO STORED MATERIAL - a. Stored Material and information contained in said Stored Material shall be delivered only to Client's Authorized Representative. Client represents that the Authorized Representative has full authority to order any service for or removal of the Stored Material, and to deliver and receive such. Such order may be given via telephone, electronically, fax, or in writing. b. When any Stored Material is ordered out, a reasonable time shall be given to the Company to carry out said instructions; and if it is unable to do so (or to provide any other service herein contemplated) because of acts of God or public enemy, seizure or legal process, strikes, lockouts, riots and civil commotions, extreme weather or other reason beyond the Company's control, or because of loss or destruction of goods for which the Company is not liable, or because of any other excuse provided by law, the Company shall not be liable for failure to carry out such instructions or services. c. The Company reserves the right to deny access to or delivery of Stored Material until such time as Client has cured any default under this Agreement. d. Authorized representatives of Client shall have the right at reasonable times and upon reasonable notice to examine the records and/or media and compilations of data of the Company which pertain to the performance of the provisions of the Agreement. e. The Company shall not be liable for damage to client materials in transit, or to items which may receive sudden and accidental damage, pursuant to conditions specified in Section 3. L The Company shall have no liability to Client by granting access to any Records to any person authorized under this Section, unless the Company receives prior notice revoking the authorization. 1.3. DECLARATION OF EXCESS VALUATION - Client declares that the valuation of deposits made hereunder is $2.00 per carton, container, disk, tape, or disk pack and agreepayment shall be made simultaneously with the s to pay an additional monthly te of ra $ per $1000.00 of declared Excess Valuation, of which normal monthly rate specified herein. The Company may, at its discretion, elect to repair, replace or restore lost or damaged property up to the valuation declared by the Client, whether the property is lost in whole or in part. Client shall cause it s ers of dej waive any right of against the Company. 41 (Clientre) (Date) Page 1 of 6 CfIM v 04.07.14 Rec 1.4. DISPOSAL OF RECORDS I.4.1. FACTA - This Agreement adopts the standard of proper disposal set forth in the Federal Trade Commission's Rule, "Disposal of Consumer Report Information and Records" (16 CFR Part 682), hereinafter referred to as e "FTC Disposal Rule", (Schedule C). At the time of signing this Agreement Client shall sign, or designate an Authorized Representative of the Client to sign a copy of the attached Fair and Accurate Credit Transactions Act ("FACT Act" or "FACTA") Affidavit (Schedule Q. I.4.2. PROCEDURE - Upon written instruction from the Client or its Authorized Representative or upon ti (3 0) days advance written notice to Client regarding the occurrence of any Events of Default, pursuant to sectio V.2(b), the Company may facilitate proper disposal of Stored Material. The Client releases the Company from liability by reason of the destruction of such Stored Material pursuant to such authority or notice. The Compan shall facilitate such proper disposal in accordance with the FTC Disposal Rule requirements in effect at the ti of the final disposition. The Client shall bear the costs at the then current market rate of such proper disposal directed by this affidavit. II. RATES - Client agrees to pay company for its services according the attached Information Management Fee Schedule (Schedule A). Fees may increase, and will be accepted by Client up to three percent per year (3%). Monthly storage/retention chat shall be due in advance. For Stored Material received during a month or stored for a portion of a month, charges will be assessed according to Schedule A. Company reserves the right to request amendment of Schedule A in the event of an unexpected and severe increase in vendor -driven operating expenses which are beyond the control of Company. Additional service charges and late payment fees, if any, shall be paid simultaneously with the monthly storage/retention charges. If the Client fails to pay the charges when due, Client shall be liable for late charges at the rate of 18% per annum, and Client shall also be liable for all expenses incurred in collecting charges which are in arrears, including reasonable attorneys' fees. III. LIMITATIONS OF LIABILITY 111.1. STORED MATERIAL — The Company shall not be liable for any loss or damage to Stored Material, however caused, unless such loss or damage resulted from the failure by the Company to exercise such care in regard thereto as a reasonably careful person would exercise in like circumstances. The Company is not responsible for the repair, replacement or restoration of lost or damaged property, subject to the conditions and limitations imposed by this Agreement. Company's liability if any, for loss damage, or destruction to part or all of the Stored Material stored hereunder shall be limited to $2.00 per carton, cubic foot, container, X-ray, disk, tape, disk pack or hard drive which amount Client declares to be the value of Stored Materials, unless Client declares an excess valuation and pays an additional monthly charge for said excess valuation, as provided in Section I.3. In such case, Company liability shall be limited to the amount of the excess valuation per carton, cubic foot, container, X-ray, disk, tape, disk pack or hard drive. Such limitation of liability shall apply irrespective of the cause of loss, damage, or destruction of the Stored Material. The Company accepts no liability for the deterioration of media in storage. Client shall cause its insurers of deposits to waive any right of subrogation against the Company. IIIA. CLAIMS FOR LOSS - Claims by the Client for loss, damage, or destruction must be presented in writing to the Company within a reasonable time and in no event longer than ninety (90) days after Client is notified by the Company or otherwise receives notice that loss, damage or destruction to part or all of the Stored Material has occurred, whichever time is shorter. No action or suit may be maintained by the Client or others against the Company for loss, damage or destruction of the Stored Material, unless timely written claim has been given, and unless such action or suit is commenced either within nine (9) months after date of delivery or return by the Company, or within nine (9) months after the Client is notified or otherwise receives notice that loss, damage or destruction to part or all of said Stored Material has occurred, whichever is shorter. III.5. COMMON CARRIER - Although some ancillary transportation may be furnished in connection with the delivery and pickup of Stored Material and other services, the Company is not and shall not be deemed a contract or common carrier, and the limitations on liability and claims procedure in this Agreement shall apply to any such ancillary transportation services. IV. TERM AND TERMINATION Page 2 of 6 CfIM vp4.04.14 Rec IV -1- TERM AND RENEWAL - The Initial Term of this Agreement shall commence at the date of the Agreemen continue for one year. After the Initial Term, the term shall be automatically extended and be renewed for successive pe of one year each (a "Renewal Term") unless either party gives notice to the other of termination, in writing, at least sixt days in advance of the Initial Term or Renewal Term. Upon giving such notice, this Agreement shall terminate at the en the then current term. Such notice of termination shall specify an address for delivery of the Stored Materials. N.2. TERMINATION - In the event of termination, all amounts due for services rendered and storage fees through the effective Initial or Renewal Term shall become due and payable in accordance with Schedule A. If, without notification termination, substantially all of the Stored Items are withdrawn from storage, this withdrawal will be considered a Termination. On termination or expiration of this Agreement, Client shall promptly return any property belonging to C (such as keys, containers, etc.) and CIIM shall remove and deliver all Stored Material and other property in CIIM's possession or Premises, at Client's expense, to Client at Client's designated address. V. DEFAULT VI. 1. The occurrence of any one or more of the following events shall constitute a default Events of Default: a. Failure to pay any sum due hereunder within thirty (30) days of invoice date; or b. Breach of any provisions of this Agreement; or c. Either party becomes insolvent or files, or has filed against it, any proceeding in federal or state court seeking debtor relief. and (60) of VI.2. Upon the occurrence of any of the Events of Default, Company, at its sole option, may exercise any or all of following remedies without terminating the Agreement: the a. Demand payment in advance by certified check, cashier's check, money order, or wire transfer prior to the performance of any services on behalf of the client. b. Demand in writing that Client pick up the Stored Material; or deliver the Stored Material to the Delivery Address, if none specified, to the Client Address. C. Upon thirty (30) days advance written notice to Client, Company may facilitate proper disposal of Stored Material, as set forth in I.4.2, above. (In this regard, the Client recognizes that, since the Stored Material has little or no market value, that sale of the material would be impossible, and disposal of client materials is the only way for the Company to mitigate its damage.) d. If this Agreement shall not have been terminated, Client shall continue to pay all sums due under this Agreement up to and including the date of delivery of the Stored Material as provided in (b) above. e. Terminate this Agreement, whereupon Company shall recover all damages suffered by reason of such termination, including reasonable attorneys' fees. VI.3. In the event Company takes any action pursuant to this Section, it shall have no liability to Client or anyone claiming through Client. The exercise by Company of any one or more of the remedies provided in this Agreement shall not prevent the subsequent exercise by Company of any one or more of the other remedies herein provided. All remedies provided for in this Agreement are cumulative and may, at the election of Company, be exercised alternatively, successively or in any other manner and are in addition to any of the rights provided by law. Company shall be entitled to include all reasonable attorneys' fees and costs incurred in connection with the enforcement of this Agreement. VI. OWNERSHIP WARRANTY - The Client warrants that it is the owner or legal custodian of the Stored Material, or otherwise has full authority to store or destroy said record material in accordance with the terms of this Agreement. Customer shall reimburse Company for any expenses reasonably incurred by Company (including reasonable legal fees) by reason of Company complying with its obligations under this Agreement to destroy or store such materials in the event of a dispute concerning the handling of the materials provided by Customer to Company. VII. INDEMNIFICATION - Unless caused by the negligence of the Company, the Client agrees to fully indemnify and hold harmless the Company, its officers, employees and agents for any liability, cost or expense, including reasonable attorneys' fees, that the Company may suffer or incur as a result of claims, demands, costs or judgments against it arising out of its relations with the Client or third parties pursuant to this Agreement. VIH. RULES AND RESPONSIBILITIES VIII.1. OPERATING PROCEDURES - The Client agrees to comply with the attached Schedule B -Standard Storage and Q I M v 04.04.14 Ree Page 3 of 6 Operating Procedures, VIII.2. RIGHT TO RELY ON INSTRUCTIONS - Company may act in reliance upon any instruction, instrument, or signature reasonably believed by Company to be genuine, and may assume that any of Customer's employees or any employee of Customer's affiliates or subsidiaries giving any written notice, request, or instruction has the authority to do so. VIII.3. COMPLIANCE WITH CONTRACTS, LAWS AND REGULATIONS - Customer shall be responsible for, and warrant compliance with, all contractual restrictions and all applicable laws, rules and regulations, including but not limited to environmental Iaws and contractual restrictions and Iaws governing the confidentiality, retention and disposition of information contained in any materials delivered to Company. Company shall comply with applicable laws, statutes, regulations and ordinances. VIIIA. COOPERATION AND ASSISTANCE - Customer shall cooperate with Company with regard to the performance of the Services, subject to normal security requirements and in a manner that is not unnecessarily disruptive to Customer's business operations, by providing to Company such information, data, access to premises, management decisions and approvals as may be reasonable to permit Company to perform the Services hereunder. VIII.5. DISALLOWED ITEMS - The Client shall not, at any time, store with the Company, any narcotics, materials considered to be highly flammable, explosive, toxic, radioactive, organic material which may attract vermin 3r insects, or any other materials which are otherwise illegal, dangerous and unsafe to store or handle in an enclosed area. The Company reserves the right to open and inspect any record materials tendered from storage and refuse acceptance o any record materials which fail to comply with the Company's storage restrictions and guidelines. Client shall no store negotiable instruments, jewelry, check stock, ticket stock or other items which have intrinsic market value. In the event of the accidental or negligent custodial transfer of hazardous or regulated waste, including bio -hazard, Client agrees to arrange to appropriately, safely and legally assume custody of such hazardous materials at their expense and further to indemnify the Company from any property damage or personal injury resulting from such transfer of material. VIII.b. MATERIAL VARIANCES TO DESCRIPTIONS - Itemized lists or descriptions of contents of materials submitted by the Client to the Company shall be generally considered for recordkeeping, reconciliation, and reference purposes only, and are not to be considered proof that said documents contained on such lists and descriptions are in fact contained in the materials accepted. Company will make provision for validation of such document contents in advance and under special terms and fess at the request of the Customer VIII.$. ACCEPTANCE - In the absence of an executed contract, the act of tendering said material for storage and/or other services by Company constitute acceptance by client to the terms, conditions and rates of this contract. VIII.9. INVENTORY SHORTAGE - Unless the Company is contracted by the Client to inventory the contents of all materials stored, the Company shall not be liable for loss of goods due to inventory shortage or unexplained or mysterious disappearance of goods; and the Company shall not be liable for such loss unless the Client establishes such loss occurred because of the Company's failure to exercise the care required under Section III, above. IX. CONFIDENTIALITY - The Company shall exercise the same degree of care in safeguarding Stored Material entrusted to it by Client which a reasonable and careful company would exercise with respect to similar records of its own provided; however, that liability of the Company to Client shall be limited as set forth in Section I I I above. The Company may comply with any subpoena or similar order related to the stored records, provided that the Company notifies Client promptly upon receipt thereof, unless such notice is prohibited by law. Client shall pay Company's reasonable charges, including attorneys' fees, for such compliance. X. DISPUTE RESOLUTION - Except as necessary to secure injunctive relief, any claims or disputes arising out of this agreement, the parties hereby agree to submit the same to binding arbitration pursuant to RCW 7.04A at a location to be mutually agreed upon in Benton County, Washington, In the event the parties are unable to promptly agree upon an arbitrator, the same shall be selected by the presiding judge for Benton County Superior Court at the request of either party. The ruandatory arbitration rules, as implemented in Benton County Superior Court, shall be binding as to procedure. The prevailing party in any such dispute shall be entitled to recover reasonable attorney's fees. XI. MISCELLANEOUS Page 4 of 6 CIIM v 04.04.14 Rec XIA. ENTIRE AGREEMENT - This Agreement constitutes the entire agreement between Company and Customer with respect to the subject matter of this Agreement. No change, waiver, or discharge of this Agreement shall be valid unless in writing and executed by the party against whom such change, waiver, or discharge is sought to be enforced. Except as provided in Section III, this Agreement may be amended only by an amendment in writing signed by Customer and Company. No waiver of any right or remedy shall be effective unless in writing and nevertheless, shall not operate as a waiver of any other right or remedy on a future occasion. The term "Agreement" as used herein shall be deemed to include all such schedules. All words and phrases in this Agreement shall be construed to include the singular or plural number, and the masculine, feminine or neuter gender, as the context requires. XI.2. BINDING NATURE AND ASSIGNMENT - This Agreement shall be binding on the parties and their respective successors and assigns. Company shall have the right of assignment to successor with sixty days (60) days written notification to Client. XI.3. INVALIDITY - Every provision of this Agreement is intended to be severable. If any term or provision is illegal; invalid or unenforceable, there shall be added automatically as part of this Agreement, a provision as similar in terms as necessary to render such provision legal, valid and enforceable. This Agreement shall be constructed in accordance with the laws of Washington State without giving effect to its conflict of laws or principles. In addition, the Company shall have, and may exercise, all rights granted to warehousemen by the Uniform Commercial Code as adopted in Washington State. All Schedules, if any, attached hereto are hereby incorporated by reference and made a part hereof. XIA. FORCE MAJEURE - Each party shall be excused from any delay or failure in performance under this Agreement for any period if and to the extent that such delay or failure is caused by acts of God, governmental actions, labor unrest, riots, unusual traffic delays or other causes beyond its control. XI,S. RELATIONSHIP OF PARTIES - Company is acting as an independent contractor hereunder and has the sole right and obligation to supervise, manage, contract, direct, procure, perform, or cause to be performed all work to be performed by Company under this Agreement. Nothing in this Agreement shall be deemed or construed to constitute or create a partnership, association, joint venture, agency or fiduciary relationship between the parties hereto. XI.6. EXCLUSIVITY - Customer agrees to retain Company on an exclusive basis at all facilities covered by this agreement for the term of this contract. XI.7. NOTICES - All notices under this Agreement shall be in writing. Unless delivered personally, all notices shall be addressed to the appropriate addresses noted herein, or as otherwise noted in writing in accordance with this provision. Notices shall be effective upon receipt unless mailed by certified or registered mail, in which event notices shall be deemed to have been received as of the third business day after the date of posting. IN WITNESS WHEREOF, each of the parties have caused this Agreement to be executed by its duly authorized representative as of the Effective Date first set forth above. Upon execution, this contract replaces previous contracts between Client and Customer for the same services. Page 5 of 6 C I I M vC14.04.14 Rec By l�y�p Signature Ue ZAC,,t Print Name and Title Company Mailing/Billing Address 0 WA Y3 a Cify, State, Zip Code CI Information Mana meat By Sig t Jeff Thom Son Print Name Director of Operations Tithe +'� I Er`rective Date THIS IS A SIX PAGE SERVICE AGREEMENT WITH THREE (3) REQUIRED ATTACHMENTS: SCHEDULE A - INFORMATION MANAGEMENT AND DOCUMENT DESTRUCTION SERVICE RATES; SCHEDULE B- STANDARD STORAGE & OPERATING PROCEDURES; SCHEDULE C -"FACT ACT" AFFIDAVIT AND APPENDIX. THREE (3) OPTIONAL ATTACHMENTS: SCHEDULED - GRAMM-LEACH-BLILEY ACT (GLBA); SCHEDULE E- BUSINESS ASSOCIATE AGREEMENT (HIPAA); AND SCHEDULE F -MEDIA STORAGE AND SUCH BECOME AN INTEGRAL PART OF THIS SERVICE AGREEMENT. SERVICE RATES; AND AS ClIM v 04.04.14 Rec Page 6 of 6 City of Pasco Date: April 13, 2015 Schedule 'A' Information Management and Document Destruction Fee Schedule Ci Information Management criM v.s za.zois 586-6090 ext 400 542-0600 fax Information Management City Of Pasco Schedule `B' - Standard Storage and Operating Procedures OBJECTIVE: The purpose of this document is to provide both parties with a set of procedures and rules for our mutually successful partnership. These procedures are intended to allow us to manage the day-to-day workflow in an efficient manner so that we may provide superior customer service at a reasonable price. The ordering/authorization procedures are required as part of our commitment to manage your vital records with the highest levels of security. OPERATING HOURS: L Regular operating hours are 8:00 AM to 4:30 PM Monday through Friday. 2. Holidays are: New Year's Day, President's Day, Memorial Day, Fourth of July, Labor Day, Thanksgiving Day and the day after, and Christmas Day. 3. All orders requiring retrieval and/or delivery outside of regular operating hours are subject to After Hours retrieval and/or delivery charges. REGULAR ORDERS: I, Orders placed before 10:00 am will generally be delivered the next business day. RUSH ORDERS: I. RUSH retrievals/deliveries will be delivered within three Operating Hours, and will be charged at RUSK retrieval and delivery rates. 2. RUSH requests that cause the 3 -hour delivery window to fail outside of normal operating hours will be charged the After Hours rates. ORDERING: Faxed requests on CIIM forms are preferred, with full details of material being requested, including container name and number or CIIM's Barcode Number as provided in your regular reports. Requests must be signed by an Authorized Individual, with the specified delivery address that has been designated by an Authorized Management Representative. Telephoned requests must be followed by a faxed request, thereby generating an acceptable audit trail, preferably on an C1IM Form, if a CIIM form is not available, then faxes must be sent on company letterhead or company fax form, with all required information. All RUSH requests must be made by an Authorized Individual by a telephone call, relating what material is being requested to assure timely receipt of the request. A confirming fax must be sent for all RUSH requests. AUTHORIZATIONS I . Orders will be processed only if requested by a Management Authorized Individual. 2. Items will only be delivered to an authorized location, and delivery receipts being signed by a Management Authorized Individual. 3. Exceptions to the authorized list will only be made with a written request on company letterhead, and signed by an Authorized Management Individual. STORAGE CHARGES: 1. Odd sized items (other than the standard record storage cartons) will be charged based on volume of cubic feet displacement in the storage facility, or by the linear foot. 2. Unstable Record Storage Cartons will be repacked at Client expense, at the current rate for Repacking an Unstable Container. All files retrieved from inside cartons will be indexed by CUM at the then current indexing fee. Media Tapes will be retrieved from inside containers only if CIIM has previously indexed the tapes in the container. Any exceptions to these rules and procedures shall be noted below and signed by the same individual that signed the Information Management Agreement, Signature of Cie Date CIIM V4.07.14 of CI City of Pasco Schedule V- Fair and Accurate Credit Transactions Act ("FACT Act" or "FACTA") Affidavit This affidavit is designed to facilitate compliance with the rule of the Federal Trade Commission, "Disposal of Consumer Report Information and Records" (16 CFR Part 682), hereinafter referred to as the "FTC Disposal Rule". The initial FTC Disposal Rule is attached as an appendix to this affidavit. Any future amendments to this rule's duties and obligations are automatically incorporated in the definition of "FTC's Disposal Rule". The FTC Disposal Rule was promulgated pursuant to the FACT Act, and it sets for the standard for proper disposal as follows: "Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." 16 CFR § 682.3(a) "`Consumer information' means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data." 16 GFR § 682.1(b) In signing this attachment to the Service Agreement, ("THE CLIENT") acknowledges that CI Information Management has made THE CLIENT aware of its obligation to properly dispose of "consumer information". In order to facilitate compliance with the FACT Act, THE CLIENT hereby certifies that its records and information materials provided to CI Information Management for offsite information management on [date] ("Stored Material") comply with one of the following conditions indicated below: I hereby certify that NO Stored Material contains any "consumer information" as defined in 16 CFR § 682,1(b). I hereby certify that all Stored Material which contains "consumer information" as defined in 16 CFR § 682.1(b) has been identified clearly. THE CLIENT further directs C! Information Management to facilitate proper disposal of all identified "consumer information" at its final disposition date, in accordance with the FTC Disposal Rule. I hereby certify that, because it is not known whether aII Stored Material does or does not contain "consumer information" as defined by 16 CFR § 682.1(b), THE CLIENT directs CI Information Management to facilitate proper disposal of all information owned by THE CLIENT for which C1 Information Management is custodian at its final disposition date, in accordance with the FTC Disposal Rule. I, the undersigned, certify that I have read the information contained in this Addendum to the Service Agreement and have informed CI In Management of the true condition of the records owned by THE CLIENT. Representing THE CLIENT, -2k�l '&► sae. 4 -les Name (Signature) Title Name (Print) Page 1 of 2 CIIM V10.8.13 Date Appendix 16 CFR Part 682—Disposal of Consumer Report Information and Records § 682.1 Definitions. (a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (b) "Consumer information" means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information. that does not identify individuals, such as aggregate information or blind data. (c) "Dispose", "disposing", or "disposal" means: (1) The discarding or abandonment of consumer information, or (2) The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. § 682.2 Purpose and scope. (a) Purpose. This part ("rule") implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. (b) Scope. This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information. § 682.3 Proper disposal of consumer information. (a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. (b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this pari. (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed. (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. (3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company. (4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section. (5) For persons subject to the Gramm -Leach -Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314 ("Safeguards Rule"), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule. § 682.4 Relation to other laws. Nothing in the rule in this part shall be construed: (a) To require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or (b) To alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record. § 682.5 Effective date, The rule in this part is effective on lune 1, 2005. Page 2 of 2 C11M v-10,813 City of Pasco Schedule 'E'— Business Associate Addendum to Records Storage and Service Agreement — "HIPAA" This Addendum to Records Storage and Service Agreement ("Addendum") dated is made a part of the Records Storage and Service Agreement, including the Schedules (exhibits) thereto, between CI Information Management and City of Pasco dated April 13, 2015 ("Agreement"). Any inconsistency between the Agreement and this Addendum shall be governed by this Addendum. Section I. Definitions a. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402. b. Business Associate. "Business Associate" shall mean CI Information Management C. Covered Enti "Covered Entity" shall mean CLIENT NAME d. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). e. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts Ar and E. f. Protected Health Information "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. g. Re wired B Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103. h. Secr_ etarv, "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. i. Security Rule `Security Rule' shall mean the Standards for Security of Individually Identifiable Health Information at 45 CFR part164, subparts A and C). j. Storage and Service A eement. Prior agreement signed between Covered Entity and Business Associate in which the Business Associate regularly Uses and/or Discloses protected health information in its performance of services for the Covered Entity. k. Unsecured Protected Health Information. "Unsecured Protected Health Information" means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the Use of a technology or methodology specified by the Secretary in guidance issued under section 13402(h)(2) of Public Law 111-5. Capitalized terms Used but not otherwise defined in this Agreement shall have the same meaning as ascribed to those terms in 45 CFR Parts 160 and 164. Section H, Obligations and Activities of Business Associate a. Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this Agreement, the Records Storage and Service Agreement and the HITECH Act, or as Required By Law. Business Associate may Use and Disclose Covered Entity's PHI only if such Use or disclosure is in compliance with each applicable requirement of the Privacy Rule's Business Associate Contract standard [sec. 164.504(e)]. Page 1 of 5 C11M U 3.20,14 b. Business Associate agrees to Use appropriate safeguards to prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement or the Record Storage and Service Agreement or to carry out other legal responsibilities of Business Associate. c. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Privacy Rule, Security Rule, and HITECH Act. d. Business Associate recognizes that, as of February 18, 2010, the administrative, physical, and technical standards and implementation specifications of the Security Rule apply to Business Associate in the same manner that they apply to Covered Entity. e. Business Associate agrees to report to Covered Entity any Use or Disclosure of the Protected Health Information not provided for by this Agreement or the Records Storage and Service Agreement of which it becomes aware. Such notice shall be given promptly, and in any event within the timeframe required by 45 CPR 164.410. f. Business Associate shall, following the discovery of a Breach, notify the Covered Entity of such breach promptly and in any event within sixty (60) days after the Breach was discovered or should have been discovered. Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or Disclosed during such breach if Business Associate knows such information. g. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same privacy and security restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. h. If PHI is in a Designated Records Set, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner agreed by both parties, to Protected Health Information in such Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. i. If PHI is in a Designated Records Set, Business Associate agrees to make any amendment(s) to Protected Health Information in such Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner agreed by both parties. j. Business Associate agrees to document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act. Business Associate agrees to provide to Covered Entity, in time and manner consistent with terms in the Records Storage and Service Agreement, information collected to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Act. k. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the Use and Disclosure of Protected Health Information created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner consistent with the terms of the Records Storage and Service Agreement or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule, Security Rule, or the HITECH Act. 1. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner consistent with the terms and conditions of the Records Storage and Service Agreement, information collected in accordance with Section II. of this Agreement, to permit Covered Entity to respond to a request by an Page 2of5 CIII~JJI V 3.20.14 Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. Section M. Permitted Uses and Disclosures by Business Associate General Use and Disclosure Provisions a. Services Business Associate provides services for Covered Entity that involve the Use and Disclosure of Protected Health Information, which services are described in the Storage and Services Agreement. Except as otherwise specified herein, the Business Associate may make any and all Uses of Protected Health Information necessary to perform its obligations as set forth in the Records Storage and Service Agreement . Additionally, Business Associate may Disclose Protected Health Information for the purposes authorized by this Agreement only (a) to its employees, subcontractors and agents, in accordance with Section I -VI, or (b) as directed by the Covered Entity, if such Use or Disclosure of Protected Health Information would not violate the Privacy Rule or HITECH Act Section IV. Specific Use and Disclosure Provisions Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. a. Except as otherwise limited in this Agreement, Business Associate may Disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. b. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(c)(2)(i)(B). Section V. Qbli ations of Covered Enfity a. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information. b. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, to the extent that such changes may affect Business Associate's Use or disclosure of Protected Health Information. c. Covered Entity will not ask the Business Associate to undertake any acts inconsistent with the Security Rule, the Privacy Rule or the HITECH Act. d. Covered Entity agrees to provide Business Associate with information about Disclosures requested by individuals. e. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, and the HITECH Act to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information. Page 3 of 5 CIIM V 3,20.14 Section VI. Permissible Requests by Covered Entity Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the Security Rule, Privacy Rule or the HITECH Act if done by Covered Entity unless these activities are permitted under Section IV. of this Agreement. Covered Entity shall reimburse Business Associate for any damages, costs, fines or penalties incurred by reason of actions taken by Business Associate pursuant to Covered Entity instructions that are in breach of this provision. Section VIL Term and Termination a. Term, The Term, Termination and Effects of Termination of this Agreement shall be the same as the terms and conditions identified in the Records Storage and Service Agreement. The obligations of Business Associate shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in the Records Storage and Service Agreement. b. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall first: I. Provide a reasonable opportunity, in no case less than 60 days, for Business Associate to cure the breach or, at the discretion of Business Associate, end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity and by this section; 2. Immediately terminate this Agreement, subject to the remainder of the terms of the Records Storage and Service Agreement, if Business Associate has breached a material term of this Agreement and cure is not possible; or 3. If neither cure nor termination is feasible, Covered Entity shall report the violation to the Secretary. C. Effect of Termination. 1. Except as provided in the Records Storage and Service Agreement and paragraph (2) of this section, upon termination of this Agreement in accordance with the provisions of this agreement and the Records Storage and Service Agreement, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information. 2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the Covered Entity's acceptance that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Business Associate shall be entitled to compensation for continued maintenance of Protected Health Information as provided for in Schedule B of the Records Storage and Service Agreement. Miscellaneous Page 4of5 CIIM V 3.20.94 a. Re lata References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 and regulations issued thereunder, unless such requirements would be not commercially reasonable or would cause a Party to be out of compliance with its legal obligations.. C. Survival. The respective rights and obligations of Business Associate under Section 7. Term of this Agreement shall survive the termination of this Agreement. d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule and the HITECH Act. �4 Signature: Signal Name: Name r" Title: Title: Date: Date: Page 5 of 5 CIIM V 3.20.14