B. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
<br /> 1. Use and Disclosure of PHI. Business Associate shall not use or further disclose PHI other than as
<br /> permitted by this Agreement or as required by law. To the extent practicable, Business Associate shall
<br /> limit its use or disclosure of PHI or requests for PHI to a limited data set, or if necessary, to the minimum
<br /> necessary to accomplish the intended purpose of such use, disclosure or request.
<br /> 2. Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI
<br /> other than pursuant to the terms and conditions of this Agreement, including establishing procedures that
<br /> limit access to PHI within its organization to those employees with a need to know the information.
<br /> Business Associate agrees that it will implement reasonable administrative, physical, and technical
<br /> safeguards to protect the confidentiality, integrity and availability of electronic PHI that it creates, receives,
<br /> maintains or transmits on behalf of the Covered Entity, as required by the HIPAA Privacy Rule.
<br /> Effective February 17, 2010, the requirements of 45 C.F.R. Sections 164.308, 164.310 and 164.312
<br /> applicable to such administrative, physical and technical safeguards shall apply to Business Associate in the
<br /> same manner that such sections apply to Covered Entity. Further, effective February 17, 2010, Business
<br /> Associate shall implement, and maintain in written form, reasonable and appropriate policies and
<br /> procedures to comply with the standards, implementation specifications or other requirements of the
<br /> HIPAA Security Rule, in accordance with 45 C.F.R. Section 164.316, which shall apply to Business
<br /> Associate in the same manner that such sections apply to Covered Entity.
<br /> 3. Unauthorized Disclosures of PHI. Business Associate shall, within ten (10) business days of becoming
<br /> aware of a disclosure of PHI in violation of this Agreement by Business Associate, its officers, directors,
<br /> employees, contractors, or agents or by a third party to which Business Associate disclosed PHI, report to
<br /> Covered Entity any such disclosure. Business Associate agrees to mitigate, to the extent practicable, any
<br /> harmful effect of the unauthorized disclosure. This section shall also apply to any breach of unsecured PHI
<br /> where the breach is applicable to new regulations and is discovered on or after 30 days from the issuance of
<br /> those new regulations. Notice of any such breach shall include the identification of any individual whose
<br /> unsecured PHI has been, or is reasonably believed by Business Associate, to have been accessed, acquired or
<br /> disclosed during such breach and any other information required by the applicable regulations.
<br /> 4. Security Incidents. Business Associate shall promptly report to Covered Entity any Security Incident of
<br /> which it becomes aware, in accordance with the HIPAA Security Rule.
<br /> 5. Agreements With Third Parties. Business Associate agrees to ensure that any agent, including a
<br /> subcontractor, to whom it provides PHI received from, or created or received by Business Associate on
<br /> behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this
<br /> Agreement to Business Associate with respect to such information.
<br /> 6. Access to Information. Within ten (10) business days of a request by the Covered Entity for access to PHI
<br /> about an individual contained in a Designated Record Set, Business Associate shall make available to the
<br /> Covered Entity such PHI for so long as such information is maintained in a Designated Record Set. In the
<br /> event any individual requests access to PHI directly from the Business Associate, Business Associate shall
<br /> respond to the request for PHI within ten (10) business days. Any denials of access to the PHI requested
<br /> shall be the responsibility of the Business Associate.
<br /> 7. Availability of PHI for Amendment. Business Associate agrees to make any amendments to PHI in a
<br /> Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the
<br /> request of the Covered Entity or an individual, and in the time and manner designated by Covered Entity.
<br /> 8. Inspection of Books and Records. Business Associate agrees to make its internal practices, books, and
<br /> records relating to the use and disclosure of PHI received from, or created or received by Business
<br /> Associate on behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered
<br /> Entity, to the Secretary of the U.S. Department of Health and Human Services or its designee (the
<br /> "Secretary"), in a time and manner designated by the Covered Entity or the Secretary, for purposes of the
<br /> Secretary determining Covered Entity's compliance with HIPAA.
<br /> 9. Accounting of Disclosures. Business Associate agrees to maintain and make available to the Covered
<br /> Entity an accounting of disclosures of PHI as would be required for Covered Entity to respond to a request by an
<br /> individual made in accordance with 45 CFR 164.528. Business Associate shall provide an accounting of
<br /> disclosures made during the six (6) years prior to the date on which the accounting is requested (or during the
<br /> three (3) years prior to the date the accounting is requested for PHI maintained in an electronic health record,
<br /> beginning on the applicable effective date pursuant to the American Recovery and Reinvestment Act of 2009).
<br /> At a minimum, the accounting of disclosures shall include the following information: