DocuSign Envelope ID: 98C1EFCE-16F1-463F-82E1-11E2C75006F5
<br /> Information by Business Associate in violation of the requirements of this Agreement, as well as to
<br /> provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such
<br /> noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach
<br /> analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with
<br /> Covered Entity in the event that Covered Entity determines that any third parties must be notified of a
<br /> Breach, provided that Business Associate shall not provide any such notification except at the direction of
<br /> Covered Entity.
<br /> (f) Breach Reporting. Business Associate shall report in writing to Covered Entity's Privacy
<br /> Officer (see Exhibit A), any use or disclosure of Protected Health Information that is not in compliance
<br /> with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of
<br /> which it becomes aware, without unreasonable delay, and in no event later than forty-eight (48) hours of
<br /> such discovery. For purposes of this Agreement, "Security Incident" means the attempted or successful
<br /> unauthorized access, use, disclosure, modification, or destruction of information or interference with
<br /> system operations in an information system. Such notification shall contain the elements required by 45
<br /> C.F.R. § 164.410. Parties agree that notice is hereby deemed given for Unsuccessful Security Incidents, as
<br /> defined hereafter and this notice shall satisfy any notices required of Business Associate to Covered
<br /> Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents, for which no
<br /> additional notice to Covered Entity shall be given or required. An "Unsuccessful Security Incident"
<br /> means a security incident that does not result in: (1) the unauthorized access, use, disclosure, modification
<br /> or destruction of information; or (2) material interference with system operations in an information
<br /> system, including, without limitation, activity such as pings and other broadcast attacks on Business
<br /> Associate's firewall, port scans, unsuccessful log-on attempts, denial of service and/or any combination of
<br /> the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
<br /> (g) Compliance. To the extent applicable, Business Associate will comply with (i) Covered
<br /> Entity's Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to
<br /> an Individual's permission to use or disclose his or her Protected Health Information; and (iii) any
<br /> restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed
<br /> or is required to agree.
<br /> (h) Government Access. Business Associate will make its internal practices, books and
<br /> records available to the Secretary of the Department of Health and Human Services for purposes of
<br /> determining compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of
<br /> the Secretary, will comply with any investigations and compliance reviews, permit access to information,
<br /> and cooperate with any complaints, as Required by Law. Without unreasonable delay and, in any event,
<br /> no more than 48 hours of receipt of the request or notification, Business Associate will notify Covered
<br /> Entity in writing of any request by any governmental entity, or its designee, to review Business
<br /> assessment of any kind.
<br /> (i) Electronic Transactions. If Business Associate conducts any Standard Transactions for or
<br /> on behalf of Covered Entity, Business Associate shall comply with the requirements under the Electronic
<br /> Transaction Rule.
<br /> (j) Audit. Business Associate shall permit Covered Entity, in its discretion, to conduct an
<br /> audit of Business Associate's compliance with this Agreement, HIPAA, and HITECH. Such audit may
<br /> consist of an onsite visit, a series of inquiries that require written responses, or both. Business Associate
<br /> shall promptly and completely respond to Covered Entity's requests for information in support of the
<br /> audit, which shall not be conducted more than once annually except in cases of an actual or reasonably
<br /> suspected Security Incident or reasonably suspected noncompliance with this Agreement, HIPAA or
<br /> HITECH. Each Party shall bear its own costs associated with the audit.
<br /> October 2013