<br />July 2024
<br />
<br />(d) Agents and Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and
<br />164.308(b)(2), if applicable, Business Associate shall ensure that any agents or subcontractors that create,
<br />receive, maintain, or transmit protected health information on behalf of the business associate agree by
<br />written contract to the same, or greater, restrictions, conditions, and requirements that apply to the Business
<br />Associate with respect to such information, and to agree to implement reasonable and appropriate
<br />safeguards to protect any of such information that is Electronic Protected Health Information. In addition,
<br />Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do
<br />not cause Business Associate to breach the terms of this Agreement.
<br />
<br />(e) Mitigation of Breach. Business Associate agrees to mitigate, to the extent practicable, any
<br />harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information
<br />by Business Associate in violation of the requirements of this Agreement, as well as to provide complete
<br />cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or
<br />Security Incident. Business Associate shall cooperate in Covered Entity’s breach analysis and/or risk
<br />assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event
<br />that Covered Entity determines that any third parties must be notified of a Breach, provided that Business
<br />Associate shall not provide any such notification except at the direction of Covered Entity.
<br />
<br />(f) Breach Reporting. Business Associate shall report in writing to Covered Entity’s Privacy
<br />Officer (see Exhibit A), any use or disclosure of Protected Health Information that is not in compliance
<br />with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of
<br />which it becomes aware, without unreasonable delay, and in no event later than forty-eight (48) hours of
<br />such discovery. For purposes of this Agreement, “Security Incident” means the attempted or successful
<br />unauthorized access, use, disclosure, modification, or destruction of information or interference with system
<br />operations in an information system. Such notification shall contain the elements required by 45 CFR
<br />164.410.
<br />
<br />(g) Compliance. To the extent applicable, Business Associate will comply with (i) Covered
<br />Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed regarding an
<br />Individual’s permission to use or disclose his or her Protected Health Information; and (iii) any restrictions
<br />to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required
<br />to agree.
<br />
<br />(h) Government Access. Business Associate will make its internal practices, books and
<br />records available to the Department of Health and Human Services for purposes of determining compliance
<br />with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Department of Health
<br />and Human Services, will cooperate with any investigations and compliance reviews, permit access to
<br />information, and address any complaints, as Required by Law. Without unreasonable delay and, in any
<br />event, no more than 48 hours of receipt of the request or notification, Business Associate will notify
<br />Covered Entity in writing of any request by any governmental entity, or its designee, to review Business
<br />Associate’s information of any kind.
<br />
<br />(i) Electronic Transactions. If Business Associate conducts any Standard Transactions for or
<br />on behalf of Covered Entity, Business Associate shall comply with the requirements under Federal
<br />Electronic Transaction Rules.
<br />
<br />(j) Audit. Business Associate shall permit Covered Entity, in its discretion, to conduct an
<br />audit of Business Associate’s compliance with this Agreement, HIPAA, and HITECH. Such audit may
<br />consist of an onsite visit, a series of inquiries that require written responses, or both. Business Associate
<br />shall promptly and completely respond to Covered Entity’s requests for information in support of the audit,
<br />which shall not be conducted more than once annually except in cases of an actual or reasonably suspected
<br />Security Incident or reasonably suspected noncompliance with this Agreement, HIPAA or HITECH. Each
<br />Party shall bear its own costs associated with the audit.
<br />Docusign Envelope ID: 1CF66486-1DB7-491A-9655-4FEEFEFF6BEE
<br />In Process
<br />Docusign Envelope ID: 990FE6D3-EA62-4090-A5F1-B27674BBDED5
|