TERMS AND CONDITIONS

1. Definitions

a. Breach shall have the meaning given to such term under the HITECH Act [42 U.S.C. Section 17921].

b. Business Associate shall mean Total Administrative Services Corporation.

c. Covered Entity shall mean the party identified above.

d. Data Aggregation shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.

e. Designated Record Set shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.

f. Electronic Protected Health Information means Protected Health Information that is maintained in or transmitted by electronic media.

g. Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but not limited to, 42 U.S.C. Section 17921.

h. Health Care Operations shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.

i. Privacy Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.

j. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501. Protected Health Information includes Electronic Protected Health Information [45 C.F.R. Sections 160.103, 164.501].

k. Protected Information shall mean PHI provided by Covered Entity to Business Associate or created or received by Business Associate on Covered Entity's behalf.

l. Security Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.

m. Unsecured PHI shall have the meaning given to such term under the HITECH Act and any guidance issued pursuant to such Act including, but not limited to, 42 U.S.C. Section 17932(h).

2. Obligations of Business Associate

a. Permitted Uses. Business Associate shall not use Protected Information except for the purpose of performing Business Associate's obligations under the SLA and as permitted under the SLA and this Agreement. Further, Business Associate shall not use Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so used by Covered Entity. However, Business Associate may use Protected Information (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate; or (iii) for Data Aggregation purposes for the Health Care Operations of Covered Entity [45 C.F.R. Sections 164.504(e)(2)(i), 164.504(e)(2)(ii)(A) and 164.504(e)(4)(i)].

b. Permitted Disclosures. Business Associate shall not disclose Protected Information except for the purpose of performing Business Associate's obligations under the SLA and as permitted under the SLA and this Agreement. Business Associate shall not disclose Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so disclosed by Covered Entity. However, Business Associate may disclose Protected Information (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate; (iii) as required by law; or (iv) for Data Aggregation purposes for the Health Care Operations of Covered Entity. If Business Associate discloses Protected Information to a third party, Business Associate must obtain, prior to making any such disclosure, (i) reasonable assurances from such third party that such Protected Information will be held confidential as provided pursuant to this Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) an agreement from such third party to immediately notify Business Associate of any breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such breach [42 U.S.C. Section 17932; 45 C.F.R. Sections 164.504(e)(2)(i), 164.504(e)(2)(i)(B), 164.504(e)(2)(ii)(A) and 164.504(e)(4)(ii)].

c. Prohibited Uses and Disclosures. Business Associate shall not use or disclose Protected Information for fundraising or marketing purposes. Business Associate shall not disclose Protected Information to a health plan for payment or health care operation purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates [42 U.S.C. Section 17935(a)]. Business Associate shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of Covered Entity and as permitted by the HITECH Act, 42 U.S.C. Section 17935(d)(2); however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the SLA.

d. Appropriate Safeguards. Business Associate shall implement appropriate safeguards as are necessary to prevent the use or disclosure of Protected Information otherwise than as permitted by the SLA or this Agreement, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Information, in accordance with 45 C.F.R. Sections 164.308, 164.310, and 164.312. [45 C.F.R. Section 164.504(e)(2)(ii)(B); 45 C.F.R. Section 164.308(b)]. Business Associate shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. Section 164.316 [42 U.S.C. Section 17931].

e. Reporting of Improper Access, Use or Disclosure. Business Associate shall report to Covered Entity any access, use or disclosure of Protected Information not permitted by the SLA and this Agreement, and any Breach of Unsecured PHI of which it becomes aware without unreasonable delay and in no case later than 60 calendar days after discovery [42 U.S.C. Section 17921; 45 C.F.R. Section 164.504(e)(2)(ii)(C); 45 C.F.R. Section 164.308(b)].

f. Business Associate's Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides Protected Information, agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI and implement the safeguards required by subparagraph d above with respect to Electronic PHI [45 C.F.R. Section 164.504(e)(2)(ii)(D); 45 C.F.R. Section 164.308(b)].

g. Access to Protected Information. Within thirty (30) days of receiving a written request from Covered Entity, Business Associate shall make Protected Information maintained by Business Associates or its agents or subcontractors in Designated Record Sets available to Covered Entity, in reasonable time and manner, for inspection and copying to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.524 [45 C.F.R. Section 164.504(e)(2)(ii)(E)]. If Business Associate maintains an Electronic Health Record, Business Associate shall provide such information in electronic format to enable Covered Entity to fulfill its obligations under the HITECH Act, including, but not limited to, 42 U.S.C. Section 17935(e).

Tc- 3923 - 080111 Employer Initial II