h. Amendment of PHI. Business Associate or its agents or subcontractors shall, in a reasonable time and manner, make Protected Information available to Covered Entity for amendment and incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.526. If any individual requests an amendment of Protected Information directly from Business Associate or its agents or subcontractors, Business Associate shall notify Covered Entity of the request. Any approval or denial of an amendment of Protected Information maintained by Business Associate or its agents or subcontractors shall be the responsibility of Covered Entity [45 C.F.R. Section 164.504(e)(2)(ii)(F)].

i. Accounting Rights. Business Associate and its agents or subcontractors shall, in a reasonable time and manner, make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Act, including but not limited to, 42 U.S.C. Section 17935(c). In the event that the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, Business Associate shall forward it to Covered Entity. It shall be Covered Entity's responsibility to prepare and deliver any such accounting requested. Business Associate shall not disclose any Protected Information except as set forth in Sections 2.b. of this Agreement [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528]. The provisions of this subparagraph i shall survive the termination of this Agreement.

j. Governmental Access to Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to the Secretary of the U.S. Department of Health and Human Services (the "Secretary") for purposes of determining Business Associate and/or Covered Entity's compliance with the Privacy Rule [45 C.F.R. Section 164.504(e)(2)(ii)(H)].

k. Minimum Necessary. Business Associate (and its agents or subcontractors) shall request, use and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use or disclosure [42 U.S.C. Section 17935(b); 45 C.F.R. Section 164.514(d)(3)]. Business Associate and Covered Entity acknowledge and agree that the definition of "minimum necessary" is in flux and shall keep themselves informed of guidance issued by the Secretary with respect to what constitutes "minimum necessary."

l. Notification of Breach. During the term of the SLA, Business Associate shall notify Covered Entity, as soon as practicable after discovery, of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which Business Associate becomes aware.

m. Breach Pattern or Practice by Covered Entity. Pursuant to 42 U.S.C. Section 17934(b), if Business Associate knows or learns of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity's obligations under the SLA, this Agreement or other arrangement, Business Associate shall take reasonable steps to cure the breach or end the violation or cause Covered Entity to cure the breach or end the violation. If the steps are unsuccessful, Business Associate is legally obligated to terminate the SLA or other arrangement if feasible, or if termination is not feasible, report the problem to the Secretary of DHHS. Notwithstanding anything to the contrary in the SLA, Business Associate shall not be liable for any damages suffered by Covered Entity as a result of the termination of the SLA to satisfy this obligation.

3. Obligations of Covered Entity. Covered Entity shall promptly notify Business Associate, in writing and in a timely manner, of any of the following:

a. Changes in the form of notice of privacy practices ("NPP") that Covered Entity provides to individuals pursuant to 45 C.F.R. Section 164.520, and provide Business Associate a copy of the NPP currently in use.

b. Changes in, or withdrawal of, the consent or authorization provided to Covered Entity by individuals pursuant to 45 C.F.R. Sections 164.506 or 164.508.

c. Any arrangements permitted or required of Covered Entity that may impact in any manner the use and/or disclosure of Protected Information by Business Associate under the SLA or this Agreement, including but not limited to, restrictions on use and/or disclosure of Protected Information as provided for in 45 C.F.R. Sections 164.522.

4. Termination

a. Material Breach. In the event that Covered Entity determines Business Associate has materially breached this Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within a reasonable time, Covered Entity may terminate this Agreement. [45 C.F.R. Section 164.504(e)(2)(iii)].

b. Effect of Termination. Upon termination of the Contract for any reason, Business Associate shall, to the extent feasible, return or destroy all Protected Information that Business Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. If return or destruction is not feasible, as determined by Business Associate, Business Associate shall continue to extend the protections of Section 2 of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible [45 C.F.R. Section 164.504(e)].

5. Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of the SLA or this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. Upon the request of Business Associate, Covered Entity agrees to promptly, and in no case later than thirty (30) days from Business Associate's request, enter into an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule or other applicable laws.

6. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

7. Effect on SLA. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all terms of the SLA shall remain in force and effect.

8. Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule.

9. Counterparts. This Agreement may be executed and delivered (including by facsimile or Portable Document Format (PDF) transmission) in one or more counterparts, all of which will be considered one and the same agreement and will become effective when one or more counterparts have been signed by each of the parties and delivered to the other party. Any such facsimile documents and signatures shall, subject to applicable legal requirements, have the same force and effect as manually-signed originals and shall be binding on the parties hereto.

TC-3923-080111
Employer Initial
TASC