IV. Electronic Security Provisions

A. Introduction. This section applies where Business Associate, on behalf of Covered Entity, performs or assists in the performance of functions and activities that may involve the creation, maintenance, receipt, or transmission of Electronic Protected Health Information. This Section IV along with the other sections of the Business Associate Agreement are (1) provisions of Security Rule, and (2) govern the terms and conditions under which the Business Associate may create, maintain, receive, and transmit Electronic Protected Health Information on behalf of Covered Entity. In general, Business Associate agrees and intends to act such that (1) Covered Entity can fulfill its responsibilities under HIPAA; (2) Business Associate can fulfill its responsibilities under HIPAA; and (3) Business Associate can fulfill its contractual obligations under this Agreement.

B. Obligations of Business Associate. In accordance with the Security Rule, Business Associate agrees to:

1. Conduct a security risk assessment (in accordance with 45 C.F.R. Section 164.308(a)(1)(ii)(A)) and adopt and implement policies and procedures designed to ensure compliance with the Security Rule and this Agreement including, but not limited to, identifying a security officer and training personnel. This Paragraph IV.B.1 shall be effective as of the compliance date applicable under the final regulations issued under HITECH that address this requirement.

2. Implement administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, maintains, receives, or transmits on behalf of Covered Entity;

3. Report to Covered Entity any Security Incident of which Business Associate becomes aware within ten (10) business days of its discovery by the Business Associate;

4. Promptly mitigate, to the extent practicable, any harmful effect of a Security Incident that is known to Business Associate; and

5. Enter into a written contract with any agent or Subcontractor to whom Business Associate provides Electronic Protected Health Information that requires such agent or Subcontractor to comply with the same restrictions and conditions that apply under this Section IV to Business Associate, including, but not limited to, implementing reasonable and appropriate safeguards to protect such information.

C. Obligations of Covered Entity. Covered Entity shall not request or direct Business Associate to create, maintain, receive, or transmit Electronic Protected Health Information in any manner that would not be permissible under the Security Rule.

V. Breach Notification Requirements

If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information, Business Associate shall notify Covered Entity of a Breach of such Unsecured Protected Health Information without

MEDSURETY, LLC
33
Administration Agreement (Non-ERISA) Exhibit
Business Associate Agreement