Laserfiche WebLink
e-MDs BUSINESS ASSOCIATE AGREEMENT 7!■Ds <br />protected health information has been, or is reasonably believed to have been, accessed, acquired, used, <br />or disclosed during the breach. Either at the time of the original notification, or promptly thereafter as the <br />information becomes available, Business Associate shall provide to the Covered Entity, to the extent <br />possible, any other available information that the Covered Entity is required to include in its notification to <br />affected individuals under 45 C.F.R. § 164.404(c).; <br />4. make its procedures, policies, and documentation of safeguards available to the Secretary of Health and <br />Human Services (the "Secretary") for purposes of demonstrating compliance with the Security <br />Regulations; and <br />5. authorize termination of the Agreement by the Covered Entity, if the Covered Entity determines that the <br />Business Associate has violated a material term of the Agreement, as set forth more fully in section 4.2 of <br />this Agreement. <br />f. To the extent Business Associate discloses PHI to a third party as permitted by this Agreement, Business <br />Associate must obtain, prior to making any such disclosure: (i) reasonable assurances from such third party <br />that such PHI will be held confidential as provided pursuant to this Agreement, and only disclosed as required <br />by law or for the purposes for which it was disclosed to such third party; and (ii) an agreement from such third <br />party to immediately notify Business Associate of any breaches of confidentiality of PHI, to the extent it has <br />knowledge of such breach. <br />g. Business Associate agrees that it will incorporate in all agreements with its contractors and vendors, such <br />HIPAA compliance provisions as are substantially in the form set forth in this Agreement so that each shall be <br />bound thereunder to the same extent as Business Associate is bound hereunder. <br />In. In the event Business Associate (i) is ordered by any court of competent jurisdiction or governmental agency <br />to disclose PHI (ii) receives a request from the Secretary to inspect Business Associate's books and records <br />relating to the use and disclosure of PHI, Business Associate agrees to promptly notify the Covered Entity <br />and cooperate with the Covered Entity in connection with any reasonable and appropriate action the Covered <br />Entity deems necessary with respect to such PHI. In particular, Business Associate agrees to make its <br />internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for <br />purposes of demonstrating compliance with the Privacy Regulations. <br />Document such disclosures of PHI and information related to such disclosures as would be required for <br />Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance <br />with 45 CFR § 164.528. <br />Within 30 days of receiving a written request from the Covered Entity, provide to the Covered Entity such <br />information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an <br />individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. § 164.528. <br />In the event a request is received directly by the Business Associate from an individual requesting an <br />accounting of disclosures, Business Associate will notify Covered Entity within five (5) business days and <br />only act as instructed by the Covered Entity. <br />k. At the request of, and in the time and manner designated by the Covered Entity, provide access to the PHI in <br />a Designated Record Set created or maintained by the Business Associate to the Covered Entity or the <br />individual to whom such PHI relates or his or her authorized representatives in order to meet a request by <br />such individual under 45 C.F.R. § 164.524. In the event a request is received directly by the Business <br />Associate from an individual requesting access to their PHI, Business Associate will notify Covered Entity <br />within five (5) business days and only act as instructed by the Covered Entity. <br />I. At the request of, and in a commercially reasonable time and manner designated by the Covered Entity, <br />make any amendment(s) to the PHI that the Covered Entity directs pursuant to 45 C.F.R. § 164.526. Where <br />the Covered Entity denies, in whole or in part, the individual's request to amend, and the individual files a <br />Statement of Disagreement, the Covered Entity's initial denial, the individual's Statement of Disagreement <br />and the Covered Entity's Rebuttal Statement, if any, must be retained by the Business Associate and <br />appended or linked to the PHI in that individual's Designated Record Set which was the subject of the <br />requested amendment. In the event a request is received directly by the Business Associate from an <br />individual requesting an amendment to the PHI in that individual's Designated Record Set whether or not <br />maintained by the Business Associate, Business Associate will notify Covered Entity within five (5) business <br />days and only act as instructed by the Covered Entity. <br />e -MDs BAA — Page 2 of 7 <br />Revised 5/7/2010 <br />