Laserfiche WebLink
accordance with 45 C.F.R. § 164.524. Business Associate will provide such PHI in an <br />electronic format upon request by Covered Entity unless it is not readily producible in such <br />format in which case Business Associate will provide Covered Entity a readable electronic <br />format as agreed to by Covered entity and Individual. <br />3.7. Compliance with Requirements. To the extent Business Associate is to carry out Covered <br />Entity's obligation under HIPAA, Business Associate will comply with the requirement <br />applicable to such obligation. <br />3.8. Amendment of PHI. Where PHI held by Business Associate is contained in a Designated <br />Record Set, within fifteen (15) days of receiving a written request from Covered Entity or an <br />Individual, Business Associate will make any requested amendment(s) or correction(s) to PHI <br />in accordance with 45 C.F.R. § 164.526. <br />3.9. Disclosure Documentation. Business Associate will document its disclosure of PHI and <br />information related to such disclosures as would be required for Covered Entity to respond to <br />a request by an Individual for an accounting of disclosures of PHI in accordance with C.F.R. § <br />164.528. <br />3.10. Accounting of Disclosures. Within thirty (30) days of receiving a request from Covered Entity, <br />Business Associate will provide to Covered Entity information collected in accordance with <br />Section 3.8 of this Agreement, as necessary to permit Covered Entity to make an accounting <br />of disclosures of PHI about an Individual in accordance with 45 C.F.R. § 164.528. <br />3.11. Access to Business Associate's Internal Practices. Business Associate will make its internal <br />practices, books, and records, including policies and procedures and PHI, relating to the use <br />and disclosure of PHI, including EPHI, created, used, disclosed, received, maintained, <br />accessed, or transmitted by Business Associate on behalf of Covered Entity, available to the <br />Secretary or to Covered Entity, in a time and manner designated by the Secretary or reasonably <br />specified by Covered Entity, for purposes of the Secretary determining Business Associate or <br />Covered Entity's compliance with the HIPAA Privacy Regulations and HIPAA Security <br />Regulations. <br />3.12. Breach Notification. Business Associate, following the discovery of a Breach of Unsecured <br />Protected Health Information, shall notify Covered Entity of such Breach. Except as otherwise <br />required by law, Business Associate shall provide such notice in writing without unreasonable <br />delay, and in no case later than ten (10) calendar days after discovery of the Breach. <br />3.12.1. Notice to Covered Entity required by this Section 3.12 shall include (i) to the extent <br />possible, the names of the individual(s) whose Unsecured Protected Health <br />Information has been, or is reasonably believed by Business Associate to have been <br />accessed, acquired, used or disclosed during the Breach; (ii) a brief description of what <br />happened including the date of the Breach and the date of the discovery of the Breach, <br />if known; (iii) a description of the types of Unsecured Protected Health Information <br />that were involved in the Breach; (iv) a brief description of what Business Associate is <br />doing or will be doing to investigate the Breach to mitigate harm to the individual(s) <br />and to protect against further Breaches; and (v) any other information that Covered <br />Page 4 of 9 <br />