Laserfiche WebLink
<br /> <br /> <br />8 <br />B. Receiving Remuneration in Exchange for PHI. <br />Neither Business Associate nor any of its Representatives will, directly or indirectly, receive remuneration in <br />exchange for any use, transfer or access to any PHI or Confidential Personal Information of an Individual <br />unless the Covered Entity or Business Associate obtained from the Individual a prior valid authorization that <br />complies with applicable law that includes a specification of whether the PHI or Confidential Personal <br />Information can be further exchanged for remuneration by the entity receiving PHI of that Individual. <br />SECTION 4 SAFEGUARDS <br />A. Implement Safeguards to Protect Confidentiality. <br /> Business Associate will develop, implement, use and maintain appropriate administrative, technical, and <br />physical safeguards, consistent with the size and complexity of Business Associate’s operations to ensure <br />that PHI or Confidential Personal Information is not used or disclosed other than as provided by this <br />Agreement or as Required by Law. Business Associate will implement administrative, physical and technical <br />safeguards in compliance with Subpart C of 45 CFR Part 164 to reasonably and appropriately protect the <br />confidentiality, integrity, and availability of any paper or electronic PHI it creates, receives, maintains, or <br />transmits on behalf of Covered Entity in a manner consistent with the terms of this Agreement, the Service <br />Agreement and applicable law. <br />Business Associate will assure that all PHI will be secured when accessed by Business Associate’s <br />Representatives. Any access to PHI by Business Associate’s Representatives will be limited to legitimate <br />business needs while working with PHI. Any personnel changes by Business Associate eliminating the <br />legitimate business needs for such Representative to access to PHI – either by revision of duties or termination <br />– will be immediately reported to Covered Entity. Such reporting will be made no later than the third business <br />day after the personnel change becomes effective. <br />B. Implement Safeguards to Protect Electronic Protected Health Information. <br />Business Associate will develop, implement, and use appropriate administrative, physical, and technical <br />safeguards consistent with applicable law and this Agreement that reasonably and appropriately protect the <br />confidentiality, integrity, and availability of the PHI and Confidential Personal Information that it creates, <br />receives, maintains or transmits on behalf of Covered Entity. Business Associate will ensure that PHI and <br />Confidential Personal Information contained in portable devices or removable media is encrypted. <br />Such safeguards will include, without limitation, implementing written policies and procedures in compliance <br />with HIPAA and ARRA, conducting a security risk assessment, and training Business Associate employees <br />who will have access to PHI with respect to the policies and procedures required by applicable HIPAA Rules. <br />C. Annual Guidance. <br />Business Associate will, at its own cost and effort, monitor the issuance of guidance by the Secretary on the <br />most effective and appropriate technical safeguards for use in carrying out the security standards in subpart <br />C of part 164 of title 45, Code of Federal Regulations.