D. Privacy Provisions.
The enhanced HIPAA privacy requirements including but not necessarily limited to accounting for certain PHI disclosures for treatment, restrictions on the sale of PHI, restrictions on marketing and fundraising communications, payment and health care operations contained in Subtitle D of the HITECH Act that apply to the Covered entity will equally apply to the Business Associate.

SECTION 5 REPORTING OF BREACHES, IMPROPER DISCLOSURES, AND SECURITY INCIDENTS

A. Breaches.

(1) Reporting of Privacy or Security Breach.
Business Associate will report to Covered Entity any use or disclosure of PHI by Business Associate or any Representatives not permitted by this Agreement and the Service Agreement along with any Breach or possible Breach of Unsecured PHI. Business Associate will treat the Breach or possible Breach as being discovered in accordance with 45 CFR § 164.410. Business Associate will make the report to Covered Entity’s Privacy Official immediately following the discovery of a breach of such information. Initial notification of the breach does not need to be in compliance with Sub Title D Title IV Section 13402 of the HITECH Act; however, Business Associate must provide to Covered Entity in writing all information necessary for Covered Entity to comply with Sub Title D Title IV Section 13402 of the HITECH Act without delay, and in no case later than 15 days following the discovery of the breach. If a delay in notification is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate will prepare a written assessment of the risk of harm to the Individuals affected by the Breach and provide the same to the Covered Entity as soon as reasonably possible after discovery of the Breach. Business Associate will update its assessment as additional information is obtained and will provide all updated assessments to Covered Entity as soon as reasonably possible but not later than five (5) days after Business Associate obtains additional information.

(2) Contents of Report of Breach.
Business Associate’s written report of a Breach and assessment required under paragraph (1) above pertaining to a Breach or possible Breach will include, at a minimum: (a) the identification of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (b) the date of the Breach, possible Breach, or other non-permitted use, access or disclosure, if known; (c) the nature and scope of the Breach, possible Breach, or other non-permitted use or disclosure; (d) who impermissibly used or to whom the information was impermissibly disclosed or committed the Breach; (e) the investigational actions Business Associate took or will take to prevent further non-permitted uses or disclosures; (f) the Business Associate’s written assessment of whether there is a low probability that the PHI has been compromised, along with the basis for its assessment; (g) a description of the Business Associate’s response to the Breach, including steps taken to mitigate the risk of harm; (h) steps affected Individuals should take to protect themselves; and (i) if the Business Associate asserts that the impermissible use or disclosure falls within one of the exceptions to the definition of “breach” under 45 CFR § 164.402, which exception.

The Business Associate will promptly notify Covered Entity, in writing, of any additional information relevant to the impermissible use, access or disclosure of information as it becomes available. The Business