Laserfiche WebLink
MariBMI Audit Services <br /> 1.7 "Protected Health Information"or"PHI"shall have the meaning given to such term in the <br /> Privacy Rule at 45 CFR 160.103. <br /> 1.8 "Security Incident" has the meaning set out in the Security Rule. Generally, a "Security <br /> Incident" means any attempted or successful unauthorized access, use, disclosure, modification, <br /> or destruction of information or systems operations in an electronic information system. <br /> 1.9 "Security Rule" means the Security Standards and Implementation Specifications at 45 <br /> C.F.R. Parts 160 and 164. <br /> 1.10 "Unsecured PHI"means PHI that is not rendered unusable,unreadable, or indecipherable <br /> to unauthorized individuals through the use of either the encryption method or the destruction <br /> method, as defined in Department of HHS guidance Issued under section 13403(h)(2) of Public <br /> Law 111-5. <br /> SECTION 2 <br /> PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE <br /> 2.1 General Permitted Uses and Disclosures. Except as otherwise limited in this Agreement, <br /> Business Associate may use or disclose PHI to perform functions,activities, or services for, or on <br /> behalf of, Covered Entity as specified in the Services Agreement, provided that such use or <br /> disclosure would not violate the Privacy Rule(or Covered Entity's policies and procedures)if done <br /> by Covered Entity. Business Associate will, in its performance of the functions, activities, <br /> services, and operations specified above or detailed in the Services Agreement, make reasonable <br /> efforts to use, to disclose, and to request only the minimum amount of Covered Entity's PHI <br /> reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except <br /> that Business Associate will not be obligated to comply with this minimum-necessary limitation if <br /> neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to <br /> the minimum necessary. Business Associate and Covered Entity acknowledge that the phrase <br /> "minimum necessary"shall be interpreted in accordance with the Health Information Technology <br /> for Economic and Clinical Health Act("HITECH Act"),passed as part of the American Recovery <br /> and Reinvestment Act of 2009, Public Law 111-5, and government guidance of the definition. <br /> 2.2 Permitted Uses and Disclosures for Legal Responsibilities. Except as otherwise limited in <br /> this Agreement, Business Associate may use PHI for the proper management and administration <br /> of Business Associate or to carry out the legal responsibilities of Business Associate. <br /> 2.3 Permitted Uses and Disclosures for Administration. Except as otherwise limited in this <br /> Agreement, Business Associate may disclose PHI for the proper management and administration <br /> of Business Associate,provided that disclosures are required by law or Business Associate obtains <br /> reasonable assurances from the person to whom the information is disclosed that it will remain <br /> confidential and be used or further disclosed only as required by law or for the purpose for which <br /> it was disclosed to the person,and the person notifies Business Associate of any instances of which <br /> he/she is aware in which the confidentiality of the information has been breached. <br /> 2.4 Permitted Uses and Disclosures for Data Aggregation. Except as otherwise limited in this <br /> Agreement, Business Associate may use PHI to provide to Covered Entity Data Aggregation <br /> services that relate to the health care operations of Covered Entity. <br /> Business Associate Agreement 2 <br />