BMI Audit Services

(iii) a description of the type of Unsecured PHI involved (e.g., social security number, diagnosis, or disability code), including the type of media, but not the Breached PHI itself;

(iv) a description of the safeguards in place prior to the Breach (e.g., firewalls, packet filtering, secure browser sessions, strong authentication); and

(v) a description of the actions taken in response to the Breach (e.g., additional safeguards, mitigation, sanctions, policies and procedures).

(d) Notification to Individuals. When a Business Associate discovers a Breach of Unsecured PHI that occurs while the Business Associate is responsible for the privacy and security of the information, the Covered Entity shall notify each affected individual in accordance with the requirements of 45 C.F.R. § 164.404.

(e) Notification to Media. When a Business Associate discovers a Breach of Unsecured PHI affecting more than 500 individuals that occurs while the Business Associate is responsible for the privacy and security of the information, the Covered Entity shall provide a notice in the form of a press release to a prominent media outlet in accordance with the requirements of 45 C.F.R. § 164.406.

(f) Documentation and Retention. The Business Associate must retain a copy of all risk assessment documentation and notifications created or sent in compliance with this Section 3.14 for six years. Upon request, the Business Associate shall provide to the Plan a copy of any documentation or notification created or sent in compliance with this Section 3.14 that was not previously required to be provided to the Covered Entity.

3.15 Sale of PHI. Business Associate is prohibited from exchanging PHI for direct or indirect remuneration without obtaining the individual's authorization.

3.16 Compliance. Business Associate shall make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, documentation required by the Security Rule relating to safeguards, and documentation required by the Breach Notification Rule available to Covered Entity, or to the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule, Security Rule, and Breach Notification Rule.

3.17 Compliance With Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of Covered Entity for which HHS has established standards, Business Associate will comply, and will require any of its own subcontractors it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule and of any operating rules adopted by HHS with respect to Transactions.

Business Associate Agreement 6