Laserfiche WebLink
Upon Business Associate's receipt of the Requests,either from the Covered Entity or directly from <br /> the Individual, the Claims Administrator shall: (a) evaluate each Request consistent with the <br /> HIPAA Rules and the Business Associate's policies, procedures and practices; (b) for Requests <br /> that may affect the policies, procedures or practices of the Covered Entity, coordinate with the <br /> Covered Entity about evaluation of the Requests and mutually agree on the result;(c)for Requests <br /> that may involve the Covered Entity's other business associates, request information from the <br /> business associate identified by the Covered Entity necessary for fulfilling the Requests; (d) <br /> communicate the result of the evaluation directly to the Individual within the legal timeframes <br /> established for each type of Request; (e) notify the Covered Entity of the outcome of each <br /> Requested identified by the Covered Entity at the time of notice to the Claims Administrator; and <br /> (f) implement each Request that is granted. <br /> 2.8 Use of Subcontractors and Agents. Business Associate shall require each of its agents <br /> and subcontractors that receive PHI from Business Associate to execute a written agreement <br /> obligating the agent or subcontractor to comply with the same or substantially similar restrictions <br /> and conditions that apply to the Business Associate as set forth in HIPAA,the Privacy <br /> Regulations and Security Regulations, and this Agreement. <br /> 2.9 Agreement to Mitigate. Business Associate agrees to mitigate,to the extent practicable <br /> as determined by the Business Associate, any harmful effect that is known to Business Associate <br /> of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this <br /> Agreement, and to promptly communicate to Covered Entity any actions taken pursuant to this <br /> paragraph. <br /> 2.10 Business Associate Practices, Policies and Procedures. Business Associate's privacy and <br /> security policies and practices shall meet current standards set by RCW 70.02.050 and the <br /> HIPAA Privacy and Security Standards (as may be amended from time to time)governing the <br /> protection of PHI including, without limitation, user authentication, data encryption,monitoring <br /> and recording of access rights to system(s), and internal privacy standards, all designed to <br /> provide assurances that the requirements of this Agreement are met. <br /> 2.11 Reporting Breach of Unsecured PHI. Business Associate shall report promptly to <br /> Covered Entity a breach of Unsecured Protected Health Information without unreasonable delay, <br /> but not later than five (5)days, following Business Associate's discovery of such breach, where <br /> such report will include the identification of each individual whose Unsecured PHI has been or is <br /> reasonably believed to have been breached and other information as requested by Covered <br /> Entity. For purposes of the foregoing obligation, "breach" shall mean the acquisition,access, <br /> use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Regulations which <br /> compromises the security or privacy of such information, i.e.,poses a significant risk of <br /> financial, reputational, or other harm to the individual,and as further defined in 45 CFR Section <br /> 164.402. <br /> Schedule 4, Page 3 <br />