1.15 "Unsecured Protected Health Information" or "Unsecured PHI" shall have the meaning assigned to such term in 45 C.F.R. § 164.402 and guidance issued thereunder.

2. OBLIGATIONS OF THE PARTIES

2.1 Gehring Group shall safeguard all PHI and Electronic PHI created or received by Gehring Group on behalf of Client in accordance with HIPAA. Gehring Group shall implement administrative, physical and technical safeguards that prevent use or disclosure of the Electronic Protected Health Information other than as permitted by the Security Rules. Specifically, Gehring Group agrees to implement policies and procedures in accordance with 45 C.F.R. § 164.316 that:

i. Prevent, detect, contain and correct security violations in accordance with the administrative safeguards set forth in 45 C.F.R. § 164.308;

ii. Limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed in accordance with the physical safeguards set forth in 45 C.F.R. § 164.310; and

iii. Allow access to electronic information systems that maintain Electronic PHI to only those persons or software programs that have been granted access rights in accordance with the technical safeguards set forth in 45 C.F.R. § 164.312.

2.2 Gehring Group shall not use or disclose PHI or Electronic PHI except as permitted or required by Article 3 of this Agreement or as Required by Law. Gehring Group shall notify Client of all requests for the disclosure of PHI and Electronic PHI from a law enforcement or government official, or pursuant to a subpoena, court or administrative order, or other legal request as soon as possible prior to making the requested disclosure. Gehring Group shall provide to Client all PHI and Electronic PHI necessary to respond to these requests as soon as possible, but no later than ten (10) business days following its receipt of a written request from Client.

2.3 Client shall provide to Gehring Group, and Gehring Group shall request from Client, disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only a Limited Data Set or, if necessary or otherwise permitted by HHS regulations, the minimum PHI or Electronic PHI necessary to perform or fulfill a specific function required or permitted under the Agreement. "Minimum necessary" shall be interpreted in accordance with HITECH, and in any event shall not include any direct identifiers of individuals such as names, street addresses, phone numbers or social security numbers, except for a unique identifier assigned by Client as necessary for the strategic analysis.

2.4 Gehring Group shall comply with all granted restrictions on the use and/or disclosure of PHI, pursuant to 45 C.F.R. § 164.522(a), upon written notice from Client; provided, however, that Client shall not grant any restriction that affects Gehring Group's use or disclosure of PHI without first consulting with Gehring Group.