that is not provided for or permitted by this Agreement or under HIPAA. Service Provider shall be responsible for all reasonable costs of notification associated with a breach or impermissible disclosure.

(b) Service Provider agrees to report to Client and Gehring Group the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify or destroy electronic versions of any of PHI or interfere with systems operations in an Information System containing PHI, of which Service Provider becomes aware, provided that: (a) such reports will be provided only as frequently as the Parties mutually agree, but no more than once per month; and, (b) if the definition of "Security Incident" is amended under the Security Rule to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy electronic PHI, this Section 2.3 shall no longer apply as of the effective date of such amendment.

(c) Service Provider shall notify Client and Gehring Group of a Breach of unsecured PHI within ten (10) business days after discovery of such a Breach in accordance with 45 CFR 164.410. The notice required by this Section 2.3(c) shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by Service Provider to have been, accessed, acquired, used, or disclosed during the breach.
Such notice shall also include any of the following information, if available:

(i) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(ii) A description of the types of unsecured protected health information that were involved in the breach; and

(iii) A brief description of what the breaching Party is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.

2.4 Use of Subcontractors.

(a) Service Provider shall not delegate the performance of any Services without the prior written consent of Gehring Group and Client.

(b) To the extent that Service Provider uses one or more subcontractors or agents to perform its obligations under the Service Provider Agreement, and such subcontractors or agents receive or have access to PHI, Service Provider agrees to obtain written Service Providers that any such subcontractor or agent agrees to the same restrictions and conditions that apply to Service Provider with respect to such PHI, including the requirement that subcontractors and agents agree to implement reasonable and appropriate safeguards to protect electronic PHI that is disclosed to subcontractors and agents by Subcontractor. Service Provider will disclose to any such subcontractor no more than a limited data set or the Minimum Necessary, as applicable, pursuant to HIPAA requirements.

(c) If, pursuant to future regulations promulgated by HHS, subcontractors of business associates are deemed to be business associates, Service Provider will (i) ensure its subcontractors comply with all of the provisions of HIPAA applicable to business associates; and