2018-075S
Entry Properties
Last modified: 12/29/2020 11:17:01 AM
Creation date: 5/1/2018 1:15:57 PM

Metadata
Template: Official Documents
Official Document Type: Agreement
Approved Date: 04/17/2018
Control Number: 2018-075S
Agenda Item Number: 12.D.1.
Entity Name: Benefit Express Services, LLC; BenefitExpress
Subject: Technology and Services Agreement

Benefit Express Services, LLC
Technology and Services Agreement

Associate made the disclosure, (3) a brief description of the Covered Entity's Protected Health Information disclosed, and (4) a brief statement of the purpose of the disclosure.

2. Disclosure Information for Repetitive Disclosures. For repetitive disclosures of the Covered Entity's Protected Health Information that the Business Associate makes for a single purpose to the same person or entity (including the Covered Entity), the Disclosure Information that the Business Associate must record is either the Disclosure Information specified above for each accountable disclosure, or (1) the Disclosure Information specified above for the first of the repetitive accountable disclosures; (2) the frequency, periodicity, or number of the repetitive accountable disclosures; and (3) the date of the last of the repetitive accountable disclosures.

iv. Availability of Disclosure Information. The Business Associate will maintain the Disclosure Information for at least 6 years following the date of the accountable disclosure to which the Disclosure Information relates (3 years for disclosures related to an Electronic Health Record, starting with the date specified by HHS). The Business Associate will make the Disclosure Information available to the Covered Entity within fifty (50) calendar days following the Covered Entity's request for such Disclosure Information to comply with an individual's request for disclosure accounting. Effective as of the date specified by HHS, with respect to disclosures related to an Electronic Health Record, the Business Associate shall provide the accounting directly to an individual making such a disclosure request, if a direct response is requested by the individual.

To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

(d) Restriction Agreements and Confidential Communications. The Covered Entity shall notify the Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR §164.520, to the extent that such limitation may affect the Business Associate's use or disclosure of Protected Health Information. The Business Associate will comply with any agreement that the Covered Entity makes that either (i) restricts use or disclosure of the Covered Entity's Protected Health Information pursuant to 45 CFR §164.522(a), or (ii) requires confidential communication about the Covered Entity's Protected Health Information pursuant to 45 CFR §164.522(b), provided that the Covered Entity notifies the Business Associate in writing of the restriction or confidential communication obligations that the Business Associate must follow. The Covered Entity will promptly notify the Business Associate in writing of the termination of any such restriction agreement or confidential communication requirement and, with respect to termination of any such restriction agreement, instruct the Business Associate whether any of the Covered Entity's Protected Health Information will remain subject to the terms of the restriction agreement. Effective February 17, 2010 (or such other date specified as the effective date by HHS), the Business Associate will comply with any restriction request if: (i) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and (ii) the Protected Health Information pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.

VII. Breaches and Security Incidents

(a) Reporting

i. Impermissible Use or Disclosure. The Business Associate will report to Covered Entity any use or disclosure of Protected Health Information not permitted by this Addendum not more than fifteen (15) calendar days after Business Associate becomes aware of such non-permitted use or disclosure.

ii. Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity's Protected Health Information not permitted by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 CFR 164.404, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity's Privacy Official not more than fifteen (15) calendar days after the Business Associate becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate's report will at least:

1. Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach;
2. Identify the Covered Entity's Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis;
3. Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure;
4. Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches;
5. Identify what steps the individuals who were subject to a Breach should take to protect themselves; and
6. Provide such other information, including a written report and risk assessment under 45 CFR §164.410, as the Covered Entity may reasonably request.