My WebLink
|
Help
|
About
|
Sign Out
Home
Browse
Search
2018-075S
CBCC
>
Official Documents
>
2010's
>
2018
>
2018-075S
Metadata
Thumbnails
Annotations
Entry Properties
Last modified
12/29/2020 11:17:01 AM
Creation date
5/1/2018 1:15:57 PM
Metadata
Fields
Template:
Official Documents
There are no annotations on this page.
Document management portal powered by Laserfiche WebLink 9 © 1998-2015
Laserfiche.
All rights reserved.
/
18
PDF
Print
Pages to print
Enter page numbers and/or page ranges separated by commas. For example, 1,3,5-12.
After downloading, print the document using a PDF reader (e.g. Adobe Reader).
View images
View plain text
A t <br />,,' ? benefitcx��rc�ss <br />�rlltrli M[.t it��l1'.h�E�l'' ��I ,��'1: <br />Benefit Express Services, LLC <br />Technology and Services Agreement <br />Associate made the disclosure, (3) a brief description of the Covered Entity's Protected Health Information disclosed, <br />and (4) a brief statement of the purpose of the disclosure. <br />2. Disclosure Information for Repetitive Disclosures. For repetitive disclosures of the Covered Entity's Protected Health <br />Information that the Business Associate makes for a single purpose to the same person or entity (including the Covered <br />Entity), the Disclosure Information that the Business Associate must record is either the Disclosure Information <br />specified above for each accountable disclosure, or (1) the Disclosure Information specified above for the first of the <br />repetitive accountable disclosures; (2) the frequency, periodicity, or number of the repetitive accountable disclosures; <br />and (3) the date of the last of the repetitive accountable disclosures. <br />iv. Availability of Disclosure Information. The Business Associate will maintain the Disclosure Information for at least 6 years <br />following the date of the accountable disclosure to which the Disclosure Information relates (3 years for disclosures related to <br />an Electronic Health Record, starting with the date specified by HHS). The Business Associate will make the Disclosure <br />Information available to the Covered Entity within fifty (50) calendar days following the Covered Entity's request for such <br />Disclosure Information to comply with an individual's request for disclosure accounting. Effective as of the date specified by <br />HHS, with respect to disclosures related to an Electronic Health Record, the Business Associate shall provide the accounting <br />directly to an individual making such a disclosure request, if a direct response is requested by the individual. To the extent the <br />Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with <br />the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and make its internal <br />practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. <br />(d) Restriction Agreements and Confidentiol Communications. The Covered Entity shall notify the Business Associate of any limitations <br />in the notice of privacy practices of Covered Entity under 45 CFR §164.520, to the extent that such limitation may affect the Business <br />Associate's use or disclosure of Protected Health Information. The Business Associate will comply with any agreement that the <br />Covered Entity makes that either (i) restricts use or disclosure of the Covered Entity's Protected Health Information pursuant to 45 <br />CFR §164.522(a), or (ii) requires confidential communication about the Covered Entity's Protected Health Information pursuant to 45 <br />CFR §164.522(b), provided that the Covered Entity notifies the Business Associate in writing of the restriction or confidential <br />communication obligations that the Business Associate must follow. The Covered Entity will promptly notify the Business Associate <br />in writing of the termination of any such restriction agreement or confidential communication requirement and, with respect to <br />termination of any such restriction agreement, instruct the Business Associate whether any of the Covered Entity's Protected Health <br />Information will remain subject to the terms of the restriction agreement. Effective February 17, 2010 (or such other date specified <br />as the effective date by HHS), the Business Associate will comply with any restriction request if: (i) except as otherwise required by <br />law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of <br />carrying out treatment); and (ii) the Protected Health Information pertains solely to a health care item or service for which the health <br />care provider involved has been paid out-of-pocket in full. <br />VII. Breaches and Security Incidents <br />(a) Reporting <br />L Impermissible Use or Disclosure. The Business Associate will report to Covered Entity any use or disclosure of Protected Health <br />Information not permitted by this Addendum not more than fifteen (15) calendar days after Business Associate becomes aware <br />of such non -permitted use or disclosure. <br />ii. Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity's <br />Protected Health Information not permitted by this Addendum of which it becomes aware, including breaches of Unsecured <br />Protected Health Information as required by 45 CFR 164.404, and any Security Incident of which it becomes aware. The Business <br />Associate will make the report to the Covered Entity's Privacy Official not more than fifteen (15) calendar days after the Business <br />Associate becomes aware of such non -permitted use or disclosure. If a delay is requested by a law-enforcement official in <br />accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. <br />The Business Associate's report will at least: <br />1. Identify the nature of the Breach or other non -permitted use or disclosure, which will include a brief description of what <br />happened, including the date of any Breach and the date of the discovery of the Breach; <br />2. Identify the Covered Entity's Protected Health Information that was subject to the non -permitted use or disclosure or <br />Breach (such as whether full name, social security number, date of birth, home address, account number or other <br />information were involved) on an individual basis; <br />3. Identify who made the non -permitted use or disclosure and who received the non -permitted use or disclosure; <br />4. Identify what corrective or investigational action the Business Associate took or will take to prevent further non - <br />permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; <br />5. Identify what steps the individuals who were subject to a Breach should take to protect themselves; and <br />6. Provide such other information, including a written report and risk assessment under 45 CFR §164.410, as the Covered <br />Entity may reasonably request. <br />
The URL can be used to link to this page
Your browser does not support the video tag.