Laserfiche WebLink
'Is <br />�. benefit����>l <br />Benefit Express Services, LLC <br />Technology and Services Agreement <br />Exhibit C - Business Associate Addendum <br />This Health Insurance Portability & Accountability Act Business Associate Addendum ("HIPAA Addendum") is an <br />addendum to this Agreement (and incorporated therein by reference) by and between Benefit Express Services, LLC ("BE" or <br />"Business Associate") and Employer ("Client" or "Covered Entity"). In order, to provide such services to Employer, the Business <br />Associate must have access to certain protected health information ("Protected Health Information" or "PHI"), as defined in the <br />Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards") set forth by the U.S. Department of <br />Health and Human Services ("HHS") pursuant to the Health Insurance Portability and Accountability Act of 1996, ("HIPAA") and <br />amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act'), part of the American Recovery <br />and Reinvestment Act of 2009 ("ARRA"), the Genetic Information Nondiscrimination Act of 2008 ("GINA"), and the final regulations <br />to such Acts promulgated in January 2013; <br />To comply with the requirements of the Privacy Standards, the Covered Entity must enter into this Business Associate Addendum <br />with the Business Associate. Now, therefore, in consideration of the mutual covenants and agreements hereinafter contained, and <br />other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, and intending to be legally <br />bound hereby, the parties hereto agree as follows: <br />Definitions <br />The following terms used in this Addendum shall have the same meaning as those terms in the Privacy Rules: Breach, Data <br />Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, <br />Secretary, Subcontractor, and Use. If other terms are used, but not otherwise defined under this Business Associate Addendum, such <br />terms shall then have the same meaning as those terms in the Privacy Rule. <br />(a) Business Associate. 'Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR <br />160.103. <br />(b) Covered Electronic Transactions. "Covered Electronic Transactions" shall have the meaning given the term "transaction"" in 45 <br />CFR §160.103. <br />(c) Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103. <br />(d) Electronic Protected Health Information. "Electronic Protected Health Information" shall have the same meaning as the term <br />"electronic protected health information" in 45 CFR §160.103. <br />(e) Genetic Information. "Genetic Information" shall have the same meaning as the term "genetic information" in 45 CFR §160.103 <br />(f) HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and <br />Part 164. <br />(g) Individual. "Individual' shall have the same meaning as the term "individual' in 45 CFR §160.103 and shall include a person who <br />qualifies as a personal representative in accordance with 45 CFR §164.502(8). <br />(h) Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part <br />160 and Part 164, subparts A and E. <br />(i) Protected Health Information (PHI). "Protected Health Information (PHI)' shall have the same meaning as the term "protected <br />health information" in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf <br />of a Covered Entity pursuant to this Addendum. <br />0) Required By Law. "Required By Law" shall have the same meaning as the term "required bylaw" in 45 CFR §164.103. <br />(k) Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. <br />(1) Standards for Electronic Transactions Rule. "Standards for Electronic Transactions Rule" means the final regulations issued by <br />HHS concerning standard transactions and code sets under the Administration Simplification provisions of HIPAA, 45 CFR Part <br />160 and Part 162. <br />(m) Security Incident. "Security Incident' shall have the same meaning as the term "security incident' in 45 CFR §164.304. <br />(n) Security Rule. "Security Rule" shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part <br />164, subpart C. <br />(o) Subcontractor. "Subcontractor" shall have the same meaning as the term subcontractor in 45 CFR §160.103. <br />(p) Transaction. "Transaction" shall have the meaning given the term "transaction" in 45 CFR §160.103 <br />(q) Unsecured Protected Health Information. "Unsecured Protected Health Information" shall have the meaning given the term <br />"unsecured protected health information" in 45 CFR §164.402. <br />II. Safeguarding Privacy and Security of Protected Health Information <br />(a) Permitted Uses and Disclosures. The Business Associate is permitted to use and disclose Protected Health Information that it creates or <br />receives on the Covered Entity's behalf or receives from the Covered Entity (or another business associate of the Covered Entity) and to <br />