benefitexprcss
<br />Benefit Express Services, LLC
<br />Technology and Services Agreement
<br />request Protected Health Information on the Covered Entity's behalf (collectively, "Covered Entity's Protected Health Information")
<br />only:
<br />i) Functions and Activities on the Covered Entity's Behalf. To perform those services referred in the Exhibit A.
<br />ii) Business Associate's Operations. For the Business Associate's proper management and administration or to carry out the
<br />Business Associate's legal responsibilities, provided that, with respect to disclosure of the Covered Entity's Protected Health
<br />Information, either:
<br />(a) The disclosure is Required by Law; or
<br />(b) The Business Associate obtains reasonable assurance from any person or entity to which the Business Associate
<br />will disclose the Covered Entity's Protected Health Information that the person or entity will:
<br />(i) Hold the Covered Entity's Protected Health Information in confidence and use or further disclose the Covered
<br />Entity's Protected Health Information only for the purpose for which the Business Associate disclosed the
<br />Covered Entity's Protected Health Information to the person or entity or as Required by Law; and
<br />(ii) Promptly notify the Business Associate (who will in turn notify the Covered Entity in accordance with the
<br />breach notification provisions) of any instance of which the person or entity becomes aware in which the
<br />confidentiality of the Covered Entity's Protected Health Information was breached.
<br />(c) To de -identify the information in accordance with 45 CFR 164.514 as necessary to perform those services required
<br />under the Addendum.
<br />iii) Minimum Necessary. The Business Associate will, in its performance of the functions, activities, services, and operations
<br />specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the Covered
<br />Entity's Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or
<br />request, except that the Business Associate will not be obligated to comply with this minimum -necessary limitation if neither
<br />the Business Associate nor the Covered Entity is required to limit its use, disclosure or request to the minimum necessary.
<br />The Business Associate and the Covered Entity acknowledge that the phrase "minimum necessary" shall be interpreted in
<br />accordance with the HITECH Act.
<br />(b) Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose the Covered Entity's Protected
<br />Health Information, except as permitted or required by this Addendum or in writing by the Covered Entity or as Required by Law.
<br />This Agreement does not authorize the Business Associate to use or disclose the Covered Entity's Protected Health Information in a
<br />manner that will violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.
<br />(c) Information Safeguards.
<br />i) Privacy of the Covered Entity's Protected Health Information. The Business Associate will develop, implement, maintain,
<br />and use appropriate administrative, technical, and physical safeguards to protect the privacy of the Covered Entity's
<br />Protected Health Information. The safeguards must reasonably protect the Covered Entity's Protected Health Information
<br />from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures
<br />made to a use or disclosure otherwise permitted by this Addendum.
<br />ii) Security of the Covered Entity's Electronic Protected Health Information. The Business Associate will develop, implement,
<br />maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the
<br />confidentiality, integrity, and availability of Electronic Protected Health Information that the Business Associate creates,
<br />receives, maintains, or transmits on the Covered Entity's behalf as required by the Security Rule. The Business Associate will
<br />comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or
<br />disclosure of protected health information other than as provided for by the Addendum.
<br />iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the
<br />United States without the prior written consent of the Covered Entity. In this context, a "transfer" outside the United States
<br />occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States
<br />are able to access, use, or disclose Protected Health Information.
<br />iv) Policies and Procedures. The Business Associate shall maintain written policies and procedures, conduct a risk analysis, and
<br />train and discipline of its workforce.
<br />(d) Subcontractors and Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the Business Associate will
<br />ensure that any of its Subcontractors and agents that create, receive, maintain, or transmit Protected Health information on behalf
<br />of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with
<br />respect to such information.
<br />(e) Prohibition on Sale of Records. As of the effective date specified by HHS in final regulations to be issued on this topic, the Business
<br />Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an individual
<br />unless the Covered Entity or Business Associate obtained from the individual, in accordance with 45 CFR §164.508, a valid
<br />authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration
<br />by the entity receiving Protected Health Information of that individual, except as otherwise allowed under the HITECH Act.
<br />(f) Prohibition on Use or Disclosure of Genetic Information. Business Associate shall not use or disclose Genetic Information for
<br />underwriting purposes in violation of the HIPAA rules.
<br />
|