Laserfiche WebLink
benefitexprcss <br />Benefit Express Services, LLC <br />Technology and Services Agreement <br />request Protected Health Information on the Covered Entity's behalf (collectively, "Covered Entity's Protected Health Information") <br />only: <br />i) Functions and Activities on the Covered Entity's Behalf. To perform those services referred in the Exhibit A. <br />ii) Business Associate's Operations. For the Business Associate's proper management and administration or to carry out the <br />Business Associate's legal responsibilities, provided that, with respect to disclosure of the Covered Entity's Protected Health <br />Information, either: <br />(a) The disclosure is Required by Law; or <br />(b) The Business Associate obtains reasonable assurance from any person or entity to which the Business Associate <br />will disclose the Covered Entity's Protected Health Information that the person or entity will: <br />(i) Hold the Covered Entity's Protected Health Information in confidence and use or further disclose the Covered <br />Entity's Protected Health Information only for the purpose for which the Business Associate disclosed the <br />Covered Entity's Protected Health Information to the person or entity or as Required by Law; and <br />(ii) Promptly notify the Business Associate (who will in turn notify the Covered Entity in accordance with the <br />breach notification provisions) of any instance of which the person or entity becomes aware in which the <br />confidentiality of the Covered Entity's Protected Health Information was breached. <br />(c) To de -identify the information in accordance with 45 CFR 164.514 as necessary to perform those services required <br />under the Addendum. <br />iii) Minimum Necessary. The Business Associate will, in its performance of the functions, activities, services, and operations <br />specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the Covered <br />Entity's Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or <br />request, except that the Business Associate will not be obligated to comply with this minimum -necessary limitation if neither <br />the Business Associate nor the Covered Entity is required to limit its use, disclosure or request to the minimum necessary. <br />The Business Associate and the Covered Entity acknowledge that the phrase "minimum necessary" shall be interpreted in <br />accordance with the HITECH Act. <br />(b) Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose the Covered Entity's Protected <br />Health Information, except as permitted or required by this Addendum or in writing by the Covered Entity or as Required by Law. <br />This Agreement does not authorize the Business Associate to use or disclose the Covered Entity's Protected Health Information in a <br />manner that will violate Subpart E of 45 CFR Part 164 if done by the Covered Entity. <br />(c) Information Safeguards. <br />i) Privacy of the Covered Entity's Protected Health Information. The Business Associate will develop, implement, maintain, <br />and use appropriate administrative, technical, and physical safeguards to protect the privacy of the Covered Entity's <br />Protected Health Information. The safeguards must reasonably protect the Covered Entity's Protected Health Information <br />from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures <br />made to a use or disclosure otherwise permitted by this Addendum. <br />ii) Security of the Covered Entity's Electronic Protected Health Information. The Business Associate will develop, implement, <br />maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the <br />confidentiality, integrity, and availability of Electronic Protected Health Information that the Business Associate creates, <br />receives, maintains, or transmits on the Covered Entity's behalf as required by the Security Rule. The Business Associate will <br />comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or <br />disclosure of protected health information other than as provided for by the Addendum. <br />iii) No Transfer of PHI Outside United States. Business Associate will not transfer Protected Health Information outside the <br />United States without the prior written consent of the Covered Entity. In this context, a "transfer" outside the United States <br />occurs if Business Associate's workforce members, agents, or subcontractors physically located outside the United States <br />are able to access, use, or disclose Protected Health Information. <br />iv) Policies and Procedures. The Business Associate shall maintain written policies and procedures, conduct a risk analysis, and <br />train and discipline of its workforce. <br />(d) Subcontractors and Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the Business Associate will <br />ensure that any of its Subcontractors and agents that create, receive, maintain, or transmit Protected Health information on behalf <br />of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with <br />respect to such information. <br />(e) Prohibition on Sale of Records. As of the effective date specified by HHS in final regulations to be issued on this topic, the Business <br />Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an individual <br />unless the Covered Entity or Business Associate obtained from the individual, in accordance with 45 CFR §164.508, a valid <br />authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration <br />by the entity receiving Protected Health Information of that individual, except as otherwise allowed under the HITECH Act. <br />(f) Prohibition on Use or Disclosure of Genetic Information. Business Associate shall not use or disclose Genetic Information for <br />underwriting purposes in violation of the HIPAA rules. <br />