My WebLink
|
Help
|
About
|
Sign Out
Home
Browse
Search
2019-097C
CBCC
>
Official Documents
>
2010's
>
2019
>
2019-097C
Metadata
Thumbnails
Annotations
Entry Properties
Last modified
12/27/2019 1:36:00 PM
Creation date
7/23/2019 3:31:25 PM
Metadata
Fields
Template:
Official Documents
Official Document Type
Agreement
Approved Date
06/18/2019
Control Number
2019-097C
Agenda Item Number
12.D.1.
Entity Name
Save on SP, LLC
Subject
specialty pharmacy co-pay assistance program
arrangement with Express Scripts Holding Company
There are no annotations on this page.
Document management portal powered by Laserfiche WebLink 9 © 1998-2015
Laserfiche.
All rights reserved.
/
9
PDF
Print
Pages to print
Enter page numbers and/or page ranges separated by commas. For example, 1,3,5-12.
After downloading, print the document using a PDF reader (e.g. Adobe Reader).
View images
View plain text
2.10 Demands for Production of PHI. <br />(a) Receipt by Business Associate. If Business Associate receives a subpoena, civil or <br />administrative demand, or any other demand for production of PHI, other than an <br />Individual right request, Business Associate shall provide a copy of such demand to <br />Covered Entity within five (5) business days of receipt. To the extent the PHI that is the <br />subject of the demand is in the possession of Business Associate and a response is <br />warranted according to the standards set forth under HIPAA, Business Associate shall <br />timely respond to the document demand. <br />Receipt by Covered Entity. If Covered Entity receives a subpoena, civil or administrative <br />demand, or any other demand for production of PHI, other than an Individual right request, <br />Business Associate shall provide to Covered Entity any PHI responsive to such demand <br />and shall assist and cooperate with Covered Entity in responding to such document demand <br />in a timely manner and in accordance with the standards set forth under HIPAA. <br />SECTION 3 — PERMITTED USES AND DISCLOSURES <br />3.1 Business Associate Services. Business Associate may use or disclose PHI as only required by <br />law, or as necessary to perform its obligations and services set forth in the Program or this BAA, provided <br />that such use or disclosure would not violate HIPAA if carried out by Covered Entity. <br />3.2 Minimum Necessary. Business Associate will comply with the minimum necessary standard as <br />defined under HIPAA in its uses and disclosures of, and requests for, PHI and, to the extent practicable, <br />will restrict its uses and disclosures to a Limited Data Set. <br />3.3 Other Permitted Uses. Business Associate may also, but only if necessary and as specifically <br />permitted or required by the Program and in accordance with HIPAA, use and disclose PHI as follows: <br />(i) for the proper management and administration, or to carry out the legal responsibilities, of Business <br />Associate, provided any disclosures are required by law or Business Associate obtains reasonable <br />assurances from the person to whom the information is disclosed that the information will remain <br />confidential and only used or further disclosed as required by law or for the purposes for which it was <br />disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in <br />which the confidentiality of the information has been breached; and (ii) if applicable, for the provision of <br />data aggregation services to the Covered Entity relating to the health care operations of Covered Entity. <br />SECTION 4 — BREACH IDENTIFICATION AND NOTIFICATION <br />4.1 Monitoring and Reporting Incidents. Throughout the term of this BAA, Business Associate will <br />take reasonable steps to monitor the unauthorized acquisition, access, use, and disclosure (subsequently <br />referred to collectively as use or disclosure) of PHI, and will have a policy that requires any unauthorized <br />use or disclosure of PHI to be reported promptly to Business Associate's Privacy Officer or designated <br />individual as well as to Covered Entity. <br />4.2 Determination Whether Unauthorized Use or Disclosure Constitutes Breach. Upon receiving <br />a report of unauthorized use or disclosure, Business Associate will undertake a risk assessment to determine <br />whether the unauthorized use or disclosure constitutes a Breach of Unsecured PHI. Business Associate will <br />make and retain records of such determinations, including the basis for determinations that unauthorized <br />uses or disclosures are not Breaches of Unsecured PHI. All risk assessments and determinations will be <br />shared with Covered Entity as soon as possible, and in no event later than ten (10) business days following <br />
The URL can be used to link to this page
Your browser does not support the video tag.