A TRUE COPY
<br />CERTIFICATION ON LAST PAGE
<br />J.R. SMITH, CLERK
<br />anything herein to the contrary, the provisions of this Section 5.3 shall only be applicable to Breaches that are Discovered on
<br />or after the date that is thirty (30) days after the date of publication of interim final regulations promulgated by the Secretary
<br />that address notifications of Breaches of Unsecured PHI.
<br />5.4 Business Associate agrees to indemnify and hold harmless, Covered Entity, its Officers, directors,
<br />shareholders, agents, and employees against all liability claims, damages, suits, demands, expenses, and civil monetary
<br />penalties (including but not limited to, court costs and reasonable attorneys' fees) of every kind arising out of the negligent
<br />errors and omissions or willful misconduct of Business Associate, its agents, servants, employees and independent contractors
<br />(excluding Covered Entity) in the performance of or conduct relating to this Section 5.
<br />6. Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created or received
<br />by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, "Recipients"), Business
<br />Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business
<br />Associate under this BAA.
<br />7. Individual Rights to Access and Amendment.
<br />7.1 Access. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business
<br />Associate shall permit an Individual to inspect or copy PHI contained in that set about the Individual in accordance with the
<br />Privacy Standards set forth in 45 C.F.R. § 164.524, as it may be amended from time to time, unless excepted or a basis for
<br />denial exists under 45 C.F.R. § 164.524, as determined by the Covered Entity. In the event a Business Associate uses or
<br />maintains an Electronic Health Record on behalf of Covered Entity, then, as of the date required by ARRA, an Individual's
<br />right of access under 45 C.F.R. § 164.524 shall include the right to obtain a copy of the PHI in an electronic format and, if the
<br />Individual chooses in a clear, conspicuous and specific manner, to direct the Business Associate to transmit such copy to any
<br />person designated by the Individual. Business Associate shall respond to any request from Covered Entity for access by an
<br />Individual within five (5) days of such request unless otherwise agreed to by Covered Entity. The information shall be
<br />provided in the form or format requested, if it is readily producible in such form or format, or in summary, if the Individual
<br />has agreed in advance to accept the information in summary form. A reasonable, cost-based fee may be charged for copying
<br />PHI or providing a summary of PHI in accordance with 45 C.F.R. § 164.524(c)(4), provided that any such fee relating to a
<br />copy or summary of PHI provided in an electronic form may not be greater than the labor costs incurred in response to the
<br />request for the copy or summary.
<br />7.2 Amendment. Business Associate shall accommodate an Individual's right to amend PHI or a record
<br />about the Individual in a Designated Record Set in accordance with the Privacy Standards set forth at 45 C.F.R. § 164.526, as
<br />it may be amended from time to time, unless excepted or a basis for denial exists under 45 C.F.R. § 164.526, as determined
<br />by the Covered Entity. Covered Entity shall determine whether a denial to an amendment request is appropriate or an
<br />exception applies. Business Associate shall notify Covered Entity within five (5) days of receipt of any request for
<br />amendment by an Individual and shall make any amendment requested by Covered Entity within ten (10) days of such
<br />request. Business Associate shall have a process in place for requests for amendments and for appending such requests to the
<br />Designated Record Set.
<br />8. Accounting of Disclosures.
<br />8.1 General Accounting Provisions. Business Associate shall make available to Covered Entity in response
<br />to a request from an Individual, information required for an accounting of Disclosures of PHI with respect to the Individual,
<br />in accordance with 45 C.F.R. § 164.528, as it may be amended from time to time, unless an exception to such Accounting
<br />exists under 45 C.F.R. § 164.528. Such Accounting is limited to Disclosures that were made in the six (6) years prior to the
<br />request and shall not include any Disclosures that were made prior to the compliance date of the Privacy Standards. Business
<br />Associate shall provide such information necessary to provide an accounting within thirty (30) days of Covered Entity's
<br />request.
<br />8.2 Special Provisions for Disclosures made through an Electronic Health Record. As of the date required
<br />by ARRA, if Covered Entity uses or maintains an Electronic Health Record with respect to PHI and if Business Associate
<br />makes Disclosures of PHI for Treatment, Payment or Health Care Operations purposes through such Electronic Health
<br />Record, Business Associate will provide an accounting of Disclosures that Covered Entity has determined were for Covered
<br />Entity's Treatment, Payment and/or Health Care Operations purposes to Individuals who request an accounting directly from
<br />Business Associate. Any accounting made pursuant to this Section 8.2 shall be limited to Disclosures made in the three (3)
<br />years prior to the Individual's request for the accounting. The content of the accounting shall be in accordance with 45
<br />C.F.R. § 164.528, as it may be amended from time to time.
<br />8.3 Fees for an Accounting. Any accounting provided under Section 8.1 or Section 8.2 must be provided
<br />without cost to the Individual or to Covered Entity if it is the first accounting requested by an Individual within any twelve