A TRUE COPY
<br />CERTIFICATION ON LAST PAGE
<br />J.R. SMITH, CLERK
<br />(12) month period; however, a reasonable, cost based fee may be charged for subsequent accountings if Business Associate
<br />informs the Covered Entity and the Covered Entity informs the Individual in advance of the fee, and the Individual is
<br />afforded an opportunity to withdraw or modify the request.
<br />9. Withdrawal of Consent or Authorization. If the use or disclosure of PHI in this BAA is based upon an Individual's
<br />specific consent or authorization for the use of his or her PHI, and (i) the Individual revokes such consent or authorization in
<br />writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in
<br />any manner that renders it invalid, Business Associate agrees, if it has notice of such revocation or invalidity, to cease the
<br />Use and Disclosure of any such Individual's PHI except to the extent it has relied on such Use or Disclosure, or where an
<br />exception under the Privacy Standards expressly applies.
<br />10. Records and Audit. Business Associate shall make available to Covered Entity and to the Secretary or her agents, its
<br />internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by,
<br />Business Associate on behalf of Covered Entity for the purpose of determining Covered Entity's compliance with the Privacy
<br />Standards and the Security Standards or any other health oversight agency, in a timely manner designated by Covered
<br />Entity or the Secretary. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity
<br />immediately upon receipt by Business Associate of any and all requests served upon Business Associate by or on behalf of
<br />any and all government authorities relating to PHI received from, or created or received by, Business Associate on behalf of
<br />Covered Entity.
<br />11. Notice of Privacy Practices. Covered Entity shall provide to Business Associate its Notice of Privacy Practices
<br />("Notice"), including any amendments to the Notice. Business Associate agrees that it will abide by any limitations set forth
<br />in the Notice, as it may be amended from time to time, of which it has knowledge. An amended Notice shall not affect
<br />permitted Uses and Disclosures on which Business Associate has relied prior to receipt of such Notice.
<br />12. Security. Business Associate will (i) implement Administrative, Physical and Technical Safeguards that reasonably
<br />and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that it
<br />creates, receives, maintains, or transmits on behalf of Covered Entity; and (ii) ensure that any agent, including a
<br />subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate
<br />safeguards to protect such information. Further, as of the date required by ARRA, Business Associate shall comply with the
<br />standards and implementation specifications set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 with respect to
<br />such Administrative, Physical and Technical Safeguards.
<br />13. Term and Termination.
<br />13.1 This BAA shall commence on the effective date of the Agreement and shall remain in effect
<br />until terminated in accordance with the terms of this Section 13, provided, however, that any termination shall not affect the
<br />respective obligations or rights of the parties arising under this BAA prior to the effective date of termination, all of which
<br />shall continue in accordance with their terms.
<br />13.2 Covered Entity shall have the right to terminate this BAA for any reason upon thirty (30) days
<br />written notice to Business Associate.
<br />13.3 Covered Entity, at its sole discretion, may immediately terminate this BAA and shall have no
<br />further obligations to Business Associate hereunder if any of the following events shall have occurred and be continuing:
<br />(i) Business Associate shall fail to observe or perform any material covenant or agreement contained in
<br />this BAA for ten (10) days after written notice thereof has been given to Business Associate by Covered Entity; or
<br />(ii) A violation by Business Associate of any provision of the Privacy Standards, Security Standards, or
<br />other applicable federal or state privacy law.
<br />13.4 Upon the termination of the Agreement, this BAA shall terminate simultaneously without
<br />additional notice.
<br />13.5 Upon termination of this BAA for any reason, Business Associate agrees either to return to
<br />Covered Entity or to destroy all PHI received from Covered Entity or otherwise created through the performance of the
<br />Agreement Services for Covered Entity, that is in the possession or control of Business Associate or its agents. In the case of
<br />information for which it is not feasible to "return or destroy," Business Associate shall continue to comply with the covenants
<br />in this BAA with respect to such PHI and shall comply with other applicable state or federal law, which may require a
<br />specific period of retention, redaction, or other treatment. Termination of this BAA shall be cause for Covered Entity to
<br />terminate the Agreement.
<br />14. Compliance with Red Flag Policies. Covered Entity shall provide to Business Associate any policies and procedures
<br />adopted by the Covered Entity to detect, prevent and mitigate the risk of identity theft in accordance with the "Red Flag