SCHEDULE B
<br />HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
<br />This Schedule to the Administrative Services Agreement between Clarity and Client (the "Agreement") is incorporated by
<br />reference therein. Client represents that it has the authority to execute, and hereby executes, this Schedule C for and on
<br />behalf of the Plan Sponsor's plan(s) for which Clarity provides plan administration services ("the Plan" for the purposes of
<br />this Schedule C).
<br />In conformity with the regulations at 45 C.F.R. Parts 160-164 (the "Privacy and Security Rules") Clarity will under the
<br />following conditions and provisions have access to, maintain, transmit, create and/or receive certain Protected Health
<br />Information:
<br />1. Definitions. The following terms shall have the meaning set forth below:
<br />(a) ARRA. "ARRA" means the American Recovery and Reinvestment Act of 2009.
<br />(b) Breach. "Breach" has the meaning assigned to such term in 45 C.F.R. 164.402.
<br />(c) C.F.R. "C.F.R." means the Code of Federal Regulations.
<br />(d) Designated Record Set. "Designated Record Set" has the meaning assigned to such term in 45 C.F.R. 164.501.
<br />(e) Discovery. "Discovery" shall mean the first day on which a Breach is known to Clarity (including any person, other
<br />than the individual committing the breach, that is an employee, officer, or other agent of Clarity), or should
<br />reasonably have been known to Clarity, to have occurred.
<br />(f) Electronic Protected Health Information. "Electronic Protected Health Information" means information that comes
<br />within paragraphs 1(i) or 1(ii) of the definition of "Protected Health Information", as defined in 45 C.F.R. 160.103.
<br />(g) Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. 160.103 and shall
<br />include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
<br />(h) Protected Health Information. "Protected Health Information" shall have the same meaning as the term "Protected
<br />Health Information", as defined by 45 C.F.R. 160.103, limited to the information created or received by Clarity from
<br />or on behalf of Client.
<br />(i) Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R.
<br />164.103.
<br />(j) Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.
<br />(k) Security Incident. "Security Incident" has the meaning assigned to such term in 45 C.F.R. 164.304.
<br />(l) Standard Transactions. "Standard Transactions" means the electronic health care transactions for which HIPAA
<br />standards have been established, as set forth in 45 C.F.R. Parts 160-162.
<br />(m) Unsecured Protected Health Information. "Unsecured Protected Health Information" means Protected Health
<br />Information that is not secured through the use of a technology or methodology specified by guidance issued by
<br />the Secretary from time to time.
<br />Obligations and Activities of Clarity
<br />(a) Clarity agrees to not use or disclose Protected Health Information other than as permitted or required by this
<br />Schedule or as Required by Law.
<br />(b) Clarity agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other
<br />than as provided for by this Schedule.
<br />(c) Clarity agrees to mitigate, to the extent practicable, any harmful effect that is known to Clarity of a use or
<br />disclosure of Protected Health Information by Clarity in violation of the requirements of this Schedule.
<br />(d) Clarity agrees to report to Client any Security Incident of the Protected Health Information not allowed by this
<br />Schedule of which it becomes aware, except that, for purposes of the Security Incident reporting requirement, the
<br />term "Security Incident" shall not include inconsequential incidents that occur on a daily basis, such as scans,
<br />"pings" or other unsuccessful attempts to penetrate computer networks or servers containing electronic PHI
<br />maintained by Clarity.
<br />(e) Clarity agrees to report to Client any Breach of Unsecured Protected Health Information without unreasonable
<br />delay and in no case later than sixty (60) calendar days after Discovery of a
<br />Breach. Such notice shall include the identification of each Individual whose Unsecured Protected Health
<br />Information has been, or is reasonably believed by Clarity, to have been, accessed, acquired, or disclosed in
<br />connection with such Breach. In addition, Clarity shall provide any additional information reasonably requested by
<br />Client for purposes of investigating the Breach. Clarity's notification of a Breach under this section shall comply in
<br />all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, 45 C.F.R. 164.410,
<br />and related guidance issued by the Secretary from time to time.
<br />(f) Clarity agrees to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health
<br />Information on behalf of Clarity agree in writing to the same restrictions and conditions that apply through this
<br />Schedule to Clarity with respect to such information, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and
<br />164.308(b)(2), if applicable.
<br />860520
<br />11.2.2016