Laserfiche WebLink
for an accounting from an Individual, Business Associate shall notify Client of the request and <br />shall provide such accounting of disclosures to the Individual. Business Associate shall not <br />disclose any PHI unless such disclosure is required by law or is in accordance with this BAA <br />and shall document such disclosures. <br />h. Governmental Access to Records. Business Associate shall make its internal practices, books <br />and records relating to the use and disclosure of Protected Health Information available to <br />Client and to the Secretary of Health and Humans Services (HISS) for purposes of determining <br />Client's compliance with the Privacy and Security Rule. <br />i. Minimum Necessary. Business Associate and its agents or subcontractors shall request, use, <br />and disclose only the minimum amount of PHI necessary to accomplish the purpose of the <br />request, use, or disclosure. <br />j. Notification to Client of Breach or Unauthorized Disclosure. Everside shall notify Client within <br />twenty (20) business days of any suspected or actual breach of security, intrusion or <br />unauthorized access, use or disclosure of PHI not permitted by the Agreement and this BAA <br />of which Business Associate becomes aware, and/or any actual or suspected Breach of <br />unsecured PHI of which Business Associate becomes aware. A breach shall be treated as <br />discovered in accordance with 45 CFR §164.410. The notification shall include the <br />identification of each individual whose PHI or unsecured PHI has been, or is reasonably <br />believed by the Business Associate to have been, accessed, acquired, or disclosed during such <br />breach, a brief description of what happened including the date of the breach, the date of <br />discovery of the breach and a description of the types of PHI or unsecured PHI that were <br />involved in the Breach. Business Associate agrees to mitigate, to the extent practicable, any <br />harmful effect that is known to Business Associate of a use or disclosure of PHI or unsecured <br />PHI by Business Associate in violation of the requirements of this BAA. <br />k. Breach Pattern or Practice by Client. If Business Associate knows of a pattern of activity or <br />practice of the Client that constitutes a material breach or violation of the Client's obligations <br />under the Agreement, this BAA, or the Privacy and Security Rule, Business Associate must <br />take reasonable steps to cure the breach or end the violation. <br />1. Audits, Inspection and Enforcement. Within twenty (20) days of a written request by Client, <br />Business Associate and its agents or subcontractors shall allow Client to conduct a reasonable <br />inspection of the facilities, systems, books, records, agreements, policies and procedures of <br />Business Associate relating to the use or disclosure of PHI pursuant to this BAA. <br />e. Termination <br />a. Term. The term of this BAA shall be effective as of the date of execution and shall remain in <br />effect until the later of one (1) year from the effective date or the expiration or termination of <br />the underlying Agreement. Any provision related to the use, disclosure, access, or protection <br />of PHI shall survive termination of the BAA and Agreement. <br />b. Material Breach. A breach by Business Associate, or its agents or subcontractors, of any <br />provision of this BAA or of the data provisions of the Agreement, as determined by Client, <br />shall constitute a material breach of the Agreement and shall be grounds for immediate <br />termination of this BAA. Client may terminate this BAA effective immediately, if (i) Business <br />Associate is a defendant in a criminal proceeding for a violation of HIPAA, HITECH, the <br />Privacy and Security Rule, or other security or privacy laws or (ii) there is a finding or <br />2022 L'vetside Ilealth. U.C. .All rights reserved. Confidential. <br />26 <br />