for the purposes for which it was disclosed to such third party, and (ii) an agreement from such third party to immediately notify Business Associate of any breaches of confidentiality of the PHI, to the extent it has obtained knowledge of such breach.

c) Appropriate Safeguards.

i) Business Associate will comply with all applicable federal and state laws and regulations and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule and as of the Compliance Date of 42 U.S.C. § 17931, comply with the Security Rule requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316;

ii) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it; and

iii) Business Associate will report to Covered Entity as soon as reasonably practicable (i) any use or disclosure of protected health information not provided for by this BAA of which it becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C); and/or (ii) any security incident affecting EPHI of which Business Associate becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(C) provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Ameritas shall be required; and

iv) Business Associate agrees to promptly report to Covered Entity any Breach of which it becomes aware as soon as reasonably practicable following Business Associate's discovery of any Breach involving Covered Entity's unsecured PHI. The foregoing report shall include identification of each Individual whose PHI Business Associate reasonably believes to have been accessed, acquired, or disclosed during such Breach. As soon as possible thereafter, and to the extent known, Business Associate shall also provide Covered Entity with a description of (i) what happened, including the date of the Breach and the date of the discovery, (ii) the types of unsecured PHI involved in the Breach, (iii) any steps individuals should take to protect themselves from potential harm from the Breach, and (iv) what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches.

d) Restrictions on Disclosures. Business Associate will restrict its disclosures of the Individual's PHI in the same manner as would be required for Covered Entity. If Business Associate receives an Individual's request for restrictions, Business Associate shall forward such request to Covered Entity within ten (10) business days.

e) Subcontractors. Business Associate shall ensure that any Subcontractor to whom it provides PHI agrees in writing to the same or substantially similar restrictions and conditions that apply to Business Associate with respect to such PHI. Business Associate will advise Covered Entity if any such Subcontractor breaches its agreement with Business Associate with respect to the disclosure or use of Covered Entity's Protected Health Information or EPHI.