Laserfiche WebLink
con]|')liiiltce lvith the privacy provisions of law that apply to the BLrsiness Associatc- to the <br />same extent as the Covered Entity. <br />B. Security: Irrrplemcnt administrative. physical, and technical safeguards that reasonably <br />and appropriately protect the cont'ideritiality, integrity, and availability of the PLII that it <br />creates, receives, tnaintains, or transnrits on behalf of the Covered Entity as required by <br />larv. The Business Associate is directly responsible tbr cornpliance r,vith the security <br />provisions of HIPAA and I-IITECH to the sarne extent as the Covered Entiry. <br />C. lmproper Disclosures: Report all unauthorized or otherwise improper disclosures of PI{I, <br />or security incidcnt, to the Covered Entiry within tr.vo (2) days of the Business <br />Associate's knou'ledge of such event. <br />D. Notice of Breach: Within trvo [2) business days of the discovery of a breach ns defined at <br />45 CFR s\164.40? notily the Covered Entity of any breach of unsecurctl PHI. Notification <br />shall by tlte most rapid nreans reasonably possible, such as telephonic notice made <br />directly to an appropriate person rvithin the covered entity and not including a voice mail <br />or similar message. Writtett notification shall follow rvithirr that tir o (2) period by fax and <br />be continrted by direct contact lvith the interrded recipient, and include the identiflcation <br />of each individual whose unsecured PHI has been. or is reasonably believed by the <br />Business Associate to have been, accessed, acquired, or disclosed durirrg such breach; a <br />brief description of what happened, including the date of the breach and tlre date of the <br />discovery of the breach. if,known; a clescriptiorr of the types of unsecured PHI thal" were <br />involved in the breach (such as whether fullname, socialsecurity number, date of birth, <br />horne acldress, account nuntber, diagnosis, disability code, or other t-vpes of inlormation <br />u'ere involved); any steps individuals should take to proteci themselves fi'om potential <br />harm resulting from the breach; a brief description of what the Business Associate is <br />doing to investigate the breach, to rnitigate harm to individuals, and to protect against any <br />further breaches; the contact pr-ocedurcs of the Business Associate for individuals to ask <br />questions or learn additional inft:nnation. r.vhich shall include a toll free number, an e- <br />mail address, Web site, or postal address; and any other infomration required to be <br />provided to the individual by the Covered Entity pumuant to 45 CFR $ 164.40-1, as <br />amended. A br:each shall be tleated as discovered in accordance rvith the temrs ol'45 CFR <br />$164.410. The infomratiori shall be updated promptly and provided to the Coveted Entity <br />as requested by the Covered Entity. <br />E. IMitigation: Mitigate, to the extent practicable, any hannful effect that is known to <br />Business Associnte of a use or disclosure of PHI by Business Associatc in violation of the <br />requirements of this Addendum or the law. <br />F. Agents: Ensure that any agent, irrcludirrg all of its employees, representatives, and <br />subconfractors, to lvhom it provides PHI received from, or created or received by <br />Business Associate on behalf of Covered Entity agrees to the same restrictions and <br />B. A. A. Attachrnent Page 2 of 5