|
compliance with the privacy provisions of law that apply to the Business Associate to the
<br />same extent as the Covered Entity.
<br />B. Security: Implement administrative, physical, and technical safeguards that reasonably
<br />and appropriately protect the confidentiality, integrity, and availability of the PHI that it
<br />creates, receives, maintains, or transmits on behalf of the Covered Entity as required by
<br />law. The Business Associate is directly responsible for compliance with the security
<br />provisions of HIPAA and HITECH to the same extent as the Covered Entity.
<br />C. Improper Disclosures: Report all unauthorized or otherwise improper disclosures of PHI,
<br />or security incident, to the Covered Entity within two (2) days of the Business
<br />Associate's knowledge of such event.
<br />D. Notice of Breach: Within two (2) business days of the discovery of a breach as defined at
<br />45 CFR §164.402 notify the Covered Entity of any breach of unsecured PHI. Notification
<br />shall be by the most rapid means reasonably possible, such as telephonic notice made
<br />directly to an appropriate person within the covered entity and not including a voice mail
<br />or similar message. Written notification shall follow within that two (2) period by fax and
<br />be confirmed by direct contact with the intended recipient, and include the identification
<br />of each individual whose unsecured PHI has been, or is reasonably believed by the
<br />Business Associate to have been, accessed, acquired, or disclosed during such breach; a
<br />brief description of what happened, including the date of the breach and the date of the
<br />discovery of the breach, if known; a description of the types of unsecured PHI that were
<br />involved in the breach (such as whether full name, social security number, date of birth,
<br />home address, account number, diagnosis, disability code, or other types of information
<br />were involved); any steps individuals should take to protect themselves from potential
<br />harm resulting from the breach; a brief description of what the Business Associate is
<br />doing to investigate the breach, to mitigate harm to individuals, and to protect against any
<br />further breaches; the contact procedures of the Business Associate for individuals to ask
<br />questions or learn additional information, which shall include a toll free number, an e-
<br />mail address, Web site, or postal address; and any other information required to be
<br />provided to the individual by the Covered Entity pursuant to 45 CFR §164.404, as
<br />amended. A breach shall be treated as discovered in accordance with the terms of 45 CFR
<br />§ 164.410. The information shall be updated promptly and provided to the Covered Entity
<br />as requested by the Covered Entity.
<br />E. Mitigation: Mitigate, to the extent practicable, any harmful effect that is known to
<br />Business Associate of a use or disclosure of PHI by Business Associate in violation of the
<br />requirements of this Addendum or the law.
<br />F. Agents: Ensure that any agent, including all of its employees, representatives, and
<br />subcontractors, to whom it provides PHI received from, or created or received by
<br />Business Associate on behalf of Covered Entity agrees to the same restrictions and
<br />B. A. A. Attachment Page 2 of 5
|