Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />5. Access. <br />a. Business Associate shall make available PHI that it holds that is part of a Designated <br />Record Set when requested by DOC or the Individual as necessary to satisfy DOC's <br />obligations under 45 CFR 164.524 (Access of Individuals to Protected Health <br />Information). <br />b. When the request is made by the Individual to the Business Associate or if DOC asks <br />the Business Associate to respond to a request, the Business Associate shall comply <br />with requirements in 45 CFR 164.524 (Access of Individuals to Protected Health <br />Information) on form, time and manner of access. When the request is made by DOC, <br />the Business Associate shall provide the records to DOC within ten (10) business <br />days. <br />6. Amendment. <br />a. If DOC amends, in whole or in part, a record or PHI contained in an Individual's <br />Designated Record Set and DOC has previously provided the PHI or record that is the <br />subject of the amendment to Business Associate, then DOC will inform Business <br />Associate of the amendment pursuant to 45 CFR 164.526(c)(3) (Amendment of <br />Protected Health Information). <br />b. Business Associate shall make any amendments to PHI in a Designated Record Set <br />as directed by DOC or as necessary to satisfy DOC's obligations under 45 CFR <br />164.526 (Amendment of Protected Health Information). <br />7. Subcontracts and other Third Party Agreements. In accordance with 45 CFR <br />164.502(e)(1)(ii), 164.504(e)(1)(i), and 164.308(b)(2), Business Associate shall ensure <br />that any agents, Subcontractors, independent contractors or other third parties that create, <br />receive, maintain, or transmit PHI on Business Associate's behalf, enter into a written <br />contract that contains the same terms, restrictions, requirements, and conditions as the <br />HIPAA compliance provisions in this Agreement with respect to such PHI. The same <br />provisions must also be included in any contracts by a Business Associate's Subcontractor <br />with its own business associates as required by 45 CFR 164.314(a)(2)(b) and <br />164.504(e)(5). <br />8. Obligations. To the extent the Business Associate is to carry out one or more of DOC's <br />obligation(s) under Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable <br />Health Information), Business Associate shall comply with all requirements that would <br />apply to DOC in the performance of such obligation(s). <br />9. Liability. Within ten (10) business days, Business Associate must notify DOC of any <br />complaint, enforcement or compliance action initiated by the Office for Civil Rights based <br />on an allegation of violation of the HIPAA Rules and must inform DOC of the outcome of <br />that action. Business Associate bears all responsibility for any penalties, fines or <br />Washington State K14078 Page 5 of 19 <br />Department of Corrections Attachment A 26RAD <br />