Laserfiche WebLink
DocuSign Envelope ID: 26BOC939-3E65-4374-8EBE-308B214EB5C7 <br />to Business Associate. Business Associate shall follow the procedures set forth <br />herein for Disclosures of PHI Required By Law. <br />j) Breach. If Business Associate has knowledge or a reasonable belief that a Breach <br />of Unsecured Protected Health Information has occurred or may have occurred, <br />Business Associate shall promptly (but in no event later than thirty (30) days after <br />it has knowledge that a Breach or reasonable belief that a Breach has or may have <br />occurred) notify the Covered Entity in accordance with the requirements of 45 <br />CFR § 164.410. For avoidance of doubt, Business Associate shall notify Covered <br />Entity if it has knowledge of a potential Breach so that Covered Entity may <br />determine and confirm whether a Breach has occurred. Such notification shall <br />include, to the extent possible, the identification of each Individual whose PHI has <br />been or is reasonably believed to have been accessed, acquired, used or disclosed <br />during the Breach, along with any other information that the Covered Entity will <br />be required to include in its notification to the Individual, the media and/or the <br />Secretary, as applicable, including, without limitation, a description of the Breach, <br />the date of the Breach and its discovery, the types of Unsecured Protected Health <br />Information involved and a description of the Business Associate's investigation, <br />mitigation, and prevention efforts. <br />k) Remuneration in Exchange for PHI. Except as permitted by the HITECH Act or <br />regulations issued by the Department of Health and Human Services ("HHS") in <br />accordance with the HITECH Act, and as of the effective date of such regulations, <br />Business Associate shall not directly or indirectly receive remuneration in <br />exchange for any PHI unless Covered Entity notifies Business Associate that it <br />obtained a valid authorization from the Individual specifying that the Individual's <br />PHI may be exchanged for remuneration by the entity receiving such Individual's <br />PHI. <br />1) Minimum Necessary. Business Associate agrees to follow any guidance issued <br />by HHS regarding what constitutes "minimum necessary" with respect to the use <br />or disclosure of PHI. Until the time that any such guidance is issued, Business <br />Associate shall limit its use or disclosure of PHI, to the extent practicable, to the <br />limited data set (as defined in section 45 CFR § 164.514 (e)(2)) or, to the <br />minimum necessary to accomplish the intended purpose of such use, disclosure, <br />or request, respectively. <br />m) Marketing. Unless otherwise permitted in the Underlying Agreement, Business <br />Associate must obtain or confirm that Covered Entity has obtained an <br />authorization for any use or disclosure of PHI for marketing, unless the marketing <br />communication is made without any form of remuneration (i) to describe medical <br />services or products provided by Covered Entity or Business Associate; (ii) for <br />treatment of the Individual; or (iii) for case management or care coordination for <br />the Individual or to direct or recommend alternative treatments, therapies, <br />providers or settings. <br />Revised <br />5/21/2020 <br />