Master Contract No. 902012
Procurement Contract No. 24823
Exhibit E
Page 3 of 7

Business Associate may only use or disclose PHI:

A. As necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or Disclosure would not violate the Privacy Rule if done by Covered Entity;

B. As required by law; and

C. For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

V. PROTECTION OF PHI BY BUSINESS ASSOCIATE

A. Scope of Exhibit. Business Associate acknowledges and agrees that all PHI that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording and electronic display, by Covered Entity or its operating units to Business Associate, or is created or received by Business Associate on Covered Entity’s behalf, shall be subject to this Exhibit.

B. PHI Disclosure Limits. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the HIPAA Regulations, this Exhibit, or as required by law. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Regulations if done by Covered Entity.

C. Minimum Necessary Rule. When the HIPAA Privacy Rule requires application of the Minimum Necessary Rule, Business Associate agrees to use, disclose, or request only the Limited Data Set, or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use, Disclosure, or request. Business Associate agrees to make uses, Disclosures, and requests for PHI consistent with any of Covered Entity’s existing Minimum Necessary policies and procedures.

D. HIPAA Security Rule. Business Associate agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Rule and HIPAA Security Regulations with respect to Electronic PHI, to prevent the use or Disclosure of the PHI other than as provided for by this Exhibit.

E. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or Disclosure of PHI by Business Associate in violation of the requirements of this Exhibit. Mitigation includes, but is not limited to, the taking of reasonable steps to ensure that the actions or omissions of employees or agents of Business Associate do not cause Business Associate to commit a Contractual Breach.

F. Notification of Breach. During the term of the Agreement, Business Associate shall notify Covered