|
3. "Representative" includes Business Associate's managing members (as applicable), trustees, general partners (as applicable), financial and legal
<br />advisors and all other individuals, including employees, who are performing functions related to the subject matter of this Agreement.
<br />C. Responsibilities of Business Associate
<br />1. Scope of Responsibilities. All services performed by Infinisource in accordance with the Agreement other than those set forth in Section D below
<br />will be considered performed on behalf of the Plan and are subject to the provisions set forth in this Section C.
<br />2. Confidentiality. At all times, both during and after the termination of its relationship with the Plan for any reason, Business Associate and its
<br />Representatives will not use, disclose or give others any of the PHI in any manner whatsoever, except as provided in Sections C.3 and CA of this
<br />Appendix, and will hold and maintain the PHI in confidence. Business Associate will ensure that appropriate safeguards are in place to prevent the use
<br />or disclosure of the PHI otherwise than as permitted by this Agreement or HIPAA.
<br />3. Permitted Uses and Disclosures:
<br />a. Except as otherwise limited in this Appendix, Business Associate may use or disclose PHI, provided that the use or disclosure of PHI would
<br />not violate the HIPAA Rules, as follows: (€) as permitted or required in this Appendix and in the Agreement; (€1) as otherwise permitted by the
<br />HIPAA Rules; (III) as Required by Law; (iv) for the proper management and administration of Business Associate; (v) to fulfill any present or future
<br />legal responsibilities; (vi) for Data Aggregation services, only as permitted or required by this Agreement or the HIPAA Rules; or (0) any use or
<br />disclosure of PHI that has been de -identified as defined by the Privacy Security/Security Rules.
<br />b. Business Associate shall document any disclosures of PHI and the information related to those disclosures to respond to an accounting of
<br />disclosures of PHI if requested by Employer in accordance with the HIPAA Rules and to provide the documentation to the Plan as it may request
<br />from time to time.
<br />c. If Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access to the PHI to the Individual or the
<br />Individual's designee as necessary to satisfy the Plan's obligations under the HIPAA Rules. Business Associate shall amend PHI that it maintains in
<br />a Designated Record Set as directed or agreed to by the Plan and to incorporate any amendments to PHI.
<br />d. Business Associate may disclose PHI to its agents or Subcontractors with a bona fide need to know the PHI, but only if, prior to the disclosure,
<br />these agents or Subcontractors will agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to
<br />PHI.
<br />e. Business Associate may disclose PHI to other third party vendors provided that Business Associate has received instruction to do so from
<br />Employer. Business Associate may assume upon instruction from Employer that the third party vendor has properly entered Into a Business
<br />Associate Agreement where required.
<br />f. Business Associate shall make reasonable efforts to use or disclose no more than the minimum amount of PHI necessary to accomplish the
<br />intended purpose. The Minimum Necessary standard will not apply in these situations:
<br />• Disclosures to or requests by a healthcare provider for treatment
<br />• Uses or disclosures made to an Individual regarding the Individual's PHI or as authorized by the Individual In writing
<br />• Disclosures to the Secretary or as required by law
<br />• Uses or disclosures required for compliance with HIPAA
<br />4. Required Uses and Disclosures. Business Associate may disclose the PHI revealed to it by the Plan only to the extent the disclosure is required by
<br />Law or is in compliance with a court order. Business Associate shall make its internal practices, books and records, relating to the use and disclosure
<br />of PHI received from or created or received by Business Associate on behalf of the Plan, available to the Secretary for purposes of determining the
<br />Plan's compliance with the HIPAA Rules.
<br />S. Required Notice to Business Associate. In accordance with HIPAA, and to the extent that the limitation may affect Business Associate's use or
<br />disclosure of PHI, Employer, acting on behalf of the Plan, shall notify Business Associate of any limitation(s) in its notice of privacy practices, including
<br />but not limited to any change in, or revocation of, permission by an Individual to use or disclose PHI. Employer, acting on behalf of the Plan, shall also
<br />notify Business Associate of any restriction to the use or disclosure of PHI that It has agreed to in accordance with HIPAA, to the extent that the
<br />restriction may affect Business Associate's use or disclosure of PHI. The Plan shall not request Business Associate to use or disclose PHI in any manner
<br />that would violate the HIPAA Rules if done by the Plan, except for Data Aggregation or management and administration and legal responsibilities of
<br />the Business Associate,
<br />G. Required Notice to the Plan. Business Associate shall notify the Plan of any use or disclosure of PHI otherwisethan as provided by this Agreement,
<br />including but not limited to any Security Incident of which it becomes aware, as soon as possible but no later than within ten days of becoming aware
<br />of the prohibited use of disclosure. Notice to one of the employees designated by Employer in accordance with Section C.7 is considered notice to the
<br />Plan.
<br />7. Disclosure to Employees of Employer:
<br />a. When Business Associate discloses PHI to Employer, the Plan acknowledges and agrees that Business Associate shall only disclose PHI to the
<br />employees who are identified in the Notice of Privacy Practices distributed by Employer as having access to PHI and employees whom the
<br />Employer has designated as HIPAA contacts. The Plan agrees and acknowledges that these disclosures are solely for purposes of carrying out Plan
<br />administration functions that Employer performs for its Plan.
<br />b. Employer shall timely notify Business Associate in writing of any changes to the names or positions of employees listed in the Notice of
<br />Privacy Practices and changes to a HIPAA designated contact. Business Associate has no duty to inquire whether Employer's list of designated
<br />HIPAA contacts is accurate or up to date.
<br />c. Employer shall indemnify and hold harmless Business Associate (and Its employees) for any and all liability Business Associate may Incur as
<br />a result of any improper use or disclosure of PHI by Employer or Its employees. Business Associate shall Indemnify and hold harmless Employer
<br />(and its employees) for any and all liability Employer may incur as a result of any improper use or disclosure of PHI by Business Associate.
<br />8, Electronic Data Interchange (EDI). Business Associate agrees to comply with the EDI standard transaction requirements in the HIPAA Rules to the
<br />extent applicable.
<br />9. Security. Business Associate shall:
<br />a. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and
<br />availability of electronic PHI that it creates, receives, maintains or transmits on behalf of the Plan and prevent use or disclosure of electronic PHI
<br />other than as provided for by this Appendix.
<br />31� .4EYII,E_,EEEI, ., . t , ,. .: :.0 y
<br />EJr„i � ii 4.EH37.1 E [.. 3. C;41f1
<br />All,
<br />
|