Laserfiche WebLink
50 <br /> <br />Attachment H <br />Health Insurance Portability and Accountability Act (HIPAA) <br />Business Associate Requirements <br />I. DEFINITIONS <br /> <br />Terms used, but not otherwise defined, in this Schedule shall have the same meaning as those terms are <br />defined in 45 Code of Federal Regulations (CFR) sections 160.103, 164.304, and <br />164.501. All regulatory references in this Schedule are to Title 45 of the Code of Federal Regulations <br />unless otherwise specified. <br />a. Business Associate. “Business Associate" shall generally have the same meaning as the <br />term "business associate" at 45 CFR 160.103, and in reference to the parties to this <br />agreement shall mean Contractor. <br />b. Covered Entity. "Covered entity" shall generally have the same meaning as the term <br />“covered entity” at 45 CFR 160.103, and in reference to the party to this agreem ent shall <br />mean County. <br />c. HIPAA Rules. "HIPAA rules" shall mean the Privacy, Security, Breach Notification and <br />Enforcement Rules at 45 CFR part 160 and part 164, as amended and supplemented by <br />Subtitle D of the Health Information Technology for Economic and Clinical Health Act <br />provisions of the American Recovery and Reinvestment Act of 2009. <br />d. Designated Record Set. "Designated Record Set" shall have the same meaning as the <br />term "designated record set" in Section 164.501. <br />e. Electronic Protected Health Information. "Electronic Protected Health Information" <br />(EPHI) means individually identifiable health information that is transmitted or maintained in <br />electronic media; it is limited to the information created, received, maintained or transmitted <br />by Business Associate from or on behalf of Covered Entity. <br />f. Individual. "Individual" shall have the same meaning as the term "individual" in Section 164.501 <br />and shall include a person who qualifies as a personal representative in accordance with <br />Section 164.502(g). <br />g. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually <br />Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. <br />h. Protected Health Information. "Protected Health Information" (PHI) shall have the same <br />meaning as the term "protected health information" in Section 164.503 and is limited to the <br />information created or received by Business Associate from or on behalf of County. <br />i. Required By Law. "Required by law" shall have the same meaning as the term "required by <br />law" in Section 164.501. <br />j. Secretary. "Secretary" shall mean the Secretary of the United States Department of Health and <br />Human Services or his or her designee. <br />k. Breach. The acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that <br />compromises the security or privacy of the PHI and subject to the exclusions set forth in Section <br />164.402. Unless an exception applies, an impermissible use or disclosure of PHI is presumed to <br />be a breach, unless it can be demonstrated there is a low probability that the PHI has been <br />compromised based upon, at minimum, a four-part risk assessment: <br />1. Nature and extent of PHI included, identifiers and likelihood of re-identification; <br />2. Identity of the unauthorized person or to whom impermissible disclosure was made; <br />3. Whether PHI was actually viewed or only the opportunity to do so existed; <br />4. The extent to which the risk has been mitigated. <br />l. Security Rule. "Security Rule" shall mean the Security Standards for the Protection of <br />Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C. <br />DocuSign Envelope ID: 6C491BB9-BC86-4B49-A708-70DFC750A9BD