REV:01-20-23 MI

1.12. Secretary. “Secretary” shall mean the U.S. Secretary of the Department of Health and Human Services or his or her designee.

1.13. Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR 164.304.

1.14. Security Rule. “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 CFR Part 160 and Part 164, subparts A and C.

1.15. Standards for Electronic Transactions Rule. “Standards for Electronic Transactions Rule” means the final regulations issued by HHS concerning standard transactions and code sets under the Administration Simplification provisions of HIPAA, 45 CFR Part 160 and Part 162.

1.16. Subcontractor. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 CFR 160.103.

1.17. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning given the term “unsecured protected health information” in 45 CFR 164.402.

2. Obligations and Activities of Business Associate

2.1. Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2. Business Associate agrees to take reasonable efforts to limit its use and disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The foregoing minimum necessary standard does not apply to: (1) disclosures or requests by a health care provider for treatment purposes; (2) disclosures to the Individual who is the subject of the information; (3) uses or disclosures made pursuant to an Individual’s authorization; (4) uses or disclosures required for compliance with HIPAA; (5) disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes; (6) uses or disclosures that are required by other law.

2.3. Business Associate agrees to develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and comply with applicable requirements under the Security Rule.

2.4. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI of which it becomes aware. Such notice shall include, to the extent possible, the information listed in Section 2.6. A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the individual committing the Breach, who is an employee, officer, or other agent of Business Associate.

2.5. Notice shall be made without unreasonable delay and in no case later than sixty (60) calendar days after the discovery of a Breach by Business Associate.

2.6. Notice of a Breach shall include, to the extent possible the following:

2.6.1. Identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

2.6.2. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known.

2.6.3. A description of the types of Unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, or account number).

2.6.4. The steps Individuals should take to protect themselves from potential harm resulting from the Breach.

ATTY/AGR.2023.010/Navia Benefit Solutions (Navia Services (Dental HRA) 2023) (Page 37 of 42)