Model Business Associate Agreement Template Page 5

5. Accounting of Disclosures. Business Associate shall make available to Covered Entity
in response to a request from an individual, information required for an accounting of
disclosures of PHI with respect to the individual in accordance with 45 CFR § 164.528, as
amended by Section 13405(c) of the HITECH Act and any related regulations or guidance
issued by HHS in accordance with such provision.
6. Records and Audit. Business Associate shall make available to the United States
Department of Health and Human Services or its agents, its internal practices, books, and
records relating to the use and disclosure of PHI received from, created, or received by Business
Associate on behalf of Covered Entity for the purpose of determining Covered Entity’s
compliance with the Confidentiality Requirements or the requirements of any other health
oversight agency, in a time and manner designated by the Secretary.
7. Implementation of Security Standards; Notice of Security Incidents. Business
Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as
expressly permitted under this Agreement. Business Associate will implement administrative,
physical and technical safeguards that reasonably and appropriately protect the confidentiality,
integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of
Covered Entity. Business Associate acknowledges that the HITECH Act requires Business
Associate to comply with 45 C.F.R. §§164.308, 164.310, 164.312 and 164.316 as if Business
Associate were a Covered Entity, and Business Associate agrees to comply with these
provisions of the Security Standards and all additional security provisions of the HITECH Act.
Furthermore, to the extent feasible, Business Associate will use commercially reasonable
efforts to secure PHI through technology safeguards that render such PHI unusable, unreadable
and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI
in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or
such later regulations or guidance promulgated by HHS or issued by the National Institute of
Standards and Technology ("NIST") concerning the protection of identifiable data such as PHI.
Lastly, Business Associate will promptly report to Covered Entity any successful Security
Incident of which it becomes aware. At the request of Covered Entity, Business Associate shall
identify: the date of the Security Incident, the scope of the Security Incident, the Business
Associate’s response to the Security Incident and the identification of the party responsible for
causing the Security Incident, if known.
8. Data Breach Notification and Mitigation.
8.1 HIPAA Data Breach Notification and Mitigation. Business
Associate agrees to implement reasonable systems for the discovery and prompt
reporting to Covered Entity of any “breach” of “unsecured PHI” as those terms are
defined by 45 C.F.R. § 164.402.
Specifically, a breach is an unauthorized
acquisition, access, use or disclosure of unsecured PHI, including ePHI, which
compromises the security or privacy of the PHI/ePHI. A breach compromises the
security or privacy of PHI/ePHI if it poses a significant risk of financial,
reputational, or other harm to the individual whose PHI/ePHI was compromised
(hereinafter a “HIPAA Breach”). The parties acknowledge and agree that 45 C.F.R.
§ 164.404, as described below in this Section 8.1, governs the determination of the
THSA – Model Business Associate Agreement, Page 5