2.2.7 “Underlying Services” shall mean the services performed by Business Associate for Covered Entity, pursuant to an Underlying Services Agreement, as defined below, only to the extent that said services involve the creation, maintenance, use, disclosure or transmission of PHI.
2.2.8 “Underlying Services Agreement” shall mean the written agreement(s), other than this Agreement, by and between the parties as amended from time to time pursuant to which Business Associate has access to, receives, maintains, creates or transmits PHI for or on behalf of Covered Entity in connection with the provision of the Underlying Services or performance of Business Associate’s obligations under said agreements.
OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate agrees to:
3.1 Use and Disclosure. Not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law.
3.2 Appropriate Safeguards. Use appropriate physical, technical, and administrative safeguards (a) to prevent use or disclosure of PHI other than as permitted under this Agreement or as Required By Law and (b) to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
3.3 Assurances. Provide Covered Entity with written assurances that any PHI placed on any type of mobile media, including, but not limited to, laptop computers, tablets, and mobile phones, is encrypted in accordance with guidance issued by the Secretary of the U.S. Department of Health & Human Services (“Secretary”).
3.4 Breach Reporting. Report in writing to Covered Entity within two (2) business days after discovery, any suspected or actual: (a) access, use or disclosure of PHI not permitted by this Agreement; (b) Breach of unsecured PHI in accordance with 45 CFR 164.410; (c) security breach or intrusion; (d) use or disclosure of PHI in violation of any applicable federal or state laws or regulations. Business Associate has implemented or will implement a reasonable system for discovery of Breaches.
3.5 Mitigation. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
3.6 Agents and Subcontractors. Ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information.
3.7 Access to PHI. In the event that the Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to provide access, within ten (10) days of a request by Covered Entity in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.
3.8 Amendment of PHI. In the event that the Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, within ten (10) days of receipt of a request from Covered Entity and in the time and manner designated by Covered Entity.