What is Dermani Medspa's Business Associate's obligation regarding the disclosure of PHI?
Dermani Medspa Franchise · 2025 FDD
Answer from 2025 FDD Document
pacity of a member of the workforce of such business associate.
- j. "Unsecured PHI" shall have the same meaning as the term "Unsecured PHI" in 45 C.F.R. § 164.402.
Business Associate acknowledges and agrees that all PHI that is created or received by Covered Entity and disclosed or made available in any form by Covered Entity to Business Associate, or is created, received, maintained or transmitted by Business Associate on Covered Entity's behalf, will be subject to this Agreement. This Agreement will commence upon the Effective Date and will continue as long as Business Associate has use, custody or access to PHI subject to this Agreement, and thereafter for the period required by the Regulations.
II. Obligations and Activities of Business Associate
a. Use and Disclosure. Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate will not use or disclose PHI in a manner that would violate the Regulations if done by Covered Entity.
b. HIPAA Security Rule. Business Associate will develop, implement, maintain and use appropriate safeguards, and comply with the Security Rule at Subpart C of 45 C.F.R. Part 164, with respect to EPHI, to prevent use or disclosure of the PHI other than as provided for by this Agreement.
c. HIPAA Privacy Rule. Business Associate will comply with all requirements of the Privacy Rule at Subpart E of 45 C.F.R. Part 164 that apply to business associates.
d. Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
e. Subcontractors. In accordance with the requirements of the Regulations, Business Associate will ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions that apply to Business Associate with respect to that PHI.
f. Reports of Impermissible Use or Disclosure of PHI; Security Incident. Business Associate will report to Covered Entity any use or disclosure of PHI not provided for or permitted by this Agreement of which it becomes aware, or any Security Incident of EPHI of which it becomes aware, within five (5) days of the date on which Business Associate first discovers the use, disclosure or Security Incident. In addition to its other obligations under this Agreement, Business Associate will take prompt action to correct any Security Incident or use or disclosure of PHI not permitted under this Agreement and any action pertaining to such Security Incident or unauthorized use or disclosure as required by applicable federal or state laws and regulations. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically. Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of PHI.
g. Breaches of Unsecured PHI. Business Associate will report to Covered Entity any Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents. All notifications of Breach of Unsecured PHI will be made by Business Associate to Covered Entity without unreasonable delay and in no event later than five (5) days of discovery. Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered. All notifications will comply with Business Associate's obligations under, and include the information specified in, 45 C.F.R. § 164.410 and include any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c). In the event of a Breach by Business Associate, Business Associate will cooperate with Covered Entity to notify, (i) individuals whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach.
h. Access. In the event an Individual requests access to PHI in a Designated Record Set from Business Associate, Business Associate will provide Covered Entity with notice of the same within five (5) days. Business Associate will provide access, within ten (10) days of a request of Covered Entity and in the manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity, or, as directed by Covered Entity, to an Individual or the Individual's designee in order to meet the requirements under 45 C.F.R. § 164.524 (Access). If the PHI that is the subject of a request is maintained by the Business Associate in a Designated Record Set electronically, Business Associate will provide an electronic copy of such information to the Covered Entity, or, as directed by the Covered Entity, to the Individual or the Individual's designee, in the format required by the Regulations and as directed by Covered Entity, in order to meet the Covered Entity's obligations under 45 C.F.R. § 164.524.
i. Amendment. In the event Business Associate receives a request from an Individual for an amendment to PHI in a Designated Record Set, Business Associate will provide Covered Entity with notice of the same within five (5) days. Business Associate will make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 (Amendment) within ten (10) days of a request of Covered Entity or an Individual and in the manner designated by Covered Entity, in order to meet the Covered Entity's obligations under 45 C.F.R. § 164.526. Business Associate will incorporate any amendments to PHI it receives from Covered Entity and will notify Covered Entity of any amended PHI that it receives from third parties relating to Covered Entity's PHI.
j. Accounting of Disclosures. Business Associate will document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to fulfill its obligations under the Regulations, including, but not limited to, responding to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and will provide such information to Covered Entity or an Individual, in the time and manner designated by Covered Entity. Except in the case of a direct request from an Individual for an accounting related to treatment, payment or healthcare operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, Business Associate will, within five (5) days of a request, notify Covered Entity of the request. Covered Entity will either inform Business Associate to provide such information directly to the Individual, or it will request the information to be immediately forwarded to Covered Entity for compilation and distribution to such Individual, and Business Associate will provide such information in its possession within ten (10) days of Covered Entity's request. In the case of a direct request for an accounting from an Individual related to treatment, payment or healthcare operations disclosures through electronic health records, Business Associate will provide such accounting to the Individual in accordance with Section 13405(c) of HITECH and such regulations as are adopted thereunder. Covered Entity and Business Associate agree that the provisions of this section related to accounting of disclosures for treatment, payment and healthcare operations purposes from an electronic health record will only be effective as of such date such accountings of disclosures are required under HITECH. 
Business Associate and any agent or Subcontractors will maintain the information required for purposes of complying with this section for such period of time as is required under the Regulations and HITECH.
k. Covered Entity's Obligations Under Privacy Rule. To the extent that Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
l. Records. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Covered Entity or to the Secretary for purposes of determining Covered Entity's compliance with the Regulations. Business Associate will notify Covered Entity regarding any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary, and upon request by Covered Entity, will provide Covered Entity with a duplicate copy of such PHI.
m. Inspections; Audits. Within five (5) days of a written request by Covered Entity, Business Associate will allow Covered Entity to conduct a reasonable inspection of the books and records relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement and the requirements of the Regulations;
Source: Item 23 — RECEIPTS (FDD pages 66–311)
What This Means (2025 FDD)
According to Dermani Medspa's 2025 Franchise Disclosure Document, the Business Associate has specific obligations regarding the use and disclosure of Protected Health Information (PHI). The Business Associate is prohibited from using or disclosing PHI except as permitted or required by the agreement or by law. They must not use or disclose PHI in a way that would violate regulations if done by the Covered Entity. The Business Associate is obligated to comply with all applicable requirements of the HIPAA Privacy Rule.
The Business Associate must also mitigate any harmful effects known to them resulting from a use or disclosure of PHI that violates the agreement. They are required to ensure that any subcontractor who creates, receives, maintains, or transmits PHI on their behalf agrees in writing to the same restrictions and conditions. Furthermore, the Business Associate must report to the Covered Entity any unauthorized use or disclosure of PHI or any security incident involving Electronic Protected Health Information (EPHI) within five days of discovery. They must also take prompt action to correct any security incident or unauthorized use or disclosure of PHI as required by law.
The Business Associate is obligated to notify the Covered Entity about any PHI provided to the Secretary of Health and Human Services, and provide a duplicate copy upon request. They must allow the Covered Entity to conduct reasonable inspections of their books and records related to the use or disclosure of PHI to ensure compliance with the agreement and regulations. The Business Associate and its subcontractors must only request, use, and disclose the minimum necessary amount of PHI to accomplish the intended purpose. They must also comply with all applicable requirements of Title XIII, Subtitle D of the HITECH Act and its implementing regulations.
In cases where an individual directly requests an accounting related to treatment, payment, or healthcare operations disclosures through an electronic health record, the Business Associate must notify the Covered Entity within five days. The Covered Entity will then instruct the Business Associate to either provide the information directly to the individual or forward it to the Covered Entity for compilation and distribution. However, in the case of a direct request for an accounting related to treatment, payment, or healthcare operations disclosures through electronic health records, the Business Associate will provide such accounting to the individual in accordance with Section 13405(c) of HITECH and its regulations.