Laserfiche WebLink
0113C0NEXIS <br />human resourceful® <br />SECTION 2.0 OBLIGATIONS OF CONEXIS IN ITS CAPACITY AS BUSINESS ASSOCIATE <br />2.1 Not use or disclose PHI other than as permitted or required by this Schedule; <br />2.2 Use appropriate safeguards, and comply with the Security Rule to prevent use or disclosure of PHI <br />other than as provided for by this HIPAA Schedule. Except as otherwise set forth in Section 2.3, <br />CONEXIS will report to the Plan any use or disclosure of PHI than as otherwise provided by this <br />Agreement, including but not limited to any Privacy Breaches and any successful Security Incidents, as <br />soon as reasonably possible, but in no event later than thirty (30) calendar days, of becoming aware of <br />such use or disclosure. CONEXIS will periodically report any unsuccessful Security Incidents, as <br />determined necessary by CONEXIS; <br />2.3 If CONEXIS determines that any such use or disclosure is a Privacy Breach, it will provide notice to the <br />Plan in accordance with 45 CFR § 164.410 and 45 CFR § 164.412. With respect to any Privacy <br />Breaches, CONEXIS may, in its sole discretion, provide any of the following: (i) notice to affected <br />individuals, including any substitute notice as necessary in accordance with 45 CFR § 164.404; (ii) if <br />required, notice to a media outlet in accordance with 45 CFR § 164.406; <br />2.4 In accordance with 45 CFR § 164.502(e)(1)(ii) and 45 CFR § 164.308(b)(2), if applicable, ensure that <br />any subcontractors that create receive, maintain, or transmit PHI on behalf of CONEXIS on or after <br />September 23, 2014 agree to the same restrictions, conditions, and requirements that apply to. <br />CONEXIS with respect to such information. Prior to September 23, 2014, CONEXIS agrees to obtain <br />reasonable assurances from any subcontractors who receive PHI from CONEXIS that such <br />subcontractors will use and disclose PHI received from CONEXIS according to terms and conditions <br />that are substantially similar to those applicable to CONEXIS herein; <br />2.5 Make available PHI in a designated record set to the Individual in accordance with 45 CFR § 164.524. <br />If the individual makes the request directly to the Plan and Plan requests such PHI from CONEXIS, <br />CONEXIS will provide such information to the Plan as soon as reasonably possible but not later than <br />ten (10) business days following the request; <br />2.6 Make any amendment(s) to Protected Health Information in a designated record set as directed or <br />agreed to by the Plan pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy <br />Plan's obligations under 45 CFR § 164.526; <br />2.7 Maintain and make available the information required to provide an accounting of disclosures to the <br />individual in accordance with 45 CFR § 164.528. If the individual makes the request directly to the Plan <br />and Plan requests such PHI from CONEXIS, CONEXIS will provide such information to the Plan as <br />soon as reasonably possible but not later than ten (10) business days following the request; <br />2.8 To the extent CONEXIS agrees to carry out one or more of Plan's obligation(s) under the Privacy Rule, <br />CONEXIS will comply with the requirements of the Privacy Rule that apply to the Plan in the <br />performance of such obligation(s); and <br />2.9 Make its internal practices, books, and records available to the Secretary for purposes of determining <br />compliance with the HIPAA Rules, <br />Direct Client Services Agreement 11 V10.0-050114 <br />