Business Associate Addendum For Healthcare Facilities

by law and that the third-party will notify Business Associate if it becomes aware of any breach of

confdentiality; or

2.2.3. As otherwise permitted or required by law.

Business Associate will make reasonable efforts to limit PHI that Business Associate requests, uses or

discloses to the minimum necessary to accomplish permissible uses and disclosures. Business Associ-

ate will not use or disclose PHI other than in accordance with this Business Associate Addendum or as

required by law. Covered Entity will not request Business Associate to use or disclose PHI in any

manner that would not be permissible under HIPAA if done by the Covered Entity.

2.3.

Authorizations. Covered Entity has determined that “authorizations” as de-

fined by HIPAA need not be obtained for Business Associate’s use and disclosure of PHI under the

Agreement. However, should it be determined that HIPAA requires an authorization for any such

services, Covered Entity will obtain and maintain the required authorization and promptly notify Busi-

ness Associate of any changes in, or revocation of, such authorization.

3. Security of PHI. Business Associate will implement safeguards that it deems appropriate

to prevent the use or disclosure of PHI other than as permitted by this Business Associate Addendum.

4. Agents. Business Associate will instruct its employees, subcontractors and other agents to

whom Business Associate provides PHI that they are subject to the restrictions and conditions concern-

ing PHI that apply to Business Associate hereunder.

5. Reporting. Business Associate will report to Covered Entity uses or disclosures of PHI not

permitted hereunder of which Business Associate becomes aware.

6. Third-Party Requests.

6.1.

Requests.

6.1.1. Requests to Business Associate. Patients of Covered Entity who are

customers of Business Associate may directly submit requests to Business Associate for (i) access to,

or (ii) protections or restrictions on the use or disclosure of, the patient’s PHI in Business Associate’s

records. For all other third-party requests that concern Business Associate’s records and seek (i) access

to, (ii) amendment of, (iii) protections or restrictions on the use or disclosure of, or (iv) an accounting

of disclosures of, the PHI of any patient or client of Covered Entity, Business Associate will refer the

third-party to submit the request directly to Covered Entity for review and response.

6.1.2. Requests to Covered Entity. Covered Entity may forward to Business

Associate third-party requests concerning Business Associate’s records that seek (i) access to, (ii) amend-

ment of, (iii) protections or restrictions on the use or disclosure of, or (iv) an accounting of disclosures

of, the PHI of any patient or client of Covered Entity. Covered Entity shall forward each such request

to Business Associate, attention: HIPAA Compliance Liaison, within two (2) days of the request, to

provide a reasonable time period for response.

Page 3 of 5

Business Associate Addendum For Healthcare Facilities - 2003 Page 3