Business Associate Addendum For Healthcare Facilities

6.2.

Responses to Requests.

6.2.1. Requests to Business Associate. For patient requests under Section

6.1.1 for (i) access to or (ii) protections or restrictions on the use or disclosure of the patient’s PHI in

Business Associate’s records, Business Associate will respond directly to the patient within twenty-

five (25) days of Business Associate’s receipt of the request, as Business Associate deems appropriate

under HIPAA. Business Associate will act reasonably to keep records of such requests and disclosures.

6.2.2. Requests to Covered Entity. For third-party requests that Covered En-

tity forwards to Business Associate under Section 6.1.2, Business Associate will act reasonably to

make available to Covered Entity the relevant, responsive information in Business Associate’s records,

and Covered Entity will be responsible for responding to the third-party. Additionally, Business Asso-

ciate will incorporate into Business Associate’s records such amendments of PHI as requested by

Covered Entity, if required by 45 C.F.R. § 165.504(e); provided, however, that Business Associate

shall determine, in its discretion, how and where each such amendment should be made to Business

Associate’s records.

6.3.

Subpoenas. If Business Associate receives a subpoena to disclose PHI gov-

erned by this Business Associate Addendum, Business Associate will notify Covered Entity of the

subpoena within five (5) business days of its receipt.

7. Audits. Business Associate will make its internal practices, books, records and policies

relating to the use and disclosure of PHI received from Covered Entity, or created or received by

Business Associate on behalf of Covered Entity, available to the Secretary of the United States Depart-

ment of Health and Human Services (“Secretary”) upon request by the Secretary or by Covered Entity,

for purposes of determining Covered Entity’s compliance with HIPAA.

8. Return or Destruction of PHI. Upon termination of the Agreement, Business Associate

will either return to Covered Entity or destroy all PHI governed by this Business Associate Addendum,

and all copies thereof, that Business Associate still maintains; provided, however, that if Business

Associate concludes that the return or destruction of PHI is not feasible, Business Associate will so

notify Covered Entity, extend the protections of this Business Associate Addendum to the PHI and

limit further uses or disclosures of the PHI to those purposes that make its return or destruction infea-

sible.

9. Cooperation. The parties agree to cooperate in good faith to cure any alleged breach of this

Business Associate Addendum. If Covered Entity determines in good faith that Business Associate has

materially breached this Business Associate Addendum, Covered Entity will provide written notice to

Business Associate of the breach and an opportunity for Business Associate to cure such breach within

thirty (30) days or such other period as the parties mutually agree. If Covered Entity determines in

good faith that the breach is not cured, Covered Entity may terminate the Agreement as amended

herein, upon providing thirty (30) days written notice to Business Associate, or may instead report the

breach to the Secretary. Business Associate does not agree to indemnify Covered Entity for any liabil-

ity, claims, suits, awards, damages, judgments, penalties, costs, attorneys’ fees or other expenses in-

curred by Covered Entity from any alleged breach of this Business Associate Addendum. However,

Business Associate will cooperate with Covered Entity in Covered Entity’s defense of any such action

or administrative proceeding.

Page 4 of 5

Business Associate Addendum For Healthcare Facilities - 2003 Page 4