Egnyte Hipaa Business Associate Agreement (Page 4 of 6) in pdf

HIPAA Business Associate Agreement

g. Business Associate will promptly report to Covered Entity any unauthorized acquisition,

access, use, or disclosure of Protected Health Information in violation of the HIPAA Rules or

other applicable law, or in violation of the terms of this BAA. Such report will be made as soon

as reasonably possible but in no event later than ten business days after discovery by Business

Associate of such breach. Each report of a breach will include, to the extent possible, the

following information: (i) a description of the facts pertaining to the breach, including without

limitation, the date of the breach and the date of discovery of the breach, (ii) a description of

the Protected Health Information involved in the breach, (iii) the names of the individuals who

committed or were involved in the breach, (iv) the names of the unauthorized individuals or

entities to whom Protected Health Information has been disclosed, (v) a description of the

action taken or proposed by the Business Associate to mitigate the financial, reputational or

other harm to the individual who is the subject of the breach, and (vi) provide such other

information as Covered Entity may reasonably request including, without limitation, the

information, data and documentation required by Covered Entity to timely comply with the

HITECH Act and the regulations promulgated thereunder, including the Breach Notification

Rule.

h. Business Associate agrees to comply with the administrative requirements imposed on it, in

its capacity as a business associate, by HIPAA, HIPAA Regulations, HITECH, and the Breach

Notification Regulations thereunder.

4. OBLIGATIONS OF CUSTOMER AS COVERED ENTITY.

a. Covered Entity will not request that Business Associate use or disclose PHI in any manner

that would not be permissible under the HIPAA Rules if done by Covered Entity.

b. Covered Entity will notify Business Associate in writing of any limitation in its notice of

privacy practices adopted in accordance with the Privacy Rules, to the extent that such

limitation may affect Business Associate’s use or disclosure of Protected Health Information.

c. Covered Entity will provide Business Associate with written notice of any revocations,

amendments or restrictions in Covered Entity’s use or disclosure of Protected Health

Information if such changes affect Business Associate’s permitted or required uses and

disclosure of Protected Health Information under this BAA or the Services Agreement.

5. AVAILABILITY OF PROTECTED HEALTH INFORMATION.

a. Covered Entity acknowledges and agrees that Business Associate, due to the nature of the

technology utilized by Business Associate, has no access, direct or indirect, to the Protected

Health Information supplied by Covered Entity to Business Associate.

b. The parties agree that, due to the nature of the technology utilized by Business Associate,

Business Associate cannot make Protected Health Information available (i) to the extent and in

Egnyte Hipaa Business Associate Agreement Page 4