Unless there is legal protection or a prohibition on discovery or disclosure, Business Associate's books and internal records, including policies and procedures (together “compliance information”), relating to the use or disclosure of protected health information and its protection are available to the covered entity or the Secretary to determine compliance by the regulated entity with the HIPAA rules and the HITECH Act. Business Associate has a reasonable period of time to respond to requests for access and/or demonstrable evidence in accordance with this agreement. Under no circumstances can demonstrable access or evidence be required in less than ten (10) working days from the receipt of such a request by Business Associate, unless otherwise provided by the Secretary. All other agreements between the covered entity and Business Associate that are not related to this purpose remain fully in force and effect. Except as otherwise limited in this agreement, Business Associate may use protected health information to provide data aggregation services to the covered entity, as provided for in 45 CFR 164.504(e)(2)(i)(B). Business Associate agrees that these data aggregation services are only provided to the covered entity if these services are related to healthcare operations. Business Associate also agrees that these services should not be provided in a manner that would lead to the disclosure of protected health information to another covered entity that was not the author and/or rightful owner of this protected health information. In addition, Business Associate agrees that such unlawful disclosure of protected health information constitutes a direct violation of this agreement and will be reported to the covered entity immediately after the publication of such disclosure and under no circumstances later than three (3) working days thereafter.
If Business Associate is an agent of the covered entity, Business Associate agrees that any breach of the covered entity's unsecured protected health information will be reported immediately after notification of the breach, and under no circumstances later than one (1) next business day. Business Associate also agrees that any compromise of protected health information, with a violation of unsecured protected health information in accordance with item 2(c) of this agreement, will be reported to the covered entity within ten (10) working days after the discovery of this compromise or an attempt to compromise. In the event that Business Associate finds that it is not possible to return or destroy protected health information, Business Associate will provide the covered entity, within ten (10) working days, with a notification of the conditions that make return or destruction infeasible.
Under this provision, Business Associate extends the protection of this agreement to protected health information and limits the subsequent use and disclosure of this protected health information to the purposes that make return or destruction infeasible, provided that Business Associate has such protected health information. Business Associate is committed to ensuring that any subcontractor that provides Business Associate with protected health information accepts the same restrictions and conditions as those applicable to Business Associate with respect to this information under this agreement. Business Associate also accepts that the restrictions and conditions imposed on these subcontractors are imposed by a written agreement meeting all the requirements of Section 164.504(e)(2) and that Business Associate may only provide these subcontractors with protected health information in accordance with Section 13405(b) of the HITECH Act.