Oﬃce Ally Inc. | PO Box 872020 Vancouver, WA 98687 | Phone: (360) 975-7000 | Fax: (360) 314-2184 | www.OﬃceAlly.com | Revised: 7/07/2020 | Page 3
xi. Authorization. Business Associate may use and disclose PHI as authorized by an Individual using an
authorization that complies with the requirements of 45 CFR § 164.508.
c. Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than
as provided for by this Agreement.
d. Security Rule. With respect to ePHI, Business Associate shall comply with the applicable requirements of the
e. Reporting of Impermissible Uses and Disclosures, Security Incidents, and Breaches. Business Associate
agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or any Security
Incident of which Business Associate becomes aware, except that this section shall hereby serve as notice, and no
additional reporting shall be required, of the regular occurrence of unsuccessful attempts at unauthorized access,
use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system
containing ePHI. After discovery of an impermissible Use, Disclosure or Security Incident, Business Associate shall
report such incident to the Covered Entity promptly without unreasonable delay. In the event that such use or
disclosure or Security Incident constitutes a Breach of Unsecured Protected Health Information, such notice shall
include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business
Associate to have been accessed, acquired, used, or disclosed in connection with such Breach and any additional
information set forth at 45 CFR § 164.410, to the extent possible. In addition, Business Associate shall provide any
additional information reasonably requested by Covered Entity for the purpose of investigating and responding to the
Breach. Notification of Breach, or potential Breach, under this Agreement shall be made to Covered Entity as
indicated in Section (X)(c) below.
f. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that becomes
known to Business Associate as a result of a Breach, or use or disclosure of PHI, by Business Associate in
violation of the requirements of this Agreement.
g. Use of Subcontractors. Business Associate shall ensure that any of Subcontractors that create, receive,
maintain, or transmit protected health information on behalf of the Business Associate agrees to the same or more
stringent restrictions, conditions, and requirements that apply to the Business Associate with respect to such
information, including compliance with the applicable requirements of the Security Rule.
h. Availability of Information to Covered Entity. Within five (5) business days of receipt of a request from Covered Entity,
Business Associate shall make available to Covered Entity PHI in a Designated Record Set as necessary to allow Covered
Entity to satisfy its obligations under 45 CFR § 164.524. If an Individual requests such information directly from Business
Associate, Business Associate must notify Covered Entity in writing within five (5) business days. Business Associate shall not
give the Individual access to the information unless access is approved by Covered Entity. Covered Entity shall have full
discretion to determine whether the Individual shall be given access.
i. Amendment of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate
shall make Covered Entity’s PHI available to Covered Entity so that Covered Entity may fulfill its obligations to amend
such PHI pursuant to the Privacy Rule, including but not limited to, 45 CFR § 164.526. If an Individual requests that
Business Associate amend the Individual’s PHI, Business Associate must notify Covered Entity in writing within five (5)
business days and the Covered Entity may then amend the PHI through the use of the services. Covered Entity shall have full
discretion to determine whether to accept an Individual’s request for amendment.
j. Accounting of Disclosures of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business
Associate shall make available to Covered Entity a list of disclosures of PHI as required for Covered Entity to fulfill its
obligations to provide an accounting pursuant to the Privacy Rule, including but not limited to, 45 CFR § 164.528. Business
Associate shall implement a process that allows for such an accounting. If an Individual requests such an accounting directly
from Business Associate, Business Associate must notify Covered Entity in writing within five (5) business days.
k. Availability of Books and Records. Business Associate shall make its internal practices, books and records
relating to the use and disclosure of PHI, created or received pursuant to this Agreement, available to the
Secretary of the United States Department of Health and Human Services, for the purpose of determining Covered
Entity’s compliance with the Privacy and Security Rules as set forth in 45 CFR § 160.310.