(b) Subcontractor Protection of PHI
(1) Subcontractor agrees to implement administrative, physical, technical and policy and documentation safeguards that reasonably and appropriately protect the privacy, security, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits under this Agreement. At a minimum, Subcontractors safeguards will include all Required Implementation Specifications contained in sections 164.308, 164.310, 164.312 and 164.316 of title 45 of the Code of Federal Regulations, as required by Section 13401 of The Act and any subsequent amendments and regulations promulgated thereunder.
(2) No later than the date that Section 13402 of The Act becomes effective, Subcontractor agrees to implement and use administrative, physical and/or technical safeguards to protect PHI received from or created that meet or exceed the Secretarys promulgated standards to avoid classification as unsecured PHI. In the event Subcontractor is unable to implement safeguards that avoid the classification as unsecured PHI, Subcontractor will notify Business Associate of that fact. Subcontractor agrees it will be solely and completely liable and responsible for all notices and notifications of Business Associate, affected patients, and the Secretary, of any Breach of PHI, in accordance with Section 13402 of Act, and agrees to coordinate immediately with Business Associate in the event that notifications of a Breach arising from the Subcontractor is required.
(c) Subcontractor agrees to promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of Facility Data by Subcontractor in violation of the Services Agreement or this BAA.
(d) Subcontractor Notice to the Business Associate of Non-Authorized Use, Disclosure Access or Breach of PHI
(1) Subcontractor agrees to promptly report to Business Associate any use or disclosure of Facility Data not provided for by the Services Agreement and/or this BAA, including any requests for inspection, copying or amendment of such information and including any security incident involving Facility Data. Subcontractor shall maintain a record of all such requests for inspection, copying and amendment(s) of Facility Data not provided for by the Services Agreement, including those initiated by Patient, Business Associate, or third parties, and to promptly provide such documentation to Business Associate upon request.
(2) Subcontractor agrees to promptly notify the Business Associate of any Breach of any unsecured PHI of the Business Associate in its possession, but in any event no later than thirty (30) days of the occurrence of the Breach, as required by Section 13402(b) of The Act. The content of the Subcontractor notice to the Business Associate shall conform to the requirements of Section 13402(b) of The Act and any subsequent amendments and resulting regulations.
(e) Subcontractor agrees to ensure in writing that any agent, including a subcontractor, to whom it provides Facility Data agrees to the same restrictions and conditions that apply to Subcontractor with respect to such information, including appropriate and comparable safeguards, as defined in paragraph 3(b), above.