Accounting Rights. Within ten (10) business days of notice by CE of a request for an accounting of disclosures of Protected Information, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Act, including but not limited to 42 U.S.C. Section 17935(c), as determined by CE. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an Electronic Health Record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed and (iv) a brief statement of purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individuals’ authorization, or a copy of the written request for disclosure. In the event that the request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall within five (5) business days of a request forward it to CE in writing. However, it shall be BA’s responsibility to prepare and deliver any such accounting requested and to do so in accordance with law. BA shall not disclose any Protected Information except as set forth in Sections 2.b. of this Exhibit “M” [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528].
Appears in 6 contracts
Samples: Professional Services Contract, Professional Services Contract, Professional Services Contract
Accounting Rights. Within ten (10) business days of notice by CE of a request for an accounting of disclosures of Protected Information, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Act, including but not limited to 42 U.S.C. Section 17935(c), as determined by CE. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an Electronic Health Record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed and (iv) a brief statement of purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individuals’ authorization, or a copy of the written request for disclosure. In the event that the request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall within five (5) business days of a request forward it to CE in writing. However, it shall be BA’s responsibility to prepare and deliver any such accounting requested and to do so in accordance with law. BA shall not disclose any Protected Information except as set forth in Sections 2.b. of this Exhibit “M” [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528].Sections
Appears in 2 contracts
Samples: Professional Services, Professional Services
Accounting Rights. Within ten (10) business days of notice by CE of a request for an accounting of disclosures of Protected Information, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Act, including but not limited to 42 U.S.C. Section 17935(c), as determined by CE. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an Electronic Health Record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed and (iv) a brief statement of purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individuals’ authorization, or a copy of the written request for disclosure. In the event that the request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall within five (5) business days of a request forward it to CE in writing. However, it shall be BA’s responsibility to prepare and deliver any such accounting requested and to do so in accordance with law. BA shall not disclose any Protected Information except as set forth in Sections 2.b. of this Exhibit “M” [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528]. Governmental Access to Records. BA shall make its internal practices, books and records relating to the use, disclosure and privacy protection of Protected Information available to CE and to the DHHS Secretary for purposes of determining BA’s compliance with the Privacy Rule [45 C.F.R. Section 164.504(e)(2)(ii)(H)]. BA shall provide to CE a copy of any Protected Information that BA provides to the DHHS Secretary concurrently with providing such Protected Information to the DHHS Secretary. Minimum Necessary. BA and its agents or subcontractors shall request, use and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, or disclosure. [42 U.S.C. Section 17935(b); 45 C.F.R. Section 164.514(d)(3)] BA understands and agrees that the definition of “minimum necessary” is in flux and shall keep itself informed of guidance issued by the DHHS Secretary with respect to what constitutes “minimum necessary.” Data Ownership. BA acknowledges that BA has no ownership rights with respect to the Protected Information. Notification of Breach. Unless stricter reporting requirements apply in accordance with federal or state laws or regulations, other provisions of the Agreement, or this Exhibit “M”, BA shall notify CE within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which BA becomes aware and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Unless CE provides BA with written notice that it will undertake such obligations on behalf of BA, BA shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations. The parties agree that CE has the sole discretion to determine whether or not it will undertake such obligations on behalf of BA and that, if it does, CE has the right to require BA to pay for any or all costs associated therewith. Breach Pattern or Practice by Covered Entity. Pursuant to 42 U.S.C. Section 17934(b), if the BA knows of a pattern of activity or practice of the CE that constitutes a material breach or violation of the CE’s obligations under the Agreement or this Exhibit “M” or other arrangement, the BA must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, the BA must terminate the Agreement or other arrangement if feasible, or if termination is not feasible, report the problem to the DHHS Secretary. BA shall provide written notice to CE of any pattern of activity or practice of the CE that BA believes constitutes a material breach or violation of the CE’s obligations under the Agreement or this Exhibit “M” or other arrangement within five (5) business days of discovery and shall meet with CE to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation. Audits, Inspection and Enforcement. Within ten (10) days of a written request by CE, BA and its agents or subcontractors shall allow CE to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of Protected Information pursuant to this Exhibit “M” for the purpose of determining whether BA has complied with this Exhibit; provided, however, that (i) BA and CE shall mutually agree in advance upon the scope, timing and location of such an inspection, (ii) CE shall protect the confidentiality of all confidential and proprietary information of BA to which CE has access during the course of such inspection; and (iii) CE shall execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested by BA. The fact that CE inspects, or fails to inspect, or has the right to inspect, BA’s facilities, systems, books, records, agreements, policies and procedures does not relieve BA of its responsibility to comply with this Exhibit “M”, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify BA or require BA’s remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of CE’s enforcement rights under the Agreement or this Exhibit “M”. BA shall notify CE within ten (10) business days of learning that BA has become the subject of an audit, compliance review, or complaint investigation by the Office for Civil Rights.
Appears in 2 contracts
Samples: Professional Services Contract, Professional Services Contract
Accounting Rights. Within ten (10) business days of notice by CE Department of a request for an accounting of disclosures of Protected Information, Information BA and its agents or subcontractors shall make available to CE Department the information required to provide an accounting of disclosures to enable CE Department to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Act, including but not limited to 42 U.S.C. Section 17935(c), as determined by CEDepartment. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an Electronic Health Record electronic health record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the Individual individual of the basis for the disclosure, or a copy of the Individuals’ individual's authorization, or a copy of the written request for disclosure. In the event that the request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall within five (5) business days of a request forward it to CE Department in writing. However, it It shall be BA’s Department s responsibility to prepare and deliver any such accounting requested and to do so in accordance with law. BA shall not disclose any Protected Information except as set forth in Sections 2.b. of this Exhibit “M” Addendum [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528]. The provisions of this subparagraph shall survive the termination of this Agreement.
Appears in 1 contract
Samples: Independent Contractor Agreement