Common use of Additional Responsibilities of Business Associate with Respect to EPHI Clause in Contracts

Additional Responsibilities of Business Associate with Respect to EPHI. In the event that Business Associate has access to EPHI, in addition to the other requirements set forth in this Agreement relating to PHI, Business Associate shall: (a) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity as required by 45 C.F.R. Part 164, Subpart C; (b) ensure that any subcontractor or agent to whom Business Associate provides any EPHI agrees in writing to implement reasonable and appropriate safeguards to protect such EPHI; and (c) report to the privacy officer of Covered Entity, in writing, any Security Incident involving EPHI of which Business Associate becomes aware within two (2) days of Business Associate’s discovery of such Security Incident. For purposes of this Section, a Security Incident shall mean (consistent with the definition set forth at 45 C.F.R. § 164.304), the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure.

Additional Responsibilities of Business Associate with Respect to EPHI. In the event that Business Associate has access to EPHI, in addition to the other requirements set forth in this Agreement relating to PHIProtected Health Information, Business Associate shall: (a) a. implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity as required by 45 C.F.R. Part 164, Subpart C; (b) b. ensure that any subcontractor or agent to whom Business Associate provides any EPHI agrees in writing to implement reasonable and appropriate safeguards to protect such EPHI; and (c) c. report to the privacy officer of Covered Entity, in writing, any Security Incident involving EPHI of which Business Associate becomes aware within two ten (210) business days of Business Associate’s discovery of such Security Incident. For purposes of this Section, a Security Incident shall mean (consistent with the definition set forth at 45 C.F.R. § 164.304), the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system. In such event, the Business Associate shall, in consultation with the Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of such improper use or disclosure.