Common use of BA Obligations Clause in Contracts

BA Obligations. The parties agree that BA shall:

2.1. Not use or disclose PHI other than as permitted by this Addendum, the Underlying Agreement, the Privacy Rule, or as Required By Law;

2.2. Use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Addendum. BA shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. BA shall comply with the applicable requirements of Subpart C of Part 164 of the Security Rule;

2.3. Limit any uses, disclosures, and requests for PHI to the minimum amount necessary to perform or fulfill a specific function required or permitted by this Addendum in accordance with the HIPAA Rules;

2.4. Mitigate to the extent practicable, any harmful effect that is known to BA from a use or disclosure of PHI by BA in violation of this Addendum;

2.5. Timely report to Covered Entity any use or disclosure of PHI of which BA becomes aware that is not provided for or allowed by this Addendum or the HIPAA Rules, including Breaches of Unsecured PHI that BA discovers as required by, and in the manner set forth at, 45 C.F.R. § 164.410, and any Security Incident of which BA becomes aware. The parties acknowledge and agree that this section constitutes notice by BA to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but are not limited to, pings and other broadcast attacks on BA’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized acquisition, access, use, or disclosure of PHI;

2.6. In accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii), require any of its agents or subcontractors that maintain, create, receive, and/or transmit PHI on behalf of BA to agree, in writing, to the same restrictions, conditions and obligations with respect to the use and disclosure of PHI that apply to BA under this Addendum;

2.7. Make available to Covered Entity such information in such form as Covered Entity may require to fulfill Covered Entity’s obligations to provide an Individual with access to, amendment of, and an accounting of disclosures of PHI pursuant to 45 C.F.R. §§ 164.524, 164.526, and 164.528, respectively;

2.8. Make available to the Secretary its internal practices, books and records relating to the use and disclosure of PHI received from, or created by, BA on behalf of Covered Entity, for purposes of determining Covered Entity’s compliance with the HIPAA Rules; and

2.9. To the extent BA is delegated to carry out any of Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such delegated obligations.

Appears in 2 contracts

Samples: 340b Contract Pharmacy Services Agreement, 340b Contract Pharmacy Services Agreement


BA Obligations. BA covenants and agrees that it shall:

(1) Only use and disclose PHI if such use or disclosure is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) of the Privacy Rule and not use or further disclose PHI other than as permitted or required under this Addendum or as Required By Law.

(2) Use appropriate safeguards, including but not limited to written policies and procedures, as necessary to prevent the use or disclosure of PHI other than as permitted under this Addendum or as Required By Law.

(3) Fully comply with the requirements under the Privacy Rule and the Security Rule applicable to “business associates” as that term is defined in the Privacy Rule and the Security Rule. BA acknowledges that 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of the Security Rule apply to BA, and BA agrees to fully comply with these regulations.

(4) Mitigate and establish procedures for mitigating, to the greatest extent possible, any deleterious effects from use and/or disclosure of PHI by BA in violation of this Addendum and/or the Privacy Rule and/or the Security Rule.

(5) Report, in writing, to the designated privacy or security official, as such position is defined in the Privacy Rule and the Security Rule, of Covered Entity, any use and/or disclosure of PHI or electronic PHI that is not permitted or required by this Addendum of which BA becomes aware, or should have been aware, within three (3) business days of BA’s discovery of such unauthorized use and/or disclosure, with supplemental notice by facsimile, email, and/or telephone should be made as soon as practicable to:

Walgreen Privacy Office
200 Xxxxxx Road, MS 9000
Xxxxxxxxx, Xxxxxxxx 00000
Phone: (000) 000-0000
Fax: (000) 000-0000
Email: xxxxxxx.xxxxxx@xxxxxxxxx.xxx
Attn: Privacy Official

BA is responsible for ensuring that its agents or subcontractors, or other third parties, with which BA does business that are provided, maintain, create, and/or receive PHI or electronic PHI on behalf of Covered Entity, report to BA immediately any use and/or disclosure of PHI or electronic PHI that is not permitted or required by this Addendum in order for BA to comply with the provisions of this section. BA further agrees to promptly furnish to Covered Entity all known details and assist Covered Entity in investigating and/or preventing the reoccurrence of such unpermitted possession, use, knowledge, disclosure, or loss of protected health information in any form.

(6) Not directly or indirectly receive remuneration in exchange for any PHI of an Individual that is disclosed, provided, or made available to BA from Covered Entity.

(7) Maintain a written information security program that includes implementation of administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI created, received, maintained, or transmitted by BA on behalf of Covered Entity. This includes using technology commercially available to BA to protect PHI against any reasonably anticipated threats or hazards. BA understands it has an affirmative duty to perform a regular review or assessment of security risks, conduct active management, and supply best efforts to assure that only authorized persons and devices access its computing systems and information storage and that only authorized transactions are allowed. BA will maintain appropriate documentation of its compliance with the Privacy Rule and the Security Rule including, but not limited to, policies, procedures, records of training, and sanctions of members of the workforce.

(8) Secure all PHI by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with any guidance and/or standards issued by the Secretary specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals including, but not limited to, standards developed pursuant to the HITECH.

(9) Notwithstanding requirement C(8), to the extent that any PHI cannot be secured as described in C(8), report, in writing, to the designated privacy official, whose contact information is provided in Section C(5) above, of Covered Entity any breach of unsecured PHI, as defined in § 13402(h)(1)(A) of the HITECH, within three (3) business days of when the breach is known to BA or should reasonably have been known by BA to have occurred. Such notification to Covered Entity shall include the identification of each Individual whose unsecured PHI has been, or is reasonably believed by BA to have been accessed, acquired, or disclosed during such breach. BA shall implement policies and procedures regarding this notification process and shall fully document any and all information related to the breach and notification of Covered Entity and shall retain such documentation for a minimum of six (6) years. BA shall fully cooperate with Covered Entity to provide all information in a timely manner and as needed for Covered Entity to make, or direct BA to make, any legally required notifications to any Individuals affected by a breach of unsecured PHI, or to HHS and/or the media, if applicable. BA shall not make any notifications to Individuals, HHS, or media without prior approval from Covered Entity. BA shall pay costs and expenses associated with such notifications and remediation, including reasonable legal fees.

(10) Require any of its agents or subcontractors, or other third parties with which BA does business that are provided, maintain, create, and/or receive PHI or electronic PHI on behalf of Covered Entity, to agree, in a written contract executed by all parties, to implement reasonable and appropriate safeguards and to adhere to the same restrictions, conditions and obligations with respect to the use, disclosure, protection, custody and/or creation of, or access to, PHI and/or electronic PHI that apply to BA under this Addendum. Such written agreement shall identify Covered Entity as a third party beneficiary with rights of enforcement and indemnification from such subcontractors or agents in the event of any violation of the written agreement.

(11) Make available to Covered Entity, within five (5) days of receiving an oral or written request from Covered Entity, such information in such form as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); and (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. BA shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by BA.

(12) Provide an accounting of disclosures of PHI and information related to such disclosures to the Walgreen Privacy Office, as identified in Section C(5) above, in accordance with 45 C.F.R. § 164.528(b), for disclosures, except for those outlined in 45 C.F.R. § 164.528(a)(1): (i) to carry out treatment, payment and health care operations as provided in § 164.506; (ii) to individuals of protected health information about them as provided in § 164.502; (iii) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502; (iv) pursuant to an authorization as provided in § 164.508; (v) for national security or intelligence purposes as provided in § 164.512(k)(2); (vi) to correctional institutions or law enforcement officials as provided in § 164.512(k)(5); (vii) as part of a limited data set in accordance with § 164.514(e); or (viii) that occurred prior to the compliance date for Covered Entity. In the event that there are modifications to HIPAA, BA will assist Covered Entity with developing a process for accounting of disclosures for the purposes including treatment, payment and healthcare operations at the time of each disclosure, if an electronic health record is used or maintained. Regardless of whether an electronic health record is used or maintained, BA further agrees to document and retain documentation related to the accounting of such disclosures as required by 45 C.F.R. §§ 164.530(j) including, but not limited to, the information required to be included in the accounting, the written accounting that is provided, and the titles of the persons or offices responsible for receiving and processing requests for an accounting. BA further agrees to provide to Covered Entity, in the time and manner designated by Covered Entity, information collected in accordance with this Addendum to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and/or any related regulations related thereto.

(13) Make available to the Secretary of the U.S. Department of Health and Human Services and/or Covered Entity all internal practices, books and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created by, BA on behalf of Covered Entity, for purposes of determining Covered Entity’s and/or BA’s compliance with the Privacy Rule, the Security Rule, and/or related statutes and regulations.

(14) During the term of this Addendum and as required by C(5) above, notify Covered Entity as soon as possible, but not later than three (3) days after discovery, of any suspected or actual Security Incident, intrusion, breach, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. BA shall also (i) establish policies and procedures for mitigating, to the extent practicable, any adverse effects from any access, use or disclosure of PHI in a manner contrary to or inconsistent with this Addendum or the HIPAA Regulations, and (ii) promptly remedy any violation of any term of this Addendum, and certify the same to Covered Entity in writing.

(15) Limit any use or disclosure of PHI to its subcontractors, agents or other third parties, and request from Covered Entity, to only the minimum amount necessary to perform or fulfill a specific function required or permitted by this Addendum in accordance with the Privacy Rule and the Security Rule. BA represents that all of its uses and disclosures of PHI shall be the minimum necessary in accordance with the Privacy Rule and the Security Rule.

(16) Not use or disclose PHI in any form via any medium with any third party beyond the boundaries and jurisdiction of the United States without express written authorization from Covered Entity.

(17) Ensure that members of BA’s workforce (including its agents or subcontractors, or other third parties with which BA does business) have completed required training on the policies and procedures with respect to protected health information and documented that the training has been provided.

Appears in 1 contract

Samples: Software License and Services Agreement (Greenway Medical Technologies Inc)

