Business Activities of the Business Associate and Other Specific Uses and Disclosures. Unless otherwise limited herein and if permitted under the Privacy and Security Rules, the Business Associate may:
Use the PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and Federal confidentiality laws. Disclose the PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate Use and maintain appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI to prevent use or disclosure of PHI other than as provided for by the Agreement. Such safeguards must meet the requirements set forth in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 and be undertaken in a manner consistent with any guidance issued by the Secretary commencing on the effective date of such guidance. The Business Associate shall document and keep these safeguards current as prescribed by the Security Rule. Upon request by Covered Entity, Business Associate will provide evidence of all such safeguards utilized by Business Associate to safeguard Electronic PHI; Report to Covered Entity the following occurrences relating to PHI (“PHI Incident”), including those PHI Incidents by the Business Associate’s employees, representatives, agents or subcontractors: (i) any access, acquisition, use or disclosure of PHI not provided for by this Agreement, (ii) any breach of unsecured PHI (actual or suspected), and (iii) any security incident of which it becomes aware.
Business Associate shall notify Covered Entity by telephone call within twenty-four (24) hours from which Business Associate knows, discovers or by exercising reasonable diligence would have known of or discovered the PHI Incident. Within forty-eight (48) hours of verbal notice, the Business Associate shall provide a full written report of the PHI Incident to the Covered Entity, including, without limitation, (i) the names and contact information of each Individual whose PHI has been or is reasonably believed by the Business Associate to have been accessed, acquired, used or disclosed during ...