Common use of Business Associate Contract Obligations Clause in Contracts

Business Associate Contract Obligations. The obligations set out in this Section 3.1 apply with respect to SGO’s Use or Disclosure of PHI, other than Limited Data Set Information. (a) SGO agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law. (b) Use or Disclose PHI consistent with Participant’s minimum necessary policy and in accordance with the HIPAA Regulations. (c) SGO agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, SGO further agrees to: (i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a); (ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) report promptly to the Participant any Security Incident or Breach of Unsecured PHI of which SGO becomes aware. (d) SGO agrees to report promptly to Participant any Use or Disclosure of PHI which is not authorized by this Agreement of which SGO becomes aware. (e) SGO agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of SGO, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this Agreement to SGO. For the purposes of this Agreement, all PHI provided at SGO’s direction to a Subcontractor of SGO will be deemed to have been provided to SGO. (f) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to PHI. In the event an Individual contacts SGO directly about gaining access to his or her PHI, SGO will not provide such access but rather will forward such request to Participant within five (5) business days of such contact. (g) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts SGO directly about making amendments to his or her PHI, SGO will not make such amendments, but rather will forward such request to Participant within five (5) business days. (h) SGO agrees to make internal practices, books and records relating to the Use and Disclosure of PHI and its policies, procedures and documentation required by the Security Rule relating to Safeguards available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations. (i) SGO agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, SGO agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Section 3.1(i) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Section 3.1(i) will not apply with respect to Disclosures for which an accounting is not required by 45 CFR 164.528 as amended. (j) In the event that SGO determines that a “Breach” (as such term is defined by the HIPAA Regulations) has occurred resulting in the use, access, acquisition or disclosure of Unsecured PHI, SGO will notify Participant of the Breach without unreasonable delay and in no case later than sixty (60) business days after Discovery. Such report to Participant shall include: (i) The identification of each individual whose Unsecured PHI has been or is reasonably believes to have been access, acquired, used, or disclosed during the Breach; (ii) A description of the incident, including the date of the Breach and the date of Discovery, identification of the individual involved and the circumstances giving rise to the Breach; (iii) A description of the type of Unsecured PHI that was involved (e.g., name, Social Security number, procedure, diagnosis, treatment, etc.); and (iv) A description of what SGO and its consultants or subcontractors are doing to investigate, mitigate harm, and protect against future similar breaches. (k) SGO shall mitigate, to the extent practicable, any adverse effects from any improper Use and/or Disclosure of Protected Health Information by SGO that are known to SGO.

Business Associate Contract Obligations. The obligations set out in this Section Subsection 3.1 apply with respect to SGOAQI’s Use or Disclosure of PHI, other than Limited Data Set Information. (a) SGO AQI agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law. (b) Use or Disclose PHI consistent with Participant’s minimum necessary policy and in accordance with the HIPAA Regulations. (c) SGO AQI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, SGO AQI further agrees to: (i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a); (ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) report promptly to the Participant any Security Incident or Breach of Unsecured PHI of which SGO AQI becomes aware. (dc) SGO AQI agrees to report promptly to Participant any Use or Disclosure of PHI which is not authorized by this Agreement of which SGO AQI becomes aware. (ed) SGO AQI agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of SGOAQI, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this Agreement to SGOAQI. For the purposes of this Agreement, all PHI provided at SGOAQI’s direction to a Subcontractor of SGO AQI will be deemed to have been provided to SGOAQI. (fe) If PHI provided to SGOAQI, or to which SGO AQI otherwise has access, constitutes a Designated Record Set, SGO AQI agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to PHI. In the event an Individual contacts SGO AQI or its Subcontractor directly about gaining access to his or her PHI, SGO AQI will not provide such access but rather will forward such request to Participant within five three (53) business days of such contact. (gf) If PHI provided to SGOAQI, or to which SGO AQI otherwise has access, constitutes a Designated Record Set, SGO AQI agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts SGO AQI or its Subcontractor directly about making amendments to his or her PHI, SGO AQI will not make such amendments, but rather will forward such request to Participant within five three (53) business days. (hg) SGO AQI agrees to make internal practices, books and records relating to the Use and Disclosure of PHI and its policies, procedures and documentation required by the Security Rule relating to Safeguards available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations. (ih) SGO AQI agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, SGO AQI agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Section 3.1(iSubsection 3.1(h) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Section 3.1(iSubsection 3.1(h) will not apply with respect to Disclosures for which an accounting is not required by 45 CFR 164.528 as amended. (j) In the event that SGO determines that a “Breach” (as such term is defined by the HIPAA Regulations) has occurred resulting in the use, access, acquisition or disclosure of Unsecured PHI, SGO will notify Participant of the Breach without unreasonable delay and in no case later than sixty (60) business days after Discovery. Such report to Participant shall include: (i) The identification of each individual whose Unsecured PHI has been or is reasonably believes to have been access, acquired, used, or disclosed during the Breach; (ii) A description of the incident, including the date of the Breach and the date of Discovery, identification of the individual involved and the circumstances giving rise to the Breach; (iii) A description of the type of Unsecured PHI that was involved (e.g., name, Social Security number, procedure, diagnosis, treatment, etc.); and (iv) A description of what SGO and its consultants or subcontractors are doing to investigate, mitigate harm, and protect against future similar breaches. (k) SGO AQI shall mitigate, to the extent practicable, any adverse effects from any improper Use and/or Disclosure of Protected Health Information by SGO AQI that are known to SGOAQI.

Business Associate Contract Obligations. The obligations set out in this Section Subsection 3.1 apply with respect to SGOAQI’s Use or Disclosure of PHI, other than Limited Data Set Information. (a) SGO . AQI agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law. (b) Use or Disclose PHI consistent with Participant’s minimum necessary policy and in accordance with the HIPAA Regulations. (c) SGO . AQI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, SGO AQI further agrees to: (i) : implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a); (ii) ; ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) and report promptly to the Participant any Security Incident or Breach of Unsecured PHI of which SGO AQI becomes aware. (d) SGO . AQI agrees to report promptly to Participant any Use or Disclosure of PHI which is not authorized by this Agreement of which SGO AQI becomes aware. (e) SGO . AQI agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of SGOAQI, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this Agreement to SGOAQI. For the purposes of this Agreement, all PHI provided at SGOAQI’s direction to a Subcontractor of SGO AQI will be deemed to have been provided to SGO. (f) AQI. If PHI provided to SGOAQI, or to which SGO AQI otherwise has access, constitutes a Designated Record Set, SGO AQI agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to PHI. In the event an Individual contacts SGO AQI or its Subcontractor directly about gaining access to his or her PHI, SGO AQI will not provide such access but rather will forward such request to Participant within five three (53) business days of such contact. (g) . If PHI provided to SGOAQI, or to which SGO AQI otherwise has access, constitutes a Designated Record Set, SGO AQI agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts SGO AQI or its Subcontractor directly about making amendments to his or her PHI, SGO AQI will not make such amendments, but rather will forward such request to Participant within five three (53) business days. (h) SGO . AQI agrees to make internal practices, books and records relating to the Use and Disclosure of PHI and its policies, procedures and documentation required by the Security Rule relating to Safeguards available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations. (i) SGO . AQI agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, SGO AQI agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Section 3.1(iSubsection 3.1(h) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Section 3.1(iSubsection 3.1(h) will not apply with respect to Disclosures for which an accounting is not required by 45 CFR 164.528 as amended. (j) In the event that SGO determines that a “Breach” (as such term is defined by the HIPAA Regulations) has occurred resulting in the use, access, acquisition or disclosure of Unsecured PHI, SGO will notify Participant of the Breach without unreasonable delay and in no case later than sixty (60) business days after Discovery. Such report to Participant shall include: (i) The identification of each individual whose Unsecured PHI has been or is reasonably believes to have been access, acquired, used, or disclosed during the Breach; (ii) A description of the incident, including the date of the Breach and the date of Discovery, identification of the individual involved and the circumstances giving rise to the Breach; (iii) A description of the type of Unsecured PHI that was involved (e.g., name, Social Security number, procedure, diagnosis, treatment, etc.); and (iv) A description of what SGO and its consultants or subcontractors are doing to investigate, mitigate harm, and protect against future similar breaches. (k) SGO AQI shall mitigate, to the extent practicable, any adverse effects from any improper Use and/or Disclosure of Protected Health Information by SGO AQI that are known to SGOAQI.

Business Associate Contract Obligations. The obligations set out in this Section 3.1 apply with respect to SGO’s Use or Disclosure of PHI, other than Limited Data Set Information. (a) SGO agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law. (b) Use or Disclose PHI consistent with Participant’s minimum necessary policy and in accordance with the HIPAA Regulations. (c) SGO agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, SGO XXX further agrees to: (i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a); (ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) report promptly to the Participant any Security Incident or Breach of Unsecured PHI of which SGO becomes aware. (d) SGO agrees to report promptly to Participant any Use or Disclosure of PHI which is not authorized by this Agreement of which SGO becomes aware. (e) SGO agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of SGO, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this Agreement to SGO. For the purposes of this Agreement, all PHI provided at SGO’s direction to a Subcontractor of SGO will be deemed to have been provided to SGO. (f) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to PHI. In the event an Individual contacts SGO directly about gaining access to his or her PHI, SGO will not provide such access but rather will forward such request to Participant within five (5) business days of such contact. (g) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts SGO directly about making amendments to his or her PHI, SGO will not make such amendments, but rather will forward such request to Participant within five (5) business days. (h) SGO agrees to make internal practices, books and records relating to the Use and Disclosure of PHI and its policies, procedures and documentation required by the Security Rule relating to Safeguards available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations. (i) SGO agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, SGO agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Section 3.1(i) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Section 3.1(i) will not apply with respect to Disclosures for which an accounting is not required by 45 CFR 164.528 as amended. (j) In the event that SGO determines that a “Breach” (as such term is defined by the HIPAA Regulations) has occurred resulting in the use, access, acquisition or disclosure of Unsecured PHI, SGO will notify Participant of the Breach without unreasonable delay and in no case later than sixty (60) business days after Discovery. Such report to Participant shall include: (i) The identification of each individual whose Unsecured PHI has been or is reasonably believes to have been access, acquired, used, or disclosed during the Breach; (ii) A description of the incident, including the date of the Breach and the date of Discovery, identification of the individual involved and the circumstances giving rise to the Breach; (iii) A description of the type of Unsecured PHI that was involved (e.g., name, Social Security number, procedure, diagnosis, treatment, etc.); and (iv) A description of what SGO and its consultants or subcontractors are doing to investigate, mitigate harm, and protect against future similar breaches. (k) SGO shall mitigate, to the extent practicable, any adverse effects from any improper Use and/or Disclosure of Protected Health Information by SGO that are known to SGO.

Business Associate Contract Obligations. The obligations set out in this Section Subsection 3.1 apply with respect to SGOAAOS’s Use or Disclosure of PHI, other than Limited Data Set Information. (a) SGO AAOS agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By LawLaw and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws; provided that Participant will inform AAOS of any specific state laws that it believes are applicable to PHI submitted by Participant and would require AAOS to take compliance steps beyond those required under the HIPAA regulations. (b) Use or Disclose PHI consistent with Participant’s minimum necessary policy and in accordance with the HIPAA Regulations. (c) SGO AAOS agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, SGO XXXX further agrees to: (i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a)164.308, 164.310, and 164.312; (ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and (iii) report promptly promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI of which SGO becomes aware. (d) SGO agrees that is known to report promptly or reasonably should be known to Participant any Use or Disclosure of PHI which is not authorized by this Agreement of which SGO becomes aware. (e) SGO agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of SGO, will agree in writing to comply with the same restrictions AAOS and conditions with respect to such information that apply through this Agreement to SGO. For the purposes of this Agreement, all PHI provided at SGO’s direction to a Subcontractor of SGO will be deemed to have been provided to SGO. (f) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to PHI. In the event an Individual contacts SGO directly about gaining access to his or her PHI, SGO will not provide such access but rather will forward such request to Participant within five (5) business days of such contact. (g) If PHI provided to SGO, or to which SGO otherwise has access, constitutes a Designated Record Set, SGO agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts SGO directly about making amendments to his or her PHI, SGO will not make such amendments, but rather will forward such request to Participant within five (5) business days. (h) SGO agrees to make internal practices, books and records relating to the Use and Disclosure of PHI and its policies, procedures and documentation required by the Security Rule relating to Safeguards available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations. (i) SGO agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, SGO agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Section 3.1(i) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Section 3.1(i) will not apply with respect to Disclosures for which an accounting is not required by 45 CFR 164.528 as amended. (j) In the event that SGO determines that a “Breach” (as such term is defined by the HIPAA Regulations) has occurred resulting in the use, access, acquisition or disclosure of Unsecured PHI, SGO will notify Participant of the Breach without unreasonable delay and in no case later than sixty (60) business days after Discovery. Such report to Participant shall include: (i) The identification of each individual whose Unsecured PHI has been or is reasonably believes to have been access, acquired, used, or disclosed during the Breach; (ii) A description of the incident, including the date of the Breach and the date of Discovery, identification of the individual involved and the circumstances giving rise to the Breach; (iii) A description of the type of Unsecured PHI that was involved (e.g., name, Social Security number, procedure, diagnosis, treatment, etc.); and (iv) A description of what SGO and its consultants or subcontractors are doing to investigate, mitigate harm, and protect against future similar breaches. (k) SGO shall mitigate, to the extent practicable, any adverse harmful effects from of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section 3.1 b(iii) constitutes notice by AAOS to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Participant shall be required. "Unsuccessful Security Incidents" means, without limitation, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any improper Use and/or Disclosure combination of Protected Health Information by SGO that are known to SGOthe above, so long as no such incident results in unauthorized access, use or disclosure of PHI.