Business Associate Obligations Sample Clauses

Business Associate Obligations. Business Associate agrees to comply with applicable federal confidentiality and security laws, specifically the provisions of the HIPAA Rules and the HITECH Act applicable to business associates, including: 2.1 Use and Disclosure of PHI. Except as otherwise permitted by this Agreement, the HIPAA Rules, or applicable law, Business Associate shall not make any uses or disclosures of PHI except as necessary to provide services to, or on behalf of, Covered Entity as described in the Underlying Agreement, and shall not use or disclose PHI that would violate the HIPAA Rules or HITECH Act if used or disclosed by Covered Entity; provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities, consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate may not use or disclose PHI which it creates, receives, maintains or transmits for or on behalf of the Covered Entity for any purpose except as otherwise provided by the Agreement and this BAA. Business Associate agrees to review and understand any state privacy and security laws to the extent that such laws are not preempted by HIPAA, as may be amended from time to time. Business Associate acknowledges that it shall comply specifically with the HIPAA Security Rule, and, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, it shall comply with the requirements of the Privacy Rule which apply to Covered Entity in the performance of such obligation(s). 
Business Associate shall in such cases: 2.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HIPAA Rules and this Agreement; 2.1.2 obtain reasonable assurances, in writing from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held in confidence and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and 2.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expre...
Business Associate Obligations. Business Associate may receive from Covered Entity, or create or receive on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the Privacy Standards, Security Standards or the HITECH Act, as applicable (collectively referred to hereinafter as the “Confidentiality Requirements”). All references to PHI herein shall be construed to include EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Confidentiality Requirements if the PHI were used or disclosed by Covered Entity in the same manner.
Business Associate Obligations. Business Associate agrees to: (a) not use and/or further disclose PHI except as necessary to provide the Services, as permitted or required by this BAA, and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), or as otherwise Required by Law; (b) to the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations; (c) without unreasonable delay, report to Covered Entity: (i) any use or disclosure of PHI not provided for by this BAA of which it becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C), and/or (ii) any Security Incident of which Business Associate becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C); The parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI; (d) in the event of a Breach, and without unreasonable delay, and in any event no later than sixty (60) calendar days after Discovery, Business Associate shall provide Covered Entity with written notification in accordance with 45 C.F.R. § 164.410; (e) implement and use appropriate administrative, physical and technical safeguards with respect to PHI, and comply with applicable Security Rule requirements with respect to ePHI, to reasonably and appropriately protect the confidentiality, integrity and availability of PHI and EPHI; (f) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any subcontractors of Business Associate that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use and/or disclosure of PHI that are no less restrictive than those that apply to Business Associate with respect to that PHI, including complying with the applicable Security Rule requirements with respect to ePHI;
Business Associate Obligations. Business Associate may receive from Covered Entity, or create or receive or maintain on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All references to PHI herein shall be construed to include EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Privacy Standards, Security Standards, the HITECH Act, or Texas law, including without limitation the provisions of Texas Health and Safety Code Chapters 181 and 182 as amended by HB 300 (82nd Legislature), effective September 1, 2012, in each case including any implementing regulations as applicable (collectively referred to hereinafter as the “Confidentiality Requirements”) if the PHI were used or disclosed by Covered Entity in the same manner.
Business Associate Obligations. (a) Business Associate shall not submit duplicate transmissions unless so requested by Covered Entity. (b) Business Associate shall only perform those transactions, which are authorized by Covered Entity. Furthermore, Business Associate assumes all liability for any damage, whether direct or indirect, to the electronic data or to Covered Entity's systems caused by Business Associate's unauthorized use of such transactions. (c) Business Associate shall hold Covered Entity harmless from any claim, loss or damage of any kind, whether direct or indirect, whether to person or property, arising out of or related to (1) Business Associate's use or unauthorized disclosure of the electronic data; or (2) Business Associate’s submission of data, including but not limited to the submission of incorrect, misleading, incomplete or fraudulent data. (d) Business Associate agrees to maintain adequate back-up files to recreate transmissions in the event that such recreations become necessary. Back-up tapes shall be subject to this Agreement to the same extent as original data. (e) Business Associate agrees to trace lost or indecipherable transmissions and make reasonable efforts to locate and translate the same. Business Associate shall bear all costs associated with the recreation of incomplete, lost or indecipherable transmissions if such loss is the result of an act or omission of Business Associate. (f) Business Associate shall maintain, for seven (7) years, true copies of any source documents from which it produces electronic data. (g) Except encounter data furnished by Business Associate to Covered Entity, Business Associate shall not (other than to correct errors) modify any data to which it is granted access under this Agreement or derive new data from such existing data. Any modification of data is to be recorded, and a record of such modification is to be retained by Business Associate for a period of seven (7) years. 
(h) Business Associate shall not disclose security access codes to any third party in any manner without the express written consent of Covered Entity. Business Associate furthermore acknowledges that Covered Entity may change such codes at any time without notice. Business Associate shall assume responsibility for any damages arising from its disclosure of the security access codes or its failure to prevent any third party use of the system without the express written consent of Covered Entity. (i) Business Associate shall maintain general liability...
Business Associate Obligations. As permitted by the HIPAA Requirements, Business Associate also may use or disclose PHI received by the Business Associate in its capacity as a Business Associate to the Covered Entity for Business Associate’s own operations if: (1) the use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or (2) data aggregation services relating to the health care operations of the Covered Entity; or (2) the disclosure of information received in such capacity will be made in connection with a function, responsibility, or services to be performed by the Business Associate, and such disclosure is required by law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and the person agrees to notify the Business Associate of any breaches of confidentiality.
Business Associate Obligations. (a) Business Associate shall develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards (“Safeguards”), that reasonably and appropriately protect the integrity, confidentiality, and availability of, and to prevent non-permitted or violating use or disclosure of, Electronic Protected Health Information created, transmitted, maintained, or received in connection with the services, functions, and/or transactions to be provided under the Agreement which this Addendum amends. (b) Business Associate shall document and keep these Safeguards current. These Safeguards shall extend to transmission, processing, and storage of Electronic Protected Health Information. Transmission of Electronic Protected Health Information shall include transportation of storage media, such as magnetic tape, disks or compact disk media, from one location to another. Upon Company’s request, Business Associate shall provide Company access to, and copies of, documentation regarding such Safeguards.
(c) Business Associate agrees that it shall fully implement the requirements of the HIPAA Security Standards (45 CFR Parts 160, 162, and 164, issued on February 20, 2003) which shall include: (i) Implementing administrative, physical, and technical safeguards consistent with (and as required by) the HIPAA Security Standards that reasonably protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of a health plan or Covered Entity; (ii) Ensuring that any agent, including a subcontractor, to whom Business Associate provides such information agrees to implement reasonable and appropriate safeguards to protect such information; (iii) Reporting and tracking all Security Incidents as described below: (A) Business Associate shall report to Company any Security Incident that results in (i) unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information, or (ii) interference with Business Associate’s system operations in Business Associate’s information systems, of which Business Associate becomes aware; (B) Business Associate shall report to Company within a reasonable time after Business Associate learns of such non-permitted or violating use or disclosure, and the report must meet the format and content requirements imposed by Company. For any other Security Incident, Business Associate shall aggregate the data an...
Business Associate Obligations. Business Associate covenants and agrees that it (1) Not use or further disclose PHI other than as permitted or required under this Agreement or as required by applicable law or regulation. (2) Implement the administrative, physical and technical safeguards set forth in 45 C.F.R. § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement. (3) Use appropriate safeguards to maintain the security of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security program. (4) Require any of its agents or subcontractors, or other third parties with which Business Associate does business that are provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement. (5) To the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business Associate will track disclosures of PHI as necessary to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528.
In the event of a request by an individual directly to Business Associate for an accounting, Business Associate will inform Covered Entity and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity...
Business Associate Obligations a. Limits on Use and Further Disclosure Established by Contract and Law. Business Associate agrees that information provided or made available by Covered Entity shall not be further used or disclosed other than as permitted or required by the Contract or as Required by Law.