Business Associate Obligations. Business Associate agrees to:
(a) not use and/or further disclose PHI except as necessary to provide the Services, as permitted or required by this BAA, and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), or as otherwise Required by Law;
(b) to the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations;
(c) without unreasonable delay, report to Covered Entity:
(i) any use or disclosure of PHI not provided for by this BAA of which it becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C), and/or
(ii) any Security Incident of which Business Associate becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C). The parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI;
(d) in the event of a Breach, and without unreasonable delay, and in any event no later than sixty (60) calendar days after Discovery, Business Associate shall provide Covered Entity with written notification in accordance with 45 C.F.R. § 164.410;
(e) implement and use appropriate administrative, physical and technical safeguards with respect to PHI, and comply with applicable Security Rule requirements with respect to ePHI, to reasonably and appropriately protect the confidentiality, integrity and availability of PHI and EPHI;
(f) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any subcontractors of Business Associate that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use and/or disclosure of PHI that are no less restrictive than those that apply to Business Associate with respect to that PHI, including complying with the applicable Security Rule requirements with respect to ePHI;
Samples: Business Associate Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) XXXX agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Xxx and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) XXXX agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, XXXX further agrees to:
i. implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
ii. ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
iii. report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
Samples: Participation Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to APA’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) APA agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws; provided that Participant will inform APA of any specific state laws that it believes are applicable to PHI submitted by Participant and would require APA to take compliance steps beyond those required under the HIPAA regulations.
(b) APA agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, APA further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308, 164.310, and 164.312;
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to APA and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach of Unsecured PHI; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by APA to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
Samples: Business Associate Agreement and Data Use Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) AANI agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) AANI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, AANI further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
(ii) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
(c) AANI agrees to report promptly, but in no case later than five (5) business days after Discovery, to Participant any Use or Disclosure of PHI which is not authorized by this BAA/DUA of which AANI becomes aware.
(d) AANI agrees to ensure that any Subcontractor that creates, receives, maintains, or transmits PHI, on behalf of AANI, will agree in writing to comply with the same restrictions and conditions with respect to such information that apply through this BAA/DUA to AANI. For the purposes of this BAA/DUA, all PHI provided at AANI’s direction to a Subcontractor of AANI will be deemed to have been provided to AANI.
(e) If PHI provided to AANI, or to which AANI otherwise has access, constitutes a Designated Record Set, AANI agrees to provide Participant with timely access to such PHI, upon reasonable advance notice and during regular business hours, or, at Participant’s request, to provide an Individual with access to his or her PHI in order to meet the requirements under 45 CFR 164.524 concerning access of Individuals to Protected Health Information. In the event an Individual contacts AANI or its Subcontractor directly about gaining access to his or her PHI, AANI will not provide such access but rather will forward such request to Participant within three (3) business days of such contact, unless otherwise required by law.
(f) If PHI provided to AANI, or to which AANI otherwise has access, constitutes a Designated Record Set, AANI agrees to make timely amendment(s) to such PHI as Participant may direct or agree to pursuant to 45 CFR 164.526. In the event an Individual contacts AANI or its Subcontractor directly about making amendments to his or her PHI, AANI will not make such amendments, but rather will promptly forward such request to Participant, unless otherwise required by law.
(g) AANI agrees to make internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary of the United States Department of Health and Human Services, during regular business hours, for purposes of the Secretary’s determining compliance with the HIPAA Regulations.
(h) AANI agrees to document Disclosures of PHI and information related to such Disclosures as would be required for Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. In addition, AANI agrees to provide promptly to Participant or an Individual, upon Participant’s reasonable request, information collected in accordance with this Subsection 3.1(h) in order to permit Participant to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. Notwithstanding the foregoing, this Subsection 3.1(h) will not apply to Disclosures made to carry out Participant’s Health Care Operations or the Disclosure of Limited Data Set Information, in accordance with the exceptions to 45 CFR 164.528 as set forth in the HIPAA Regulations, provided that this exception shall not apply to Disclosures of PHI through an electronic health record.
(i) AANI shall mitigate, to the extent practicable, any adverse effects from any improper
Samples: Registry Participation Agreement
Business Associate Obligations. The obligations set out in this Section 3.1 apply with respect to XXXX’s Use or Disclosure of PHI, other than Limited Data Set Information.
3.1 ASAM agrees not to Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Xxx and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws.
3.2 ASAM agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, XXXX further agrees to:
(a) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308; 164.310; and 164.312;
(b) ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(c) report promptly, but in no case later than five (5) business days after discovery (as defined by 45 CFR 164.410(a)), to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to ASAM and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Subsection 3.2(c) constitutes notice by ASAM to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity's Electronic PHI.
Samples: Business Associate Agreement
Business Associate Obligations. To the Agreement, add the following provisions in the section describing the Business Associate’s obligations:
2.1 Business Associate shall develop, implement, maintain, and use appropriate safeguards to prevent any use or disclosure of the PHI or EPHI other than as provided by this Agreement, and to implement administrative, physical, and technical safeguards as required by sections 164.308, 164.310, 164.312 and 164.316 of title 45, Code of Federal Regulations and HITECH to protect the confidentiality, integrity, and availability of EPHI or PHI that Business Associate creates, receives, maintains, or transmits, in the same manner that such sections apply to the Covered Entity. See HITECH § 13401.
2.2 The additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby incorporated into this Agreement. See HITECH § 13401.
2.3 Business Associate agrees to adopt the technology and methodology standards required in any guidance issued by the Secretary pursuant to HITECH §§ 13401-13402.
2.4 Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement and to notify Covered Entity of any breach of Unsecured PHI, as required under HITECH § 13402.
2.5 In the case of a breach of Unsecured PHI, Business Associate shall, promptly following the discovery of a breach of such information, notify Covered Entity of such breach. The notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach.
2.6 Business Associate agrees to enter into an agreement with each of its subcontractors pursuant to 45 CFR § 164.308(b)(1) and HITECH § 13401 that is appropriate and sufficient to require each such subcontractor to protect PHI to the same extent required of Business Associate hereunder.
2.7 Within ten (10) days of notice by Covered Entity of a request for an accounting of disclosures of PHI, Business Associate and any agents or subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule, including but not limited to 45 CFR §164.528. Except in the case of a direct request from an Individual for an accounting related to treatment, payment, or operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, if any, Business Associate shall within five (5) business days of a request notify Covered Entity about such request. Covered Entity shall either request that Business Associate provide such information directly to the Individual, or it shall request that the information be immediately forwarded to Covered Entity for compilation and distribution to such Individual. In the case of a direct request for an accounting from an Individual related to treatment, payment, or operations disclosures through electronic health records, Business Associate shall provide such accounting to the Individual in accordance with and effective on the applicable date set xxxxx xx XXXXXX § 00000(x). Business Associate shall not disclose any PHI unless such disclosure is Required by Law or is in accordance with this Agreement. Business Associate shall document such disclosures. Notwithstanding anything in the Agreement to the contrary, Business Associate and any agents or subcontractors shall continue to maintain the information required for purposes of complying with this Section 2.7 for a period of six (6) years after termination of the Agreement.
2.8 Business Associate and its agents or subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to comply with the Secretary’s guidance on what constitutes “minimum necessary.” See HITECH § 13405.
2.9 If Business Associate knows of a pattern of activity or practice by Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under this Agreement, Business Associate will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful within a period of 30 days, Business Associate will either: 1) terminate the Agreement, if feasible; or 2) report the problem to the Secretary. See HITECH § 13404(b).
Samples: Business Associate Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) AANI agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) AANI agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, AANI further agrees to:
i. implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
ii. ensure that any Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
iii. report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
Appears in 1 contract
Samples: Participation Agreement
Business Associate Obligations. Business Associate hereby agrees to:
a. Not use or disclose PHI other than as permitted or required by this Agreement or as required by law;
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement;
c. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors of Business Associate that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
e. Make available PHI in a designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
f. Make any amendment(s) to PHI in a designated record set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
g. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
h. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s); and
i. Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of determining compliance with the HIPAA Rules.
Samples: Hipaa Business Associate Agreement
Business Associate Obligations. Business Associate shall, in providing items or services pursuant to the Principal Agreement, appropriately safeguard all PHI that Business Associate accesses, maintains, retains, modifies, records, stores, or otherwise holds, uses, or discloses (collectively “uses or discloses”). In particular, Business Associate shall:
2.1 Use or disclose PHI only if and to the extent Business Associate is required to perform functions or activities for or on behalf of Covered Entity under the Principal Agreement, permitted pursuant to Section 3 below, or Required By Law. In all cases, Business Associate’s use and disclosure shall comply with the applicable provisions of the PSRs, including without limitation HITECH’s minimum necessary requirements, mandate to agree to certain requested restrictions on disclosure, and imposition of restrictions on marketing and fundraising activities in addition to those described in HIPAA.
2.2 Ensure that any subcontractor or other third party (other than a Government Official) to whom it provides PHI agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including without limitation implementation of reasonable and appropriate safeguards to protect it. Business Associate shall retain such writing for no fewer than six (6) years, or such longer time as may be required by applicable state law, after the conclusion of Business Associate’s relationship with such third party.
2.3 Implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Addendum. Such safeguards shall include, without limitation, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and electronic PHI (“ePHI”) that Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the PSRs. Business Associate expressly agrees to comply with 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 in connection with the creation, receipt, maintenance, or transmission of electronic PHI (“ePHI”) for or on behalf of Covered Entity.
2.4 Business Associate acknowledges that Covered Entity is or may be a “creditor” with “covered accounts” under the “Red Flag Rules” issued by the Federal Trade Commission (“FTC”), under the Fair and Accurate Credit Transactions Act of 2003 at 16 CFR part 681. Business Associate represents and warrants that it has implemented policies and procedures consistent with FTC recommendations to detect Red Flags as defined by FTC, and shall promptly report any such identified Red Flags to Covered Entity and, as appropriate, to appropriate law enforcement officials.
2.5 Promptly report to the Covered Entity any use or disclosure of PHI not provided for by this Addendum, and any security incident (as defined at 45 CFR § 164.304) of which Business Associate becomes aware; provided, however, that any security incidents that are not breaches of unsecured PHI (as defined at 45 CFR § 164.402) and that do not, to the best of Business Associate’s knowledge, information, and belief, result in any unauthorized access, use or disclosure of Covered Entity's ePHI in violation of this Addendum, may be reported in aggregate on at least a quarterly basis. In the event of a breach of unsecured PHI, Business Associate shall notify Covered Entity promptly without unreasonable delay, and in any event within sixty (60) calendar days, of its discovery of such breach, the identification of each Individual whose unsecured PHI was or is reasonably believed to have been accessed, acquired, or disclosed during such breach. Business Associate shall fully cooperate with Covered Entity’s review, investigation, and response to such alleged security incident or breach.
Samples: Business Associate Addendum
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to AANI’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) XXXX agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as otherwise Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with the HIPAA Regulations.
(b) XXXX agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, XXXX further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.314(a);
(ii) ensure that any Subcontractor to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to AANI and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by AANI to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity's Electronic PHI.
Samples: Registry Participation Agreement
Business Associate Obligations. The obligations set out in this Subsection 3.1 apply with respect to APA’s Use or Disclosure of PHI, other than Limited Data Set Information.
(a) APA agrees not to Use or Disclose PHI other than as permitted or required by this BAA/DUA or as otherwise Required By Law and agrees to maintain the security and privacy of all PHI in a manner consistent with all applicable laws; provided that Participant will inform APA of any specific state laws that it believes are applicable to PHI submitted by Participant and would require APA to take compliance steps beyond those required under the HIPAA regulations.
(b) APA agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA/DUA. Without limiting the generality of the foregoing, APA further agrees to:
(i) implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Participant as required by 45 CFR 164.308, 164.310, and 164.312;
(ii) ensure that any Subcontractor to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI; and
(iii) report promptly, but in no case later than five (5) business days after Discovery, to the Participant any Security Incident or Breach of Unsecured PHI that is known to or reasonably should be known to APA and shall mitigate, to the extent practicable, any harmful effects of said Security Incident or Breach of Unsecured PHI; provided however, that the Parties acknowledge and agree that this Section b(iii) constitutes notice by APA to Participant of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined herein) for which no additional notice to Participant shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity's Electronic PHI.
Samples: Business Associate Agreement and Data Use Agreement