Business Associate Obligations. (a) Business Associate shall develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards (“Safeguards”), that reasonably and appropriately protect the integrity, confidentiality, and availability of, and to prevent non-permitted or violating use or disclosure of, Electronic Protected Health Information created, transmitted, maintained, or received in connection with the services, functions, and/or transactions to be provided under the Agreement which this Addendum amends. (b) Business Associate shall document and keep these Safeguards current. These Safeguards shall extend to transmission, processing, and storage of Electronic Protected Health Information. Transmission of Electronic Protected Health Information shall include transportation of storage media, such as magnetic tape, disks or compact disk media, from one location to another. Upon Company’s request, Business Associate shall provide Company access to, and copies of, documentation regarding such Safeguards.
(c) Business Associate agrees that it shall fully implement the requirements of the HIPAA Security Standards (45 CFR Parts 160, 162, and 164, issued on February 20, 2003) which shall include: (i) Implementing administrative, physical, and technical safeguards consistent with (and as required by) the HIPAA Security Standards that reasonably protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of a health plan or Covered Entity; (ii) Ensuring that any agent, including a subcontractor, to whom Business Associate provides such information agrees to implement reasonable and appropriate safeguards to protect such information; (iii) Reporting and tracking all Security Incidents as described below: (A) Business Associate shall report to Company any Security Incident that results in (i) unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information, or (ii) interference with Business Associate’s system operations in Business Associate’s information systems, of which Business Associate becomes aware; (B) Business Associate shall report to Company within a reasonable time after Business Associate learns of such non-permitted or violating use or disclosure, and the report must meet the format and content requirements imposed by Company. For any other Security Incident, Business Associate shall aggregate the data and provide such reports on a quarterly basis, or more frequently upon Company’s request. (C) Making Business Associate’s policies and procedures and documentation required by the HIPAA Security Standards related to these Safeguards available to the Secretary of U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Security Standards.
(D) Business Associate agrees to take all reasonable steps to the extent practicable to mitigate any harmful effect that is known to Business Associate resulting from a Security Incident, including any reasonable steps recommended by Company. Business Associate agrees to provide to Company all information concerning such disclosure or breach as may be reasonably requested by Company.
Appears in 3 contracts
Samples: Producer Agreement, Producer Agreement, Producer Agreement
Business Associate Obligations. (a) Business Associate shall develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards (“Safeguards”), that reasonably and appropriately protect the integrity, confidentiality, and availability of, and to prevent non-permitted or violating use or disclosure of, Electronic Protected Health Information created, transmitted, maintained, or received in connection with the services, functions, and/or transactions to be provided under the Agreement which this Addendum amends.
(b) Business Associate shall document and keep these Safeguards current. These Safeguards shall extend to transmission, processing, and storage of Electronic Protected Health Information. Transmission of Electronic Protected Health Information shall include transportation of storage media, such as magnetic tape, disks or compact disk media, from one location to another. Upon Company’s request, Business Associate shall provide Company access to, and copies of, documentation regarding such Safeguards.
(c) Business Associate agrees that it shall fully implement the requirements of the HIPAA Security Standards (45 CFR Parts 160, 162, and 164, issued on February 20, 2003) which shall include:
(i) Implementing administrative, physical, and technical safeguards consistent with (and as required by) the HIPAA Security Standards that reasonably protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of a health plan or Covered Entity;
(ii) Ensuring that any agent, including a subcontractor, to whom Business Associate provides such information agrees to implement reasonable and appropriate safeguards to protect such information;
(iii) Reporting and tracking all Security Incidents as described below:
(A) Business Associate shall report to Company any Security Incident that results in (i) unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information, or (ii) interference with Business Associate’s system operations in Business Associate’s information systems, of which Business Associate becomes aware;
(B) Business Associate shall report to Company within a reasonable time after Business Associate learns of such non-permitted or violating use or disclosure, and the report must meet the format and content requirements imposed by Company. For any other Security Incident, Business Associate shall aggregate the data and provide such reports on a quarterly basis, or more frequently upon Company’s request.
(C) Making Business Associate’s policies and procedures and documentation required by the HIPAA Security Standards related to these Safeguards available to the Secretary of U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Security Standards.
(D) Business Associate agrees to take all reasonable steps to the extent practicable to mitigate any harmful effect that is known to Business Associate resulting from a Security Incident, including any reasonable steps recommended by Company. Business Associate agrees to provide to Company all information concerning such disclosure or breach as may be reasonably requested by Company.