Common use of Business Associate Obligations Clause in Contracts

Business Associate Obligations. Business Associate covenants and agrees that it (1) Not use or further disclose PHI other than as permitted or required under this Agreement or as required by applicable law or regulation. (2) Implement the administrative, physical and technical safeguards set forth in 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement. (3) Use appropriate safeguards to maintain the security of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security program. (4) Require any of its agents or subcontractors, or other third parties with which Business Associate does business that are provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement. (5) To the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business associate will track disclosures of PHI as necessary to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528.
In the event of a request by an individual directly to Business Associate for an accounting, Business Associate will inform Covered Entity and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying Agreement. (7) During the term of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Notice may be supplemented as facts become available and will include, to the extent known, the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations. This Section

Appears in 1 contract

Samples: Master Terms and Conditions


Business Associate Obligations. Business Associate covenants and agrees that it (1) Not A. IAC shall not use or further disclose PHI individually identifiable health information (“protected health information” or “PHI”) other than as permitted or required under by this Business Associate Agreement or as required by applicable law or regulationlaw. (2) Implement the administrative, physical and technical safeguards set forthin 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to B. IAC shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent the use or disclosure of PHI protected health information other than as permitted under provided for by this Business Associate Agreement. (3) Use appropriate safeguards C. IAC shall report to maintain the Owner any use or disclosure of protected health information not provided for by this Business Associate Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security programwhich it becomes aware. (4D. 
In accordance with 45 CFR 164.502(e)(1)(ii) Require and 164.308(b)(2), if applicable, IAC shall ensure that any of its agents or subcontractorssubcontractors that create, receive, maintain, or other third parties with which Business Associate does business that are provided PHI or electronic PHI transmit protected health information on behalf of Covered EntityIAC agree to the same restrictions, to agreeconditions, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI requirements that apply to Business Associate under this AgreementIAC with respect to such information. (5) To the extent Business Associate maintains PHI E. IAC shall make available protected health information in a Designated Record Setdesignated record set to Owner as necessary to satisfy Owner’s obligations under 45 CFR 164.524. F. IAC shall make any amendment(s) to protected health information in a designated record set as directed or agreed to by Owner pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Owner’s obligations under 45 CFR 164.526. G. IAC shall maintain and make available to Covered Entity upon written request from Covered Entity, such the information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business associate will track disclosures of PHI as necessary required to provide an accounting of disclosures pursuant to Owner as necessary to satisfy Owner’s obligations under 45 C.F.R. § CFR 164.528. In . H. 
To the event extent IAC is to carry out one or more of a request by an individual directly Owner’s obligation(s) under Subpart E of 45 CFR Part 164, IAC shall comply with the requirements of Subpart E that apply to Business Associate for an accountingOwner in the performance of such obligation(s). I. IAC shall make its internal practices, Business Associate will inform Covered Entity books, and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by records available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying AgreementRules. (7) During the term of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Notice may be supplemented as facts become available and will include, to the extent known, the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations. This Section

Appears in 1 contract

Samples: Business Associate Agreement

Business Associate Obligations. Business Associate covenants and agrees that itshall: (1) 3.1. Not use or further disclose PHI other than as permitted or required under by this Agreement Addendum or as required by applicable law or regulation. (2) Implement the administrative, physical 3.2. Establish and technical safeguards set forthin 45 C.F.R § 164.302-318 maintain commercially reasonable and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement. (3) Use appropriate Addendum; and, implement administrative, physical and technical safeguards to maintain consistent with the security Security Rule that reasonably and appropriately protect the confidentiality, integrity and availability of and prevent unauthorized access to Electronic Protected Health Information that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity’s PHIEntity as required by 45 CFR 164.314(a)(2)(i)(A). Such safeguards will include a written information security program. (4) Require policies and procedures and documentation requirements found in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 apply to Business Associate in the same manner as to Covered Entity. Additionally, Business Associate will report to Covered Entity any Breach of its agents Unsecured PHI or subcontractors, or other third parties with Security Incident of which Business Associate does business becomes aware. A report of a Breach of Unsecured PHI will include the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been accessed, acquired, or disclosed during such Breach. 3.3. 
Request, use, and disclose only the minimum amount of PHI necessary for Business Associate to perform the services for which it has been retained by the Covered Entity. 3.4. Report to Covered Entity any use or disclosure of PHI of which Business Associate becomes aware that are is not provided PHI for, or electronic allowed by, this Addendum. 3.5. Prior to making any permitted disclosures, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Covered Entity, Business Associate agree in writing to agree, in writing, to adhere to substantially similar be bound by the same privacy and security restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement. (5) To , including but not limited to those conditions relating to termination of the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526contract for improper disclosure. Business associate will track disclosures of PHI as necessary to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. In the event of a request by an individual directly to Business Associate for an accountingFurther, Business Associate will inform Covered Entity shall implement and cooperate maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Business Associate shall terminate any agreement with Covered Entity so that Covered Entity may provide an agent or subcontractor, if any, who fails to abide by such an accounting in accordance with regulations restrictions and standards adopted by obligations. 3.6. 
Make available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying AgreementRegulations as applicable. (7) During 3.7. Mitigate, to the term extent practicable, any harmful effect that is known to Business Associate of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized a use or disclosure of PHI and/or any actual or suspected use or disclosure of data by Business Associate in violation of any applicable federal or state laws or regulationsthe requirements of this Addendum. 3.8. Notice Make available to Covered Entity such information as may be supplemented as facts become available required to fulfill Covered Entity's obligations to provide access to, amendment of, and will includeaccount for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45 CFR §§164.524, 164.526 and 164.528. 3.9. Comply, to the extent knownBusiness Associate conducts Standard Transactions with, or on behalf of, the identification Covered Entity, with each applicable requirement of each individual whose Unsecured 00 XXX 000, and shall require the same of any subcontractor or agent involved with the conduct of such Standard Transactions. 3.10. 
Not use PHI has been to make any communications about a product or service that encourages recipients of the communication to purchase or use the product or service unless the communication is reasonably believed made as described in subparagraph (i), (ii) or (iii) of the definition of “Marketing” in 45 CFR 164.501. Such communication must be permitted under and consistent with the Agreement, including this Addendum. 3.11. Limit disclosures of PHI to the Limited Data Set as defined by Business Associate 42 CFR 164.514(e)(2) or the “Minimum Necessary” to have been accessedaccomplish the intended purpose of such use, acquired disclosure or disclosed during such Breach request, respectively, as provided in the Recovery Act §13405(b). 3.12. Maintain necessary and other information necessary sufficient documentation of disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures as necessary to fulfill Covered Entity’s obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. §164.528. Notwithstanding Section 7 below, Business Associate and any Breach notification obligations. This Sectionagents or subcontractors shall continue to maintain the information required for purposes of complying with this Section 3.12 for a period of six (6) years after termination of the Agreement.

Appears in 1 contract

Samples: Master Services Agreement

Business Associate Obligations. Business Associate covenants and agrees that it (1) Not A. IAC shall not use or further disclose PHI individually identifiable health information (“protected health information” or “PHI”) other than as permitted or required under by this Business Associate Agreement or as required by applicable law or regulationlaw. (2) Implement the administrative, physical and technical safeguards set forthin 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to B. IAC shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent the use or disclosure of PHI protected health information other than as permitted under provided for by this Business Associate Agreement. (3) Use appropriate safeguards C. IAC shall report to maintain the Owner any use or disclosure of protected health information not provided for by this Business Associate Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security programwhich it becomes aware. (4D. 
In accordance with 45 CFR 164.502(e)(1)(ii) Require and 164.308(b)(2), if applicable, IAC shall ensure that any of its agents or subcontractorssubcontractors that create, receive, maintain, or other third parties with which Business Associate does business that are provided PHI or electronic PHI transmit protected health information on behalf of Covered EntityIAC agree to the same restrictions, to agreeconditions, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI requirements that apply to IAC with respect to such information. E. IAC shall make available protected health information in a designated record set to Owner as necessary to satisfy Owner’s obligations under 45 CFR 164.524. F. IAC shall make any amendment(s) to protected health information in a designated record set as directed or agreed to by Owner pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Owner’s obligations under this Agreement45 CFR 164.526. (5) To the extent Business Associate maintains PHI in a Designated Record Set, G. IAC shall maintain and make available to Covered Entity upon written request from Covered Entity, such the information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business associate will track disclosures of PHI as necessary required to provide an accounting of disclosures pursuant to Owner as necessary to satisfy Owner’s obligations under 45 C.F.R. § CFR 164.528. In . H. 
To the event extent IAC is to carry out one or more of a request by an individual directly Owner’s obligation(s) under Subpart E of 45 CFR Part 164, IAC shall comply with the requirements of Subpart E that apply to Business Associate for an accountingOwner in the performance of such obligation(s). I. IAC shall make its internal practices, Business Associate will inform Covered Entity books, and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by records available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying AgreementRules. (7) During the term of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Notice may be supplemented as facts become available and will include, to the extent known, the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations. This Section

Appears in 1 contract

Samples: Business Associate Agreement


Business Associate Obligations. Business Associate covenants and agrees that it (1) Not IAC shall not use or further disclose PHI individually identifiable health information (“protected health information” or “PHI”) other than as permitted or required under by this Business Associate Agreement or as required by applicable law or regulation. (2) Implement the administrative, physical and technical safeguards set forthin 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to law. IAC shall use appropriate safeguards safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent the use or disclosure of PHI protected health information other than as permitted under provided for by this Business Associate Agreement. (3. IAC shall report to Facility any use or disclosure of protected health information not provided for by this Business Associate Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware. In accordance with 45 CFR 164.502(e)(1)(ii) Use appropriate safeguards to maintain the security of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security program. 
(4) Require 164.308(b)(2), if applicable, IAC shall ensure that any of its agents or subcontractorssubcontractors that create, receive, maintain, or other third parties with which Business Associate does business that are provided PHI or electronic PHI transmit protected health information on behalf of Covered EntityIAC agree to the same restrictions, to agreeconditions, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI requirements that apply to Business Associate under this Agreement. (5) To the extent Business Associate maintains PHI IAC with respect to such information. IAC shall make available protected health information in a Designated Record Setdesignated record set to Facility as necessary to satisfy the Facility obligations under 45 CFR 164.524. IAC shall make any amendment(s) to protected health information in a designated record set as directed or agreed to by Facility pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Facility’s obligations under 45 CFR 164.526. IAC shall maintain and make available to Covered Entity upon written request from Covered Entity, such the information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business associate will track disclosures of PHI as necessary required to provide an accounting of disclosures pursuant to Facility as necessary to satisfy Facility’s obligations under 45 C.F.R. § CFR 164.528. In To the event extent IAC is to carry out one or more of a request by an individual directly Facility’s obligation(s) under Subpart E of 45 CFR Part 164, IAC shall comply with the requirements of Subpart E that apply to Business Associate for an accountingFacility in the performance of such obligation(s). 
IAC shall make its internal practices, Business Associate will inform Covered Entity books, and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by records available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying AgreementRules. (7) During the term of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Notice may be supplemented as facts become available and will include, to the extent known, the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations. This Section

Appears in 1 contract

Samples: Accreditation Agreement

Business Associate Obligations. Business Associate covenants and agrees that it shall: (1) Not use or further disclose PHI other than as permitted or required under this Agreement or as required by applicable law or regulation. (2) Implement the administrative, physical and technical safeguards set forth in 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under this Agreement. (3) Use appropriate safeguards to maintain the security of and prevent unauthorized access to Covered Entity’s PHI. Such safeguards will include a written information security program. (4) Require any of its agents or subcontractors, or other third parties with which Business Associate does business that are provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to substantially similar restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under this Agreement. (5) To the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); or (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526. Business associate will track disclosures of PHI as necessary to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528.
In the event of a request by an individual directly to Business Associate for an accounting, Business Associate will inform Covered Entity and cooperate with Covered Entity so that Covered Entity may provide such an accounting in accordance with regulations and standards adopted by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. (6) Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C(6) shall survive termination of the Underlying Agreement. (7) During the term of the Underlying Agreement, notify Covered Entity of any suspected or actual Breach of Unsecured PHI, Security Incident, or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Notice may be supplemented as facts become available and will include, to the extent known, the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations. This Section C. (7) constitutes notice to Covered Entity of unsuccessful Security Incidents, such as port scans, firewall pings and failed login attempts provided that such unsuccessful Security Incidents do not result in the unauthorized use or disclosure of PHI.
Notice to Covered Entity otherwise will be provided in accordance with the Notice provisions of the Underlying Agreement. (8) Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary, in Business Associate’s judgment, to perform or fulfill a specific function required or permitted by this Agreement.

Appears in 1 contract

Samples: Terms and Conditions Agreement
