Common use of COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF Clause in Contracts

COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF. 1996 (HIPAA) Terms used in this section shall have the same meaning as those terms in the Privacy Rule, 45 CFR Parts 160 and 164. Obligations and Activities of the Contractor The Contractor agrees not to use or disclose protected health information other than as permitted or required by this Contract, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Contractor shall use and disclose protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e). The Contractor is directly responsible for full compliance with the privacy provisions of HIPAA and HITECH that apply to business associates. The Contractor agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the County as required by 45 CFR, Part 164, Subpart C. The Contractor is directly responsible for compliance with the security provisions of HIPAA and HITECH to the same extent as the County. Within two business days of the discovery of a breach as defined at 45 CFR § 164.402 the Contractor shall notify the County of any breach of unsecured protected health information. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the Contractor to have been, accessed, acquired, or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Contractor is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; the contact procedures of the Contractor for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address; and any other information required to be provided to the individual by the County pursuant to 45 CFR § 164.404, as amended. A breach shall be treated as discovered in accordance with the terms of 45 CFR § 164.410. The information shall be updated promptly and provided to the County as requested by the County. The Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of protected health information by the Contractor in violation of the requirements of this Contract or the law. The Contractor agrees to report in writing all unauthorized or otherwise improper disclosures of protected health information or security incident to the County within two days of the Contractor knowledge of such event. The Contractor agrees to ensure that any agent, including a subcontractor, to whom it provides protected health information received from, or created or received by the Contractor on behalf of the County, agrees to the same restrictions and conditions that apply through this Contract to the Contractor with respect to such information. The Contractor agrees to make available protected health information in accordance with 45 CFR § 164.524. The Contractor agrees to make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 CFR § 164.526. The Contractor agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, or created or received by the Contractor on behalf of King County, available to the Secretary of the U.S. Department of Health and Human Services, in a reasonable time and manner for purposes of the Secretary determining King County’s compliance with HIPAA, HITECH or this Contract. The Contractor agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528. Should an individual make a request to the County for an accounting of disclosures of his or her protected health information pursuant to 45 CFR § 164.528, Contractor agrees to promptly provide an accounting, as specified under 42 U.S.C. § 17935(c)(1) and 45 CFR §164.528, of disclosures of protected health information that have been made by the Contractor acting on behalf of the County. The accounting shall be provided by the Contractor to the County or to the individual, as directed by the County. To the extent the Contractor is to carry out one or more of the covered entity’s obligations under Subpart E of 45 CFR § 164, the contractor shall comply with the requirements of Subpart E that apply to the County in the performance of such obligations. Permitted Uses and Disclosures by Business Associate The Contractor may use or disclose protected health information to perform functions, activities, or services for, or on behalf of, King County as specified in this Contract, provided that such use or disclosure would not violate HIPAA if done by King County or the minimum necessary policies and procedures of King County.

COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF. 1996 (HIPAA) Terms used in this section shall have the same meaning as those terms in the Privacy Rule, 45 CFR Parts 160 and 164. ) A. Obligations and Activities of the Contractor Contractor 1. The Contractor agrees not to use or disclose protected health information other than as permitted or required by this Contract, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Contractor shall use and disclose protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e). The Contractor is directly responsible for full compliance with the privacy provisions of HIPAA and HITECH that apply to business associates. 2. The Contractor agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the County as required by 45 CFR, Part 164, Subpart C. The Contractor is directly responsible for compliance with the security provisions of HIPAA and HITECH to the same extent as the County. 3. Within two business days of the discovery of a breach as defined at 45 CFR § 164.402 the Contractor shall notify the County of any breach of unsecured protected health information. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the Contractor to have been, accessed, acquired, or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Contractor is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; the contact procedures of the Contractor for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail email address, Web sitewebsite, or postal address; and any other information required to be provided to the individual by the County pursuant to 45 CFR § 164.404, as amended. A breach shall be treated as discovered in accordance with the terms of 45 CFR § 164.410. The information shall be updated promptly and provided to the County as requested by the County. 4. The Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of protected health information by the Contractor in violation of the requirements of this Contract or the law. 5. The Contractor agrees to report in writing all unauthorized or otherwise improper disclosures of protected health information or security incident to the County within two days of the Contractor knowledge of such event. 6. The Contractor agrees to ensure that any agent, including a subcontractor, to whom it provides protected health information received from, or created or received by the Contractor on behalf of the County, agrees to the same restrictions and conditions that apply through this Contract to the Contractor with respect to such information. 7. The Contractor agrees to make available protected health information in accordance with 45 CFR § 164.524. 8. The Contractor agrees to make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 CFR § 164.526. 9. The Contractor agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, or created or received by the Contractor on behalf of King County, available to the Secretary of the U.S. Department of Health and Human Services, in a reasonable time and manner for purposes of the Secretary determining King County’s compliance with HIPAA, HITECH or this Contract. 10. The Contractor agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528. Should an individual make a request to the County for an accounting of disclosures of his or her protected health information pursuant to 45 CFR § 164.528, Contractor agrees to promptly provide an accounting, as specified under 42 U.S.C. § 17935(c)(117935(c) (1) and 45 CFR §164.528, of disclosures of protected health information that have been made by the Contractor acting on behalf of the County. The accounting shall be provided by the Contractor to the County or to the individual, as directed by the County. 11. To the extent the Contractor is to carry out one or more of the covered entity’s obligations under Subpart E of 45 CFR § 164, the contractor shall comply with the requirements of Subpart E that apply to the County in the performance of such obligations. Permitted Uses and Disclosures by Business Associate The Contractor may use or disclose protected health information to perform functions, activities, or services for, or on behalf of, King County as specified in this Contract, provided that such use or disclosure would not violate HIPAA if done by King County or the minimum necessary policies and procedures of King County.

COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF. 1996 (HIPAA) Terms used in this section shall have the same meaning as those terms in the Privacy Rule, 45 CFR Parts 160 and 164. ) A. Obligations and Activities of the Contractor Agency 1. The Contractor Agency agrees not to use or disclose protected health information other than as permitted or required by this Contract, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Contractor Agency shall use and disclose protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e). The Contractor Agency is directly responsible for full compliance with the privacy provisions of HIPAA and HITECH that apply to business associates. 2. The Contractor Agency agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information that it creates, receives, maintains, or transmits on behalf of the County as required by 45 CFR, Part 164, Subpart C. The Contractor Agency is directly responsible for compliance with the security provisions of HIPAA and HITECH that apply to the same extent as the Countybusiness associates, including sections 164.308, 164.310, 164.312, and 164.316 of title 45 CFR. 3. Within two business days of the discovery of a breach as defined at 45 CFR § 164.402 the Contractor Agency shall notify the County of any breach of unsecured protected health information. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the Contractor Agency to have been, accessed, acquired, or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what the Contractor Agency is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; the contact procedures of the Contractor Agency for individuals to ask questions or learn additional information, which shall include a toll free number, an e-mail address, Web site, or postal address; and any other information required to be provided to the individual by the County pursuant to 45 CFR § 164.404, as amended. A breach shall be treated as discovered in accordance with the terms of 45 CFR § 164.410. The information shall be updated promptly and provided to the County as requested by the County. 4. The Contractor Agency agrees to mitigate, to the extent practicable, any harmful effect that is known to the Contractor Agency of a use or disclosure of protected health information by the Contractor Agency in violation of the requirements of this Contract or the law. 5. The Contractor Agency agrees to report in writing all unauthorized or otherwise improper disclosures of protected health information or security incident to the County within two days of the Contractor Agency knowledge of such event. 6. The Contractor Agency agrees to ensure that any agent, including a subcontractor, to whom it provides protected health information received from, or created or received by the Contractor Agency on behalf of the County, agrees to the same restrictions and conditions that apply through this Contract to the Contractor Agency with respect to such information. 7. The Contractor Agency agrees to make available protected health information in accordance with 45 CFR § 164.524. 8. The Contractor Agency agrees to make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 CFR § 164.526. 9. The Contractor Agency agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, or created or received by the Contractor Agency on behalf of King County, available to the Secretary of the U.S. Department of Health and Human ServicesSecretary, in a reasonable time and manner for purposes of the Secretary determining King County’s compliance with HIPAA, HITECH or this Contract. 10. The Contractor Agency agrees to make available the information required to provide an accounting of disclosures in accordance with 45 CFR §164.528. Should an individual make a request to the County for an accounting of disclosures of his or her protected health information pursuant to 45 CFR § 164.528, Contractor Agency agrees to promptly provide an accounting, as specified under 42 U.S.C. § 17935(c)(1) and 45 CFR §164.528, of disclosures of protected health information that have been made by the Contractor Agency acting on behalf of the County. The accounting shall be provided by the Contractor Agency to the County or to the individual, as directed by the County. To the extent the Contractor is to carry out one or more of the covered entity’s obligations under Subpart E of 45 CFR § 164, the contractor shall comply with the requirements of Subpart E that apply to the County in the performance of such obligations. Permitted Uses and Disclosures by Business Associate The Contractor may use or disclose protected health information to perform functions, activities, or services for, or on behalf of, King County as specified in this Contract, provided that such use or disclosure would not violate HIPAA if done by King County or the minimum necessary policies and procedures of King County.