Common use of CONFIDENTIALITY AND SECURITY REQUIREMENTS Clause in Contracts

CONFIDENTIALITY AND SECURITY REQUIREMENTS.
a. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Participation Agreement, this Agreement or as required by law. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's policies regarding the minimum necessary use or disclosure of Protected Health Information.
b. Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity's account or who otherwise will have access to Covered Entity's Protected Health Information.
c. At termination of this Agreement, the Participation Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible; (ii) retain only that Protected Health Information required; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEA. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors.
d. Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement.
e. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
f. To the extent applicable, Business Associate will comply with (i) any limitations to which Covered Entity has agreed in regard to an Individual's permission to use or disclose his or her Protected Health Information; and (ii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree.
g. Business Associate will make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order, without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA.
h. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act.
i. Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of Business Associate's compliance with this BAA, HIPAA, and HITECH. Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the audit.

Appears in 2 contracts

Samples: Participation Agreement, Participation & Subscription Agreement

CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Participation Agreement, this Agreement or as required by law. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's ’s policies regarding the minimum necessary use or disclosure of Protected Health Information. b. (b) Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity's ’s account or who otherwise will have access to Covered Entity's ’s Protected Health Information. c. (c) At termination of this Agreement, the Participation Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. 
If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information requirednecessary under the circumstances; (ii) return or destroy the remaining Protected Health Information that the Business Associate still maintains in any form; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEABusiness Associate. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. (d) Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement. e. (e) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. 
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. (f) To the extent applicable, Business Associate will comply with (i) Covered Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's ’s permission to use or disclose his or her Protected Health Information; and (iiiii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. (g) Business Associate will make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, Secretary of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity s compliance with the terms of the DIPAA HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law Without unreasonable delay and, in any event, no more than 48 hours of receipt of the request or by a court order, without unreasonable delaynotification, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's ’s compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. 
(h) Business Associate shall report to Covered Entity (see Exhibit B) any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five forty-eight (548) calendar days hours of such discovery. Security Incidents and Breaches shall be treated as discovered by Business Associate as of the first day on which such Security Incident or Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. For purposes of this Agreement, “Security Incident" means the attempted or successful unauthorized access, use, disclose modification disclosure, modification, or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. § 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's ’s breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. 
To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit indemnify and hold harmless Covered Entity, in its discretion, Entity for any injury or damages arising from any noncompliance with this Agreement or any Security Incident or Breach attributable to conduct an audit the negligence of Business Associate's compliance with , including the failure to execute the terms of this BAA, HIPAA, and HITECH. Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the auditAgreement.

Appears in 1 contract

Samples: Business Associate Agreement

CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Participation Agreement, this Agreement or as required by law. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's ’s policies regarding the minimum necessary use or disclosure of Protected Health Information. b. (b) Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity's ’s account or who otherwise will have access to Covered Entity's ’s Protected Health Information. c. (c) At termination of this Agreement, the Participation Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. 
If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information requirednecessary under the circumstances; (ii) return or destroy the remaining Protected Health Information that the Business Associate still maintains in any form; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEABusiness Associate. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. (d) Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree agrees to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement. e. (e) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. 
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. (f) To the extent applicable, Business Associate will comply with (i) Covered Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's ’s permission to use or disclose his or her Protected Health Information; and (iiiii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. (g) Business Associate will make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, Secretary of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity s compliance with the terms of the DIPAA HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law Without unreasonable delay and, in any event, no more than 48 hours of receipt of the request or by a court order, without unreasonable delaynotification, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's ’s compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. 
(h) Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes of this Agreement, “Security Incident" means the attempted or successful unauthorized access, use, disclose modification or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of Business Associate's compliance with this BAA, HIPAA, and HITECH. 
Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the audit.any

Appears in 1 contract

Samples: Business Associate Agreement

CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Participation Agreement, this Agreement or as required by law. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's ’s policies regarding the minimum necessary use or disclosure of Protected Health Information. b. (b) Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity's ’s account or who otherwise will have access to Covered Entity's ’s Protected Health Information. c. (c) At termination of this Agreement, the Participation Agreement (or any similar documentation of the Parties’ business relationship of the Parties)arrangement, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. 
If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information requirednecessary under the circumstances; (ii) return or destroy the remaining Protected Health Information that the Business Associate still maintains in any form; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEABusiness Associate. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. (d) Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement. e. (e) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. 
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. (f) To the extent applicable, Business Associate will comply with (i) Covered Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual's ’s permission to use or disclose his or her Protected Health Information; and (iiiii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. (g) Business Associate will make its internal practices, books books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, Secretary of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity s compliance with the terms of the DIPAA HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law Without unreasonable delay and, in any event, no more than 48 hours of receipt of the request or by a court order, without unreasonable delaynotification, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's ’s compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. 
(h) Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar sixty days of after such discovery. For purposes Security Incidents and Xxxxxxxx shall be treated as discovered by Business Associate as of this Agreementthe first day on which such Security Incident or Breach is known to Business Associate or, “Security Incident" means by exercising reasonable diligence, would have been known to Business Associate. Notification to the attempted or successful unauthorized access, use, disclose modification or destruction of information or interference with system operations in an information system. Such notification Covered Entity shall contain the elements required by 45 C.F.R. § 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's ’s breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. 
To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit indemnify and hold harmless Covered Entity, in its discretion, Entity for any injury or damages arising from any noncompliance with this Agreement or any Security Incident or Breach attributable to conduct an audit the negligence of Business Associate's compliance with , including the failure to execute the terms of this BAA, HIPAA, and HITECH. Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the auditAgreement.

Appears in 1 contract

Samples: Business Associate Agreement

CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not agrees: (i) to use or disclose any Protected Health Information other than solely: (1) for meeting its obligations as permitted set forth in any agreements between the Parties evidencing their business relationship, or required by the Participation Agreement, this Agreement or (2) as required by applicable law. To the extent Business Associate carries out obligations of , rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of and (3) as would be permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate All such uses and disclosures shall be subject to use or disclose Protected Health Information the limits set forth in any manner that would not be permissible under the HIPAA Security 45 CFR § 164.514 regarding limited data sets and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's policies 45 CFR § 164.502(b) regarding the minimum necessary use or disclosure of Protected Health Information.requirements; b. Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity's account or who otherwise will have access to Covered Entity's Protected Health Information. c. 
At (ii) at termination of this Agreement, the Participation Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained created or received by Business Associate on behalf of Covered Entity, Entity that Business Associate still maintains in any form and retain no copies of such information. If , or if such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information required; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information information not feasible; and ; (viii) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEA. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. Business Associate agrees to ensure that its agents, including any subcontractorsa subcontractor, that create, receive, maintain or transmit to whom it provides Protected Health Information received from or created by Business Associate on behalf of Business Associate agree Covered Entity, agrees to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree agrees to implement reasonable and appropriate safeguards to protect any of such information that which is Electronic Protected Health Information. 
Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement; (iv) Business Associate shall, following the discovery of a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, notify the covered entity of such breach pursuant to the terms of 45 CFR § 164.410 and cooperate in the covered entity’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than 30 calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410; and (v) Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. 
In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate. e. (b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information as follows: (i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: (A) the disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (ii) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this AgreementAgreementii. 
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. To . The Secretary of Health and Human Services shall have the extent applicable, right to audit Business Associate will comply with (i) any limitations Associate’s records and practices related to which Covered Entity has agreed in regard to an Individual's permission to use or disclose his or her Protected Health Information; and (ii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. Business Associate will make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, to ensure Covered Entity available to the Secretary, of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity s Entity’s compliance with the terms of the DIPAA HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order, without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. 
Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of Business Associate's compliance with this BAA, HIPAA, and HITECH. 
Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the audit.

Appears in 1 contract

Samples: Business Associate Agreement


CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not agrees: (i) to use or disclose any Protected Health Information other than solely: (1) for meeting its obligations as permitted set forth in any agreements between the Parties evidencing their business relationship, or required by the Participation Agreement, this Agreement or (2) as required by applicable law. To the extent Business Associate carries out obligations of , rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of and (3) as would be permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate All such uses and disclosures shall be subject to use or disclose Protected Health Information the limits set forth in any manner that would not be permissible under the HIPAA Security 45 CFR § 164.514 regarding limited data sets and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity's policies 45 CFR § 164.502(b) regarding the minimum necessary use or disclosure of Protected Health Information.requirements; b. Business Associate agrees (ii) to provide HIPAA training ensure that its agents, including a subcontractor, to all of its personnel who service Covered Entity's account or who otherwise will have access to Covered Entity's Protected Health Information. c. 
At termination of this Agreement, the Participation Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all whom it provides Protected Health Information received from Covered Entity, or created, maintained or received created by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information required; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEA. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree agrees to implement reasonable and appropriate safeguards to protect any of such information that which is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. 
In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement; (iv) Business Associate shall, following the discovery of a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, notify the covered entity of such breach pursuant to the terms of 45 CFR § 164.410 and cooperate in the covered entity’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than 30 calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410; and (v) Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate. e. 
(b) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information as follows: (i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: (A) the disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (ii) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. To . 
The Secretary of Health and Human Services shall have the extent applicable, right to audit Business Associate will comply with (i) any limitations to which Covered Entity has agreed in regard to an Individual's permission to use or disclose his or her Protected Health Information; and (ii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. Business Associate will make its Associate’s internal practices, books and records relating related to the use and disclosure of Protected Health Information received from, or created or received by to ensure both Covered Entity’s and Business Associate on behalf of, Covered Entity available to the Secretary, of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity s Associate’s compliance with the terms of the DIPAA HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order, without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar days of such discovery. 
For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of Business Associate's compliance with this BAA, HIPAA, and HITECH. Such audit may consist of a series of inquiries that require written responses. 
Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the audit.

Appears in 1 contract

Samples: Business Associate Agreement

CONFIDENTIALITY AND SECURITY REQUIREMENTS. a. (a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Participation Agreement, this Agreement or as required by law. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity’s policies regarding the minimum necessary use or disclosure of Protected Health Information. b. (b) Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity’s account or who otherwise will have access to Covered Entity’s Protected Health Information. c. (c) At termination of this Agreement, the Participation Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. 
If such return or destruction is not feasible, Business Associate will (i) provide notification of the conditions that make return or destruction not feasible, (ii) retain only that Protected Health Information requirednecessary under the circumstances; (ii) return or destroy the remaining Protected Health Information that the Business Associate still maintains in any form; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by NC HIEA. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors. d. Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employee’s actions or omissions do not cause Business Associate to breach the terms of this Agreement. e. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. 
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. f. To the extent applicable, Business Associate will comply with (i) any limitations to which Covered Entity has agreed in regard to an Individual's permission to use or disclose his or her Protected Health Information; and (ii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree. g. Business Associate will make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of the Secretary determining Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Unless prohibited from doing so by applicable law or by a court order, without unreasonable delay, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate's compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind, if such review, complaint, audit or assessment pertains to the Participation Agreement or this BAA. h. 
Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than five (5) calendar days of such discovery. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Such notification shall contain the elements required by 45 C.F.R. 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity's breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. To the extent any of the parties to this Agreement are an entity of the State of North Carolina, nothing in this Agreement is intended to affect or abrogate that party's sovereign immunity as an entity of the State of North Carolina including all protections and immunities granted to that party under the North Carolina Tort Claims Act. i. Business Associate shall permit Covered Entity, in its discretion, to conduct an audit of Business Associate's compliance with this BAA, HIPAA, and HITECH. 
Such audit may consist of a series of inquiries that require written responses. Business Associate shall promptly and completely respond to Covered Entity’s request for information in support of the audit, which shall not be conducted more than once annually except in cases of an actual or reasonably suspected Security Incident or reasonably suspected noncompliance with this BAA, HIPAA or HITECH. Each Party shall bear its own costs associated with the audit.

Appears in 1 contract

Samples: Business Associate Agreement
