Common use of Confidentiality Requirements Clause in Contracts

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the health care operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose.

Appears in 3 contracts

Samples: Memorandum of Agreement, Memorandum of Agreement, Contract for Services

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the health care operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose.

Appears in 2 contracts

Samples: Memorandum of Agreement, Memorandum of Agreement

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the healthcare operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the healthcare operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. D. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. E. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. F. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose. G. 
The Contractor agrees to defend and hold harmless the Department against any action or liability or damages arising out of or related to the Contractor’s breach of its obligations under this agreement.

Appears in 1 contract

Samples: Contract for Extradition Services

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the health care operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose.

Appears in 1 contract

Samples: Contract Amendment

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the health care operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. D. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. E. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. F. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose. G. 
The Contractor agrees to defend and hold harmless the Department against any action or liability or damages arising out of or related to the Contractor’s breach of its obligations under this agreement.

Appears in 1 contract

Samples: Construction Contract


Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the health care operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor’s records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. D. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees’ actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. E. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. I. F. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department’s behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose. G. 
The Contractor agrees to defend and hold harmless the Department against any action or liability or damages arising out of or related to the Contractor’s breach of its obligations under this agreement.

Appears in 1 contract

Samples: Contract for Laboratory Drug Testing Services

CONTRACT C2297 ATTACHMENT #1

Confidentiality Requirements. A. Contractor agrees to use and disclose Protected Health Information that is disclosed to it by the Department solely for meeting its obligations under its agreements with the Department, in accordance with the terms of this agreement, the Department's established policies rules, procedures and requirements, or as required by law, rule or regulation. B. In addition to any other uses and/or disclosures permitted or authorized by this Agreement or required by law, Contractor may use and disclose Protected Health Information as follows: (1) if necessary for the proper management and administration of the Contractor and to carry out the legal responsibilities of the Contractor, provided that any such disclosure is required by law or that Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached; (2) for data aggregation services, only if to be provided by Contractor for the healthcare operations of the Department pursuant to any and all agreements between the Parties. For purposes of this Agreement, data aggregation services means the combining of protected health information by Contractor with the protected health information received by Contractor in its capacity as a Contractor of another covered entity, to permit data analyses that relate to the healthcare operations of the respective covered entities. (3) Contractor may use and disclose protected health information that Contractor obtains or creates only if such disclosure is in compliance with every applicable requirement of Section 164.504(e) of the Privacy relating to Contractor contracts. 
The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable to the Department as a covered entity shall also be applicable to Contractor and are incorporated herein by reference. C. Contractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Further, Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Department. The Secretary of Health and Human Services and the Department shall have the right to audit Contractor's records and practices related to use and disclosure of Protected Health Information to ensure the Department's compliance with the terms of the HIPAA Privacy Rule and/or the HIPAA Security Rule. Further, Sections 164.308 (administrative safeguards). 164.310 (physical safeguards), 164.312 (technical safeguards), and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to the Contractor in the same manner that such sections apply to the Department as a covered entity. The additional requirements of the HITECH Act that relate to security and that are made applicable to covered entities shall be applicable to Contractor and are hereby incorporated by reference into this BA Agreement. D. Contractor shall report to Department any use or disclosure of Protected Health Information, which is not in compliance with the terms of this Agreement as well as any Security incident of which it becomes aware. 
Contractor agrees to notify the Department, and include a copy of any complaint related to use, disclosure, or requests of Protected Health Information that the Contractor receives directly and use best efforts to assist the Department in investigating and resolving such complaints. In addition, Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement. Such report shall notify the Department of: 1) any Use or Disclosure of protected health information (including Security Incidents) not permitted by this Agreement or in writing by the Department; 2) any Security Incident; 3) any Breach, as defined by the HITECH Act; or 4) any other breach of a security system, or like system, as may be defined under applicable State law (Collectively a “Breach”). Contractor will without unreasonable delay, but no later than seventy-two (72) hours after discovery of a Breach, send the above report to the Department. Such report shall identify each individual whose protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during any Breach pursuant to 42 U.S.C.A. § 17932(b). Such report will: 1) Identify the nature of the non-permitted or prohibited access, use, or disclosure, including the nature of the Breach and the date of discovery of the Breach. 2) Identify the protected health information accessed, used or disclosed, and provide an exact copy or replication of that protected health information. 3) Identify who or what caused the Breach and who accessed, used, or received the protected health information. 4) Identify what has been or will be done to mitigate the effects of the Breach; and 5) Provide any other information, including further written reports, as the Department may request. E. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that if it knows of a pattern of activity or practice of the other party that constitutes a material breach of or violation of the other party’s obligations under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract or arrangement if feasible. If termination is not feasible, the party will report the problem to the Secretary of Health and Human Services (federal government). F. D. Contractor will ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from, or created by Contractor on behalf of the Department, agree to the same restrictions and conditions that apply to Contractor, and apply reasonable and appropriate safeguards to protect such information. Contractor agrees to designate an appropriate individual (by title or name) to ensure the obligations of this agreement are met and to respond to issues and requests related to Protected Health Information. In addition, Contractor agrees to take other reasonable steps to ensure that its employees' actions or omissions do not cause Contractor to breach the terms of this Agreement. G. 
Contractor shall secure all protected health information by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary of Health and Human Services specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, pursuant to the HITECH Act, 42 U.S.C.A. § 300jj-11, unless the Department agrees in writing that this requirement is infeasible with respect to particular data. These security and protection standards shall also apply to any of Contractor’s agents and subcontractors. H. E. Contractor agrees to make available Protected Health Information so that the Department may comply with individual rights to access in accordance with Section 164.524 of the HIPAA Privacy Rule. Contractor agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. In addition, Contractor agrees to record disclosures and such other information necessary, and make such information available, for purposes of the Department providing an accounting of disclosures, to the extent required by Section 164.528 of the HIPAA Privacy Rule. I. F. The Contractor agrees, when requesting Protected Health Information to fulfill its contractual obligations or on the Department's behalf, and when using and disclosing Protected Health Information as permitted in this contract, that the Contractor will request, use, or disclose only the minimum necessary in order to accomplish the intended purpose. 
G. The Contractor agrees to defend and hold harmless the Department against any action or liability or damages arising out of or related to the Contractor's breach of its obligations under this agreement.

Appears in 1 contract

Samples: Contract (America Service Group Inc /De)
