Common use of DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI Clause in Contracts

DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent as Covered Entity. Business Associate shall comply with the provisions of the Security Rule directing the implementation of administrative, physical and technical safeguards for electronic-PHI (“e-PHI”) and the development and enforcement of related policies, procedures, and documentation standards (including but not limited to designation of a security official). In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured PHI, Business Associate shall mitigate, to the extent practicable, any harmful effects of said disclosure that are known to it. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. To the extent applicable, Business Associate shall provide access to Protected Health Information in a Designated Record Set at reasonable times, at the request of Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524. Business Associate will, upon receipt of written notice from Covered Entity, promptly amend or permit Covered Entity access to amend any portion of Covered Entity’s PHI so that Covered Entity may meet its amendment obligations under 45 CFR §164.526. Business Associate shall, upon request with reasonable notice, provide Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Should an Individual make a request to Covered Entity for an accounting of disclosures of his or her PHI pursuant to 45 C.F.R. §164.528, Business Associate agrees to promptly provide Covered Entity with information in a format and manner sufficient to respond to the Individual’s request. Business Associate shall, upon request with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI provided to it by Covered Entity. Business Associate shall make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from Covered Entity available to the Secretary for the purpose of determining compliance with the Privacy Rule. The aforementioned information shall be made available to the Secretary in the manner and place as designated by the Secretary or the Secretary’s duly appointed delegate. Under this Agreement, Business Associate shall comply and cooperate with any request for documents or other information from the Secretary directed to Covered Entity that seeks documents or other information held by Business Associate. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 42 C.F.R. §164.502(j)(1). Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent as Covered Entity. Business Associate shall comply with the provisions of the Security Rule directing the implementation of administrative, physical and technical safeguards for electronic-PHI (“e-PHI”) and the development and enforcement of related policies, procedures, and documentation standards (including but not limited to designation of a security official). In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured PHI, Business Associate shall mitigate, to the extent practicable, any harmful effects of said disclosure that are known to it. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. To the extent applicable, Business Associate shall provide access to Protected Health Information in a Designated Record Set at reasonable times, at the request of Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524. Business Associate will, upon receipt of written notice from Covered Entity, promptly amend or permit Covered Entity access to amend any portion of Covered Entity’s PHI so that Covered Entity may meet its amendment obligations under 45 CFR §164.526. Business Associate shall, upon request with reasonable notice, provide Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Should an Individual make a request to Covered Entity for an accounting of disclosures of his or her PHI pursuant to 45 C.F.R. §164.528, Business Associate agrees to promptly provide Covered Entity with information in a format and manner sufficient to respond to the Individual’s request. Business Associate shall, upon request with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI provided to it by Covered Entity. Business Associate shall make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from Covered Entity available to the Secretary for the purpose of determining compliance with the Privacy Rule. The aforementioned information shall be made available to the Secretary in the manner and place as designated by the Secretary or the Secretary’s duly appointed delegate. Under this Agreement, Business Associate shall comply and cooperate with any request for documents or other information from the Secretary directed to Covered Entity that seeks documents or other information held by Business Associate. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 42 C.F.R. §164.502(j)(1). Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.. REPORTING