General Obligations of Business Associate. Section 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
Section 2.02 Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
Section 2.04 The Business Associate agrees to the following breach notification requirements:
(a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PH has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
(b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F....
General Obligations of Business Associate. 2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
2.2 Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the BAA.
2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that cause a Breach of Unsecured PHI.
2.4 Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware, or any Security Incident of which it becomes aware, within seven (7) calendar days of the Discovery of such Breach or Security Incident. Business Associate shall provide, as much as may be reasonably practicable, such additional information reasonably requested by Covered Entity for purposes of investigating the Breach or Security Incident and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.
2.5 Business Associate does not presently use any Subcontractors. However and to the extent may be applicable, Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.6 Business Associate does not maintain a Designated Record Set (as defined in 45 C.F.R. § 164.501), nor does Business Associate maintain any unique PHI to which Covered Entity does not have access. Covered Entity retains all obligations related to Designated Record Sets, including maintenance, individual access, amendments to the Designated Record Set, and responding to individuals’ requests for access.
2.7 To the extent applicable and practicable given that Business Associate does not maintain a Designated Record Set, Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F....
General Obligations of Business Associate. Business Associate agrees to:
1. Not use or further disclose Protected Health Information other than as permitted or required by this Agreement, as required to accomplish the intended purposes of the Business Relationship or as Required by Law.
2. Use appropriate administrative, physical, and technical safeguards, and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement, or as required to accomplish the intended purposes of the Business Relationship, or as Required by Law. Business Associate shall provide Covered Entity with a copy of its written information security program upon request. Upon reasonable notice and during normal business hours, Covered Entity shall have the right to audit Business Associate’s compliance with its security program and the terms of this Agreement. Business Associate shall cooperate in such audits and shall provide copies of any documents reasonably requested by Covered Entity at no charge.
3. Report (and maintain such records as are necessary to enable it to report) to Covered Entity, without unreasonable delay and in no case later than ten (10) business days after discovery, any use or disclosure of Protected Health Information not provided for by this Agreement, or as required to accomplish the intended purposes of the Business Relationship, or as Required by Law of which it becomes aware, including any Breach of Unsecured Protected Health Information as required by 45 CFR §164.410 and any Security Incident as required by 45 CFR §164.314(2)(i)(C). Notice of a Breach or Security Incident shall include, at a minimum:
a. In the case of a Breach, the identification of each Individual whose Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach;
b. The date of the Breach or Security Incident, if known;
c. The scope of the Breach or Security Incident; and
d. A description of the Business Associate’s response to the Breach or Security Incident.
4. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such Protected Health Information.
5. Make a...
General Obligations of Business Associate. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.
General Obligations of Business Associate
