Common use of General Obligations of Business Associate Clause in Contracts

General Obligations of Business Associate.

Section 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

Section 2.02 Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.

Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.

Section 2.04 The Business Associate agrees to the following breach notification requirements:

(a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA.

(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.

Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI.

(a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law.

(b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526.

Section 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528.

Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII).

Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

Section 2.11 Business Associate agrees to account for the following disclosures:

(a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate.

(d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR.

Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 4 contracts

Samples: Annual Service Interpretation and Translation Services Contract, Annual Service Interpretation and Translation Services Contract, Annual Service Agreement


General Obligations of Business Associate. Business Associate acknowledges and agrees as follows:

(1) Business Associate shall designate one liaison to serve as a single point of contact for KDADS as identified in Section X of this Agreement, or as later amended.

(2) Business Associate will use or disclose the PHI solely to perform functions, activities, or services for, or on behalf of KDADS as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by KDADS, or as required by law.

(3) Business Associate acknowledges that in receiving, transmitting, transporting, storing, processing, or otherwise dealing with any information received from KDADS identifying or otherwise relating to PHI, Business Associate is fully bound to comply with the provisions of the federal regulations governing the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.

(4) Business Associate agrees that all PHI obtained in the scope of this Agreement is confidential and agrees that it shall safeguard and prevent the use and/or disclosure of the PHI other than as permitted in this Agreement or in accordance with federal and state law. Further, Business Associate agrees not to disclose any PHI obtained from the KDADS for purposes other than those described herein unless it has obtained express written prior approval from KDADS or as contained in an Underlying Agreement, or as required by law.

(5) Business Associate agrees to inform all workforce members, agents and subcontractors accessing PHI that the violation of this Agreement may result in disciplinary action or criminal prosecution if warranted. Business Associate also agrees to take appropriate disciplinary action against its respective workforce members, agents and subcontractors that are found to have violated this Agreement, in a manner consistent with Business Associate’s policies and procedures. Business Associate agrees to provide KDADS upon request a copy of its policies and procedures relative to HIPAA compliance.

(6) Business Associate agrees that it is responsible for compliance with the terms of this Agreement by its workforce, agents, subcontractors and any and all other persons or entities which may have access to the PHI, its use or disclosure, as part of the Underlying Agreement between KDADS and Business Associate.

(7) Business Associate may not release, reproduce, distribute or publish any PHI or other confidential information obtained in the performance of this Agreement without prior written permission of KDADS, which shall not be unreasonably withheld. This provision does not apply to uses and disclosures related to Business Associate’s role as a covered entity to carry out treatment, payment, or healthcare operations; in response to a valid authorization per 45 C.F.R. 164.508; routine requests for use, disclosure, access or copies of PHI by Business Associate clients, client guardians, and health care providers; a permitted use or disclosure per 45 C.F.R. 164.512; or as otherwise required by law. Business Associate agrees to use reasonable and appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.

Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.

Section 2.04 The Business Associate agrees to the following breach notification requirements:

(a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA.

(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.

Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI.

(a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law.

(b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526.

Section 2.08 Business Associate agrees to maintain the privacy and confidentiality of data obtained from KDADS.

Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII).

Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

Section 2.11 Business Associate agrees to account for the following disclosures:

(a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate.

(d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR.

Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 3 contracts

Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement

General Obligations of Business Associate.

(a) Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

(b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.

(c) Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

(d) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within ten (10) business days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(e) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA.

(f) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity to enable the Covered Entity to fulfill its obligations under the Privacy Rule, including 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI.

(g) Business Associate agrees to comply with an individual’s written request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law.

(h) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

(i) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make PHI available to the Covered Entity so that the Covered Entity can make any amendments to PHI in the Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526.

(j) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528.

(k) Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.

(l) To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

(m) Business Associate agrees to account for the following disclosures:

(i) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures.

(ii) Business Associate agrees to provide to Covered Entity upon written request, information collected in accordance with this Section 2(m), to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures.

(iii) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested in writing from the Covered Entity.

(iv) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR.

(n) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the covered entity.

Appears in 2 contracts

Samples: Cloud Based Application Agreement, Business Associate Agreement

General Obligations of Business Associate. 2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. 2.2 Business Associate agrees to use appropriate safeguards, and otherwise comply with the Privacy Rule and Security Rule, to protect and prevent the use or disclosure of PHI and Electronic Protected Health Information (“ePHI”) other than as provided for by the BAA. 2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI. 2.4 The Business Associate agrees to the following Security Incident and Breach notification requirements: (a) Business Associate agrees to report to Covered Entity any Security Incident of which it becomes aware within thirty (30) calendar days of “discovery” within the meaning of the HITECH Act, except that, with respect to any occurrences of Unsuccessful Security Incidents, this section shall hereby serve as notice, and no additional reporting shall be required to Covered Entity. Otherwise, a notice of a Security Incident shall include whether the Security Incident is also a Breach, the general nature of the Security Incident, whether the Security Incident is ongoing, and whether means through which the Security Incident occurred has been or is being addressed. (b) Business Associate agrees to report to Covered Entity any Breach of which it becomes aware within thirty (30) calendar days of “discovery” within the meaning of the HITECH Act. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. 
Specifically, a notice of a Breach shall include the following: (i) To the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the breach; (ii) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (iii) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (iv) Any steps individuals should take to protect themselves from potential harm resulting from the Breach; (v) A brief description of what the covered entity involved is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further breaches; and (vi) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. (c) In the event Business Associate becomes aware of a Breach, Covered Entity hereby agrees that Business Associate may, in its discretion, provide any notices of Breach or Security Incident to applicable authorities and/or affected individuals that are required by any applicable state or federal law, provided that Covered Entity shall have the right to propose commercially reasonable edits to any such notices; otherwise, if Business Associate defers to Covered Entity to provide any such notices then Business Associate shall provide Covered Entity with such reasonable assistance as necessary to enable Covered Entity to provide any such notices. Covered Entity may, at its own effort and expense, send any notices that are not required by applicable law. (d) In the event of a Breach or Security Incident for which Business Associate elects to send notices required by applicable state or federal law, Business Associate bears the burden of demonstrating that notices as required by applicable state or federal law were made, including evidence demonstrating the necessity of any delay, or that the unauthorized use or disclosure did not constitute a Breach or a Security Incident. 
2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. 2.6 Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524 within twenty (20) days of receiving written request by Covered Entity. (a) In the event Business Associate receives a request directly from an individual in regard to the individual exercising their rights under 45 C.F.R. § 164.524, Business Associate shall forward the request to the Covered Entity within twenty (20) days of receipt of the request. (b) Business Associate agrees to comply with a Covered Entity’s request to restrict the disclosure of an individual’s PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (c) To the extent Business Associate is permitted by Covered Entity to respond to requests Business Entity receives from individuals, Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4). (d) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. 
2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526. 2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528. 2.9 In the event Business Associate receives a request directly from an individual in regard to the individual exercising their rights under 45 C.F.R. § 164.526 or 45 C.F.R. § 164.528, Business Associate shall forward the request to the Covered Entity within forty (40) days of receipt of the request. 2.10 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule. 2.11 To the extent that Business Associate agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). 
2.12 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Xxxxxxxx and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required under Applicable Healthcare Law for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches. (b) Business Associate agrees to provide to Covered Entity information collected in accordance with this Section 2.12, as required under Applicable Healthcare Law to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) ("EHR") in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that, where required under Applicable Healthcare Law, an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Covered Entity. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. 
In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR. 2.13 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. 2.14 Business Associate acknowledges that, effective on the Effective Date of this BAA, it may be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 2 contracts

Samples: Business Associate Agreement, Business Associate Agreement

General Obligations of Business Associate. Business Associate acknowledges and agrees as follows: (1) Business Associate shall designate one liaison to serve as a single point of contact for KDADS as identified in Section X of this Agreement, or as later amended. (2) Business Associate will use or disclose the PHI solely to perform functions, activities, or services for, or on behalf of KDADS as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by KDADS, or as required by law. (3) Business Associate agrees that all PHI obtained in the scope of this Agreement is confidential and agrees that it shall safeguard and prevent the use and/or disclosure of the PHI other than as permitted in this Agreement or in accordance with federal and state law. Further, Business Associate agrees not to disclose any PHI obtained from the KDADS for purposes other than those described herein unless it has obtained express written prior approval from KDADS or as contained in an Underlying Agreement, or as required by law. (4) Business Associate agrees to inform all workforce members, agents and subcontractors accessing PHI that the violation of this Agreement may result in disciplinary action or criminal prosecution if warranted. Business Associate also agrees to take appropriate disciplinary action against its respective workforce members, agents and subcontractors that are found to have violated this Agreement, in a manner consistent with Business Associate’s policies and procedures. Business Associate agrees to provide KDADS upon request a copy of its policies and procedures relative to HIPAA compliance. 
(5) Business Associate agrees that it is responsible for compliance with the terms of this Agreement by its workforce, agents, subcontractors and any and all other persons or entities which may have access to the PHI, its use or disclosure, as part of the Underlying Agreement between KDADS and Business Associate. (6) Business Associate may not release, reproduce, distribute or publish any PHI or other confidential information obtained in the performance of this Agreement without prior written permission of KDADS, which shall not be unreasonably withheld. This provision does not apply to uses and disclosures related to Business Associate’s role as a covered entity to carry out treatment, payment, or healthcare operations; in response to a valid authorization per 45 C.F.R. 164.508; routine requests for use, disclosure, access or copies of PHI by Business Associate clients, client guardians, and health care providers; a permitted use or disclosure per 45 C.F.R. 164.512; or as otherwise required by law. Business Associate agrees to use reasonable and appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. 
Section 2.04 The Business Associate agrees to the following breach notification requirements: (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 
164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. (c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain the privacy and confidentiality of data obtained from KDADS. 
Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 
164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Business Associate Agreement

General Obligations of Business Associate. Section 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.02 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.04 The Business Associate agrees to the following breach notification requirements: (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 
164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. 
(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Annual Service Agreement

General Obligations of Business Associate. Section 2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. Section 2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.4 The Business Associate agrees to the following breach notification requirements: (a) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 10 calendar days of “discovery” within the meaning of the HITECH Act, as codified at 42 U.S.C. § 17932(c). Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
(b) Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or as promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Section 2.6 Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. 
Section 2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526. Section 2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528. Section 2.9 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule. Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. 
(b) Business Associate agrees to provide to Covered Entity information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an EHR (as defined in Section 5) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Covered Entity. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. 
Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be subject to the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Hipaa Business Associate Agreement

General Obligations of Business Associate. Business Associate acknowledges and agrees as follows: (1) Business Associate shall designate one liaison to serve as a single point of contact for Covered Entity as identified in Section X of this Agreement, or as later amended. (2) Business Associate will use or disclose the PHI solely to perform functions, activities, or services for, or on behalf of Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity, or as required by law. (3) Business Associate agrees that all PHI obtained in the scope of this Agreement is confidential and agrees that it shall safeguard and prevent the use and/or disclosure of the PHI other than as permitted in this Agreement or in accordance with federal and state law. Further, Business Associate agrees not to disclose any PHI obtained from the Covered Entity for purposes other than those described herein unless it has obtained express written prior approval from Covered Entity or as contained in an Underlying Agreement, or as required by law. (4) Business Associate agrees to inform all workforce members, agents and subcontractors accessing PHI that the violation of this Agreement may result in disciplinary action or criminal prosecution if warranted. Business Associate also agrees to take appropriate disciplinary action against its respective workforce members, agents and subcontractors that are found to have violated this Agreement, in a manner consistent with Business Associate’s policies and procedures. Business Associate agrees to provide Covered Entity upon request a copy of its policies and procedures relative to HIPAA compliance. 
(5) Business Associate agrees that it is responsible for compliance with the terms of this Agreement by its workforce, agents, subcontractors and any and all other persons or entities which may have access to the PHI, its use or disclosure, as part of the Underlying Agreement between Covered Entity and Business Associate. (6) Business Associate may not release, reproduce, distribute or publish any PHI or confidential information obtained in the performance of this Agreement without prior written permission of Covered Entity, which shall not be unreasonably withheld. This provision does not apply to uses and disclosures related to Business Associate’s role as a covered entity to carry out treatment, payment, or healthcare operations; in response to a valid authorization per 45 C.F.R. 164.508; routine requests for use, disclosure, access or copies of PHI by Business Associate clients, client guardians, and health care providers; a permitted use or disclosure per 45 C.F.R. 164.512; or as otherwise required by law. Business Associate agrees to use reasonable and appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. 
Section 2.04 The Business Associate agrees to the following breach notification requirements: (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 
164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. (c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain the privacy and make available the information required to provide an accounting confidentiality of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. 
Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received data obtained from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 
164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Business Associate Agreement

General Obligations of Business Associate. Section 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as required by law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.02 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.04 The Business Associate agrees to the following breach notification requirements: (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than five (5) business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within fifteen (15) business days of verbal notice. Such notice shall include, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
In addition, Business Associate shall provide, any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA, to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 
164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. 
(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Annual Service Agreement

General Obligations of Business Associate. Section 2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. Section 2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.4 The Business Associate agrees to the following breach notification requirements: (a) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 20 calendar days of "discovery" within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or as promptly thereafter as information becomes available. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Section 2.6 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual's designee as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b) Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4). (c) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 
§ 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526. Section 2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528. Section 2.9 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 8). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. 
(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) ("EHR") in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. 
Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Hipaa Business Associate Agreement

General Obligations of Business Associate. Section 2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. Section 2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.4 The Business Associate agrees to the following breach notification requirements: (a) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 20 calendar days of "discovery" within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or as promptly thereafter as information becomes available. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Section 2.6 Business Associate agrees to make available PHI in a Designated Record Set to the individual or Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b) Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4). (c) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 
§ 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526. Section 2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528. Section 2.9 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 8). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). 
Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) ("EHR") in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Covered Entity. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR. 
Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Hipaa Business Associate Agreement

General Obligations of Business Associate. Section 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. Section 2.02 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Section 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.04 The Business Associate agrees to the following breach notification requirements: (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PH has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. 
In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. 
(c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI. Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 
164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures: (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. 
(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

Appears in 1 contract

Samples: Hipaa Business Associate Agreement

General Obligations of Business Associate. Business Associate acknowledges and agrees as follows: (1) Business Associate shall designate one liaison to serve as a single point of contact for DCF as identified in Section X of this Agreement, or as later amended. (2) Business Associate will use or disclose the PHI solely to perform functions, activities, or services for, or on behalf of DCF as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by DCF, or as required by law. (3) Business Associate agrees that all PHI obtained in the scope of this Agreement is confidential and agrees that it shall safeguard and prevent the use and/or disclosure of the PHI other than as permitted in this Agreement or in accordance with federal and state law. Further, Business Associate agrees not to disclose any PHI obtained from the DCF for purposes other than those described herein unless it has obtained express written prior approval from DCF or as contained in an Underlying Agreement, or as required by law. (4) Business Associate agrees to inform all workforce members, agents and subcontractors accessing PHI that the violation of this Agreement may result in disciplinary action or criminal prosecution if warranted. Business Associate also agrees to take appropriate disciplinary action against its respective workforce members, agents and subcontractors that are found to have violated this Agreement, in a manner consistent with Business Associate’s policies and procedures. Business Associate agrees to provide DCF upon request a copy of its policies and procedures relative to HIPAA compliance. (5) Business Associate agrees that it is responsible for compliance with the terms of this Agreement by its workforce, agents, subcontractors and any and all other persons or entities which may have access to the PHI, its use or disclosure, as part of the Underlying Agreement between DCF and Business Associate. 
(6) Business Associate may not release, reproduce, distribute or publish any PHI or other confidential information obtained in the performance of this Agreement without prior written permission of DCF, which shall not be unreasonably withheld. This provision does not apply to uses and disclosures related to Business Associate’s role as a covered entity to carry out treatment, payment, or healthcare operations; in response to a valid authorization per 45 C.F.R. 164.508; routine requests for use, disclosure, access or copies of PHI by Business Associate clients, client guardians, and health care providers; a permitted use or disclosure per 45 C.F.R. 164.512; or as otherwise required by law. Business Associate agrees to use reasonable and appropriate safeguards to maintain the privacy and confidentiality of data obtained from DCF. A. Security obligations The Security Standards specified in 45 CFR 164 Subpart C including the requirements of Sections 164.306, 164.308, 164.310, 164.312, 164.314 and 164.316, apply to the Business Associate in the same manner that such sections apply to DCF (45 CFR 164.302). The Business Associate’s required obligations include, but are not limited to, the following: (1) Safeguards to be in Place: Business Associate shall abide by all applicable provisions of the Security Standards and use all appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI the covered entity or business associate creates, receives, maintains, or transmits and prevent the use or disclosure of PHI other than as provided for by this Agreement. 
Without limiting the extent practicable, any harmful effect that is known to Business Associate as a result generality of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI. Section 2.04 The Business Associate agrees to the following breach notification requirements:‌ (a) Business Associate shall notify Covered Entity by telephone call without unreasonable delay, which in no event shall be more than three business days from which Business Associate knows of such Breach, Unauthorized Use or Disclosure, or Security Incident, or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall notify Covered Entity of all Breaches, even if Business Associate determines there is a low probability that the PH has been compromised based on its risk assessment. Business Associate shall provide a full written report to Covered Entity within five business days of verbal notice. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In additionforegoing sentence, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating shall: Implement Administrative, Physical and Technical Safeguards that are required and those that are reasonable and appropriate to protect the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or as promptly thereafter as information becomes known. 
Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRAconfidentiality, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b) Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. 164.410integrity, and any Security Incident availability of which Electronic PHI that it becomes awarecreates, in violation of this BAA to individualsreceives, the media (as defined under the HITECH Act), the Secretary and/or any other parties as required under HIPAA, the HITECH Act, ARRA and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. In the event Business Associate fails to perform its obligations hereunder, the Covered Entity shall have the right, within its sole discretion, to take over the notification functions specified herein. Any and all costs incurred by Covered Entity in fulfilling the notification requirements specified in HIPAA, the HITECH Act, ARRA or the HIPAA Rules, including but not limited to attorneys’ fees, fines, penalties, publication and mailing charges, and any fees associated with creating and maintaining a toll-free call number or modifications to any Covered Entity website related to breach notification, shall be paid immediately by Business Associate upon demand by Covered Entity consistent with Article VI of this BAA. (c) In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.04 was made, including evidence demonstrating the necessity of any delaymaintains, or that the use or disclosure did not constitute a Breach of Unsecured PHI. 
Section 2.05 Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI transmits on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. Section 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee DCF as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524. Business Associate shall be solely responsible for verifying the right of any individual or individual’s designee to access the requested PHI. (a) Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law. (b) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time. Section 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. Section 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual or individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. 
Section 2.09 Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Article VIII). Section 2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Section 2.11 Business Associate agrees to account for the following disclosures:‌ (a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity's request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI. (c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Article V) ("EHR") in a manner consistent with 45 C.F.R. 
164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate. (d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR. Section 2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time. Section 2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.required;

Appears in 1 contract

Samples: Business Associate Agreement