Implementation of Security Standards; Notice of Security Incidents. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate acknowledges that the HITECH Act requires Business Associate to comply with 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316 as if Business Associate were a Covered Entity, and Business Associate agrees to comply with these provisions of the Security Standards and all additional security provisions of the HITECH Act. Furthermore, to the extent feasible, Business Associate will use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI. Business Associate acknowledges and agrees that the HIPAA Omnibus Rule finalized January 25, 2013 at 78 Fed. Reg. 5566 requires Business Associate to comply with new and modified obligations imposed by that rule under 45 C.F.R. §164.306, 45 C.F.R. § 164.308, 45 C.F.R. § 163.310, 45 C.F.R. § 164.312, 45 C.F.R. § 164.316, 45 C.F.R. § 164.502, 45 C.F.R. § 164.504. Lastly, Business Associate will promptly report to Covered Entity any successful Security Incident of which it becomes aware. 
At the request of Covered Entity, Business Associate shall identify: the date of the Security Incident, the scope of the Security Incident, the Business Associate’s response to the Security Incident and the identification of the party responsible for causing the Security Incident, if known. Business Associate and Covered Entity shall take reasonable measures to ensure the availability of all affirmative defenses under the HITECH Act, HIPAA, and other state and federal laws and regulations governing PHI and EPHI.
Appears in 9 contracts
Samples: Master Software and Services Agreement, Piggyback Agreement, Piggyback Agreement
Implementation of Security Standards; Notice of Security Incidents. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate acknowledges that the HIPAA Regulations require Business Associate to comply with 45 CFR §§ 164.308, 164.310, 164.312, 164.314, and 164.316 as if Business Associate were a Covered Entity, and Business Associate agrees to comply with these provisions of the Security Standards and all additional security provisions of the HIPAA Regulations. Furthermore, to the extent feasible, Business Associate will use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable, and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI. Business Associate acknowledges and agrees that the HIPAA Omnibus Rule finalized January 25, 2013 at 78 Fed. Reg. 5566 requires Business Associate to comply with new and modified obligations imposed by that rule under 45 C.F.R. §164.306, 45 C.F.R. § 164.308, 45 C.F.R. § 163.310, 45 C.F.R. § 164.312, 45 C.F.R. § 164.316, 45 C.F.R. § 164.502, 45 C.F.R. § 164.504.
Lastly, Business Associate will promptly report to Covered Entity any successful Security Incident of which it becomes aware. At the request of Covered Entity, Business Associate will identify:
(i) the date of the Security Incident, (ii) the scope of the Security Incident, (iii) the Business Associate’s response to the Security Incident, and (iv) the identification of the Party responsible for causing the Security Incident, if known. Business Associate will keep a log of all Security Incidents, whether successful or not, and provide such log to Covered Entity upon request.
Appears in 1 contract
Samples: Choice Services Agreement