Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR 164.308, physical safeguards as set forth at 45 CFR 164.310, and technical safeguards as set forth at 45 CFR 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and 45 CFR 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
Appears in 6 contracts
Samples: Standard Contract, Standard Contract, Standard Contract
Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308, physical safeguards as set forth at 45 CFR § 164.310, and technical safeguards as set forth at 45 CFR § 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR § 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and section 45 CFR §§ 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR § 164.410, and any security incident of which it becomes aware;
Appears in 4 contracts
Samples: Subcontract, Subcontract, Contract Amendment
Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308, physical safeguards as set forth at 45 CFR § 164.310, and technical safeguards as set forth at 45 CFR § 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR § 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and section 45 CFR §§ 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR § 164.410, and any security incident of which it becomes aware;
2.1.5 Notify the Department’s Security Officer, Privacy Officer and the Contract Manager as soon as possible, but no later than five (5) business days following the determination of any breach or potential breach of personal and confidential departmental data;
2.1.6 Notify the Privacy Officer and Contract Manager within (24) hours of notification by the US Department of Health and Human Services of any investigations, compliance reviews or inquiries by the US Department of Health and Human Services concerning violations of HIPAA (Privacy, Security Breach).
2.1.7 Provide any additional information requested by the Department for purposes of investigating and responding to a breach;
2.1.8 Provide at Business Associate’s own cost notice to affected parties no later than 45 days following the determination of any potential breach of personal or confidential departmental data as provided in section 501.171, F.S.;
2.1.9 Implement at Business Associate’s own cost measures deemed appropriate by the Department to avoid or mitigate potential injury to any person due to a breach or potential breach of personal and confidential departmental data;
2.1.10 Take immediate steps to limit or avoid the recurrence of any security breach and take any other action pertaining to such unauthorized access or disclosure required by applicable federal and state laws and regulations regardless of any actions taken by the Department;
2.1.11 In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. Business Associates must attain satisfactory assurance in the form of a written contract or other written agreement with their business associates or subcontractors that meets the applicable requirements of 164.504(e)
Appears in 3 contracts
Samples: Integration Assistance Services Contract, Contract, Grant Agreement
Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308, physical safeguards as set forth at 45 CFR § 164.310, and technical safeguards as set forth at 45 CFR § 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR § 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and section 45 CFR § 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
Appears in 3 contracts
Samples: Grant Agreement, Contract # Ih611, Standard Contract
Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR § 164.308, physical safeguards as set forth at 45 CFR § 164.310, and technical safeguards as set forth at 45 CFR § 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR § 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and section 45 CFR §§ 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR § 164.410, and any security incident of which it becomes aware;
2.1.5 Notify the Department’s Security Officer, Privacy Officer and the Contract Manager as soon as possible, but no later than five (5) business days following the determination of any breach or potential breach of personal and confidential departmental data;
2.1.6 Notify the Privacy Officer and Contract Manager within (24) hours of notification by the US Department of Health and Human Services of any investigations, compliance reviews or inquiries by the US Department of Health and Human Services concerning violations of HIPAA (Privacy, Security Breach).
2.1.7 Provide any additional information requested by the Department for purposes of investigating and responding to a breach;
2.1.8 Provide at Business Associate’s own cost notice to affected parties no later than 45 days following the determination of any potential breach of personal or confidential departmental data as provided in section 501.171, F.S.;
2.1.9 Implement at Business Associate’s own cost measures deemed appropriate by the Department to avoid or mitigate potential injury to any person due to a breach or potential breach of personal and confidential departmental data;
2.1.10 Take immediate steps to limit or avoid the recurrence of any security breach and take any other action pertaining to such unauthorized access or disclosure required by applicable federal and state laws and regulations regardless of any actions taken by the Department;
2.1.11 In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. Business Associates must attain satisfactory assurance in the form of a written contract or other written agreement with their business associates or subcontractors that meets the applicable requirements of 164.504(e)
Appears in 2 contracts
Samples: Grant Agreement, Comprehensive Refugee Services Contract
Obligations and Activities of Business Associate. 2.1 Business Associate agrees to:
2.1.1 Not use or disclose protected health information other than as permitted or required by this Attachment or as required by law;
2.1.2 Use appropriate administrative safeguards as set forth at 45 CFR 164.308, physical safeguards as set forth at 45 CFR 164.310, and technical safeguards as set forth at 45 CFR 164.312; including, policies and procedures regarding the protection of PHI and/or ePHI set forth at 45 CFR 164.316 and the provisions of training on such policies and procedures to applicable employees, independent contractors and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that the Network Service Provider creates, receives, maintains or transmits on behalf of the Managing Entity and/or the Department;
2.1.3 Acknowledge that (a) the foregoing safeguards, policies and procedures requirements shall apply to the Business Associate in the same manner that such requirements apply to the Managing Entity and/or the Department, and (b) the Business Associates and their Subcontractors are directly liable under the civil and criminal enforcement provisions set forth at Section 13404 of the HITECH Act and 45 CFR 164.500 and 164.502(E) of the Privacy Rule (42 U.S.C. 1320d-5 and 1320d-6), as amended, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary of Health and Human Services with respect to such requirements;
2.1.4 Report to covered entity any use or disclosure of protected health information not provided for by this Attachment of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
2.1.5 Notify the Managing Entity’s Network Manager as soon as possible, but no later than five (5) business days following the determination of any breach or potential breach of personal and confidential departmental data;
2.1.6 Notify the Managing Entity’s Network Manager within (24) hours of notification by the US Department of Health and Human Services of any investigations, compliance reviews or inquiries by the US Department of Health and Human Services concerning violations of HIPAA (Privacy, Security Breach).
2.1.7 Provide any additional information requested by the Managing Entity and/or the Department for purposes of investigating and responding to a breach;
2.1.8 Provide at Business Associate’s own cost notice to affected parties no later than 45 days following the determination of any potential breach of personal or confidential departmental data as provided in §817.5681, Fla. Stat.;
2.1.9 Implement at Business Associate’s own cost measures deemed appropriate by the Managing Entity and/or the Department to avoid or mitigate potential injury to any person due to a breach or potential breach of personal and confidential departmental data;
2.1.10 Take immediate steps to limit or avoid the recurrence of any security breach and take any other action pertaining to such unauthorized access or disclosure required by applicable federal and state laws and regulations regardless of any actions taken by the Managing Entity or the Department;
2.1.11 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associates must attain satisfactory assurance in the form of a written contract or other written agreement with their business associates or subcontractors that meets the applicable requirements of 45 CFR 164.504(e)
Appears in 1 contract
Samples: Amendment 104