Obligations and Activities of Business Associate. a. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement, as Required by Law or as permitted by law, provided such use or disclosure would also be permissible by law by Covered Entity.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
d. Business Associate agrees to report to Covered Entity any use or disclosure for the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals’ information it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00 during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 2 contracts
Samples: Management Services Agreement (Apollo Medical Holdings, Inc.), Management Services Agreement (Apollo Medical Holdings, Inc.)
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Addendum or as Required By Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Addendum. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate from a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum.
D. Business Associate agrees to report to Covered Entity the discovery of any use or disclosure of PHI not provided for by this Addendum, including breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within twenty-four (24) hours of the breach and/or Security Incident.
E. Business Associate agrees to perform any required breach notifications to individuals, federal agencies, and potentially the media, on behalf of Covered Entity, if requested by Covered Entity.
F. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Addendum to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals’ information it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00 during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 2 contracts
Samples: Transportation Brokerage Services Contract, Medicaid Managed Care Services Agreement
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
D. Business Associate agrees to report to Covered Entity by telephone call plus e-mail, web form, or fax the discovery of any use or disclosure of the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within one (1) hour and in no case later than forty-eight (48) hours of the breach and/or Security Incident.
E. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
F. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
G. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall notify Covered Entity upon receipt of such request.
H. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
I. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
J. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
K. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall notify Covered Entity by telephone call plus e-mail, web form, or fax upon the discovery of any breach of such information within one (1) hour and in no case later than forty-eight (48) hours after discovery of the breach and/or Security Incident. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals’ information it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00 during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 1 contract
Obligations and Activities of Business Associate. 2.1. Business Associate agrees that it will not use or further disclose PHI except as permitted or required by this Agreement, or as Required By Law.
2.2. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures. Business Associate shall not use or disclose PHI except for the purpose of performing Business Associate's obligations under the CPC-HIE Agreement, including those obligations imposed by any exhibits.
2.3. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity and to prevent the use or disclosure of PHI other than as provided by this Agreement. Business Associate acknowledges that the Security Rule provisions regarding administrative safeguards, physical safeguards, technical safeguards, and policies and procedures and documentation requirements found in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 apply to Business Associate in the same manner as to Covered Entity.
2.4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
2.5. Business Associate agrees that it will report to Covered Entity any use or disclosure of PHI not allowed by this Agreement, including any breach of unsecured PHI, if it becomes aware of the use or disclosure, and any security incident of which it becomes aware.
2.6. Business Associate will ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate and to implement reasonable and appropriate safeguards with respect to such information, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
2.7. Within ten (10) days of request by Covered Entity, Business Associate agrees to provide access to PHI maintained in Designated Record Sets by Business Associate to enable Covered Entity to fulfill its obligations under the Privacy rule, including, but not limited to, 45 CFR Sections 164.524 and 164.526. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
Business Associate agrees to incorporate any amendments to PHI in a Designated Record Set in accordance with 45 CFR 164.526.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
2.8. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
Such accounting shall be provided to Covered Entity at the address, to the attention of, the department specified by Covered Entity at the time that such request for accounting is made, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 CFR Section 164.528.
2.9. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Business Associate shall notify Covered Entity regarding any information that Business Associate provides to the Secretary concurrently with providing such information to the Secretary, and upon Covered Entity’s request, shall provide Covered Entity with a duplicate copy of such information.
2.10. Business Associate’s responses to requests for action with respect to PHI described in this Section 2 shall be completed in a manner which complies with the timeliness requirements contained in the Privacy Rules.
2.11. Business Associate agrees to notify Covered Entity within forty eight (48) hours of discovering a breach of unsecured PHI pursuant to the requirements of 45 CFR § 164.410. To the extent possible, this notice will include the identification of each individual whose PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, disclosed, or used during such Breach. Business Associate will provide Covered Entity with any additional information it obtains regarding the Breach of Unsecured PHI on an ongoing basis, and Business Associate will provide Covered Entity with all assistance and information in Business Associate’s possession reasonably needed by Covered Entity to comply with Covered Entity’s breach notification obligations. Business Associate agrees to implement a reasonable system for discovery of Breaches.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to the PHI and personal information of individuals that it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Samples: Health Information Exchange Participation Agreement
Obligations and Activities of Business Associate. a. Business Associate agrees to not use or further disclose PI other than as permitted or required by this Agreement or as Required by Law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PI other than as provided for by this Agreement. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PI that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity, as provided for in the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PI by Business Associate in violation of the requirements of this Agreement.
d. Business Associate agrees to report to Covered Entity any use or disclosure of the PI not provided for by this Agreement of which it becomes aware. Business Associate also agrees to report to Covered Entity any security incident, any breach of unsecured Protected Health Information (as defined under HIPAA), and any breach of security of Personal Information (as defined under FIPA) within five (5) business days of discovery of same.
e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PI received from, or created or received by Business Associate on behalf of, Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f. Business Associate agrees to provide paper or electronic access, during normal business hours, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524, provided that Covered Entity delivers to Business Associate a written notice at least five (5) business days in advance of requesting such access. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI in a Designated Record Set of Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, at the request of Covered Entity or an Individual. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI from a Designated Record Set of Covered Entity.
h. Unless otherwise protected or prohibited from discovery or disclosure by law, Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use or disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner designated by Business Associate, for the purposes of the Secretary determining Covered Entity’s or Business Associate’s compliance with the Privacy Rule or Security Rule. Business Associate shall have a reasonable time within which to comply with requests for such access and in no case shall access be required in less than five (5) business days after Business Associate’s receipt of such request, unless otherwise designated by the Secretary.
i. Business Associate agrees to maintain necessary and sufficient documentation of disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of such disclosures, in accordance with 45 CFR § 164.528.
j. On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall have a reasonable time within which to comply with such a request from Covered Entity and in no case shall Business Associate be required to provide such documentation in less than five (5) business days after Business Associate’s receipt of such request.
k. Except as provided for in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate will redirect the Individual to the Covered Entity.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to the PHI and personal information of individuals that it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Samples: Hipaa Business Associate Agreement
Obligations and Activities of Business Associate. (a) Business Associate agrees to restrict its use and disclosure of PHI solely for the purpose of performing Business Associate’s obligations under the Underlying Agreement and as otherwise permitted or required by these Requirements or as Required By Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by the Underlying Agreement and these Requirements.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of these Requirements.
[1] The privacy and security rules (45 C.F.R. Parts 160 and 164), adopted under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as may be modified or amended from time to time (“HIPAA”), have required that health plans as covered entities enter into a written contract containing specific requirements with Business Associates prior to the disclosure of PHI. Brokers receive PHI from health plans and perform services on behalf of health plans. Therefore, brokers meet the definition of a Business Associate.
(i) Business Associate agrees to report to Medica any use or disclosure of PHI not provided for by these Requirements of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, within five (5) business days of the discovery of the use or disclosure. Business Associate shall submit the report via secure email to Medica at xxxxxxx@xxxxxx.xxx. Medica shall have sole control over: the determination of whether a Breach of unsecured PHI has occurred as defined in 45 C.F.R. § 164.402;
(ii) Whether Breach notification is required; and
(iii) The timing and method of providing notification to affected individuals, the Secretary, and, if applicable, the media.
(d) Business Associate agrees, prior to disclosure of PHI to any Subcontractor, to require the Subcontractor to agree in writing to the same terms, restrictions and conditions that apply through this Agreement to Business Associate with respect to PHI.
(e) Business Associate agrees to provide paper or electronic access, at the request of Medica, and in the time and manner determined by Medica, to PHI in a Designated Record Set, to Medica, or as directed by Medica, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. In the event an Individual requests a copy of PHI maintained electronically in one or more Designated Record Sets, Business Associate agrees to provide access, at the request of Medica, and in the time and manner determined by Medica, to such PHI, to Medica, or as directed by Medica, to the Individual in the electronic form and format requested by the Individual if it is readily producible in such form and format; or, if not readily producible, in a readable electronic form and format as agreed to by the Individual.
(f) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Medica directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Medica, and in the time and manner designated by Medica.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 §C.F.R. 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to the PHI and personal information of individuals that it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Obligations and Activities of Business Associate. (a) Business Associate agrees to not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate may disclose PHI to, or receive PHI from, another business associate of CalPERS to the extent directed to do so, in writing, by CalPERS. For purposes of this BAA, the terms “use” or “disclose” include the receipt, creation, transmission, or maintenance of PHI to the extent allowed by the HIPAA Regulations.
(b) Business Associate agrees to implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that Business Associate creates, receives, maintains, or transmits on behalf of CalPERS as required by the Security Rule. Business Associate will ensure that any Agent, including a Subcontractor, to whom Business Associate provides EPHI agrees to implement reasonable and appropriate administrative, physical, and technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of such EPHI. Business Associate agrees to comply with Sections 164.306, 164.308, 164.310, 164.312, 164.314 and 164.316 of Title 45, Code of Federal Regulations with respect to all EPHI. Business Associate agrees that it and its Subcontractors and Agents (1) will not send EPHI by email unless the email meets the encryption standards of the Security Rule; and (2) will encrypt any laptops containing EPHI, as password and login protocol are not deemed adequate protections by CalPERS.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
(d) Business Associate agrees to report to CalPERS in writing any use or disclosure of the PHI not permitted by this BAA by Business Associate, a Subcontractor of Business Associate or an Agent of Business Associate within five (5) business days of such unauthorized use or disclosure of which Business Associate becomes aware. Business Associate agrees to report to CalPERS any Security Incident of which Business Associate becomes aware.
(e) Business Associate will ensure that any Subcontractor of Business Associate using or disclosing PHI has executed a Business Associate agreement containing substantially the same terms as this BAA, including the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. Business Associate will ensure that any Agent to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of, CalPERS has executed an agreement containing substantially the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information. Business Associate will provide, upon written request by CalPERS, a list of any such Subcontractors of Business Associate and any Agents of Business Associate using or disclosing PHI. Business Associate will ensure only those who reasonably need to know such PHI in order to perform the services contemplated by the Other Agreement receive such PHI and, in such case, only the minimum amount of such PHI is disclosed as is necessary for such performance.
(f) Business Associate agrees to provide paper or electronic access, at the request of CalPERS and in the time and manner requested by CalPERS, to PHI in a Designated Record Set, to CalPERS or, as directed by CalPERS, to an Individual, in order to meet the requirements under 45 CFR §164.524. If CalPERS requests an electronic copy of PHI that is maintained electronically in a Designated Record Set in the Business Associate’s custody or control or the custody or control of a Subcontractor or Agent of Business Associate, Business Associate will provide such PHI in the electronic form and format requested by CalPERS unless it is not readily produced in such format, in which case Business Associate will provide another reasonable electronic format as agreed to by the parties and the Individual requesting such PHI.
(g) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that CalPERS directs or agrees to pursuant to 45 CFR §164.526 at the request of CalPERS or an Individual, and in the time and manner reasonably requested by CalPERS.
(h) Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, CalPERS available to the Secretary or other regulatory officials as directed by CalPERS, in a time and manner requested by CalPERS, the Secretary or other regulatory official, for the purposes of the Secretary or other regulatory official determining CalPERS’s or Business Associate’s compliance with the HIPAA Regulations or other applicable law.
(i) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for CalPERS to respond to a request
(j) In conducting any electronic transaction that is subject to the Electronic Transactions Rule on behalf of CalPERS, Business Associate agrees to comply with all requirements of the Electronic Transactions Rule that would apply to CalPERS if CalPERS were conducting the transaction itself. Business Associate agrees to ensure that any Agent or Subcontractor of Business Associate that conducts standard transactions with PHI will comply with all of the requirements of the Electronic Transactions Rule that would apply to CalPERS if CalPERS were conducting the transaction itself.
(k) Business Associate agrees to provide to CalPERS or an Individual, in a time and manner designated by CalPERS, information collected in accordance with Section 2(i) of this BAA to permit CalPERS to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
(l) Business Associate will request, use, and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
(m) Business Associate will not disclose PHI to any member of its workforce unless Business Associate has advised such person of Business Associate’s privacy and security obligations under this BAA, including the consequences for violation of such obligations. Business Associate will take appropriate disciplinary action against any member of its workforce who uses or discloses PHI in violation of this BAA and applicable law.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to the PHI and personal information of individuals that it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement, as required by Law or as permitted by law, provided the use or disclosure would also be permissible by law if made by the Covered Entity.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement administrative safeguards, physical safeguards and technical safeguards (“safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, in the same manner that those requirements apply to the Covered Entity pursuant to 45 C.F.R. § 164.504.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, or of any security incident of which it becomes aware.
d. Business Associate agrees to report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410; and any security incident of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from or created or received by Business Associate on behalf of the Covered Entity agrees to substantially similar restrictions and conditions that apply through this Agreement to Business Associate with respect to that information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access to PHI to the Covered Entity or, as directed by the Covered Entity, to an individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed, in the time and manner designated by the Covered Entity or individual, pursuant to 45 C.F.R. § 164.526.
h. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from, created or received by the Business Associate on behalf of the Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document disclosures of PHI and the information related to the disclosures that would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
j. Business Associate agrees to provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with this Agreement, to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402), it shall, following the discovery of a breach of such information, promptly notify the Covered Entity of the breach. The notice shall include: (a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach, and a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (b) a description of the types of Unsecured Protected Health Information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); and (c) a brief description of what Business Associate is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. § 164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals that it receives from the Covered Entity during the term of the Agreement.
1. Business Associate agrees to:
a) Implement and maintain appropriate physical, technical, and administrative security measures for the protection of personal information as required by any New York State law, including, but not limited to:
i. Encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
ii. Prohibiting the transfer of personal information to any portable device that has not been approved in advance; and
iii. Encrypting any personal information to be transferred to a portable device.
b) Implement and maintain a Written Information Security Program as required by any New York State law.
2. The safeguards set forth in this Agreement shall apply equally to ePHI, PHI, and confidential and “personal information.” Personal information is defined by any applicable law or regulation and means any information about an individual maintained by any agency, company or organization, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information; it also includes combinations of information such as an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account; provided it is also information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context; however, “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Addendum or as Required By Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Addendum. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate from a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum.
D. Business Associate agrees to report to Covered Entity the discovery of any use or disclosure of PHI not provided for by this Addendum, including breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within twenty-four (24) hours of the breach and/or Security Incident.
E. Business Associate agrees to perform any required breach notifications to individuals, federal agencies, and potentially the media, on behalf of Covered Entity, if requested by Covered Entity.
F. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Addendum to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
G. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
H. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall notify Covered Entity upon receipt of such request.
I. Business Associate agrees to maintain reasonable written security procedures and practices, and shall make its internal written procedures, practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
J. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
K. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Addendum, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall notify Covered Entity by telephone call plus e-mail, web form, or fax upon the discovery of any breach of such information, within twenty-four (24) hours after discovery of the breach and/or Security Incident. Such notice shall include: (i) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; (ii) a brief description of what happened, including the date of the breach and discovery of the breach; (iii) a description of the type of Unsecured PHI that was involved in the breach; (iv) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; (v) the results of any and all investigation performed by Business Associate related to the breach; and (vi) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach. Upon learning new or additional information regarding the breach or Security Incident, Business Associate shall provide corrected supplemental information to Covered Entity.
L. To the extent Business Associate is carrying out an obligation of Covered Entity’s under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
M. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 45 C.F.R. § 164.502(a)(5)(ii)(B)(2) applies.
N. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. § 164.501, unless permitted by 45 C.F.R. § 164.508(a)(3)(A)-(B).
O. If applicable, Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
P. Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and personal information of individuals that it receives from Covered Entity during the term of the Addendum.
(i) Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law and rules and regulations, including, but not limited to (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly, (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance, and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain written security procedures as required by any state law as applicable.
(ii) Safeguards set forth in this Addendum shall apply equally to PHI, confidential and “personal information.” Personal information means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
D. Business Associate agrees to report to Covered Entity by telephone call plus e-mail, web form, or fax the discovery of any use or disclosure of the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within one (1) hour and in no case later than forty-eight (48) hours of the breach and/or Security Incident.
E. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
F. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals that it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Appears in 1 contract
Samples: Transportation Brokerage Services
Obligations and Activities of Business Associate. a. With regard to its use and disclosure of PHI, Business Associate agrees agrees:
2.1 to use or disclose PHI only if such use or disclosure is in compliance with each applicable requirement of 45 C.F.R. 164.504(e).
2.2 to not use or further disclose PHI other than as permitted or required by this Agreement, Agreement or as Required by Law or as permitted by law, provided such use or disclosure would also be permissible by law by Covered EntityLaw.
b. Business Associate agrees 2.3 to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees Agreement including the implementation of all requirements of the HIPAA Security Rule with respect to EPHI.
2.4 to implement Administrative Safeguardsadministrative, Physical Safeguards physical and Technical Safeguards (“Safeguards”) technical safeguards in compliance with the Security Rule requirements at 45 C.F.R. sections 164.308, 164.310 and 164.312 that reasonably and appropriately will protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”EPHI that Business Associate creates, including those safeguards required pursuant to 45 C.F.R. §§ 164.308receives, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Covered Entity pursuant to 45 C.F.R. § 164.504maintains or transmits on behalf of Provider.
c. Business Associate agrees 2.5 to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
d. 2.6 to the extent the Business Associate agrees is to report carry out the Provider’s obligations under the Privacy Rule, the Business Associate shall comply with the Privacy Rule’s requirements that apply to Covered Entity any use or disclosure for the PHI not provided for by this Agreement, including breaches Provider in the performance of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes awaresuch obligation.
e. Business Associate agrees 2.7 to ensure require that any agentagent of Business Associate, including a subcontractor or vendorsubcontractor, to whom it Business Associate provides PHI received fromagrees, or created or received by Business Associate on behalf of Covered Entity agrees in writing, to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314PHI.
f. Business Associate agrees 2.8 to provide paper or electronic access, at the request of Covered Entity Provider and in the time and manner designated by Covered Entitywithin fifteen (15) days of such request, to PHI in a Designated Record Set Set, to Covered Entity Provider or, as directed by Covered EntityProvider, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the an Individual requests an electronic copy of the informationmakes a request for access to PHI directly to Business Associate, Business Associate must shall notify Provider of the request within five (5) business days of such request. Business Associate acknowledges that Individuals have the right to obtain access to their PHI in an electronic format, and Business Associate will provide Covered Entity with the information requested PHI maintained in the a Designated Record Set in an electronic form and format requested requested, if such format is readily producible, or in another readable electronic format as may be agreed to by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered EntityIndividual.
g. Business Associate agrees 2.9 to make any amendment(s) to PHI in a Designated Record Set that Covered Entity Provider directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or Provider, within fifteen (15) days of receiving such request. If an IndividualIndividual makes a request for an amendment to PHI directly to Business Associate, and in Business Associate shall notify Provider of the time and manner designated by Covered Entityrequest within three (3) business days of such request.
h. Business Associate agrees 2.10 to make its Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity Provider available to Covered EntityProvider, or at the request of Covered Entity to the Secretary, within fifteen (15) days or in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered EntityProvider ’s compliance with the Privacy Rule and Security Rule.
2.11 Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. At a minimum, the following information regarding the disclosure will be documented: (1) the date of the disclosure; (2) the name of the entity or person who received the Protected Health Information, and the address of such entity or person; (3) a brief description of the Protected Health Information disclosed; (4) a brief statement regarding the purpose and an explanation of the basis of such disclosure; and (5) the names of Individuals whose Protected Health Information was disclosed.
2.12 Business Associate agrees to provide to Provider, within thirty (30) days of receiving such request, information collected in accordance with Section 2.12 of this Agreement, to permit Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.13 Business Associate agrees not to directly or indirectly receive remuneration in exchange for any PHI unless one of the following applies:
a. Provider has obtained an authorization from such Individual (and provided a copy of the authorization to the Individual) that meets the requirements of 45 C.F.R. 164.508(c) which is signed and dated by the Individual and contains, at a minimum, a statement that direct or indirect remuneration to Provider or Business Associate from a third party is involved.
b. The purpose of the exchange meets an exception detailed in 45 C.F.R. § 164.502(a)(5)(ii)(B)(2).
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a) Business Associate acknowledges and agrees that it is obligated by law (or upon the effective date of any portion thereof shall be obligated) to meet the applicable provisions of HIPAA and such provisions are incorporated herein and made a part of this Business Associate Agreement. Covered Entity and Business Associate agree that any regulations and/or guidance issued by DHHS with respect to HIPAA that relate to the obligations of the business associate pursuant to its obligations in the Underlying Agreement shall be deemed incorporated into and made a part of this Business Associate Agreement.
b) In accordance with 45 CFR §164.502(a)(3), Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by Law.
c) Business Associate agrees to develop, implement, maintain and use appropriate administrative, technical, and physical safeguards that are designed to reasonably prevent the use or disclosure of the PHI other than as provided for by this Business Associate Agreement, in accordance with 45 CFR §§164.306, 310 and 312. Business Associate agrees to develop, implement, maintain and use administrative, physical, and technical safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI, in accordance with 45 CFR §§164.306, 308, 310, and 312. In accordance with 45 CFR §164.316, Business Associate shall also develop and implement policies and procedures and meet the documentation requirements as and at such time as may be required by HIPAA.
d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate, of a use or disclosure of PHI by Business Associate in violation of the requirements of this Business Associate Agreement.
e) In accordance with 45 CFR §§164.308, 314 and 502, Business Associate will use commercially reasonable efforts to report to Covered Entity any use or disclosure for the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware.
e. Business Associate agrees to require that any workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit PHI on Business Associate’s behalf, agree to the same restrictions and conditions that apply through this Business Associate Agreement to Business Associate with respect to such information, including minimum necessary limitations. Business Associate will use commercially reasonable efforts to require that any workforce member or agent, including a vendor or subcontractor, whom Business Associate engages to create, receive, maintain, or transmit PHI on Business Associate’s behalf, agree to implement reasonable and appropriate safeguards designed to protect the confidentiality, integrity, and availability of the PHI.
f) At the request of Covered Entity, Business Associate will provide Covered Entity, or as directed by Covered Entity, an Individual, access to PHI maintained in a Designated Record Set in a time and manner that is sufficient to meet the requirements of 45 CFR § 164.524, and, where required by HIPAA, shall make such information available in an electronic format where directed by the Covered Entity.
g) At the written request of Covered Entity, (or if so, directed by Covered Entity, at the written request of an Individual), Business Associate agrees to make any amendment to PHI in a Designated Record Set, as directed by Covered Entity, in a time and manner that is sufficient to meet the requirements of 45 CFR § 164.526.
h) In accordance with 45 CFR §164.504(e)(2), Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI, relating to the use and disclosure of PHI, created or received by Business Associate on behalf of Covered Entity available to Covered Entity or at the request of Covered Entity to the Secretary for purposes of determining compliance with applicable law. To the extent permitted by law, said disclosures shall be held in confidence by the Covered Entity. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law.
i) Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures, including the date, recipient and purpose of such disclosures, in a manner that is sufficient for Covered Entity or Business Associate to respond to a request by Covered Entity or an Individual for an Accounting of disclosures of PHI and in accordance with 45 CFR § 164.528. Business Associate further shall provide any additional information where required by HIPAA and any implementing regulations. Unless otherwise provided under HIPAA, Business Associate will maintain the Accounting with respect to each disclosure for at least six years following the date of the disclosure.
j) Business Associate agrees to provide to Covered Entity upon written request, or, as directed by Covered Entity, to an Individual, an Accounting of disclosures in a time and manner that is sufficient to meet the requirements of HIPAA, in accordance with 45 CFR § 164.528. In addition, where Business Associate is contacted directly by an Individual based upon information provided to the Individual by Covered Entity and where so required by HIPAA and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual.
k) In accordance with 45 CFR §164.502(b), Business Associate agrees to make reasonable efforts to limit use, disclosure, and/or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Where required by HIPAA, Business Associate shall determine (in its reasonable judgment) what constitutes the minimum necessary to accomplish the intended purpose of a disclosure.
l) In accordance with 45 CFR §502(a)(5), Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except with the express written pre-approval of Covered Entity.
m) To the extent Business Associate is to carry out one or more obligation(s) of the Covered Entity’s under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
n) In accordance with 45 CFR §164.314(a)(1)(i)(C), Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. The parties agree that this Section 2(n) satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. For purposes of this Business Associate Agreement, such unsuccessful Security Incidents include, without limitation, activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above.
o) In accordance with 45 CFR §164.410 and the provisions of this Business Associate Agreement, Business Associate will report to Covered Entity, following Discovery and without unreasonable delay, but in no event later than five business days following Discovery, any Breach of Unsecured Protected Health Information. Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under HIPAA and any other applicable security breach notification laws, including, but not limited to, providing Covered Entity with such information in addition to Business Associate’s report as Covered Entity may reasonably request, e.g., for purposes of Covered Entity making an assessment as to whether/what Breach Notification is required. Business Associate’s report under this subsection shall, to the extent available at the time the initial report is required, or as promptly thereafter as such information becomes available but no later than 30 days from discovery, include:
1. The identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
2. A description of the nature of the unauthorized acquisition, access, use, or disclosure, including the date of the Breach and the date of discovery of the Breach;
Samples: Contract Agreement
Obligations and Activities of Business Associate. A. Business Associate agrees not to use or further disclose PHI other than as permitted or required by the Agreement or this Exhibit, or as Required By Law.
B. Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of the PHI not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to EPHI. Without limiting the foregoing, Business Associate agrees to implement appropriate administrative, physical, and technical safeguards designed to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, including maintaining an Incident Response Team to investigate and respond to unauthorized uses and disclosures of PHI upon learning thereof, as required by the “Security Rule”, including those safeguards required pursuant to 45 CFR § 164.308, 164.310, 164.312, 164.314 and 164.316, as may be amended from time to time.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Exhibit.
D. In addition to the reporting required by Section 2.L, Business Associate agrees to report to Plan upon request any use or disclosure of PHI, not provided for by the Agreement or this Exhibit, of which the Incident Response Team becomes aware, including such uses and disclosures arising from a Security Incident.
E. In accordance with 45 CFR 164.502 (e)(1)(ii) and 164.308(b)(2) Business Associate agrees to require that any Subcontractor, to whom it delegates any function or activity it has undertaken to perform on behalf of Plan, and to whom it provides PHI received from or created or received by Business Associate on behalf of Plan, agrees to substantially the same restrictions and conditions on the use or disclosure of PHI as apply through this Exhibit to Business Associate with respect to such information through a Business Associate Agreement between such Subcontractor and Business Associate.
F. Upon the Plan’s written request, and in a reasonable time and manner, Business Associate agrees to provide to Plan such PHI maintained by Business Associate in a Designated Record Set as required for Plan to respond to a request for access under 45 CFR 164.524.
G. Upon the Plan’s written request, and in a reasonable time and manner, Business Associate agrees to make available PHI maintained by it in a Designated Record Set, and to make amendments to such PHI, in order for Plan to respond to a request for amendment under 45 CFR 164.526.
H. Business Associate agrees to make its internal practices, policies, procedures, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Plan, available for inspection and copying by the Secretary upon the Secretary’s written request for the same for purposes of the Secretary determining the Plan's compliance with the HIPAA Rules.
I. Business Associate agrees to document such disclosures of PHI made by it, and information related to such disclosures, as would be required for Plan to respond to a request by an Individual for an accounting of disclosures of PHI under 45 CFR 164.528.
J. Upon written request by Plan, and in a reasonable time and manner, Business Associate agrees to provide to Plan information collected in accordance with Paragraph I of this Section for Plan to provide an accounting of disclosures for PHI under 45 CFR 164.528.
K. To the extent Plan specifically delegates to Business Associate one or more of Plan's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Plan in the performance of such obligation(s).
L. Following the discovery by Business Associate of any Breach of Unsecured PHI by Business Associate or its Subcontractors, Business Associate agrees to notify Plan of such Breach without unreasonable delay, but no later than within ten (10) business days after the Incident Response Team is notified of the Breach. Such notification shall include, to the extent available, the identity of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. At the time of notification or promptly thereafter as such information becomes available, Business Associate shall also provide Plan with such other available information as is required for Plan to notify an Individual of the Breach as required by 45 CFR 164.404(c). Business Associate agrees that to the extent the Breach is solely as a result of Business Associate’s negligent acts or omissions, Business Associate shall provide the notifications required under 45 CFR 164.404, 45 CFR 164.406 and 164.408(b). Notwithstanding the above, if a law enforcement official provides Business Associate with a statement that the notification required under this paragraph would impede a criminal investigation or cause damage to national security, Business Associate may delay the notification for the period of time set forth in the statement as permitted under 45 CFR 164.412.
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule.”
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
D. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within twenty-four (24) hours of the incident.
E. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. F. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.. SAMPLE
g. G. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall notify Covered Entity upon receipt of such request.
h. Business X. Xxxxxxxx Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. I. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. X. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 §C.F.R. 164.528.
k. X. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach within a period of twenty-four (24) hours after discovery of the breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. L. To the extent the Business Associate is carrying out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
M. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d45 C.F.R. § 164.502(a)(5)(ii)(B)(2) of the HITECH Act applies.
m. N. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 164.501, unless permitted by the HITECH Act45 C.F.R. § 164.508(a)(3)(A)-(B).
n. O. If applicable, Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. P. Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and personal information of individuals’ information it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00 Entity during the term of the Agreement.. SAMPLE
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00law and rules and regulations; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00law as applicable.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.;
Samples: Service Agreement
Obligations and Activities of Business Associate. (1) Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by law, provided such use or disclosure would also be permissible by law by Covered Entity.
(2) Business Associate agrees to:
(a) Implement policies and procedures to prevent, detect, contain and correct security violations in accordance with 45 C.F.R. § 164.306;
(b) Prevent use or disclosure of the PHI other than as provided for by this Agreement or as required by law;
(c) Use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. § 164 with respect to ePHI that the Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity, to prevent use or disclosure of the information other than as provided for by this agreement or by law;
(d) Comply with the Security Rule requirements including the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and policies and procedures and documentation requirements set forth in 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, including the provisions of training on such policies and procedures to applicable employees, independent contractors, and volunteers, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and/or ePHI that the Business Associate creates, receives, maintains or transmits on behalf of the Covered Entity; and
(e) Comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations, to the extent Business Associate is able to carry out Covered Entity’s obligations under 45 C.F.R. § 164 or this agreement.
(f) When requested by agency, maintain a professional liability insurance policy that includes coverage for HIPAA violations including for proceedings, fines and penalties. The amount of such insurance shall be as agreed to by agency and Business Associate.
(3) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
(4) Business Associate agrees to report to Covered Entity, without unreasonable delay, any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware. This includes any copying or amendment of such information and any security breaches involving unsecured PHI as required by 45 C.F.R. § 164.410.
Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach. Such notice shall include: a) Identification of any individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach; b) a brief description of what happened, including the date of the security breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. §164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals it receives from Covered Entity, including the Massachusetts Data Security Regulations, 201 CMR 17.00, during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Samples: Master Contract
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law, provided such use or disclosure would also be permissible by law if done by Covered Entity.
B. Business Associate agrees to use appropriate safeguards (including encryption as specified in the Security Rule) and destruction, to prevent use or disclosure of the PHI other than as provided for by this BAA.
C. As required by the Security Rule, Business Associate agrees to conduct a risk assessment and implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
D. Business Associate agrees to use reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
E. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
F. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this BAA, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within five (5) days of the incident’s occurrence or Business Associate’s discovery thereof.
G. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
H. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
I. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall promptly notify Covered Entity upon receipt of such request.
J. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Omnibus Rule.
K. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
L. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
M. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured PHI (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a Breach of such information, promptly notify Covered Entity of such Breach within a period of five (5) days after discovery of the Breach. Such notice shall include: a) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach; b) a brief description of what happened, including the date of the Breach and discovery of the Breach; c) a description of the type of Unsecured PHI that was involved in the Breach; d) a description of the investigation into the Breach, and the steps taken by Business Associate to mitigate harm to the affected Individuals and protect against further Breaches; e) the results of any and all investigation performed by Business Associate related to the Breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the Breach and Business Associate’s investigation of the Breach.
N. To the extent the Business Associate is carrying out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
O. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 45 C.F.R. § 164.502(a)(5)(ii)(B)(2) applies.
P. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of “Marketing” under 45 C.F.R. § 164.501, unless permitted by 45 C.F.R. § 164.508(a)(3)(i)(A)-(B).
Q. If applicable, Business Associate agrees that it will not use or disclose genetic information for “underwriting purposes”, as that term is defined in 45 C.F.R. § 164.502.
R. Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and Individuals’ personal information it receives from Covered Entity during the term of the Contract.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law and rules and regulations; including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law as applicable.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement, as Required By Law or as permitted by law, provided the use or disclosure would also be permissible by law if made by the Covered Entity.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, in the same manner that those requirements apply to the Covered Entity pursuant to 45 C.F.R. § 164.504.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, or of any Security Incident of which it becomes aware.
d. Business Associate agrees to report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410; and any Security Incident of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from or created or received by Business Associate on behalf of the Covered Entity agrees to substantially similar restrictions and conditions that apply through this Agreement to Business Associate with respect to that information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access, at the request of the Covered Entity and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide the Covered Entity with the information requested in the electronic form and format requested by the Individual and/or the Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by the Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity.
h. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Covered Entity, or, at the request of Covered Entity, available to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule and Security Rule.
i. Business Associate agrees to document the disclosures of PHI and the information related to the disclosures that would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
j. Business Associate agrees to provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with this Agreement, to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402), it shall, following the discovery of a breach of such information, promptly notify the Covered Entity of the breach. The notice shall include:
(a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such breach; a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (b) a description of the types of Unsecured Protected Health Information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); and (c) a brief description of what the Business Associate is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches.
l. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 13405(d) of the HITECH Act applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. § 164.501 unless permitted by the HITECH Act.
n. Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws applicable to PHI and personal information of individuals it receives from the Covered Entity during the term of the Agreement.
1. Business Associate agrees to:
a) Implement and maintain appropriate physical, technical, and administrative security measures for the protection of personal information as required by any state law, including 201 CMR 17.00; including, but not limited to:
i. Encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
ii. Prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and
iii. Encrypting any personal information to be transferred to a portable device.
b) Implement and maintain a Written Information Security Program as required by any state law, including 201 CMR 17.00.
2. The safeguards set forth in this Agreement shall apply equally to ePHI, PHI, and confidential and “personal information.” Personal information is defined by any applicable law or regulation and means any information about an individual maintained by any agency, company or organization, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information; it also includes combinations of information such as an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account; provided it is also information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context; however, “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Business Associate. a. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law or as permitted by Law, provided such use or disclosure would also be permissible by law if done by Covered Entity.
b. Business Associate agrees to use appropriate safeguards (including encryption as specified in the Security Rule) and destruction to prevent use or disclosure of the PHI other than as provided for by this BAA. As required by the Security Rule, Business Associate agrees to conduct a risk assessment and implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate agrees to use reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
d. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this BAA, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within five (5) days of the incident’s occurrence or Business Associate’s discovery thereof.
e. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
f. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
g. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall promptly notify Covered Entity upon receipt of such request.
h. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Omnibus Rule.
i. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
j. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
k. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured PHI (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a Breach of such information, promptly notify Covered Entity of such Breach within a period of five (5) days after discovery of the Breach. Such notice shall include: a) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Breach; b) a brief description of what happened, including the date of the Breach and discovery of the Breach; c) a description of the type of Unsecured PHI that was involved in the Breach; d) a description of the investigation into the Breach and the steps taken by Business Associate to mitigate harm to the affected Individuals and protect against further Breaches; e) the results of any and all investigation performed by Business Associate related to the Breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the Breach and Business Associate’s investigation of the Breach.
l. To the extent the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 45 C.F.R. § 164.502(a)(5)(ii)(B)(2) applies.
m. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of “Marketing” under 45 C.F.R. § 164.501, unless permitted by 45 C.F.R. § 164.508(a)(3)(i)(A)-(B).
n. If applicable, Business Associate agrees that it will not use or disclose genetic information for “underwriting purposes”, as that term is defined in 45 C.F.R. § 164.502.
o. Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and Individuals’ personal information it receives from Covered Entity during the term of the Contract.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law and rules and regulations, including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encrypting all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law as applicable.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Obligations and Activities of Business Associate. A. Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by Law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by the “Security Rule.”
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
D. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within twenty-four (24) hours of the incident.
E. Business Associate agrees to ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information through a contractual arrangement that complies with 45 C.F.R. § 164.314.
F. Business Associate agrees to provide paper or electronic access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If the Individual requests an electronic copy of the information, Business Associate must provide Covered Entity with the information requested in the electronic form and format requested by the Individual and/or Covered Entity if it is readily producible in such form and format; or, if not, in a readable electronic form and format as requested by Covered Entity.
G. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
H. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall notify Covered Entity upon receipt of such request.
I. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and Security Rule.
J. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
K. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
L. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402) for Covered Entity, it shall, following the discovery of a breach of such information, promptly notify Covered Entity of such breach within a period of twenty-four (24) hours after discovery of the breach. Such notice shall include: a) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such breach; b) a brief description of what happened, including the date of the breach and discovery of the breach; c) a description of the type of Unsecured PHI that was involved in the breach; d) a description of the investigation into the breach, mitigation of harm to the individuals and protection against further breaches; e) the results of any and all investigation performed by Business Associate related to the breach; and f) contact information of the most knowledgeable individual for Covered Entity to contact relating to the breach and its investigation into the breach.
M. To the extent the Business Associate is carrying out an obligation of the Covered Entity under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
N. Business Associate agrees that it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under 45 C.F.R. § 164.502(a)(5)(ii)(B)(2) applies.
O. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 C.F.R. § 164.501, unless permitted by 45 C.F.R. § 164.508(a)(3)(i)(A)-(B).
P. If applicable, Business Associate agrees that it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 C.F.R. § 164.502.
Q. Business Associate hereby agrees to comply with state laws and rules and regulations applicable to PHI and the personal information of individuals it receives from Covered Entity during the term of the Agreement.
i. Business Associate agrees to: (a) implement and maintain appropriate physical, technical and administrative security measures for the protection of personal information as required by any state law and rules and regulations, including, but not limited to: (i) encrypting all transmitted records and files containing personal information that will travel across public networks, and encrypting all data containing personal information to be transmitted wirelessly; (ii) prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance; and (iii) encrypting any personal information to be transferred to a portable device; and (b) implement and maintain a Written Information Security Program as required by any state law as applicable.
ii. The safeguards set forth in this Agreement shall apply equally to PHI, confidential and “personal information.” Personal information means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Obligations and Activities of Business Associate. A. Business Associate shall not use or further disclose PHI other than as permitted or required by this BAA or as required by law, provided such use or disclosure would also be permissible by law by Covered Entity.
B. Business Associate shall use appropriate safeguards as required by HIPAA and the HITECH Act to prevent use or disclosure of the PHI other than as provided for by this BAA or the Underlying Agreement, including but not limited to administrative, physical and technical safeguards as defined in the Security Rule, 45 CFR Part 164, Subpart C, including using appropriate safeguards for electronic PHI.
C. Business Associate shall ensure that any agent, including a subcontractor or vendor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information. In the event that Business Associate creates, maintains, receives or transmits electronic PHI on behalf of Covered Entity, Business Associate shall implement appropriate safeguards as mentioned in Section 3(B) above with respect to such electronic PHI.
D. Business Associate shall report to Covered Entity within five (5) business days any use or disclosure of PHI or an Individual’s information not provided for by this BAA, including without limitation any Breach of PHI, Unsecured PHI or an Individual’s information, and any Security Incident that compromises PHI or an Individual’s information of which Business Associate becomes aware.
E. Business Associate shall, in consultation with the Covered Entity, take any action necessary to mitigate, to the extent practical, any harmful effect that is known to Business Associate of a Security Incident, and of any use or disclosure not provided for by this BAA.
F. If Business Associate maintains PHI in a Designated Record Set, Business Associate shall:
(1) Provide access, at the request of the Covered Entity, in a time and manner mutually agreed upon in good faith by both parties, to PHI in a Designated Record Set, to Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements under 45 CFR 164.524, including requirements relating to access to electronic PHI; and
(2) Make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an individual, in a time and manner mutually agreed upon in good faith by both parties.
G. Business Associate agrees to make its internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for the purposes of the Secretary determining Covered Entity’s or Business Associate’s compliance with HIPAA.
H. Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, to enable Covered Entity to fulfill its obligations under the Privacy Rule, the HITECH Act and the Final Rule. Such information will be collected and maintained by Business Associate for at least six (6) years prior to the request. The accounting should include (1) the date of disclosure, (2) the name of the entity or person, and address if known, who received the PHI, (3) a brief description of PHI disclosed, and (4) a brief statement of the purpose of the disclosure. In the event that a request for accounting is delivered directly to Business Associate, Business Associate will promptly forward the request to Covered Entity.
I. Business Associate acknowledges that if it violates any of the requirements provided under this BAA, Business Associate will be subject to the same civil and criminal penalties that a Covered Entity would be subject to if such Covered Entity violated the same requirements.
J. Business Associate shall implement and maintain safeguards as necessary to ensure that all PHI is used or disclosed only as authorized under HIPAA, the HITECH standards, the Final Rule and this BAA. Business Associate agrees to assess potential risks and vulnerabilities to PHI in its possession and develop, implement and maintain the administrative, physical and technical safeguards required by the HIPAA and HITECH standards that protect the confidentiality, availability and integrity of the PHI that Business Associate creates, receives, maintains or transmits on behalf of the Covered Entity. Business Associate also agrees to implement policies and procedures required under the Final Rule that address Business Associate’s compliance with applicable HIPAA standards and its efforts to detect, prevent and mitigate the risks of identity theft from the improper use and/or disclosure of an Individual’s information.
K. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
L. Both Parties shall limit the request, disclosure and use of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Obligations and Activities of Business Associate. A. Business Associate agrees not to use or further disclose PHI other than as permitted or required by the Agreement or this Exhibit, as Required By Law.
B. Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of PHI not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to EPHI. Without limiting the foregoing, Business Associate agrees to implement appropriate administrative, physical, and technical safeguards designed to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, including maintaining an Incident Response Team to investigate and respond to unauthorized uses and disclosures of PHI upon learning thereof, as required by 45 CFR §§ 164.308, 164.310, 164.312, 164.314 and 164.316, as may be amended from time to time.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Exhibit.
D. In addition to the reporting required by Section 2.L, Business Associate agrees to report to Plan upon request any use or disclosure of PHI, not provided for by the Agreement or this Exhibit, of which the Incident Response Team becomes aware, including such uses and disclosures arising from a Security Incident.
E. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to require that any Subcontractor to whom it delegates any function or activity it has undertaken to perform on behalf of Plan, and to whom it provides PHI received from or created or received by Business Associate on behalf of Plan, agrees to substantially the same restrictions and conditions on the use or disclosure of PHI as apply through this Exhibit to Business Associate with respect to such information, through a Business Associate Agreement between such Subcontractor and Business Associate.
F. Upon the Plan’s written request, and in a reasonable time and manner, Business Associate agrees to provide to Plan such PHI maintained by Business Associate in a Designated Record Set as required for Plan to respond to a request for access under 45 CFR 164.524.
G. Upon the Plan’s written request, and in a reasonable time and manner, Business Associate agrees to make available PHI maintained by it in a Designated Record Set, and to make amendments to such PHI, in order for Plan to respond to a request for amendment under 45 CFR 164.526.
H. Business Associate agrees to make its internal practices, policies, procedures, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Plan, available for inspection and copying by the Secretary upon the Secretary’s written request for the same, for purposes of the Secretary determining the Plan's compliance with the HIPAA Rules.
I. Business Associate agrees to document such disclosures of PHI made by it, and information related to such disclosures, as would be required for Plan to respond to a request by an Individual for an accounting of disclosures of PHI under 45 CFR 164.528.
J. Upon written request by Plan, and in a reasonable time and manner, Business Associate agrees to provide to Plan information collected in accordance with Paragraph I of this Section for Plan to provide an accounting of disclosures under 45 CFR 164.528.
K. To the extent Plan specifically delegates to Business Associate one or more of Plan's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Plan in the performance of such obligation(s).
L. Following the discovery by Business Associate of any Breach of Unsecured PHI by Business Associate or its Subcontractors, Business Associate agrees to notify Plan of such Breach without unreasonable delay, but no later than thirty (30) calendar days after the Incident Response Team is notified of the Breach. Such notification shall include, to the extent available, the identity of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. At the time of notification or promptly thereafter as such information becomes available, Business Associate shall also provide Plan with such other available information as is required for Plan to notify an Individual of the Breach as required by 45 CFR 164.404(c). To the extent the Breach is solely as a result of Business Associate’s negligent acts or omissions, Business Associate shall provide the notifications required under 45 CFR 164.404, 45 CFR 164.406 and 164.408(b). Notwithstanding the above, if a law enforcement official provides Business Associate with a statement that the notification required under this paragraph would impede a criminal investigation or cause damage to national security, Business Associate may delay the notification for the period of time set forth in the statement as permitted under 45 CFR 164.412.
Obligations and Activities of Business Associate. (a) Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.
(b) Business Associate agrees to use appropriate Security Measures to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement. With respect to EPHI, Business Associate agrees to develop, implement, maintain and use appropriate and reasonable Administrative, Physical, and Technical Security Measures to ensure the Integrity, Confidentiality and Availability of, and to prevent non-permitted uses and disclosures of, EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate acknowledges and agrees that, pursuant to section 13401(a) of the HITECH Act [42 USC § 17931(a)], it will implement and document its Security Measures in order to comply with sections 164.308, 164.310, 164.312 and 164.316 of Title 45 of the Code of Federal Regulations in the same manner that Business Associate would if it were a covered entity subject to those rules.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate, or an agent or subcontractor of Business Associate, in violation of the requirements of this Agreement.
(d) Business Associate agrees to report to Covered Entity:
1. Any use or disclosure by the Business Associate of Protected Health Information not provided for by this Agreement of which it becomes aware.
2. Within ten (10) days, any Security Incident of which it becomes aware that results in an unauthorized access, use, modification, destruction or disclosure of EPHI or interference with information systems for EPHI.
3. Within ten (10) days of receipt of a written request, any Security Incident of which it becomes aware that was an unsuccessful attempt to obtain unauthorized access, use, modification, destruction or disclosure of EPHI or interference with information systems for EPHI.
4. A Discovery of a Breach of Covered Entity’s Unsecured PHI that is used or disclosed by Business Associate in any manner arising out of this Agreement; Business Associate shall timely notify Covered Entity as provided in subsection 5 of this section 2(d). Prior to notifying Covered Entity of the Discovery of a Breach, Business Associate shall take reasonable steps to satisfy itself based upon reasonable diligence that the acquisition, access, use, or disclosure was not unintentional or inadvertent and that it poses a significant risk of financial, reputational, or other harm to the individual.
5. Following Discovery of a Breach of the Unsecured PHI, Business Associate agrees to notify Covered Entity without unreasonable delay, but in no case later than Thirty
Samples: Service Agreement