Common use of Obligations and Activities of Business Associates Clause in Contracts

Obligations and Activities of Business Associates.
(1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
(2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards.
(3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
(4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
(5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware.
(6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
(8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
(9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
(10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule.
(13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
(14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
(16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach.
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach.
4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches.
5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 56 contracts

Samples: Contract for Services, Maintenance & Support Services Agreement, Contract for Solid Waste and Recycling Services

Obligations and Activities of Business Associates.
(1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
(2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards.
(3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
(4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
(5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware.
(6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
(8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
(9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
(10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule.
(13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
(14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
(16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach.
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach.
4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches.
5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 28 contracts

Samples: Personal Service Agreement, Personal Service Agreement, Personal Service Agreement

Obligations and Activities of Business Associates.
(1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
(2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract.
(3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
(4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
(5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware.
(6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
(8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties.
(9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule.
(10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. 10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees that at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule.
(13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316.
(14) In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
(16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach.
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach.
4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches.
5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 25 contracts

Samples: Information Processing Systems Contract, Contract for Purchase and Sale, Disaster Debris Monitoring Services Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident security incident of which it becomes aware. (6) Business Associate agrees, agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractors subcontractor that createcreates, receivereceives, maintain maintains or transmit transmits PHI on behalf of the Business Associate, agree Associate agrees to the same restrictions, conditions, conditions and requirements that apply to the business associate Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s 's actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s 's compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s 's direction to provide an accounting of disclosures of PHI directly to an individual Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s 's PHI; (C) provide a copy of the Individual’s 's PHI in an Electronic Health Recordelectronic health record; or (D) amend PHI in the Individual’s Designated Record Set 's designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five Days (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health informationunsecured PHI, or any Security Incident, it shall notify the Covered Entity of such Breach breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 thirty (30) days after the Breach breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A Breach breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual Individual if the Individual is deceased) whose Unsecured protected health information unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breachbreach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breachbreach; the date of the discovery of the Breachbreach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information unsecured PHI that were involved in the Breach breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breachbreach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breachbreach, to mitigate losses, and to protect against any further Breachesbreaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and; if so, include contact information for said official. 
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4, inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate's notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 19 contracts

Samples: Personal Service Agreement, Contract Amendment, Contract Amendment

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards... (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 12 contracts

Samples: Provider Agreement, Provider Agreement, Provider Agreement

Obligations and Activities of Business Associates. 1. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. 2. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. 3. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. 5. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. 6. Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 7.
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. 8. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. 9. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. 10. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 11.
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 12. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. 13. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. 14. In the event that an individual requests that the Business Associate A. restrict disclosures of PHI; B. provide an accounting of disclosures of the individual’s PHI; C. provide a copy of the individual’s PHI in an electronic health record; or D. amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 15. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without A. The written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and B.
The valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. 16. Obligations in the Event of a Breach. A. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. B. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. C. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1.
A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 12 contracts

Samples: Custodial Services Agreement, Custodial Services Agreement, Specialized Laboratory Equipment Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set, the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C.
§ 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. 
A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under clause h.

Appears in 11 contracts

Samples: Contract, Contract, Hvac Preventive Maintenance Services Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards... (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. 
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 11 contracts

Samples: Contract, Contract, Contract

Obligations and Activities of Business Associates. 1. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. 2. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. 3. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. 5. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. 6. Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
7. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. 8. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. 9. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. 10. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
11. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 12. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. 13. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. 14. In the event that an individual requests that the Business Associate A. restrict disclosures of PHI; B. provide an accounting of disclosures of the individual’s PHI; C. provide a copy of the individual’s PHI in an electronic health record; or D. amend PHI in the individual’s designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 15. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without A. The written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and B. The valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
16. Obligations in the Event of a Breach. A. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. B. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. C. The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 9 contracts

Samples: Testing Services Agreement, Testing Services Agreement, Custodial Services Agreement

Obligations and Activities of Business Associates. 1. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. 2. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. 3. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. 5. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. 6. Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
7. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. 8. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. 9. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. 10. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
11. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 12. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. 13. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. 14. In the event that an individual requests that the Business Associate restrict disclosures of PHI; provide an accounting of disclosures of the individual’s PHI; provide a copy of the individual’s PHI in an electronic health record; or amend PHI in the individual’s designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request.
15. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without The written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and The valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. 16. Obligations in the Event of a Breach. A. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. B. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. C. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 7 contracts

Samples: Contract Agreement, Contract, Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. (10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees that at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; or (c) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within two business days of the request.
(15) Business Associate agrees that it shall not directly or indirectly receive any remuneration in exchange for PHI of an individual without (1) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (2) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or of a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and the provisions of this section of the contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and contact information for said official.
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor or Contractor Parties. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 5 contracts

Samples: Purchase and Sale Agreement, Contract for Purchase of Goods, Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA StandardsContract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident security incident of which it becomes aware. (6) Business Associate agreesagrees to insure that any agent, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicableincluding a subcontractor, to ensure that any subcontractors that createwhom it provides PHI received from, receiveor created or received by Business Associate, maintain or transmit PHI on behalf of the Business AssociateCovered Entity, agree agrees to the same restrictions, conditions, restrictions and requirements conditions that apply through this Section of the Contract to the business associate Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both)access, at the request of the Covered Entity, and in the time and manner designated agreed to by the Covered Entityparties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated agreed to by the Covered Entityparties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA StandardsPrivacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site or a postal address. For breaches involving ten or more individuals whose contact information is insufficient or out of date to allow written notification under 45 C.F.R. § 164.404(d)(1)(i), the Business Associate shall notify the Covered Entity of such persons and maintain a toll-free telephone number for ninety (90) days after said notification is sent to the Covered Entity. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 5 contracts

Samples: Personal Service Agreement, Personal Service Agreement, Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. (10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; or (c) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within two business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (1) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (2) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. A. The Business Associate agrees that, following the discovery by the Business Associate or a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and the provisions of this Section of the Contract. B. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. C. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
D. Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. E. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 3 contracts

Samples: Personal Service Agreement, Personal Service Agreement, Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3.
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 3 contracts

Samples: Information Processing Systems Contract, Information Processing Systems Contract, Information Processing Systems Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate's notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 3 contracts

Samples: Contract Amendment, Personal Service Agreement, Personal Service Agreement

Obligations and Activities of Business Associates.
a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards.
c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware.
f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
g. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
k. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 8.A.7.j of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule.
m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
n. In the event that an Individual requests that the Business Associate (i) restrict disclosures of PHI; (ii) provide an accounting of disclosures of the Individual’s PHI; (iii) provide a copy of the Individual’s PHI in an electronic health record; or (iv) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request.
o. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (i) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (ii) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
p. Obligations in the Event of a Breach.
(1) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(2) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach.
(3) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: (a) A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. (b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). (c) The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. (d) A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. (e) Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(4) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs (a) to (d) inclusive, of subsection 8.A.7.p.(3) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity.
(5) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406.
(6) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor.
(7) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 2 contracts

Samples: Contract, Amendment to Agreement

Obligations and Activities of Business Associates.
a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards.
c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware.
f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
g. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
k. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 8.A.7.j of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule.
m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
n. In the event that an Individual requests that the Business Associate (i) restrict disclosures of PHI; (ii) provide an accounting of disclosures of the Individual’s PHI; (iii) provide a copy of the Individual’s PHI in an electronic health record; or (iv) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request.
o. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (i) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (ii) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
p. Obligations in the Event of a Breach.
(1) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(2) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach.
(3) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: (a) A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. (b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). (c) The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. (d) A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. (e) Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(4) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs (a) to (d) inclusive, of subsection 8.A.7.p.(3) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity.
(5) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406.
(6) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor.
(7) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 2 contracts

Samples: Contract, Amendment to Agreement

Obligations and Activities of Business Associates.
(1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law.
(2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards.
(3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
(4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract.
(5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware.
(6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request.
(8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity.
(9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards.
(10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule.
(13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316.
(14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
(16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract.
(B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach.
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 2 contracts

Samples: Contract Amendment, Contract Amendment

Obligations and Activities of Business Associates. (1) a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident security incident of which it becomes aware. (6) f. Business Associate agrees, agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractors subcontractor that createcreates, receivereceives, maintain maintains or transmit transmits PHI on behalf of the Business Associate, agree Associate agrees to the same restrictions, conditions, conditions and requirements that apply to the business associate Business Associate with respect to such information. (7) g. 
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. k. 
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 8.A.7.j of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. n. In the event that an Individual requests that the Business Associate (i) restrict disclosures of PHI; (ii) provide an accounting of disclosures of the Individual’s PHI; (iii) provide a copy of the Individual’s PHI in an electronic health record; or (iv) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. o. 
Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (i) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (ii) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. p. Obligations in the Event of a Breach. (1) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (2) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (3) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: (a) A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. (b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). (c) The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. (d) A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. (e) Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(4) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs (a) to (d) inclusive, of subsection 8.A.7.p.(3) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (5) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (6) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (7) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 2 contracts

Samples: Contract, Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 2 contracts

Samples: Personal Service Agreement, Personal Services Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Agreement or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Agreement. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Agreement. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Agreement or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Agreement to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. (10) of this Section of the Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; or (c) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (1) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Agreement and (2) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (a) The Business Associate agrees that, following the discovery by the Business Associate of a breach of unsecured protected health information, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. 17932(b)) and the provisions of this Section of the Agreement. (b) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (c) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and; if so, include contact information for said official. 
(d) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site or a postal address. For breaches involving ten or more individuals whose contact information is insufficient or out of date to allow written notification under 45 CFR § 164.404(d)(1)(i), the Business Associate shall notify the Covered Entity of such persons and maintain a toll-free telephone number for ninety days after said notification is sent to the Covered Entity. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (e) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 2 contracts

Samples: Information Processing Systems Agreement, Information Processing Systems Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. 
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 2 contracts

Samples: Contract, Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with paragraph I of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528. (12) Business Associate agrees to comply with any state law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 2 contracts

Samples: Terms and Conditions Contract, Terms and Conditions Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. §502(e)(1)(ii) and §164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and; if so, include contact information for said official. 
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract Amendment

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subCONTRACTOR, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Contract

Obligations and Activities of Business Associates. a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate, agrees to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. g.
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. k.
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (7)(j) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. n. In the event that an Individual requests that the Business Associate: i. restrict disclosures of PHI; ii. provide an accounting of disclosures of the Individual’s PHI; iii. provide a copy of the Individual’s PHI in an electronic health record; or iv. amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. o. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: i. the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and ii.
the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. p. Obligations in the Event of a Breach. i. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. ii. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. iii. The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1) A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3) The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4) A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5) Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security; if so, include contact information for said official. iv. If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4, inclusive, of (7)(p)(iii) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. v. If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. vi.
Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. vii. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security; if so, include contact information for said official.
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4, inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed.
2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. (D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. § 164.404 and 45 C.F.R. § 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach.
Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Purchase of Service Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. (10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; or (c) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within two business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (1) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (2) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. The Business Associate agrees that, following the discovery by the Business Associate or of a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. 17932(b)) and the provisions of this Section of the Contract. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Student Health Insurance Agreement

Obligations and Activities of Business Associates. a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
g. Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
k. Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with Section 7.5(A)(7)(j) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. n. In the event that an Individual requests that the Business Associate i. restrict disclosures of PHI; ii. provide an accounting of disclosures of the Individual’s PHI; iii. provide a copy of the Individual’s PHI in an electronic health record; or iv. amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. o. Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: i. the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and ii. the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations.
p. Obligations in the Event of a Breach. i. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. ii. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. iii. The Business Associate agrees to include in the notification to the Covered Entity at least the following information:
1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. iv. If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (7)(p)(iii) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. v. If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406.
vi. Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. vii. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident security incident of which it becomes aware. (6) Business Associate agrees, agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractors subcontractor that createcreates, receivereceives, maintain maintains or transmit transmits PHI on behalf of the Business Associate, agree Associate agrees to the same restrictions, conditions, conditions and requirements that apply to the business associate Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s 's actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s 's compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s 's direction to provide an accounting of disclosures of PHI directly to an individual Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s 's PHI; (C) provide a copy of the Individual’s 's PHI in an Electronic Health Recordelectronic health record; or (D) amend PHI in the Individual’s Designated Record Set 's designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five Days (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health informationunsecured PHI, or any Security Incident, it shall notify the Covered Entity of such Breach breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 thirty (30) days after the Breach breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A Breach breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4, inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate's notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Personal Services Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Agreement or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Agreement and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of OHS. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Agreement. (5) Business Associate agrees to report to OHS any use or disclosure of PHI not provided for by this Section of the Agreement or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of OHS, and in the time and manner designated by OHS, to PHI in a Designated Record Set, to OHS or, as directed by OHS, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by OHS to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that OHS directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of OHS, and in the time and manner designated by OHS. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of OHS, available to OHS or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for OHS to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to OHS, in a time and manner designated by OHS, information collected in accordance with subsection (g)(10) of this Section of the Agreement, to permit OHS to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to OHS and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set, the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Memorandum of Agreement (Moa)

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official.
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4, inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty

Appears in 1 contract

Samples: Contract Amendment


Obligations and Activities of Business Associates. A. Business Associate agrees to: 1) Not use or disclose protected health information other than as permitted or required by this MOU or as required by law; 2) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the MOU; 3) Report to Covered Entity any use or disclosure of protected health information not provided for by the MOU of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; 4) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such information; 5) Make available protected health information in a designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; 6) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526; 7) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528; 8) To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s); and 9) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Appears in 1 contract

Samples: Memorandum of Understanding

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set, the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Contract Agreement

Obligations and Activities of Business Associates. 22.8.1 Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. 22.8.2 Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. 22.8.3 Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 22.8.4 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. 22.8.5 Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. 22.8.6 Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information. 
22.8.7 Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. §164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. 22.8.8 Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. 22.8.9 Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. 22.8.10 Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 and section 13405 of the HITECH Act (42 U.S.C. §17935) and any regulations promulgated thereunder. 
22.8.11 Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause viii) J) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 and section 13405 of the HITECH Act (42 U.S.C. §17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. §164.528 and section 13405 of the HITECH Act (42 U.S.C. §17935) and any regulations promulgated thereunder. 22.8.12 Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. 22.8.13 Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. 22.8.14 In the event that an individual requests that the Business Associate (a) restrict disclosures of PHI; (b) provide an accounting of disclosures of the individual’s PHI; or (c) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within two business days of the request. 
22.8.15 Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (1) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (2) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act (42 U.S.C. §17935(d)(2)) and in any accompanying regulations. 22.8.16 Obligations in the Event of a Breach. 22.8.16.1 The Business Associate agrees that, following the discovery by the Business Associate or a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. 17932(b)) and the provisions of this Section of the Contract. 22.8.16.2 Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. 22.8.16.3 The Business Associate agrees to include in the notification to the Covered Entity at least the following information: (a) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (b) a description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); (c) the steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach; (d) a detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches; (e) whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, contact information for said official. 
22.8.16.4 Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract of which it becomes aware in accordance with 45 C.F.R. § 164.502(e)(ii)(C) or any Security Incident of which it becomes aware in accordance with 45 C.F.R. § 164.502(e)(ii)(C). (6) Business Associate agrees, in accordance with 45 C.F.R. §§ 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI that Business Associate maintains for or on behalf of the Covered Entity; or (B) provide an accounting of disclosures of the individual’s PHI that Business Associate maintains for or on behalf of the Covered Entity; or (C) provide a copy of the individual’s PHI in an electronic health record that Business Associate maintains for or on behalf of the Covered Entity; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within seven business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of Business Associates. 1. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. 2. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. 3. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. 4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. 5. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. 6. Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 7. 
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. 8. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. 9. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. 10. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 11. 
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 12. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. 13. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. 14. In the event that an individual requests that the Business Associate A. restrict disclosures of PHI; B. provide an accounting of disclosures of the individual’s PHI; C. provide a copy of the individual’s PHI in an electronic health record; or D. amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 15. 
Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Custodial Services Agreement

Obligations and Activities of Business Associates. a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. g. 
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. k. 
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 8.A.7.j of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. n. In the event that an Individual requests that the Business Associate (i) restrict disclosures of PHI; (ii) provide an accounting of disclosures of the Individual’s PHI; (iii) provide a copy of the Individual’s PHI in an electronic health record; or (iv) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. o. 
Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (i) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (ii) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. p. Obligations in the Event of a Breach. (1) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (2) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (3) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: (a) A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. (b) A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). (c) The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. (d) A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. (e) Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(4) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs (a) to (d) inclusive, of subsection 8.A.7.p.(3) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. (5) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (6) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (7) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site or a postal address. For breaches involving ten or more individuals whose contact information is insufficient or out of date to allow written notification under 45 C.F.R. § 164.404(d)(1)(i), the Business Associate shall notify the Covered Entity of such persons and maintain a toll-free telephone number for ninety (90) days after said notification is sent to the Covered Entity. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Purchase of Service Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. 
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Personal Services Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within two business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Purchase of Service Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate's actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity's compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity's direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual's PHI; (C) provide a copy of the Individual's PHI in an electronic health record; or (D) amend PHI in the Individual's designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without: (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate's notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, if directed by the Covered Entity, (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract Amendment

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. Contract Document SP-50 Rev. 10/11/19 Prev. Rev. 7/18/19 (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. 
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 
3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Contract No. 03psx0261

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs 1 to 4 inclusive, of (g)(16)(C) of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate's notification to the Covered Entity. (E) If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. (F) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. (G) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notification requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Agreement or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Agreement. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Agreement. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Agreement or any security incident of which it becomes aware. (6) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Agreement to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with clause h. (10) of this Section of the Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. sections 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set, the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. 
(C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Information Processing Systems Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Contract Amendment

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any successful security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Personal Service Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and Section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request. (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under Section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach.
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3.
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.

Appears in 1 contract

Samples: Contract

Obligations and Activities of Business Associates. a. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. b. Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. c. Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. d. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. e. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. f. Business Associate agrees in accordance with 45 C.F.R. § 502(e)(1)(ii) and § 164.308(d)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. g.
Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. h. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. i. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. j. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. k.
Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection 7.j of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an Individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. l. Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. m. Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. n. In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an electronic health record; or (D) amend PHI in the Individual’s designated record set the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. o.
Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract; and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. p. Obligations in the Event of a Breach. i. The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured PHI, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. ii. Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than thirty (30) days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. § 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor.
The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the Individual if the Individual is deceased) whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. iii. The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R. § 164.412 would impede a criminal investigation or cause damage to national security and; if so, include contact information for said official. 6.
If directed by the Covered Entity, the Business Associate agrees to conduct a risk assessment using at least the information in subparagraphs (A) to (D) inclusive, of 7.p.iii of this Section and determine whether, in its opinion, there is a low probability that the PHI has been compromised. Such recommendation shall be transmitted to the Covered Entity within twenty (20) business days of the Business Associate’s notification to the Covered Entity. 7. If the Covered Entity determines that there has been a breach, as defined in 45 C.F.R. § 164.402, by the Business Associate or a subcontractor of the Business Associate, if directed by the Covered Entity, shall provide all notifications required by 45 C.F.R. §§ 164.404 and 164.406. 8. Business Associate agrees to provide appropriate staffing and have established procedures to ensure that Individuals informed of a breach have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site and a postal address. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures will be borne by the Contractor. 9. Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Contract Agreement

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subCONTRACTOR, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information.
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five (5) business days of the request.
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or of a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate.
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and; if so, include contact information for said official.
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site or a postal address. For breaches involving ten or more individuals whose contact information is insufficient or out of date to allow written notification under 45 C.F.R. § 164.404(d)(1)(i), the Business Associate shall notify the Covered Entity of such persons and maintain a toll-free telephone number for ninety (90) days after said notification is sent to the Covered Entity. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures shall be borne by The CONTRACTOR. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.

Appears in 1 contract

Samples: Community & Clinical Integration Program Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Contract and in accordance with HIPAA Standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any Security Incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information; (7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder.
Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any State or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an Individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the Individual’s PHI; (C) provide a copy of the Individual’s PHI in an Electronic Health Record; or (D) amend PHI in the Individual’s Designated Record Set the Business Associate agrees to notify the Covered Entity, in writing, within five Days of the request.Set (15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the Covered Entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the Individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. 
(A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of Unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such Breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the Breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A Breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. The notification shall include the identification and last known address, phone number and email address of each Individual (or the next of kin of the individual if the Individual is deceased) whose Unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the Breach; the date of the discovery of the Breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of Unsecured protected health information that were involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. 
The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the Breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the Breach, to mitigate losses, and to protect against any further Breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.


Samples: Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Contract or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Contract. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Contract. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Contract or any security incident of which it becomes aware. (6) Business Associate agrees to insure that any agent, including a subcontractor to whom it provides PHI received from, or created or received by Business Associate, on behalf of the Covered Entity, agrees to the same restrictions and conditions that apply through this Section of the Contract to the Business Associate with respect to such information. 
(7) Business Associate agrees to provide access, at the request of the Covered Entity, and in the time and manner agreed to by the parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner agreed to by the parties. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the Privacy Rule. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner agreed to by the parties, information collected in accordance with subsection (h)(10) of this Section of the Contract, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; or (C) provide a copy of the individual’s PHI in an electronic health record, the Business Associate agrees to notify the covered entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Contract and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate of a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Contract, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with the requirements of section 13402 of HITECH (42 U.S.C. § 17932(b)) and this Section of the Contract. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to section 13402(g) of HITECH (42 U.S.C. § 17932(g)). A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that individuals take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised, either verbally or in writing, the Business Associate that he or she has determined that notification or notice to individuals or the posting required under section 13402 of the HITECH Act would impede a criminal investigation or cause damage to national security and, if so, include contact information for said official. 
(D) Business Associate agrees to provide appropriate staffing and have established procedures to ensure that individuals informed by the Covered Entity of a breach by the Business Associate have the opportunity to ask questions and contact the Business Associate for additional information regarding the breach. Such procedures shall include a toll-free telephone number, an e-mail address, a posting on its Web site or a postal address. For breaches involving ten or more individuals whose contact information is insufficient or out of date to allow written notification under 45 C.F.R. § 164.404(d)(1)(i), the Business Associate shall notify the Covered Entity of such persons and maintain a toll-free telephone number for ninety (90) days after said notification is sent to the Covered Entity. Business Associate agrees to include in the notification of a breach by the Business Associate to the Covered Entity, a written description of the procedures that have been established to meet these requirements. Costs of such contact procedures shall be borne by The CONTRACTOR. (E) Business Associate agrees that, in the event of a breach, it has the burden to demonstrate that it has complied with all notifications requirements set forth above, including evidence demonstrating the necessity of a delay in notification to the Covered Entity.


Samples: Contract

Obligations and Activities of Business Associates. (1) Business Associate agrees not to use or disclose PHI other than as permitted or required by this Section of the Agreement or as Required by Law. (2) Business Associate agrees to use and maintain appropriate safeguards and comply with applicable HIPAA Standards with respect to all PHI and to prevent use or disclosure of PHI other than as provided for in this Section of the Agreement and in accordance with HIPAA standards. (3) Business Associate agrees to use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity. (4) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of this Section of the Agreement. (5) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Section of the Agreement or any security incident of which it becomes aware. (6) Business Associate agrees, in accordance with 45 C.F.R. 502(e)(1)(ii) and 164.308(d)(2), if applicable, to ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate, agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information. 
(7) Business Associate agrees to provide access (including inspection, obtaining a copy or both), at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate shall not charge any fees greater than the lesser of the amount charged by the Covered Entity to an Individual for such records; the amount permitted by state law; or the Business Associate’s actual cost of postage, labor and supplies for complying with the request. (8) Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of the Covered Entity, and in the time and manner designated by the Covered Entity. (9) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created, maintained, transmitted or received by, Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary in a time and manner agreed to by the parties or designated by the Secretary, for purposes of the Secretary investigating or determining Covered Entity’s compliance with the HIPAA Standards. (10) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. 
(11) Business Associate agrees to provide to Covered Entity, in a time and manner designated by the Covered Entity, information collected in accordance with subsection (g)(10) of this Section of the Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. Business Associate agrees at the Covered Entity’s direction to provide an accounting of disclosures of PHI directly to an individual in accordance with 45 C.F.R. § 164.528 and section 13405 of the HITECH Act (42 U.S.C. § 17935) and any regulations promulgated thereunder. (12) Business Associate agrees to comply with any state or federal law that is more stringent than the Privacy Rule. (13) Business Associate agrees to comply with the requirements of the HITECH Act relating to privacy and security that are applicable to the Covered Entity and with the requirements of 45 C.F.R. §§ 164.504(e), 164.308, 164.310, 164.312, and 164.316. (14) In the event that an individual requests that the Business Associate (A) restrict disclosures of PHI; (B) provide an accounting of disclosures of the individual’s PHI; (C) provide a copy of the individual’s PHI in an electronic health record; or (D) amend PHI in the individual’s designated record set, the Business Associate agrees to notify the Covered Entity, in writing, within five (5) business days of the request. 
(15) Business Associate agrees that it shall not, and shall ensure that its subcontractors do not, directly or indirectly, receive any remuneration in exchange for PHI of an Individual without (A) the written approval of the covered entity, unless receipt of remuneration in exchange for PHI is expressly authorized by this Agreement and (B) the valid authorization of the individual, except for the purposes provided under section 13405(d)(2) of the HITECH Act, (42 U.S.C. § 17935(d)(2)) and in any accompanying regulations. (16) Obligations in the Event of a Breach. (A) The Business Associate agrees that, following the discovery by the Business Associate or by a subcontractor of the Business Associate of any use or disclosure not provided for by this section of the Agreement, any breach of unsecured protected health information, or any Security Incident, it shall notify the Covered Entity of such breach in accordance with Subpart D of Part 164 of Title 45 of the Code of Federal Regulations and this Section of the Agreement. (B) Such notification shall be provided by the Business Associate to the Covered Entity without unreasonable delay, and in no case later than 30 days after the breach is discovered by the Business Associate, or a subcontractor of the Business Associate, except as otherwise instructed in writing by a law enforcement official pursuant to 45 C.F.R. 164.412. A breach is considered discovered as of the first day on which it is, or reasonably should have been, known to the Business Associate or its subcontractor. 
The notification shall include the identification and last known address, phone number and email address of each individual (or the next of kin of the individual if the individual is deceased) whose unsecured protected health information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. (C) The Business Associate agrees to include in the notification to the Covered Entity at least the following information: 1. A description of what happened, including the date of the breach; the date of the discovery of the breach; the unauthorized person, if known, who used the PHI or to whom it was disclosed; and whether the PHI was actually acquired or viewed. 2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). 3. The steps the Business Associate recommends that Individual(s) take to protect themselves from potential harm resulting from the breach. 4. A detailed description of what the Business Associate is doing or has done to investigate the breach, to mitigate losses, and to protect against any further breaches. 5. Whether a law enforcement official has advised the Business Associate, either verbally or in writing, that he or she has determined that notification or notice to Individuals or the posting required under 45 C.F.R.


Samples: Personal Service Agreement
