Common use of Obligations and Activities of Contractor Clause in Contracts

Obligations and Activities of Contractor.

a) Contractor shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement.

b) Contractor agrees to use appropriate administrative, physical, and technical safeguards to prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement.

c) Contractor agrees to comply with the applicable requirements of the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”), including using appropriate administrative, physical, and technical safeguards to safeguard the confidentiality, integrity, and availability of Electronic Protected Health Information.

d) Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement and shall cooperate with Business Associate in the mitigation process.

e) Contractor agrees to report in writing to Business Associate, without unreasonable delay and no later than within 48 hours of Discovery: (i) Any Use or Disclosure of Protected Health Information not provided for by this Agreement, including Breaches of Unsecured Protected Health Information; and/or (ii) Any Security Incident.

f) For any Breach of Unsecured Protected Health Information, Contractor agrees to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 14 calendar days after discovery of the Breach. Contractor shall reasonably cooperate with Business Associate to provide any information in its possession needed by Business Associate to conduct a Breach risk assessment or to respond to Individuals’ or Business Associate’s Customers and Partners’ inquiries regarding a successful Security Incident or an unauthorized use or disclosure of Protected Health Information. Contractor will reimburse Business Associate for reasonable remediation and notification costs incurred by Business Associate resulting from a Breach or Security Incident caused by Contractor’s breach of this Agreement.

g) Except to the extent required by applicable law, Contractor shall not make any public announcement or provide notice regarding Business Associate’s or Business Associate’s Customers and Partners’ involvement in a Breach without Business Associate’s prior written approval, which shall not be unreasonably withheld or delayed.

h) Contractor agrees to ensure that any further subcontractors that create, receive, maintain, or transmit Protected Health Information on Contractor’s behalf agree in writing to the same restrictions and conditions that apply through this Agreement to Contractor with respect to such Protected Health Information, including complying with the applicable requirements of the Security Rule. Contractor shall not allow a further Contractor to create, receive, maintain, or transmit Protected Health Information on Contractor’s behalf unless Contractor has first conducted reasonable due diligence of the further subcontractor’s information security and determined that such security is reasonable. If Contractor knows of a pattern of activity or practice of its subcontractor that constitutes a breach of that subcontractor’s obligations under the agreement referenced in this Section 3(h), Contractor shall take reasonable steps to require the subcontractor to cure the breach or terminate its agreement with the subcontractor.

i) Contractor agrees to make its internal practices, books, records, agreements, policies, and procedures relating to the Use and Disclosure of Protected Health Information available to Business Associate and to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of determining compliance with HIPAA, and Business Associate determining Contractor’s compliance with this Agreement. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Contractor shall immediately notify Business Associate of any request (i) from the Secretary pertaining to an investigation of Business Associate’s or Business Associate’s Customers’ and Partners’ compliance with HIPAA, or (ii) for disclosure of Protected Health Information that Contractor believes is Required by Law.

j) Contractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate or, at the request of Business Associate, the Individual, within ten (10) days of Business Associate’s request, as necessary to allow Business Associate’s Customers and Partners to comply with their obligations to provide Individuals access to their health information as required by 45 C.F.R. § 164.524.

k) Contractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate and will incorporate any amendments to such information as instructed by Business Associate within ten (10) days of a request, as necessary to allow Business Associate’s Customers and Partners to comply with their amendment obligations as required by 45 C.F.R. § 164.526.

l) Contractor will maintain and, upon request by Business Associate, within ten (10) days provide Business Associate with the information necessary for Business Associate to provide an Individual with an accounting of each disclosure of Protected Health Information made by Contractor or its employees, agents, representatives, or subcontractors that is subject to 45 CFR Section 164.528. Contractor shall implement a process that allows for an accounting to be collected and maintained for any disclosure of Protected Health Information for which Business Associate or Business Associate’s Customers and Partners are required to maintain such an accounting. Contractor shall include in the accounting, to the extent known to Contractor: (a) the date of the disclosure; (b) the name, and address if known, of the entity or person who received the Protected Health Information; (c) a brief description of the Protected Health Information disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Contractor shall document the information specified in the preceding sentence and shall securely retain this documentation for the period of time necessary for Business Associate and Business Associate’s Customers and Partners to be able to comply with 45 CFR Section 164.528.

m) In the event any Individual requests access to, or amendment or an accounting of, Protected Health Information directly from Contractor, Contractor shall forward such request to Business Associate within two

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of Contractor. a) a. Contractor shall agrees not Use to use or Disclose disclose Protected Health Information other than as permitted or required by this Agreementthe Agreement or as Required by Law. b) b. Contractor agrees to use appropriate administrative, physical, and technical safeguards to prevent Use use or Disclosure disclosure of the Protected Health Information other than as provided for by this the Agreement. c) Contractor agrees , and to comply with the applicable requirements of the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”), including using appropriate implement administrative, physical, and technical safeguards to safeguard that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic any electronic Protected Health InformationInformation that it creates, receives, maintains, or transmits on behalf of Covered Entity pursuant to this Agreement. Contractor agrees to fully comply with the responsibilities of Business Associates as set forth in §13401 of the HITECH Act. d) c. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use use or Disclosure disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement and shall cooperate with Business Associate in the mitigation processAgreement. e) d. Contractor agrees to report in writing to Business Associate, without unreasonable delay and no later than within 48 hours Covered Entity any use or disclosure of Discovery: (i) Any Use or Disclosure of the Protected Health Information not provided for by this Agreementthe Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information; and/or (ii) Any Information as required at 45 CFR §164.410, and any Security Incident. f) For any Incident of which it becomes aware. 
In the event of a Breach of Unsecured Protected Health Information: (1) Contractor shall promptly notify Covered Entity of the Breach when it is discovered, Contractor agrees to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in but no case later than 14 30 days from the discovery of the Breach. A Breach is considered discovered on the first day on which Contractor knows or should have known of such Breach. Such notification shall identify the Individualswhose Unsecured Protected Health Information has, or is reasonably believed to have, been the subject of the Breach, and their contact information. (2) Covered Entity shall promptly notify Individuals about a Breach of their Unsecured Protected Health Information as soon as possible, but not later than 60 calendar days after discovery of the Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Contractor Notification shall reasonably cooperate with Business Associate to provide any information in its possession needed by Business Associate to conduct a Breach risk assessment or to respond to Individuals’ or Business Associate’s Customers and Partners’ inquiries regarding a successful Security Incident or an unauthorized use or disclosure meet the requirements of Protected Health Information. Contractor will reimburse Business Associate for reasonable remediation and notification costs incurred by Business Associate resulting from a Breach or Security Incident caused by Contractor’s breach §13402 of this Agreementthe HITECH Act. ge. 
In accordance with 45 CFR §164.502(e)(1)(ii) Except to the extent required by applicable lawand §164.308(b)(2), Contractor shall not make any public announcement or provide notice regarding Business Associate’s or Business Associate’s Customers and Partners’ involvement in a Breach without Business Associate’s prior written approvalif applicable, which shall not be unreasonably withheld or delayed. h) Contractor agrees to ensure that any further subcontractors that create, receive, maintain, agent or transmit subcontractor of Contractor to whom Contractor provides Protected Health Information received from, or created or received by Contractor on Contractor’s behalf agree in writing of Covered Entity pursuant to the Agreement agrees to at least the same restrictions and conditions that apply through this Business Associate Agreement to Contractor with respect to such Protected Health Information, including complying with the applicable requirements of the Security Rule. Contractor shall not allow a further will ensure that Business Associate Agreements are executed with all subcontractors that will perform functions or activities on behalf of Contractor to create, receive, maintain, that involve the use or transmit disclosure of Protected Health Information received from, or created or received by Contractor on behalf of, Covered Entity. f. To the extent that the information made available to Contractor under the Agreement includes Protected Health Information in a Designated Record Set, Contractor agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524. g. 
To the extent that the information made available to Contractor in connection with or in the course of Contractor’s behalf unless Contractor has first conducted reasonable due diligence performance of the further subcontractor’s Agreement includes Protected Health Information in a Designated Record Set, Contractor agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. h. Contractor agrees to document such disclosures of Protected Health Information under the Agreement and information security related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. i. Contractor agrees to provide to Covered Entity or an Individual, in a time and determined that such security is reasonablemanner designated by Covered Entity, information collected in accordance with paragraph (i) of Section 4 of this Business Associate Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. If Contractor knows of a pattern of activity or practice of its subcontractor that constitutes a breach of that subcontractor’s obligations under the agreement referenced assists Covered Entity in this Section 3(hmaintaining an electronic health record (EHR), Contractor shall take reasonable steps support Covered Entity in providing, upon the request of the Individual, an accounting of disclosures of Protected Health Information in the EHR within the prior three years, as well as an electronic copy of Protected Health Information that is part of an EHR. j. 
To the extent Contractor is to require the subcontractor to cure the breach carry out one or terminate its agreement more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Contractor shall comply with the subcontractorrequirements of Subpart E that apply to the Covered Entity in the performance of such obligations; and shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent that Covered Entity is responsible for compliance with such rule. i) k. Contractor agrees to make its internal practices, books, and records, agreements, policies, including policies and procedures and Protected Health Information, relating to the Use use and Disclosure of Protected Health Information available to Business Associate and to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of determining compliance with HIPAA, and Business Associate determining Contractor’s compliance with this Agreement. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Contractor shall immediately notify Business Associate of any request (i) from the Secretary pertaining to an investigation of Business Associate’s or Business Associate’s Customers’ and Partners’ compliance with HIPAA, or (ii) for disclosure of Protected Health Information that received from, or created or received by Contractor believes is Required by Law. 
j) Contractoron behalf of Covered Entity pursuant to the Agreement, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate orthe Covered Entity , or at the request of Business Associatethe Covered Entity to the Secretary, in a time and manner as designated by the IndividualCovered Entity, within ten (10) days for purposes of Business Associatethe Secretary’s request, as necessary to allow Business Associatedetermining Covered Entity’s Customers and Partners to comply compliance with their obligations to provide Individuals access to their health information as required by 45 C.F.R. § 164.524the HIPAA Rules. k) Contractorl. Contractor shall make its internal practices, upon request by Business Associatebooks, will make Protected Health Information in a Designated Record Set and records available to Business Associate and will incorporate any amendments to such information as instructed by Business Associate within ten (10) days the Secretary for purposes of a request, as necessary to allow Business Associate’s Customers and Partners to comply with their amendment obligations as required by 45 C.F.R. § 164.526. l) Contractor will maintain and, upon request by Business Associate, within ten (10) days provide Business Associate determining its compliance with the information necessary for Business Associate to provide an Individual with an accounting of each disclosure of Protected Health Information made by Contractor or its employees, agents, representatives, or subcontractors that is subject to 45 CFR Section 164.528. Contractor shall implement a process that allows for an accounting to be collected and maintained for any disclosure of Protected Health Information for which Business Associate or Business Associate’s Customers and Partners are required to maintain such an accounting. 
Contractor shall include in the accounting, to the extent known to Contractor: (a) the date of the disclosure; (b) the name, and address if known, of the entity or person who received the Protected Health Information; (c) a brief description of the Protected Health Information disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Contractor shall document the information specified in the preceding sentence and shall securely retain this documentation for the period of time necessary for Business Associate and Business Associate’s Customers and Partners to be able to comply with 45 CFR Section 164.528HIPAA Rules. m) In the event any Individual requests access to, or amendment or an accounting of, Protected Health Information directly from Contractor, Contractor shall forward such request to Business Associate within two

Appears in 1 contract

Samples: Business Associate Agreement

To the extent that the information made available to Contractor in connection with or in the course of Contractor’s behalf unless Contractor has first conducted reasonable due diligence performance of the further subcontractor’s Agreement includes Protected Health Information in a Designated Record Set, Contractor agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. h. Contractor agrees to document such disclosures of Protected Health Information under the Agreement and information security related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. i. Contractor agrees to provide to Covered Entity or an Individual, in a time and determined that such security is reasonablemanner designated by Covered Entity, information collected in accordance with paragraph (i) of Section 4 of this Business Associate Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. If Contractor knows of a pattern of activity or practice of its subcontractor that constitutes a breach of that subcontractor’s obligations under the agreement referenced assists Covered Entity in this Section 3(hmaintaining an electronic health record (EHR), Contractor shall take reasonable steps support Covered Entity in providing, upon the request of the Individual, an accounting of disclosures of Protected Health Information in the EHR within the prior three years, as well as an electronic copy of Protected Health Information that is part of an EHR. j. 
To the extent Contractor is to require the subcontractor to cure the breach carry out one or terminate its agreement more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Contractor shall comply with the subcontractorrequirements of Subpart E that apply to the Covered Entity in the performance of such obligations; and shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule to the same extent that Covered Entity is responsible for compliance with such rule. i) k. Contractor agrees to make its internal practices, books, and records, agreements, policies, including policies and procedures and Protected Health Information, relating to the Use use and Disclosure of Protected Health Information available to Business Associate and to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of determining compliance with HIPAA, and Business Associate determining Contractor’s compliance with this Agreement. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Contractor shall immediately notify Business Associate of any request (i) from the Secretary pertaining to an investigation of Business Associate’s or Business Associate’s Customers’ and Partners’ compliance with HIPAA, or (ii) for disclosure of Protected Health Information that received from, or created or received by Contractor believes is Required by Law. 
j) Contractoron behalf of Covered Entity pursuant to the Agreement, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate orthe Covered Entity , or at the request of Business Associatethe Covered Entity to the Secretary, in a time and manner as designated by the IndividualCovered Entity, within ten (10) days for purposes of Business Associatethe Secretary’s request, as necessary to allow Business Associatedetermining Covered Entity’s Customers and Partners to comply compliance with their obligations to provide Individuals access to their health information as required by 45 C.F.R. § 164.524the HIPAA Rules. k) Contractorl. Contractor shall make its internal practices, upon request by Business Associatebooks, will make Protected Health Information in a Designated Record Set and records available to Business Associate and will incorporate any amendments to such information as instructed by Business Associate within ten (10) days the Secretary for purposes of a request, as necessary to allow Business Associate’s Customers and Partners to comply with their amendment obligations as required by 45 C.F.R. § 164.526. l) Contractor will maintain and, upon request by Business Associate, within ten (10) days provide Business Associate determining its compliance with the information necessary for Business Associate to provide an Individual with an accounting of each disclosure of Protected Health Information made by Contractor or its employees, agents, representatives, or subcontractors that is subject to 45 CFR Section 164.528. Contractor shall implement a process that allows for an accounting to be collected and maintained for any disclosure of Protected Health Information for which Business Associate or Business Associate’s Customers and Partners are required to maintain such an accounting. 
Contractor shall include in the accounting, to the extent known to Contractor: (a) the date of the disclosure; (b) the name, and address if known, of the entity or person who received the Protected Health Information; (c) a brief description of the Protected Health Information disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Contractor shall document the information specified in the preceding sentence and shall securely retain this documentation for the period of time necessary for Business Associate and Business Associate’s Customers and Partners to be able to comply with 45 CFR Section 164.528HIPAA Rules. m) In the event any Individual requests access to, or amendment or an accounting of, Protected Health Information directly from Contractor, Contractor shall forward such request to Business Associate within two

Appears in 1 contract

Samples: Business Associate Agreement
