Obligations and Activities of Parties. Business Associate agrees as follows:
(a) not to use or further disclose PHI other than as permitted or required by this BAA or as Required By Law;
(b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this BAA, the Organization Access Agreement, and the HIPAA Rules, and to comply with Subpart C of 45 C.F.R. part 164 with respect to Electronic PHI;
(c) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity;
(d) to report to Covered Entity within a reasonable time any use or disclosure of PHI not provided for by this BAA or Breach of Unsecured PHI of which Business Associate becomes aware. Business Associate will take (i) prompt action to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of such use, disclosure or Breach; and (ii) any further action required of Business Associate by applicable Federal and State laws and regulations. For incidents constituting a Breach, the report will include, to the extent available, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during a Breach of Unsecured Protected Health Information;
(e) to report to Covered Entity any Security Incident of which Business Associate becomes aware. Notwithstanding the foregoing, Covered Entity acknowledges that Business Associate routinely experiences Unsuccessful Security Incidents (as defined below) that do not result in a Breach of Unsecured PHI. The Parties agree that this section satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to Covered Entity will be required. For purposes of this BAA, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI;
(f) to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA;
(g) in accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to no less restrictive restrictions and conditions that apply to Business Associate with respect to such information and agree to comply with the HIPAA Security Regulations with respect to Electronic PHI;
(h) at the request of Covered Entity and in the time and manner reasonably designated by Covered Entity, furnish access to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524, provided that Business Associate will not be required to furnish access to the same PHI that is maintained in more than one Designated Record Set or at more than one location, as provided in 45 CFR §164.524(c)(1);
(i) to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity;
(j) subject to Business Associate’s reasonable confidentiality and security practices, to make internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity or the Secretary, in a time and manner reasonably requested by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule;
(k) to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528;
(l) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(k) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; and
(m) if and only to the extent Business Associate is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Appears in 1 contract
Samples: Organization Access Agreement
Obligations and Activities of Parties. Organization and Availity both agree as follows:
(a) not to use or further disclose PHI other than as permitted or required by this Agreement, in accordance with the Minimum Necessary rules, or as Required By Law;
(b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this Agreement, the Organization Access Customer Agreement, and the HIPAA Rules, and to comply with Subpart C of 45 C.F.R. part 164 with respect to Electronic PHI;
(c) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity;
(d) to report to Covered Entity within a reasonable time and in writing any use suspected or actual breach of security, intrusion or unauthorized use, or disclosure of PHI not provided for by this BAA or Breach of Unsecured PHI of which Business Associate becomes aware. Business Associate will shall take (i) prompt corrective action to mitigate, to the extent practicable, cure any harmful effect that is known to Business Associate of such use, disclosure or Breachdeficiencies; and (ii) any further action pertaining to such unauthorized disclosure required of Business Associate by applicable Federal and State laws and regulations. For reports of incidents constituting a Breach, the report will shall include, to the extent available, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during a Breach of Unsecured Protected Health Information;
(e) to report to Covered Entity in writing any of the following Security Incidents of which Business Associate becomes aware or upon Covered Entity's request: (A) unauthorized access, use, disclosure, modification, or destruction of Business Associate's Electronic PHI, or (B) unauthorized interference with system operations in Business Associate's information systems that contain or provide access to Covered Entity's Electronic PHI;
(f) to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement;
(g) in accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
(h) at the request of Covered Entity and in the time and manner reasonably designated by Covered Entity, furnish access to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524, provided that Business Associate will not be required to furnish access to the same PHI that is maintained in more than one Designated Record Set or at more than one location, as provided in 45 CFR §164.524(c)(1);
(i) to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity;
(j) subject to Business Associate's reasonable confidentiality and security practices, to make internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity or, at the request of Covered Entity, to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule;
(k) to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528;
(l) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(k) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; and
(m) if and only to the extent Business Associate is to carry out one or more of the Covered Entity's obligation(s) under Subpart E of 45 C.F.R. part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Appears in 1 contract
Samples: Organization Access Agreement
Obligations and Activities of Parties. HS1 and Provider both agree as follows:
(a) not to use or further disclose PHI other than as permitted or required by this Agreement, in accordance with the Minimum Necessary rules, or as Required By Law;
(b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this Agreement, the Organization Access Customer Agreement, and the HIPAA Rules, and to comply with Subpart C of 45 C.F.R. part 164 with respect to Electronic PHI;
(c) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity;
(d) to report to Covered Entity within a reasonable time and in writing any use suspected or actual breach of security, intrusion or unauthorized use, or disclosure of PHI not provided for by this BAA or Breach of Unsecured PHI of which Business Associate becomes aware. Business Associate will shall take (i) prompt corrective action to mitigate, to the extent practicable, cure any harmful effect that is known to Business Associate of such use, disclosure or Breachdeficiencies; and (ii) any further action pertaining to such unauthorized disclosure required of Business Associate by applicable Federal and State laws and regulations. For reports of incidents constituting a Breach, the report will shall include, to the extent available, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during a Breach of Unsecured Protected Health Information;
(e) to report to Covered Entity in writing any of the following Security Incidents of which Business Associate becomes aware or upon Covered Entity's request: (A) unauthorized access, use, disclosure, modification, or destruction of Business Associate's Electronic PHI, or (B) unauthorized interference with system operations in Business Associate's information systems that contain or provide access to Covered Entity's Electronic PHI;
(f) to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement;
(g) in accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
(h) at the request of Covered Entity and in the time and manner reasonably designated by Covered Entity, furnish access to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524, provided that Business Associate will not be required to furnish access to the same PHI that is maintained in more than one Designated Record Set or at more than one location, as provided in 45 CFR §164.524(c)(1);
(i) to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity;
(j) subject to Business Associate's reasonable confidentiality and security practices, to make internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity or, at the request of Covered Entity, to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule;
(k) to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528;
(l) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(k) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; and
(m) if and only to the extent Business Associate is to carry out one or more of the Covered Entity's obligation(s) under Subpart E of 45 C.F.R. part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Appears in 1 contract
Samples: Provider Portal Agreement
Obligations and Activities of Parties. Organization and Availity both agree as follows:
(a) not to use or further disclose PHI other than as permitted or required by this Agreement, in accordance with the Minimum Necessary rules, or as Required By Law;
(b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this Agreement, the Organization Access Customer Agreement, and the HIPAA Rules, and to comply with Subpart C of 45 C.F.R. part 164 with respect to Electronic PHI;
(c) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity;
(d) to report to Covered Entity within a reasonable time and in writing any use suspected or actual breach of security, intrusion or unauthorized use, or disclosure of PHI not provided for by this BAA or Breach of Unsecured PHI of which Business Associate becomes aware. Business Associate will shall take (i) prompt corrective action to mitigate, to the extent practicable, cure any harmful effect that is known to Business Associate of such use, disclosure or Breachdeficiencies; and (ii) any further action pertaining to such unauthorized disclosure required of Business Associate by applicable Federal and State laws and regulations. For reports of incidents constituting a Breach, the report will shall include, to the extent available, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during a Breach of Unsecured Protected Health Information;
(e) to report to Covered Entity in writing any of the following Security Incidents of which Business Associate becomes aware or upon Covered Entity’s request: (A) unauthorized access, use, disclosure, modification, or destruction of Electronic PHI, or (B) unauthorized interference with system operations in Business Associate’s information systems that contain or provide access to Covered Entity’s Electronic PHI;
(f) to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement;
(g) in accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
(h) at the request of Covered Entity and in the time and manner reasonably designated by Covered Entity, furnish access to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524, provided that Business Associate will not be required to furnish access to the same PHI that is maintained in more than one Designated Record Set or at more than one location, as provided in 45 CFR §164.524(c)(1);
(i) to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity;
(j) subject to Business Associate’s reasonable confidentiality and security practices, to make internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity or, at the request of Covered Entity, to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule;
(k) to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528;
(l) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(k) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; and
(m) if and only to the extent Business Associate is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Appears in 1 contract
Samples: Organization Access Agreement