Obligations and Activities of Provider. Provider agrees to:
a. not use or further disclose NDIIS data other than as permitted or required by this Agreement or as required by law;
b. require all Authorized Users to sign a confidentiality agreement before access to NDIIS is granted by the Provider. The confidentiality agreement must include the following:
i. statement of permitted use of data;
ii. statement of prohibited use and disclosure of data;
iii. agreement to comply with Provider’s policies, procedures, and HIPAA Rules;
iv. agreement to maintain NDIIS information confidential;
v. agreement to comply with security provisions and password protections; and
vi. sanctions or consequences of non-compliance.
c. use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of the PHI other than as provided for by this Agreement;
d. comply with any limitation on the use or disclosure of a specified individual’s PHI, if the State has notified the Provider of the limitation;
e. mitigate, to the extent practicable, any harmful effect that is known to the Provider of a use or disclosure of PHI by the Provider or its Authorized Users in violation of the requirements of this Agreement;
f. in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that Business Associates and their subcontractors that create, receive, maintain, or transmit PHI received from NDIIS on behalf of the Provider agree to the same restrictions, conditions, and requirements that apply to the Provider with respect to that information;
g. report to State any use or disclosure of the PHI not provided for by this Agreement of which the Provider becomes aware without unreasonable delay and in any case within 30 days from the date Provider becomes aware of any such unauthorized use or disclosure, including breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any security incident of which Provider becomes aware;
h. in the event of the discovery of a Breach of Unsecured PHI, Provider shall provide the State with a written notification that complies with 45 C.F.R. § 164.410 which shall include the following information:
i. to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Provider to have been, accessed, acquired or disclosed during the breach;
ii. the date of discovery of the breach and date of the breach;
iii. the nature of the PHI that was involved;
Appears in 1 contract
Samples: Memorandum of Understanding
Obligations and Activities of Provider. 2.1. Provider agrees to not use or further disclose Protected Health Information (“PHI”) other than as permitted or required by the BA Agreement or as Required by Law.
2.2. Provider agrees to use reasonably appropriate safeguards intended to prevent use or disclosure of the PHI other than as provided for by this BA Agreement, including implementing administrative, physical, and technical safeguards that are aimed at reasonably and appropriately protecting the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Client.
2.3. Provider agrees to report to Client any use or disclosure of the PHI that is not provided for by this BA Agreement of which it becomes aware. Provider further agrees to notify Client of any Breach of Unsecured PHI of which it becomes aware.
2.4. Provider agrees to ensure that any agent, including a subcontractor, to whom it provides PHI or which is received from, or created or received by Provider on behalf of Client, complies with the provisions of this BA Agreement. Likewise, Client agrees to the same restrictions and conditions protecting and/or governing the receipt or provision of PHI that apply through this BA Agreement to Provider with respect to such information.
2.5. Provider agrees to provide access, at the request of Client, and within a reasonable time and manner not materially disruptive of Provider’s operations or business, to PHI in a Designated Record Set to Client in order to meet the requirements under 45 CFR 164.524.
2.6. Provider agrees to document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and the regulations adopted pursuant to 42 USC 17935(c), and to reasonably cooperate with Client in responding to such requests. Client shall be responsible for such costs and expenses of Provider.
2.7. If, in the performance of its obligations set forth herein, Provider expends time and materials in addition to the Services to be provided by Provider pursuant to their Master Client Agreement, Provider shall provide Client with an estimate of the fees for such time and materials. Such fees to may be charged by Provider for such time and materials, Provider shall invoice Client on a time and materials basis at reasonable rate, and Client shall pay Provider all such fees in accordance with the payment terms of their Master Client Agreement.
Appears in 1 contract
Samples: Business Associate Agreement
Obligations and Activities of Provider. Provider agrees to:
a. not use or further disclose NDIIS data other than as permitted or required by this Agreement or as required by law;
b. require all Authorized Users to sign a confidentiality agreement before access to NDIIS is granted by the Provider. The confidentiality agreement must include the following:
i. statement of permitted use of data;
ii. statement of prohibited use and disclosure of data;
iii. agreement to comply with Provider’s policies, procedures, and HIPAA Rules;
iv. agreement to maintain NDIIS information confidentiality;
v. agreement to comply with security provisions and password protections; and
vi. sanctions or consequences of non-compliance.
c. use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of the PHI other than as provided for by this Agreement;
d. comply with any limitation on the use or disclosure of a specified individual’s PHI, if the State has notified the Provider of the limitation;
e. mitigate, to the extent practicable, any harmful effect that is known to the Provider of a use or disclosure of PHI by the Provider or its Authorized Users in violation of the requirements of this Agreement;
f. in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that Business Associates and their subcontractors that create, receive, maintain, or transmit PHI received from NDIIS on behalf of the Provider agree to the same restrictions, conditions, and requirements that apply to the Provider with respect to that information;
g. report to State any use or disclosure of the PHI not provided for by this Agreement of which the Provider becomes aware without unreasonable delay and in any case within 30 days from the date Provider becomes aware of any such unauthorized use or disclosure, including breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any security incident of which Provider becomes aware;
h. in the event of the discovery of a Breach of Unsecured PHI, Provider shall provide the State with a written notification that complies with 45 C.F.R. § 164.410 which shall include the following information:
i. to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Provider to have been, accessed, acquired or disclosed during the breach;
ii. the date of discovery of the breach and date of the breach;
iii. the nature of the PHI that was involved;
Appears in 1 contract
Samples: Memorandum of Understanding
Obligations and Activities of Provider. In carrying out its obligations to PORI, Provider (and its agents and subcontractors) may have access to, use, and create PHI on behalf of PORI. Provider acknowledges that this information is protected by state and federal law and agrees to comply with these laws. Without limiting any of the foregoing in any way, Provider specifically agrees:
(i) Not to use or further disclose PHI other than as necessary or advisable to provide the services as set forth in the Contract, or as Required By Law.
(ii) To use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this Addendum.
(iii) To mitigate, to the extent practicable, any harmful effect that is known to Provider of a use or disclosure of PHI by the Provider or its Authorized Users in violation of the requirements of this Addendum.
(iv) To report to PORI any use or disclosure of the PHI not provided for by this Addendum of which Provider becomes aware.
(v) To ensure that any agent, including a subcontractor, to whom Provider provides PHI received from, or created or received by Provider on behalf of, PORI agrees to the same restrictions and conditions that apply through this Addendum to Provider with respect to such information.
(vi) At the request of PORI and in the time and manner agreed to by PORI and Provider, to provide access to PHI in a Designated Record Set not in the possession of PORI to PORI or to an Individual, in order to meet the requirements of 45 C.F.R. § 164.524.
(vii) At the request of PORI and in the time and manner agreed to by PORI and Provider, to make any amendment(s) to PHI in a Designated Record Set in Provider’s possession that are necessary for PORI to comply with 45 C.F.R. § 164.526.
(viii) Subject to all applicable legal privileges, to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Provider on behalf of, PORI available, at the request of PORI, to the Secretary, in a time and manner designated by the Secretary, for the purpose of the Secretary determining PORI’s compliance with the Privacy Rule.
(ix) To provide to PORI, in the time and manner agreed to by PORI and Provider, information as would be required for PORI to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(x) To comply with the HIPAA Regulations that apply to Provider when conducting any electronic transaction on behalf of PORI that is subject to the HIPAA Regulations. In addition, Provider shall require its agents or subcontractors to do the same.
(xi) To the extent required by the HIPAA Regulations, (A) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any E-PHI that Provider creates, receives, maintains, or transmits on behalf of PORI; and (B) to report to PORI any Security Incident of which Provider becomes aware.
Appears in 1 contract
Samples: Provider Contract