Common use of Obligations and Activities of Subcontractor Clause in Contracts

Obligations and Activities of Subcontractor.

(a) Subcontractor agrees to not use or disclose Protected Health Information other than as permitted or required by this BA Agreement or as Required By Law.

(b) Subcontractor agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this BA Agreement.

(c) Subcontractor agrees to report to Business Associate's Privacy Official, within five (5) business days, any use or disclosure of the Protected Health Information not provided for by this BA Agreement, including the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by the Subcontractor to have been, accessed, acquired, or disclosed during such breach.

(d) Subcontractor agrees to ensure that any agent or subcontractor to whom it provides Protected Health Information received from, or created or received by Subcontractor on behalf of Business Associate, agrees in writing to the same restrictions and conditions that apply through this BA Agreement to Subcontractor with respect to such information.

(e) To the extent Subcontractor has Protected Health Information in a Designated Record Set, Subcontractor agrees to provide access to Protected Health Information in a Designated Record Set to Business Associate in order to meet the requirements under 45 C.F.R. § 164.524, including provision of records in electronic form to the extent required by the HITECH Act.

(f) Subcontractor agrees to make any amendment(s) to Protected Health Information in its possession contained in a Designated Record Set that Business Associate directs or agrees to pursuant to 45 C.F.R. § 164.526, at the request of Business Associate.

(g) Subcontractor agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Subcontractor on behalf of Business Associate, available to Business Associate and/or the Secretary, in a time and manner designated by the Business Associate and/or the Secretary, as applicable, for purposes of determining Business Associate's compliance with HIPAA or the HITECH Act.

(h) Subcontractor agrees to document such disclosures of Protected Health Information in its possession and information related to such disclosures as would be required for Business Associate to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and the HITECH Act.

(i) Subcontractor agrees to provide to Business Associate information collected in accordance with Section 2(h) of this BA Agreement, to permit Business Associate to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and the HITECH Act.

(j) Subcontractor agrees to, subject to subsection 4(c)(2) below, return to the Business Associate or remove from access to any third party, within fifteen (15) days of the termination of this Agreement, the Protected Health Information in its possession.

(k) Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to either party, of a use or disclosure of Protected Health Information in violation of this BA Agreement.

(l) Subcontractor agrees to indemnify, insure, defend and hold harmless Business Associate and Business Associate's employees, directors, officers, subcontractors, affiliates, agents, and members of its Workforce, each of the foregoing hereinafter referred to as an "indemnified party," against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any breach of this BA Agreement or of any warranty hereunder or from any negligence, wrongful acts, or omissions, including the failure to perform its obligations under HIPAA, as well as the additional obligations under the HITECH Act, by Subcontractor or its employees, directors, officers, subcontractors, agents, or members of its workforce. This includes, but is not limited to, expenses associated with notification to individuals and/or the media in the event of a breach of Protected Health Information held by Subcontractor. Accordingly, on demand, Subcontractor shall reimburse any indemnified party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any indemnified party by reason of any suit, claim, action, proceeding or demand by any third party which results from the indemnifying party's breach hereunder. The provisions of this paragraph shall survive the expiration or termination of this BA Agreement for any reason.

(m) In addition to its overall obligations with respect to Protected Health Information, to the extent required by the Security Rule, Subcontractor will:
1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information (EPHI) that it creates, receives, maintains, or transmits on behalf of Business Associate as required by HIPAA;
2. Ensure that any agent or subcontractor to whom it provides such XXXX agrees in writing to implement reasonable and appropriate safeguards to protect the EPHI; and
3. Report to Business Associate any Security Incident of which it becomes aware.

(n) Except as otherwise allowed in this BA Agreement, HIPAA, and the HITECH Act, Subcontractor shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual unless the Individual has provided a valid, HIPAA-compliant authorization.

(o) Subcontractor shall use and disclose only the minimum necessary Protected Health Information to accomplish the intended purpose of such use, disclosure or request. Prior to any use or disclosure, Subcontractor shall determine whether a Limited Data Set would be sufficient for these purposes.

(p) Business Associate, in its sole and absolute discretion, may elect to delegate to Subcontractor the requirement under HIPAA and the HITECH Act to notify affected Individuals of a breach of unsecured Protected Health Information if such breach results from, or is related to, an act or omission of Subcontractor or the agents or representatives of Subcontractor. If Business Associate elects to make such delegation, Subcontractor shall perform such notifications and any other reasonable remediation services (i) at Subcontractor’s sole cost and expense, and (ii) in compliance with all applicable laws including HIPAA and the HITECH Act. Subcontractor shall also provide Business Associate with the opportunity to review and approve of the form and content of any breach notification that Subcontractor provides to Individuals.

(q) Subcontractor agrees to comply with the following:
i. Sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to Subcontractor in the same manner that such sections apply to Business Associate. The additional requirements of the HITECH Act that relate to security and that are made applicable with respect to Covered Entities shall also be applicable to Subcontractor and shall be and by this reference hereby are incorporated into this BA Agreement.
ii. Unless Business Associate agrees, in writing, that this requirement is infeasible with respect to particular data, Subcontractor shall secure all Protected Health Information by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary specifying the technologies and methodologies that render Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by the HITECH Act.
iii. Subcontractor may use and disclose Protected Health Information that Subcontractor obtains or creates only if such use or disclosure, respectively, is in compliance with each applicable requirement of Section 164.504(e) of the Privacy Rule, relating to business associate contracts. The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable with respect to Business Associate shall also be applicable to Subcontractor and shall be and by this reference hereby are incorporated into this BA Agreement.
iv. In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that, if it knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of the other party's obligation under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible, or if termination is not feasible, report the problem to the Secretary.

(r) Subcontractor represents and warrants that, as of the effective date of this BA Agreement, Subcontractor has implemented compliance programs, including written policies and procedures, designed to ensure compliance with all Business Associate Agreements, as well as applicable state and federal privacy laws. These policies and procedures include, but are not limited to, policies related to mitigation of security breaches, training employees, documenting disclosures as required for an "accounting" (as that term is defined in HIPAA and as contemplated by subsection 2(h) and (i) of this BA Agreement), and maintaining the physical and technical security of electronic data, including encryption. Subcontractor represents and warrants that it is currently conducting its business in material compliance with all applicable laws governing the privacy, security or confidentiality of individually identifiable health information and/or other records generated in the course of providing or paying for health care services.

Appears in 1 contract

Samples: Software Subscription Agreement


Obligations and Activities of Subcontractor.

(A) Subcontractor acknowledges and agrees that all PHI that is created or received by Business Associate and used by or disclosed to Subcontractor or created or received by Subcontractor on Business Associate’s behalf shall be subject to this Agreement.

(B) Subcontractor agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

(C) Subcontractor agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

(D) Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI by Subcontractor in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule.

(E) Subcontractor agrees to notify Business Associate promptly at xxxxxxx.xxxxxxx@xxxxxxx.xxx, in no event later than three (3) days, following discovery of any (i) Breach of Unsecured PHI, and/or (ii) any use or disclosure of PHI not provided for by this Agreement. Any notice pursuant to this Section 2(E) will include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Subcontractor, to have been accessed, acquired or disclosed during such Breach. Subcontractor will also provide Business Associate other available information that Subcontractor is required to include in its notification to the Individual or Covered Entity.

(F) Subcontractor agrees to report to Business Associate any use or disclosure of PHI not provided for by this Agreement or any Security Incident of which it becomes aware.

(G) Subcontractor agrees to ensure that any agent, including a subcontractor (if permitted to have subcontractors by Business Associate), to whom it provides PHI received from, or created or received by Subcontractor for, or on behalf of, Business Associate agrees in writing to substantially similar restrictions and conditions that apply through this Agreement to Subcontractor with respect to such information.

(H) Within five (5) days of receiving a written request from Business Associate, provide to Business Associate such information as is requested by Business Associate to permit Business Associate to respond to a request by an Individual or Covered Entity to inspect and obtain a copy of PHI about the Individual that is maintained in a Designated Record Set, for as long as the PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.524; to amend PHI or a record about the Individual in a Designated Record Set, for as long as PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.526; and for an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528.

(I) Subcontractor agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Subcontractor on behalf of Business Associate, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s compliance with the Privacy Rule.

Appears in 1 contract

Samples: Business Associate Subcontractor Agreement

Obligations and Activities of Subcontractor.

a. Subcontractor agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law.

b. Subcontractor agrees to use appropriate safeguards to prevent the Use or Disclosure of PHI other than as provided for by this Agreement. Subcontractor further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.

c. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a Use or Disclosure of PHI by Subcontractor in violation of the requirements of this Agreement. Subcontractor further agrees to report to Business Associate any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, and in a manner as prescribed in this Agreement.

d. Subcontractor agrees to report to Business Associate any Security Incident, including all data Breaches or compromises, whether internal or external, related to PHI, whether the PHI is secured or unsecured, of which Subcontractor becomes aware.

e. If the Breach, as discussed in paragraph 2(d), pertains to Unsecured PHI, then Subcontractor agrees to report any such data Breach to Business Associate within ten (10) business days of discovery of the Breach; all other compromises, or attempted compromises, of PHI must be reported to Business Associate within twenty (20) business days of discovery. Subcontractor further agrees, consistent with Section 13402 of the HITECH Act, to provide Business Associate with information necessary for Business Associate to meet the requirements of the HITECH Act, and in a manner and format to be specified by Business Associate.

f. If Subcontractor is an Agent of Business Associate, then Subcontractor agrees that any Breach of Unsecured PHI will be reported to Business Associate immediately after the Subcontractor becomes aware of the Breach, and under no circumstances later than one (1) business day after the Breach. Subcontractor further agrees that any compromise, or attempted compromise, of PHI, other than a Breach of Unsecured PHI as specified in 2(e) of this Agreement, must be reported to Business Associate within ten (10) business days of discovering the compromise, or attempted compromise.

g. Subcontractor agrees to ensure that any Subcontractor, to whom Subcontractor provides PHI, agrees in writing to the same restrictions and conditions that apply through this Agreement to Subcontractor with respect to such information. Subcontractor further agrees that restrictions and conditions analogous to those contained in this Agreement will be imposed on the Subcontractors via a written agreement that complies with all the requirements specified in §164.504(e)(2), and that Subcontractor may only provide the Subcontractors PHI consistent with Section 13405(b) of the HITECH Act. Further, Subcontractor agrees to provide copies of the written agreements to Business Associate within ten (10) business days of a Business Associate’s request for the written agreements.

h. Subcontractor agrees to provide access, at the request of Business Associate and during normal business hours, to PHI in a Designated Record Set to Business Associate or, as directed by Business Associate, to an Individual, in order to meet the Business Associate’s requirements under 45 CFR §164.524, provided that Business Associate delivers to Subcontractor a written notice at least three (3) business days in advance of requesting such access. Subcontractor further agrees, in the case where Subcontractor controls access to PHI in an Electronic Health Record, or controls access to PHI stored electronically in any format, to provide similar access in order for Business Associate to meet its requirements under the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Subcontractor and its employees or Subcontractors have no PHI in a Designated Record Set of Business Associate.

i. Subcontractor agrees to make any amendments to PHI in a Designated Record Set that Business Associate directs or agrees to pursuant to 45 CFR §164.526, at the request of Business Associate or an Individual. This provision does not apply if Subcontractor and its employees or Subcontractors have no PHI from a Designated Record Set of Business Associate.

j. Unless otherwise protected or prohibited from discovery or disclosure by law, Subcontractor agrees to make its internal practices, books, and records, including policies and procedures (collectively “Compliance Information”), relating to the Use or Disclosure of PHI and the protection of PHI, available to the Business Associate or to the Secretary for purposes of the Secretary determining Business Associate’s compliance with the HIPAA Rules and the HITECH Act. Subcontractor further agrees, at the request of Business Associate, to provide Business Associate with demonstrable evidence that its Compliance Information ensures Subcontractor’s compliance with this Agreement over time. Subcontractor will have a reasonable time within which to comply with requests for such access or demonstrable evidence, consistent with this Agreement. In no case may access, or demonstrable evidence, be required in less than five (5) business days after Subcontractor’s receipt of such request, unless otherwise designated by the Secretary.

k. Subcontractor agrees to maintain necessary and sufficient documentation of Disclosures of PHI as would be required for Business Associate to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528.

l. On request of Business Associate, Subcontractor agrees to provide to Business Associate documentation made in accordance with Section 2(h) of this Agreement to permit Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Subcontractor shall provide the documentation in a manner and format to be specified by Business Associate. Subcontractor will have a reasonable time within which to comply with such a request from Business Associate and in no case may Subcontractor be required to provide such documentation in less than three (3) business days after Subcontractor’s receipt of such request.

m. Except as provided for in this Agreement, in the event Subcontractor receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Subcontractor shall redirect the Individual to the Business Associate.

n. To the extent that Subcontractor carries out one or more of Business Associate’s obligations under the HIPAA Rules, the Subcontractor must comply with all requirements of the HIPAA Rules that would be applicable to the Business Associate.

o. Subcontractor must honor all restrictions consistent with 45 C.F.R. §164.522 that the Business Associate or the Individual makes the Subcontractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with Section 13405(a) of the HITECH Act.
(q) Subcontractor agrees to comply with the following: i. Sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements) of the Security Rule shall apply to Subcontractor in the same manner that such sections apply to Business Associate. The additional requirements of the HITECH Act that relate to security and that are made applicable with respect to Covered Entities shall also be applicable to Subcontractor and shall be and by this reference hereby are incorporated into this BA Agreement. ii. Unless Business Associate agrees, in writing, that this requirement is infeasible with respect to particular data, Subcontractor shall secure all Protected Health Information by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute and is consistent with guidance issued by the Secretary specifying the technologies and methodologies that render Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by the HITECH Act. iii. Subcontractor may use and disclose Protected Health Information that Subcontractor obtains or creates only if such use or disclosure, respectively, is in compliance with each applicable requirement of Section 164.504(e) of the Privacy Rule, relating to business associate contracts. The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that are made applicable with respect to Business Associate shall also be applicable to Subcontractor and shall be and by this reference hereby are incorporated into this BA Agreement. iv. 
In accordance with Section 164.504(e)(1)(ii) of the Privacy Rule, each party agrees that, if it knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of the other party's obligation under the BA Agreement, the non-breaching party will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible, or if termination is not feasible, report the problem to the Secretary. (r) Subcontractor represents and warrants that, as of the effective date of this BA Agreement, Subcontractor has implemented compliance programs, including written policies and procedures, designed to ensure compliance with all Business Associate Agreements, as well as applicable state and federal privacy laws. These policies and procedures include, but are not limited to, policies related to mitigation of security breaches, training employees, documenting disclosures as required for an "accounting" (as that term is defined in HIPAA and as contemplated by subsection 2(h) and (i) of this BA Agreement), and maintaining the physical and technical security of electronic data, including encryption. Subcontractor represents and warrants that it is currently conducting its business in material compliance with all applicable laws governing the privacy, security or confidentiality of individually identifiable health information and/or other records generated in the course of providing or paying for health care services.

Appears in 1 contract

Samples: Third Party Administrator Agreement


Obligations and Activities of Subcontractor. Subcontractor agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law. Subcontractor agrees to employ administrative, physical, and technical safeguards meeting required Security Standards for business associates as Required By Law to prevent disclosure or use of PHI other than as allowed by this Agreement. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI held by Subcontractor in violation of the requirements of this BA Agreement. Subcontractor agrees to report to Business Associate and Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware. Subcontractor shall notify Business Associate and Covered Entity immediately following the breach of Unsecured Protected Health Information, and shall be deemed to have discovered such breach as of the first day on which such breach is known to Subcontractor or, by exercising reasonable diligence, would have been known to Subcontractor. Subcontractor shall comply with the notification requirements under 45 CFR § 165.410. 
Subcontractor agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Subcontractor on behalf of Covered Entity agrees in writing to the same restrictions and conditions that apply through this BA Agreement to Subcontractor with respect to such PHI. Subcontractor agrees to execute Business Associate Agreements with all its subcontractors to whom it grants access to Business Associate’s PHI in any form. Subcontractor agrees, at the request of Business Associate or Covered Entity, to provide Covered Entity (or a designate of Covered Entity) access to Protected Health Information in a Designated Record Set in a prompt commercially reasonable manner in order to meet the requirements under 45 CFR §164.524, including provision of records in electronic form to the extent required by the HITECH Act. Subcontractor agrees to make any amendment(s) to Protected Health Information in its possession contained in a Designated Record Set that Business Associate and/or the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Business Associate and/or the Covered Entity or an Individual, in a prompt and commercially reasonable manner. 
Subcontractor agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Subcontractor on behalf of, Covered Entity available to Business Associate and/or the Covered Entity, or to the Secretary (including official representatives of the Secretary), as applicable, in a prompt commercially reasonable manner for purposes of determining Covered Entity's compliance with the Privacy Rule. Subcontractor shall, upon request with reasonable notice, provide Business Associate and/or the Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI. Subcontractor agrees to document such disclosures of Protected Health Information in its possession and information related to such disclosures as would be required for Business Associate and/or the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. Subcontractor agrees to provide to Business Associate and/or the Covered Entity or an Individual, in a prompt commercially reasonable manner, information collected in accordance with Section 2(h) of this BA Agreement, to permit Business Associate and/or the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528. 

Appears in 1 contract

Samples: Client Services Agreement
