Obligations and Activities of Subcontractor. (A) Subcontractor acknowledges and agrees that all PHI that is created or received by Business Associate and used by or disclosed to Subcontractor or created or received by Subcontractor on Business Associate’s behalf shall be subject to this Agreement.
(B) Subcontractor agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(C) Subcontractor agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
(D) Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI by Subcontractor in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule.
(E) Subcontractor agrees to notify Business Associate promptly at xxxxxxx.xxxxxxx@xxxxxxx.xxx, in no event later than three (3) days, following discovery of any (i) Breach of Unsecured PHI, and/or (ii) any use or disclosure of PHI not provided for by this Agreement. Any notice pursuant to this Section 2(E) will include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Subcontractor, to have been accessed, acquired or disclosed during such Breach. Subcontractor will also provide Business Associate other available information that Subcontractor is required to include in its notification to the Individual or Covered Entity.
(F) Subcontractor agrees to report to Business Associate any use or disclosure of PHI not provided for by this Agreement or any Security Incident of which it becomes aware.
(G) Subcontractor agrees to ensure that any agent, including a subcontractor (if permitted to have subcontractors by Business Associate), to whom it provides PHI received from, or created or received by Subcontractor for, or on behalf of, Business Associate agrees in writing to substantially similar restrictions and conditions that apply through this Agreement to Subcontractor with respect to such information.
(H) Within five (5) days of receiving a written request from Business Associate, provide to Business Associate such information as is requested by Business Associate to permit Business Associate to respond to a request by an Individual or Covered Entity to inspect and obtain a copy of PHI about the Individual that is maintained in a Designated Record Set, for as long as the PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.524; to amend PHI or a record about the Individual in a Designated Record Set, for as long as PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.526; and for an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528.
(I) Subcontractor agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Subcontractor on behalf of Business Associate, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s compliance with the Privacy Rule.
Obligations and Activities of Subcontractor. (A) Subcontractor acknowledges and agrees that all PHI that is created or received by Business Associate and used by or disclosed to Subcontractor or created or received by Subcontractor on Business Associate’s behalf shall be subject to this Agreement.
a. Subcontractor agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as Required By Law.
b. Subcontractor agrees to use appropriate safeguards to prevent the Use or Disclosure of PHI other than as provided for by this Agreement. Subcontractor further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.
c. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a Use or Disclosure of PHI by Subcontractor in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule.
(E) . Subcontractor further agrees to notify report to Business Associate promptly at xxxxxxx.xxxxxxx@xxxxxxx.xxx, in no event later than three (3) days, following discovery of any (i) Breach of Unsecured PHI, and/or (ii) any use Use or disclosure Disclosure of PHI not provided for by this Agreement of which it becomes aware, and in a manner as prescribed in this Agreement. Any notice pursuant to this Section 2(E) will include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Subcontractor, to have been accessed, acquired or disclosed during such Breach. Subcontractor will also provide Business Associate other available information that Subcontractor is required to include in its notification to the Individual or Covered Entity.
d. Subcontractor agrees to report to Business Associate any Security Incident, including all data Breaches or compromises, whether internal or external, related to PHI, whether the PHI is secured or unsecured, of which Subcontractor becomes aware.
e. If the Breach, as discussed in paragraph 2(d), pertains to Unsecured PHI, then Subcontractor agrees to report any such data Breach to Business Associate within ten (10) business days of discovery of the Breach; all other compromises, or attempted compromises, of PHI must be reported to Business Associate within twenty (20) business days of discovery. Subcontractor further agrees, consistent with Section 13402 of the HITECH Act, to provide Business Associate with information necessary for Business Associate to meet the requirements of the HITECH Act, and in a manner and format to be specified by Business Associate.
f. If Subcontractor is an Agent of Business Associate, then Subcontractor agrees that any Breach of Unsecured PHI will be reported to Business Associate immediately after the Subcontractor becomes aware of the Breach, and under no circumstances later than one (1) business day after the Breach. Subcontractor further agrees that any compromise, or attempted compromise, of PHI, other than a Breach of Unsecured PHI as specified in 2(e) of this Agreement, must be reported to Business Associate within ten (10) business days of discovering the compromise, or attempted compromise.
g. Subcontractor agrees to ensure that any agent, including a subcontractor (if permitted to have subcontractors by Business Associate)Subcontractor, to whom it Subcontractor provides PHI received fromPHI, or created or received by Subcontractor for, or on behalf of, Business Associate agrees in writing to substantially similar the same restrictions and conditions that apply through this Agreement to Subcontractor with respect to such information.
(H) Within five (5) days of receiving . Subcontractor further agrees that restrictions and conditions analogous to those contained in this Agreement will be imposed on the Subcontractors via a written request from Business Associateagreement that complies with all the requirements specified in §164.504(e)(2), and that Subcontractor may only provide the Subcontractors PHI consistent with Section 13405(b) of the HITECH Act. Further, Subcontractor agrees to provide copies of the written agreements to Business Associate such information as is requested by within ten (10) business days of a Business Associate’s request for the written agreements.
h. Subcontractor agrees to provide access, at the request of Business Associate and during normal business hours, to permit Business Associate to respond to a request by an Individual or Covered Entity to inspect and obtain a copy of PHI about the Individual that is maintained in a Designated Record SetSet to Business Associate or, for as long as the PHI is maintained directed by Business Associate, to an Individual, in order to meet Business Associate’s requirements under 45 CFR §164.524, provided that Business Associate delivers to Subcontractor a written notice at least three (3) business days in advance of requesting such access. Subcontractor further agrees, in the Designated Record Setcase where Subcontractor controls access to PHI in an Electronic Health Record, or controls access to PHI stored electronically in accordance with 45 C.F.R. § 164.524; any format, to amend provide similar access in order for Business Associate to meet its requirements under the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Subcontractor and its employees or Subcontractors have no PHI or a record about the Individual in a Designated Record Set, for as long as Set of Business Associate.
i. Subcontractor agrees to make any amendments to PHI is maintained in the a Designated Record SetSet that Business Associate directs or agrees to pursuant to 45 CFR §164.526, in accordance with 45 C.F.R. § 164.526; at the request of Business Associate or an Individual. This provision does not apply if Subcontractor and for an accounting its employees or Subcontractors have no PHI from a Designated Record Set of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528Business Associate.
(I) j. Unless otherwise protected or prohibited from discovery or disclosure by law, Subcontractor agrees to make internal practices, books, and records, including policies and procedures and PHI(collectively “Compliance Information”), relating to the use and disclosure Use or Disclosure of PHI received from, or created or received by Subcontractor on behalf and the protection of Business AssociatePHI, available to the Secretary, in a time and manner designated by Business Associate or to the Secretary, Secretary for purposes of the Secretary determining Business Associate’s compliance with the Privacy RuleHIPAA Rules and the HITECH Act. Subcontractor further agrees, at the request of Business Associate, to provide Business Associate with demonstrable evidence that its Compliance Information ensures Subcontractor’s compliance with this Agreement over time. Subcontractor will have a reasonable time within which to comply with requests for such access or demonstrable evidence, consistent with this Agreement. In no case may access, or demonstrable evidence, be required in less than five (5) business days after Subcontractor’s receipt of such request, unless otherwise designated by the Secretary.
k. Subcontractor agrees to maintain necessary and sufficient documentation of Disclosures of PHI as would be required for Business Associate to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528.
l. On request of Business Associate, Subcontractor agrees to provide to Business Associate documentation made in accordance with this Agreement to permit Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Subcontractor shall provide the documentation in a manner and format to be specified by Business Associate. Subcontractor will have a reasonable time within which to comply with such a request from Business Associate and in no case may Subcontractor be required to provide such documentation in less than three (3) business days after Subcontractor’s receipt of such request.
m. Except as provided for in this Agreement, in the event Subcontractor receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Subcontractor shall redirect the Individual to the Business Associate.
n. To the extent that Subcontractor carries out one or more of Business Associate’s obligations under the HIPAA Rules, the Subcontractor must comply with all requirements of the HIPAA Rules that would be applicable to the Business Associate.
o. Subcontractor must honor all restrictions consistent with 45 C.F.R. §164.522 that the Business Associate or the Individual makes the Subcontractor aware of, including the Individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with Section 13405(a) of the HITECH Act.
Samples: Third Party Administrator Agreement