Common use of Obligations and Activities of the Business Associate Clause in Contracts

Obligations and Activities of the Business Associate. (a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. (e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. (f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner specified by the Covered Entity. (h) Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of the Covered Entity, available to the Secretary, in a time and manner specified by the Covered Entity or designated by the Secretary, for purposes of the Secretary determining the Covered Entity's compliance with the Privacy Rule. (i) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide to the Covered Entity or an Individual, in a time and manner specified by the Covered Entity, information collected in accordance with § 2(i) of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to maintain the security of Protected Health Information it receives by establishing, at a minimum, the following security measures: (1) Limit authorized access to Protected Health Information to persons having a "need to know" that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified. (2) At the sole discretion of the Business Associate, provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of Protected Health Information, and of the penalties provided for the unauthorized release, use, or disclosure of this information. Receipt of the statement is to be acknowledged by the employee or agent, who is to sign and return the statement to his or her employer or principal, who then is to retain the signed original. The employee or agent is also to be furnished with a copy of the signed statement. (3) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of the referenced security requirements to the attention of the Covered Entity. (l) In accordance with generally accepted ‘best practices’ and at the sole discretion of the Business Associate, it is recommended that the Business Associate train all the members of its workforce on the various elements and procedures with respect to PHI required by this Agreement, as necessary and appropriate for the members of its workforce to carry out their functions within the Business Associate organization. The Business Associate may wish to provide such training as follows: (1) To each appropriate member of the Business Associate workforce within a reasonable time after the effective date of this Agreement. (2) Thereafter, to each appropriate new member of the Business Associate workforce within a reasonable period of time after the person joins the Business Associate’s workforce. (3) To each appropriate member of the Business Associate workforce whose functions are affected by a material change in the elements or procedures with respect to PHI required by this Agreement, within a reasonable period of time after the material change becomes effective. (4) Business Associate may elect to document that such training has been provided to its workforce members.

Appears in 2 contracts

Samples: Interagency Agreement, Interagency Agreement

AutoNDA by SimpleDocs

Obligations and Activities of the Business Associate. (a) The Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the this Agreement or as Required required by Lawlaw. (b) The Business Associate agrees to use the appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement and to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information that it creates receives, maintains or transmits on behalf of the Covered Entity pursuant to this Agreement. (c) The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement. (d) The Business Associate agrees to report to the Covered Entity Program, any use or disclosure of the Protected Health Information not provided for by this Agreement Agreement, as soon as reasonably practicable of which it becomes aware. The Business Associate also agrees to report to the Covered Entity any security incident of which it becomes aware. (e) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by the Business Associate on behalf of the Covered Entity, Program agrees to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. (f) The Business Associate agrees to provide access, at the request of the Covered EntityProgram, and in the time and mannermanner designated by the Covered Program, to Protected Health Information in a Designated Record Set, to the Covered Entity Program or, as directed by the Covered EntityProgram, to an Individual in order to meet the requirements under 45 CFR 164.524, if the business associate has protected health information in a designated record set. (g) The Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set designated record set that the Covered Entity Program directs or agrees to pursuant to 45 CFR 164.526 at the request of the Covered Entity Program or an Individual, and in the time and manner specified designated by Covered Program, if the Covered Entitybusiness associate has protected health information in a designated record set. (h) The Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate on behalf of of, the Covered Entity, Program available to the SecretaryCovered Program, or to the Secretary of Health and Human Services, in a time and manner specified designated by the Covered Entity Program or designated by the Secretary, for purposes of the Secretary determining the Covered EntityProgram's compliance with the Privacy Rule. (i) The Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity Program to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) The Business Associate agrees to provide to the Covered Entity Program or an Individual, in a time and manner specified designated by the Covered EntityProgram, information collected in accordance with § 2(i) of this Agreement, to permit the Covered Entity Program to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to maintain the security of Protected Health Information it receives by establishing, at a minimum, the following security measures: (1) Limit authorized access to Protected Health Information to persons having a "need to know" that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified. (2) At the sole discretion of the Business Associate, provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of Protected Health Information, and of the penalties provided for the unauthorized release, use, or disclosure of this information. Receipt of the statement is to be acknowledged by the employee or agent, who is to sign and return the statement to his or her employer or principal, who then is to retain the signed original. The employee or agent is also to be furnished with a copy of the signed statement. (3) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of the referenced security requirements to the attention of the Covered Entity. (l) In accordance with generally accepted ‘best practices’ and at the sole discretion of the Business Associate, it is recommended that the Business Associate train all the members of its workforce on the various elements and procedures with respect to PHI required by this Agreement, as necessary and appropriate for the members of its workforce to carry out their functions within the Business Associate organization. The Business Associate may wish to provide such training as follows: (1) To each appropriate member of the Business Associate workforce within a reasonable time after the effective date of this Agreement. (2) Thereafter, to each appropriate new member of the Business Associate workforce within a reasonable period of time after the person joins the Business Associate’s workforce. (3) To each appropriate member of the Business Associate workforce whose functions are affected by a material change in the elements or procedures with respect to PHI required by this Agreement, within a reasonable period of time after the material change becomes effective. (4) Business Associate may elect to document that such training has been provided to its workforce members.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of the Business Associate. (a) Upon signing this Agreement, the Business Associate identified above agrees to not to: A. Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required required by Lawlaw. (b) Business Associate agrees to use B. Use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Business Associate agrees to mitigateC. Mitigate, to the extent practicable, any harmful effect that is known to the Business Associate Associate, of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees D. Report to report to the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes awareAgreement. (e) Business Associate agrees to ensure E. Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by the Business Associate on behalf of the Covered Entity, Entity agrees to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. (f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner specified by the Covered Entity. (h) Business Associate agrees to make its F. Make internal practices, books, and records, including policies and procedures and Protected Health Information, records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate on behalf of of, the Covered Entity available to the Covered Entity, available or at the request of the Covered Entity to the SecretarySecretary of HHS, in a time and manner specified designated by the Covered Entity or designated by the SecretarySecretary of HHS, for purposes of the Secretary determining the Covered Entity's compliance with the Privacy Rule. (i) Business Associate agrees to document G. Document such disclosures of Protected Health Information and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide H. Provide to the Covered Entity or an Individual, in a the time and manner specified designated by the Covered Entity, information collected in accordance with § 2(iSection (g) of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to maintain the security of Protected Health Information it receives by establishing, at a minimum, the following security measures: (1) Limit authorized access to Protected Health Information to persons having a "need to know" that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified. (2) At the sole discretion of the Business Associate, provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of Protected Health Information, and of the penalties provided for the unauthorized release, use, or disclosure of this information. Receipt of the statement is to be acknowledged by the employee or agent, who is to sign and return the statement to his or her employer or principal, who then is to retain the signed original. The employee or agent is also to be furnished with a copy of the signed statement. (3) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of the referenced security requirements to the attention of the Covered Entity. (l) In accordance with generally accepted ‘best practices’ and at the sole discretion of the Business Associate, it is recommended that the Business Associate train all the members of its workforce on the various elements and procedures with respect to PHI required by this Agreement, as necessary and appropriate for the members of its workforce to carry out their functions within the Business Associate organization. The Business Associate may wish to provide such training as follows: (1) To each appropriate member of the Business Associate workforce within a reasonable time after the effective date of this Agreement. (2) Thereafter, to each appropriate new member of the Business Associate workforce within a reasonable period of time after the person joins the Business Associate’s workforce. (3) To each appropriate member of the Business Associate workforce whose functions are affected by a material change in the elements or procedures with respect to PHI required by this Agreement, within a reasonable period of time after the material change becomes effective. (4) Business Associate may elect to document that such training has been provided to its workforce members.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of the Business Associate. (a) The Business Associate agrees to not use to: (i) Use or disclose Protected Health Information other than PHI only as permitted or required by the Services Agreement, this Agreement or as Required by Law. Notwithstanding any other agreement to the contrary, the Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by the Plan. (bii) Business Associate agrees Use appropriate safeguards, and comply with the HIPAA Rules with respect to use appropriate safeguards e-PHI, and to prevent the use or disclosure of the Protected Health Information PHI other than as provided for by the Services Agreement and this Agreement. The Business Associate’s administrative, physical, and technical safeguards protecting PHI, and those of its subcontractors, shall comply with applicable law, the HIPAA Rules, HHS technical guidance, and any applicable privacy and security guidelines or standards issued by the National Institute for Standards and Technology (“NIST”) regarding individually identifiable information. The Business Associate shall ensure that any subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect such PHI. To the fullest extent permitted by law, the Business Associate shall be liable to the Plan for any acts, failures, or omissions of the Business Associate and those of subcontractors, as if such acts, failures, or omissions were the Business Associate’s own acts, failures, or omissions. Upon request the Business Associate shall provide the Plan with a copy of its policies and procedures concerning the safeguarding of PHI and those of its subcontractors. The Business Associate will make its internal practices, books, and records relating to its use and disclosure of PHI available to the Plan and to HHS to determine compliance with the HIPAA Rules and this Agreement. The Business Associate shall provide the Plan with a copy of any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary. (ciii) Business Associate agrees to mitigate, Report to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity Plan any use or disclosure of the Protected Health Information PHI not provided for by this Agreement of which the Business Associate becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. 164.410, and any security incident of which it becomes awareaware in accordance with Paragraph II(d), below. (eiv) Business Associate agrees to ensure that Require any agent, including a subcontractorsubcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. (f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner specified by the Covered Entity. (h) Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information provides PHI received from, or created or received by Business Associate on behalf of the Covered EntityPlan, to agree in writing, in the form of a written contract or other written agreement in accordance with 45 C.F.R. § 164.504(e)(1)(i), and agree to the same restrictions and conditions that apply to Business Associate pursuant to this Agreement. (v) Make access to PHI available in a designated record set, as soon as practicable (but in no case longer than ten (10) days after notice from the Plan) in the manner reasonably requested by the Plan, either to the Plan or if directed by the Plan to an Individual, in order for the Plan to satisfy its obligations under 45 C.F. R. 164.524. (vi) Make available to the SecretaryPlan, as soon as practicable in the manner reasonably requested by Plan (but in no case longer than ten (10) days after notice from the Plan), such information as the Plan may require to fulfill in a time timely manner its obligations pursuant to 45 C.F.R. § 164.526 to amend PHI that the Business Associate maintains in a Designated Record Set, and manner specified if so notified by the Covered Entity or designated by Plan, to incorporate any amendments to which the Secretary, for purposes of the Secretary determining the Covered Entity's compliance with the Privacy RulePlan has agreed. (ivii) Business Associate agrees to Track and document such all disclosures of Protected Health Information PHI to third parties, and within ten (10) business days of receiving a written request from the Plan, provide the Plan with the information related necessary for the Plan to such disclosures as would be required for Covered Entity to respond to a request by an Individual for make an accounting of disclosures of Protected Health Information in accordance with PHI about an Individual as required by 45 CFR C.F.R. § 164.528. (j) . Business Associate agrees to provide to the Covered Entity or an Individual, in a time and manner specified by the Covered Entity, information collected in accordance with § 2(i) of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to maintain the security of Protected Health Information it receives by establishingshall provide, at a minimum, the following security measures: information: (1i) Limit authorized access to Protected Health Information to persons having a "need to know" that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified. (2) At the sole discretion date of the Business Associate, provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of Protected Health Information, and of the penalties provided for the unauthorized release, use, or disclosure of this information. Receipt of the statement is to be acknowledged by the employee or agent, who is to sign and return the statement to his or her employer or principal, who then is to retain the signed original. The employee or agent is also to be furnished with a copy of the signed statement. (3) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of the referenced security requirements to the attention of the Covered Entity. (l) In accordance with generally accepted ‘best practices’ and at the sole discretion of the Business Associate, it is recommended that the Business Associate train all the members of its workforce on the various elements and procedures with respect to PHI required by this Agreement, as necessary and appropriate for the members of its workforce to carry out their functions within the Business Associate organization. The Business Associate may wish to provide such training as follows: (1) To each appropriate member of the Business Associate workforce within a reasonable time after the effective date of this Agreement. (2) Thereafter, to each appropriate new member of the Business Associate workforce within a reasonable period of time after the person joins the Business Associate’s workforce. (3) To each appropriate member of the Business Associate workforce whose functions are affected by a material change in the elements or procedures with respect to PHI required by this Agreement, within a reasonable period of time after the material change becomes effective. (4) Business Associate may elect to document that such training has been provided to its workforce members.disclosure;

Appears in 1 contract

Samples: Business Associate Agreement

AutoNDA by SimpleDocs

Obligations and Activities of the Business Associate. (a) The Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the this Agreement or as Required required by Lawlaw. (b) The Business Associate agrees to use the appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement and to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information that it creates receives, maintains or transmits on behalf of the Covered Entity pursuant to this Agreement. (c) The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of Protected Health Information by the Business Associate in violation of the requirements of this Agreement. (d) The Business Associate agrees to report to the Covered Entity Program, any use or disclosure of the Protected Health Information not provided for by this Agreement Agreement, as soon as reasonably practicable. The Business Associate also agrees to report to the Covered Entity any security incident of which it becomes aware. (e) The Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by the Business Associate on behalf of the Covered EntityProgram, agrees to the same restrictions and conditions that apply through this Agreement to the Business Associate with respect to such information. (f) The Business Associate agrees to provide access, at the request of the Covered Entity, Program and in the time and manner, manner designated by the Covered Program to Protected Health Information in a Designated Record Set, to the Covered Entity Program or, as directed by the Covered Entity, Program to an Individual in order to meet the requirements under 45 CFR 164.524, if the Business Associate has Protected Health Information in a designated record set. (g) The Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set designated record set that the Covered Entity Program directs or agrees to pursuant to 45 CFR 164.526 at the request of the Covered Entity Program or an Individual, and in the time and manner specified designated by Covered Program, if the Covered EntityBusiness Associate has Protected Health Information in a designated record set. (h) The Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate on behalf of of, the Covered Entity, Program available to the SecretaryCovered Program, or to the Secretary of Health and Human Services, in a time and manner specified designated by the Covered Entity Program or designated by the Secretary, for purposes of the Secretary determining the Covered EntityProgram's compliance with the Privacy Rule. (i) The Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity Program to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) No disclosures shall be made without the prior written permission of the Covered Program. (k) The Business Associate agrees to provide to the Covered Entity Program or an Individual, in a time and manner specified designated by the Covered EntityProgram, information collected in accordance with § 2(i) of this Agreement, to permit the Covered Entity Program to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (k) Business Associate agrees to maintain the security of Protected Health Information it receives by establishing, at a minimum, the following security measures: (1) Limit authorized access to Protected Health Information to persons having a "need to know" that information; additional employees or agents may have access to that information which does not contain information from which an individual can be identified. (2) At the sole discretion of the Business Associate, provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of Protected Health Information, and of the penalties provided for the unauthorized release, use, or disclosure of this information. Receipt of the statement is to be acknowledged by the employee or agent, who is to sign and return the statement to his or her employer or principal, who then is to retain the signed original. The employee or agent is also to be furnished with a copy of the signed statement. (3) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of the referenced security requirements to the attention of the Covered Entity. (l) In accordance with generally accepted ‘best practices’ and at the sole discretion of the Business Associate, it is recommended that the Business Associate train all the members of its workforce on the various elements and procedures with respect to PHI required by this Agreement, as necessary and appropriate for the members of its workforce to carry out their functions within the Business Associate organization. The Business Associate may wish to provide such training as follows: (1) To each appropriate member of the Business Associate workforce within a reasonable time after the effective date of this Agreement. (2) Thereafter, to each appropriate new member of the Business Associate workforce within a reasonable period of time after the person joins the Business Associate’s workforce. (3) To each appropriate member of the Business Associate workforce whose functions are affected by a material change in the elements or procedures with respect to PHI required by this Agreement, within a reasonable period of time after the material change becomes effective. (4) Business Associate may elect to document that such training has been provided to its workforce members.

Appears in 1 contract

Samples: Business Associate Agreement

Draft better contracts in just 5 minutes Get the weekly Law Insider newsletter packed with expert videos, webinars, ebooks, and more!