Common use of Obligations and Activities of the Business Associate Clause in Contracts

Obligations and Activities of the Business Associate. The

2.1 Not to use or further disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by Law;

2.2 To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Business Associate Agreement;

2.3 To mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement;

2.4 To report to the Covered Entity any use or disclosure of PHI not provided for by this Business Associate Agreement of which it becomes aware, including any Security Incident of which it becomes aware;

2.5 In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such PHI;

2.6 To provide access, at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to the Individual or the Individual’s designee as necessary to meet the Covered Entity’s obligations under 45 CFR 164.524; provided, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity;

2.7 To make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity; provided, however, that this Section 2.7 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity;

2.8 To make internal practices, books and records, including policies and procedures on PHI, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary’s determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules;

2.9 To document such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528;

2.10 To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR 164.528;

2.11 That if it creates, receives, maintains, or transmits any electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information, and it will ensure that any agents (including subcontractors) to whom it provides such electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. The Business Associate will report to the Plan any Security Incident of which it becomes aware;

2.12 To ensure that the provisions of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access to electronic PHI;

2.13 To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction;

2.14 Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316;

2.15 To notify the Covered Entity of a Breach of Unsecured PHI as soon as practicable, but in no case later than 60 calendar days, after the discovery of such Breach in accordance with 45 CFR §164.410. A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. In addition, Business Associate shall provide the Covered Entity with any other available information that the Covered Entity is required to include in the notification to the individual under 45 CFR §164.404(c); and

2.16 To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of the Business Associate. TheThe Business Associate agrees to the following: 2.1 Not to use or further disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by Law; 2.2 To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Business Associate Agreement; 2.3 To mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement; 2.4 To immediately report to the Covered Entity any use or disclosure of PHI not provided for by this Business Associate Agreement of which it becomes aware, including any Security Incident of which it becomes aware; 2.5 In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such PHI; 2.6 To provide access, at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to the Individual or the Individual’s designee as necessary to meet the Covered Entity’s obligations under 45 CFR §164.524; provided, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.7 To make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the 
Covered Entity; provided, however, that this Section 2.7 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.8 To make internal practices, books and records, including policies and procedures on PHI, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary’s determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules; 2.9 To document such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; 2.10 To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR §164.528; 2.11 That if it creates, receives, maintains, or transmits any electronic Electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entityCovered Entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health informationElectronic PHI, and it will ensure that any agents (including subcontractors) to whom it provides such electronic Electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. 
The Business Associate will report to the Plan Covered Entity any Security Incident of which it becomes aware; 2.12 To ensure that the provisions of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access to electronic PHI; 2.13 To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction; 2.14 Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316; 2.15 2.13 To promptly notify the Covered Entity of a Breach of Unsecured PHI as soon as practicable, but in no case later than 60 10 calendar days, after the discovery of such Breach in accordance with 45 CFR §164.410. A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Breach in addition to the information required in Section V. 
In addition, Business Associate shall provide the Covered Entity with any other available information that the Covered Entity is required to include in the notification to the individual under 45 CFR §CFR 164.404(c); and 2.16 2.14 To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

SECTION III – THE PARTIES AGREE TO THE FOLLOWING PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE: 3.1 Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures. 3.2 Except as otherwise limited in this Business Associate Agreement, the Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, the Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by the Covered Entity; and, 3.3 Except as otherwise limited in this Business Associate Agreement, the Business Associate may: a. Use for management and administration. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate; and, b. Disclose for management and administration. 
Disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required by Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of the Business Associate. TheThe Business Associate agrees to the following: 2.1 Not to use or further disclose PHI other than as permitted or required by this Agreement and to fulfill its responsibilities under the contract setting out the scope of work for the Business Associate Agreement Associate, or as Required required by Lawlaw, or for the proper management and administration of the business associate under the requirements set out in Section III below; 2.2 To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Business Associate Agreement; 2.3 To mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate AgreementAgreement or the HIPAA Privacy and Security Rules; 2.4 To report to the Covered Entity any use or disclosure of involving PHI not provided for by this Business Associate Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR § 164.410, and any Security Incident of which it becomes aware;. The business associate shall immediately report to the covered entity any breach of unsecured PHI, except as provided by 45 CFR § 164.412 based upon a request from law enforcement to delay the notice in that such would impede a criminal investigation or cause damage to national security. 
The Business Associate shall provide to the covered entity the following information: (1) a brief description of what happened; including the date of the breach and date of discovery of the breach, if known; (2) identification of each individual whose unsecured PHI has been affected by the breach; (3) description of the type of unsecured PHI involving the breach; (4) any steps the individuals should take to protect themselves from harm from the breach; and (5) steps the Business Associate is taking to investigate the breach, to mitigate harm and protect against other breaches. The Business Associate, in consultation with the covered entity, shall be responsible for breach notifications to individuals affected by the unauthorized use or disclosure no later than sixty (60) days following its discovery or by exercise of reasonable due diligence would have been known to the Business Associate, as required by 45 CFR § 164.404. The Business Associate shall be solely responsible for any and all costs associated with the notification requirements to the individuals as provided herein. The Business Associate shall be responsible for any penalties, assessments or fees assessed by the Office for Civil Rights/Department of Health & Human Services due to any breach caused by the Business Associate or based upon the failure of the Business Associate to comply with the HIPAA Privacy and Security Rules. The covered entity, in consultation with the Business Associate, shall make all needed notices to the media and the Secretary of HHS. The Business Associate shall report immediately to the covered entity any security incident of which it becomes aware as required by 45 CFR § 164.314 (a) (2) (i) (C). The Business Associate shall report to the covered entity the operative facts surrounding the security incident, what steps are to be taken to address the security incident, and other information which may be requested by the covered entity relative to the security incident. 
2.5 In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such PHI; 2.6 To provide accessaccess to PHI in a Designated Record Set, at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity orEntity, or as directed by the Covered Entity, to the Individual or the Individual’s designee as necessary to meet the Covered Entity’s obligations under 45 CFR §164.524; provided, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.7 To make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity; provided, however, that this Section 2.7 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.8 To make internal practices, books and records, including policies and procedures on PHI, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary’s determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules; 2.9 To document such non-routine disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to 
respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528, where applicable; 2.10 To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR §164.528; 2.11 That if it creates, receives, maintains, or transmits any electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information, and it will ensure that any agents (including subcontractors) to whom it provides such electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. The Business Associate will report to the Plan any Security Incident of which it becomes aware; 2.12 To ensure that the provisions Use appropriate safeguards, and comply with Subpart C of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access 45 CFR Part 164 with respect to electronic PHIprotected health information, to prevent the use or disclosure of protected health other than is permitted for under this Agreement or required by law; 2.13 To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. 
In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction; 2.14 Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316; 2.15 To notify Shall appropriately safeguard any and all PHI provided by the covered entity to the Business Associate under the service contract or agreement as required under HIPAA Rules and this Agreement herein, as set out in 45 CFR § 164.502 (e) (1) and (2). 2.16 Not to make any fundraising communication on behalf of Covered Entity of a Breach of Unsecured PHI or to Covered Entity’s participants and beneficiaries; 2.17 Not to receive any remuneration, either directly or indirectly, in exchange for PHI, except as soon as practicable, but in no case later than 60 calendar days, after the discovery of such Breach in accordance with may be permitted by 45 CFR §164.410. A Breach shall be treated as discovered as 164.502(a)(5) and §164.508(a)(4); 2.18 Not to make any marketing communication on behalf of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. 
In addition, Business Associate shall provide the Covered Entity with any other available information that the or to Covered Entity is required to include in the notification to the individual under Entity’s participants and beneficiaries, except as may be permitted by 45 CFR §CFR 164.404(c)164.501; and 2.16 2.19 To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Appears in 1 contract

Samples: Business Associate Agreement

Obligations and Activities of the Business Associate. The 2.1 The Business Associate agrees to the following: Not to use or further disclose PHI other than as permitted or required by this Agreement and to fulfill its responsibilities under the contract setting out the scope of work for the Business Associate Agreement Associate, or as Required required by Law; 2.2 law, or for the proper management and administration of the business associate under the requirements set out in Section III below; To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Business Associate Agreement; 2.3 ; To mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement; 2.4 Agreement or the HIPAA Privacy and Security Rules; To report to the Covered Entity any use or disclosure of involving PHI not provided for by this Business Associate Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR § 164.410, and any Security Incident of which it becomes aware; 2.5 . The business associate shall immediately report to the covered entity any breach of unsecured PHI, except as provided by 45 CFR § 164.412 based upon a request from law enforcement to delay the notice in that such would impede a criminal investigation or cause damage to national security. 
The Business Associate shall provide to the covered entity the following information: (1) a brief description of what happened; including the date of the breach and date of discovery of the breach, if known; (2) identification of each individual whose unsecured PHI has been affected by the breach; (3) description of the type of unsecured PHI involving the breach; (4) any steps the individuals should take to protect themselves from harm from the breach; and (5) steps the Business Associate is taking to investigate the breach, to mitigate harm and protect against other breaches. The Business Associate, in consultation with the covered entity, shall be responsible for breach notifications to individuals affected by the unauthorized use or disclosure no later than sixty (60) days following its discovery or by exercise of reasonable due diligence would have been known to the Business Associate, as required by 45 CFR § 164.404. The Business Associate shall be solely responsible for any and all costs associated with the notification requirements to the individuals as provided herein. The Business Associate shall be responsible for any penalties, assessments or fees assessed by the Office for Civil Rights/Department of Health & Human Services due to any breach caused by the Business Associate or based upon the failure of the Business Associate to comply with the HIPAA Privacy and Security Rules. The covered entity, in consultation with the Business Associate, shall make all needed notices to the media and the Secretary of HHS. The Business Associate shall report immediately to the covered entity any security incident of which it becomes aware as required by 45 CFR § 164.314 (a) (2) (i) (C). The Business Associate shall report to the covered entity the operative facts surrounding the security incident, what steps are to be taken to address the security incident, and other information which may be requested by the covered entity relative to the security incident. 
In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such PHI; 2.6 ; To provide accessaccess to PHI in a Designated Record Set, at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity orEntity, or as directed by the Covered Entity, to the Individual or the Individual’s designee as necessary to meet the Covered Entity’s obligations under 45 CFR §164.524; provided, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.7 ; To make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity; provided, however, that this Section 2.7 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.8 ; To make internal practices, books and records, including policies and procedures on PHI, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary’s determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules; 2.9 ; To document such non-routine disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to 
respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; 2.10 , where applicable; To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR §164.528; 2.11 ; That if it creates, receives, maintains, or transmits any electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information, and it will ensure that any agents (including subcontractors) to whom it provides such electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. The Business Associate will report to the Plan any Security Incident ; Use appropriate safeguards, and comply with Subpart C of which it becomes aware; 2.12 To ensure that the provisions of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access 45 CFR Part 164 with respect to electronic PHI; 2.13 protected health information, to prevent the use or disclosure of protected health other than is permitted for under this Agreement or required by law; To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. 
In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction; 2.14 ; Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316; 2.15 To notify ; Shall appropriately safeguard any and all PHI provided by the Covered Entity of a Breach of Unsecured PHI covered entity to the Business Associate under the service contract or agreement as soon required under HIPAA Rules and this Agreement herein, as practicable, but set out in no case later than 60 calendar days, after the discovery of such Breach in accordance with 45 CFR §164.410164.502 (e) (1) and (2). A Breach shall be treated as discovered as Not to make any fundraising communication on behalf of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. 
In addition, Business Associate shall provide the Covered Entity with or to Covered Entity’s participants and beneficiaries; Not to receive any other available information that the remuneration, either directly or indirectly, in exchange for PHI, except as may be permitted by 45 CFR §164.502(a)(5) and §164.508(a)(4); Not to make any marketing communication on behalf of Covered Entity is required or to include in the notification to the individual under Covered Entity’s participants and beneficiaries, except as may be permitted by 45 CFR §CFR 164.404(c)164.501; and 2.16 and To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Appears in 1 contract

Samples: Business Associate Agreement


Obligations and Activities of the Business Associate. The 2.1 Not to (a) The Business Associate shall not use or further disclose PHI other than as permitted or required by this Business Associate the Agreement or as Required required by Law;law. 2.2 To (b) The Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 the HIPAA Rules and DoD HIPAA Issuances incorporated by reference in this document Issuances with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this the Agreement. (c) The Business Associate Agreement; 2.3 To mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement; 2.4 To shall report to the Covered Entity any use or disclosure of PHI not provided for by this Business Associate Agreement breach of which it becomes aware, including and shall proceed with breach response steps as required by Part V of this agreement. With respect to electronic PHI, the Business Associate shall also respond to any Security Incident security incident of which it becomes aware;aware in accordance with any cybersecurity provisions of the Agreement. If at any point the Business Associate becomes aware that a security incident involves a breach, the Business Associate shall immediately initiate breach response as required by PartV of this BAA. 
2.5 (d) In accordance with DoDM 6025.18, paragraph 3.3.c.(3)(b)4, 45 CFR §§164.502(e)(1)(ii)) and 164.308(b)(2), if applicable, §164.308(b)(2),the Business Associate shall ensure that any agent(and all) subcontractors that create, including a subcontractorreceive, that creates, receives, maintainsmaintain, or transmits transmit PHI on behalf of the Business Associate agrees in writing agree to the same restrictions, conditions conditions, and requirements that apply to the Business Associate with respect to such PHI; 2.6 To provide access, at specifically the request of the Covered Entity, and responsibilities laid out in the time DoD HIPAA Issuances incorporated by reference in this agreement. PHI. (e) The business associate may disclose PHI to a business associate that is a subcontractor and manner designated by may allow the Covered Entitysubcontractor to create, to receive, maintain, or transmit PHI on its behalf, if the business associate obtains satisfactory assurances, in accordance with DoDM 6025.18, paragraph 4.5.e.(1), that the subcontractor will appropriately safeguard the information. (f) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to the Individual or the an Individual’s designee , as necessary to meet satisfy the Covered Entity’s Entity obligations under 45 CFR 164.524; provided§164.524 and DoDM 6025.18, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the paragraph 5.3.c. (g) The Business Associate for the Covered Entity; 2.7 To shall make any amendment(s) to PHI in a Designated Record Set that as directed or agreed to by the Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at § and DoDM 6025.18, paragraph 5.4. 
(h) The Business Associate shall maintain and make available the request information required to provide an accounting of disclosures to the Covered Entity or an Individual, and in the time and manner designated by individual as necessary to satisfy the Covered Entity; provided’s obligations under 45 CFR §164.528 and DoDM 6025.18, however, that this Section 2.7 is applicable only to paragraph 5.5. (i) To the extent the Designated Record Set Business Associate is maintained by to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule and DoDM 6025.18, the Business Associate for shall comply with the requirements of the HIPAA Privacy Rule and DoDM 6025.18, that apply to the Covered Entity;Entity in the performance of such obligation(s); and 2.8 To (j) The Business Associate shall make its internal practices, books books, and records, including policies and procedures on PHI, records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity DoD Component available to the Covered EntitySecretary of HHS and to the Director, DHA, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, their designee for purposes of the Secretary’s determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules; 2.9 To document such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528; 2.10 To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR 164.528; 
2.11 That if it creates, receives, maintains, or transmits any electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information, and it will ensure that any agents (including subcontractors) to whom it provides such electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. The Business Associate will report to the Plan any Security Incident of which it becomes aware; 2.12 To ensure that the provisions of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access to electronic PHI; 2.13 To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction; 2.14 Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316; 2.15 To notify the Covered Entity of a Breach of Unsecured PHI as soon as practicable, but in no case later than 60 calendar days, after the discovery of such Breach in accordance with 45 CFR §164.410. A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. 
The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. In addition, Business Associate shall provide the Covered Entity with any other available information that the Covered Entity is required to include in the notification to the individual under 45 §CFR 164.404(c); and 2.16 To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Appears in 1 contract

Samples: Business Associate Agreement (Baa)

Obligations and Activities of the Business Associate. TheThe Business Associate agrees as follows: 2.1 Not 1. to fully comply with the requirements under the HIPAA Security and Privacy Rule applicable to business associates and to not to use or further disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by Law;. 2.2 To 2. to develop, implement, maintain and use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, safeguards to prevent any use 3. to report to the Covered Entity any use or disclosure of PHI other than as or EPHI not provided for for 4. to comply with any additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities. 5. to adopt the technology and methodology standards required in any guidance issued by this Business Associate Agreement;the Secretary pursuant to HITECH §§ 13401-13402. 2.3 To mitigate, 6. to the extent practicable, mitigate any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement; 2.4 To report to , and notify the Covered Entity of any use or disclosure breach of Unsecured PHI, as required under HITECH § 13402. 7. in the case of a breach of Unsecured PHI, following the discovery of a breach of such information, notify the Covered Entity of such breach. 
The notice shall include the identification of each individual whose Unsecured PHI not provided for by this Business Associate Agreement of which it becomes aware, including any Security Incident of which it becomes aware; 2.5 In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agent, including a subcontractor, that creates, receives, maintainshas been, or transmits PHI on behalf of is reasonably believed by the Business Associate agrees in writing to have been, accessed, acquired or disclosed during the breach. 8. to enter into an agreement with each of its subcontractors pursuant to 45 CFR Section 164.308(b)(1) and HITECH Section 13401 that is appropriate and sufficient to require each subcontractor to protect PHI to the same restrictions, conditions and requirements that apply to extent required by the Business Associate hereunder. 9. along with respect its agents or subcontractors, if any, to such PHI;only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. The Business Associate agrees to comply with the Secretary’s guidance on what constitutes “minimum necessary.” 2.6 To provide access10. to take reasonable steps to cure the breach or end the violation if the Business Associate knows of a pattern of activity or practice by the Covered Entity that constitutes a 11. to provide, at the request of the Covered Entity, and in the time and manner designated by the Covered Entity, access to PHI in a Designated Record Set, Record 12. 
to the Covered Entity or, as directed by the Covered Entity, to the Individual or the Individual’s designee as necessary to meet the Covered Entity’s obligations under 45 CFR 164.524; provided, however, that this Section 2.6 is applicable only to the extent the Designated Record Set is maintained by the Business Associate for the Covered Entity; 2.7 To make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §Section 164.526 at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity; provided, however, that this Section 2.7 is applicable only to the extent the Designated Record Set is maintained by if the Business Associate for maintains PHI in a designated record set as defined by the Covered Entity;Privacy Rule. 2.8 To 13. to make its internal practices, books and records, including policies and procedures on PHIprocedures, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of, of the Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity Secretary or the Secretary, his/her designee for purposes of the Secretary’s Secretary determining the Covered Entity’s and the Business Associate’s compliance with the HIPAA Rules;Privacy Rule and Security Rule. 2.9 To document 14. 
to maintain and make available such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528; 2.10 To provide to the Covered Entity or an Individual, in a time and manner designated by the Covered Entity, information collected in accordance with Section 2.9 of this Business Associate Agreement, to permit the Covered Entity to respond to a request by an accounting of disclosures of PHI in accordance with 45 CFR 164.528; 2.11 That if it creates, receives, maintains, or transmits any electronic PHI (other than enrollment/disenrollment information and Summary Health Information, which are not subject to these restrictions) on behalf of the covered entity, it will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information, and it will ensure that any agents (including subcontractors) to whom it provides such electronic PHI agrees to implement reasonable and appropriate security measures to protect the information. The Business Associate will report to the Plan any Security Incident of which it becomes aware; 2.12 To ensure that the provisions of this Section are supported by reasonable and appropriate security measures to the extent that the designees have access to electronic PHI; 2.13 To retain records related to the PHI hereunder for a period of six (6) years unless the Business Associate Agreement is terminated prior thereto. 
In the event of termination of this Business Associate Agreement, the provisions of Section V of this Business Associate Agreement shall govern record retention, return or destruction; 2.14 Implement administrative safeguards in accordance with 45 CFR §164.308, physical safeguards in accordance with 45 CFR §164.310, technical safeguards in accordance with 45 CFR §164.312, and policies and procedures in accordance with 45 CFR §164.316; 2.15 To notify the Covered Entity of a Breach of Unsecured PHI as soon as practicable, but in no case later than 60 calendar days, after the discovery of such Breach in accordance with 45 CFR §164.410. A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or agent of Business Associate. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. In addition, Business Associate shall provide the Covered Entity with any other available information that the Covered Entity is required to include in the notification to the individual under 45 §CFR 164.404(c); and 2.16 To the extent Business Associate is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

Appears in 1 contract

Samples: Business Associate Agreement
