Obligations and Activities of the Contractor. 7.1 The contractor shall not use or disclose Protected Health Information other than as permitted or required by the contract or as otherwise required by law, and shall comply with the minimum necessary disclosure requirements set forth in 45 CFR § 164.502(b). 7.2 The contractor shall use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by the contract. Such safeguards shall include, but not be limited to: a. Workforce training on the appropriate uses and disclosures of Protected Health Information pursuant to the terms of the contract; b. Policies and procedures implemented by the contractor to prevent inappropriate uses and disclosures of Protected Health Information by its workforce and subcontractors, if applicable; c. Encryption of any portable device used to access or maintain Protected Health Information or use of equivalent safeguard; d. Encryption of any transmission of electronic communication containing Protected Health Information or use of equivalent safeguard; and e. Any other safeguards necessary to prevent the inappropriate use or disclosure of Protected Health Information. 7.3 With respect to Electronic Protected Health Information, the contractor shall use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that contractor creates, receives, maintains or transmits on behalf of the Department and comply with Subpart C of 45 CFR Part 164, to prevent use or disclosure of Protected Health Information other than as provided for by the contract. 7.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), the contractor shall require that any agent or subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of the contractor agrees to the same restrictions, conditions, and requirements that apply to the contractor with respect to such information. 7.5 By no later than ten (10) calendar days after receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall make the contractor’s internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, created by, or received by the contractor on behalf of the Department available to the Department and/or to the Secretary of the Department of Health and Human Services or designee for purposes of determining compliance with the HIPAA Rules and the contract. 7.6 The contractor shall document any disclosures and information related to such disclosures of Protected Health Information as would be required for the Department to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 42 USCA §17932 and 45 CFR 164.528. By no later than five (5) calendar days of receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall provide an accounting of disclosures of Protected Health Information regarding an individual to the Department. If requested by the Department or the individual, the contractor shall provide an accounting of disclosures directly to the individual. The contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the Department upon request. 7.7 In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, the contractor shall, within five (5) calendar days following a Department request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, provide the Department access to the Protected Health Information in an individual’s designated record set. However, if requested by the Department, the contractor shall provide access to the Protected Health Information in a designated record set directly to the individual for whom such information relates. 7.8 At the direction of the Department, the contractor shall promptly make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 CFR 164.526. 7.9 The contractor shall report to the Department’s Security Officer any security incident immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any such
Appears in 3 contracts
Samples: Joint Settlement Agreement, Joint Settlement Agreement, Joint Settlement Agreement
Obligations and Activities of the Contractor. 7.1 The contractor shall not use or disclose Protected Health Information other than as permitted or required by the contract or as otherwise required by law, and shall comply with the minimum necessary disclosure requirements set forth in 45 CFR § 164.502(b).
7.2 The contractor shall use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by the contract. Such safeguards shall include, but not be limited to:
a. Workforce training on the appropriate uses and disclosures of Protected Health Information pursuant to the terms of the contract;
b. Policies and procedures implemented by the contractor to prevent inappropriate uses and disclosures of Protected Health Information by its workforce and subcontractors, if applicable;
c. Encryption of any portable device used to access or maintain Protected Health Information or use of equivalent safeguard;
d. Encryption of any transmission of electronic communication containing Protected Health Information or use of equivalent safeguard; and
e. Any other safeguards necessary to prevent the inappropriate use or disclosure of Protected Health Information.
7.3 With respect to Electronic Protected Health Information, the contractor shall use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that contractor creates, receives, maintains or transmits on behalf of the Department and comply with Subpart C of 45 CFR Part 164, to prevent use or disclosure of Protected Health Information other than as provided for by the contract.
7.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), the contractor shall require that any agent or subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of the contractor agrees to the same restrictions, conditions, and requirements that apply to the contractor with respect to such information.
7.5 By no later than ten (10) calendar days after receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall make the contractor’s internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, created by, or received by the contractor on behalf of the Department available to the Department and/or to the Secretary of the Department of Health and Human Services or designee for purposes of determining compliance with the HIPAA Rules and the contract.
7.6 The contractor shall document any disclosures and information related to such disclosures of Protected Health Information as would be required for the Department to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 42 USCA §17932 and 45 CFR 164.528. By no later than five (5) calendar days of receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall provide an accounting of disclosures of Protected Health Information regarding an individual to the Department. If requested by the Department or the individual, the contractor shall provide an accounting of disclosures directly to the individual. The contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the Department upon request.
7.7 In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, the contractor shall, within five (5) calendar days following a Department request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, provide the Department access to the Protected Health Information in an individual’s designated record set. However, if requested by the Department, the contractor shall provide access to the Protected Health Information in a designated record set directly to the individual for whom such information relates.
7.8 At the direction of the Department, the contractor shall promptly make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 CFR 164.526.
7.9 The contractor shall report to the Department’s Security Officer any security incident immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any suchsuch incident. For purposes of this paragraph, security incident shall mean the attempted or successful unauthorized access, use, modification or destruction of information or interference with systems operations in an information system. This does not include trivial incidents that occur on a daily basis, such as scans, “pings,” or unsuccessful attempts that do not penetrate computer networks or servers or result in interference with system operations. By no later than five (5) days after the contractor becomes aware of such incident, the contractor shall provide the Department’s Security Officer with a description of any remedial action taken to mitigate any harmful effect of such incident and a proposed written plan of action for approval that describes plans for preventing any such future security incidents.
7.10 The contractor shall report to the Department’s Privacy Officer any unauthorized use or disclosure of Protected Health Information not permitted or required as stated herein immediately upon becoming aware of such use or disclosure and shall take immediate action to stop the unauthorized use or disclosure. By no later than five (5) calendar days after the contractor becomes aware of any such use or disclosure, the contractor shall provide the Department’s Privacy Officer with a written description of any remedial action taken to mitigate any harmful effect of such disclosure and a proposed written plan of action for approval that describes plans for preventing any such future unauthorized uses or disclosures.
7.11 The contractor shall report to the Department’s Security Officer any breach immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any such incident. By no later than five (5) days after the contractor becomes aware of such incident, the contractor shall provide the Department’s Security Officer with a description of the breach, the information compromised by the breach, and any remedial action taken to mitigate any harmful effect of such incident and a proposed written plan for approval that describes plans for preventing any such future incidents.
7.12 The contractor’s reports required in the preceding paragraphs shall include the following information regarding the security incident, improper disclosure/use, or breach, (hereinafter “incident”):
a. The name, address, and telephone number of each individual whose information was involved if such information is maintained by the contractor;
b. The electronic address of any individual who has specified a preference of contact by electronic mail;
c. A brief description of what happened, including the date(s) of the incident and the date(s) of the discovery of the incident;
d. A description of the types of Protected Health Information involved in the incident (such as full name, Social Security Number, date of birth, home address, account number, or disability code) and whether the incident involved Unsecured Protected Health Information; and
e. The recommended steps individuals should take to protect themselves from potential harm resulting from the incident.
7.13 Notwithstanding any provisions of the Terms and Conditions attached hereto, in order to meet the requirements under HIPAA and the regulations promulgated thereunder, the contractor shall keep and retain adequate, accurate, and complete records of the documentation required under these provisions for a minimum of six (6) years as specified in 45 CFR Part 164.
7.14 The contractor shall not directly or indirectly receive remuneration in exchange for any Protected Health Information without a valid authorization.
7.15 If the contractor becomes aware of a pattern of activity or practice of the Department that constitutes a material breach of contract regarding the Department's obligations under the Business Associate Provisions of the contract, the contractor shall notify the Department’s Security Officer of the activity or practice and work with the Department to correct the breach of contract.
7.16 The contractor shall indemnify the Department from any liability resulting from any violation of the Privacy Rule or Security Rule or Breach arising from the conduct or omission of the contractor or its employee(s), agent(s) or subcontractor(s). The contractor shall reimburse the Department for any and all actual and direct costs and/or losses, including those incurred under the civil penalties implemented by legal requirements, including but not limited to HIPAA as amended by the Health Information Technology for Economic and Clinical Health Act, and including reasonable attorney’s fees, which may be imposed upon the Department under legal requirements, including but not limited to HIPAA’s Administrative Simplification Rules, arising from or in connection with the contractor’s negligent or wrongful actions or inactions or violations of this Agreement.
Appears in 1 contract
Samples: Agreement for Payment of Litigation Costs to Establish Child Custody Orders
Obligations and Activities of the Contractor. 7.1 1.3.1 The contractor shall not use or disclose Protected Health Information other than as permitted or required by the contract or as otherwise required by law, and shall comply with the minimum necessary disclosure requirements set forth in 45 CFR § 164.502(b).
7.2 1.3.2 The contractor shall use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by the contract. Such safeguards shall include, but not be limited to:
a. Workforce training on the appropriate uses and disclosures of Protected Health Information pursuant to the terms of the contract;
b. Policies and procedures implemented by the contractor to prevent inappropriate uses and disclosures of Protected Health Information by its workforce and subcontractors, if applicable;
c. Encryption of any portable device used to access or maintain Protected Health Information or use of equivalent safeguard;
d. Encryption of any transmission of electronic communication containing Protected Health Information or use of equivalent safeguard; and
e. Any other safeguards necessary to prevent the inappropriate use or disclosure of Protected Health Information.
7.3 1.3.3 With respect to Electronic Protected Health Information, the contractor shall use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that contractor creates, receives, maintains or transmits on behalf of the Department state agency and comply with Subpart C of 45 CFR Part 164, to prevent use or disclosure of Protected Health Information other than as provided for by the contract.
7.4 1.3.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), the contractor shall require that any agent or subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of the contractor agrees to the same restrictions, conditions, and requirements that apply to the contractor with respect to such information.
7.5 1.3.5 By no later than ten (10) calendar days after receipt of a written request from the Departmentstate agency, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Departmentstate agency, the contractor shall make the contractor’s internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, created by, or received by the contractor on behalf of the Department state agency available to the Department state agency and/or to the Secretary of the Department of Health and Human Services or designee for purposes of determining compliance with the HIPAA Rules and the contract.
7.6 1.3.6 The contractor shall document any disclosures and information related to such disclosures of Protected Health Information as would be required for the Department state agency to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 42 USCA 00 XXXX §17932 00000 and 45 CFR 164.528. By no later than five (5) calendar days of receipt of a written request from the Departmentstate agency, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Departmentstate agency, the contractor shall provide an accounting of disclosures of Protected Health Information regarding an individual to the Departmentstate agency. If requested by the Department state agency or the individual, the contractor shall provide an accounting of disclosures directly to the individual. The contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the Department state agency upon request.
7.7 1.3.7 In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, the contractor shall, within five (5) calendar days following a Department state agency request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Departmentstate agency, provide the Department state agency access to the Protected Health Information in an individual’s designated record set. However, if requested by the Departmentstate agency, the contractor shall provide access to the Protected Health Information in a designated record set directly to the individual for whom such information relates.
7.8 1.3.8 At the direction of the Departmentstate agency, the contractor shall promptly make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 CFR 164.526.
7.9 1.3.9 The contractor shall report to the Departmentstate agency’s Security Officer any security incident immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any suchsuch incident. For purposes of this paragraph, security incident shall mean the attempted or successful unauthorized access, use, modification or destruction of information or interference with systems operations in an information system. This does not include trivial incidents that occur on a daily basis, such as scans, “pings,” or unsuccessful attempts that do not penetrate computer networks or servers or result in interference with system operations. By no later than five (5) days after the contractor becomes aware of such incident, the contractor shall provide the state agency’s Security Officer with a description of any remedial action taken to mitigate any harmful effect of such incident and a proposed written plan of action for approval that describes plans for preventing any such future security incidents.
1.3.10 The contractor shall report to the state agency’s Privacy Officer any unauthorized use or disclosure of Protected Health Information not permitted or required as stated herein immediately upon becoming aware of such use or disclosure and shall take immediate action to stop the unauthorized use or disclosure. By no later than five (5) calendar days after the contractor becomes aware of any such use or disclosure, the contractor shall provide the state agency’s Privacy Officer with a written description of any remedial action taken to mitigate any harmful effect of such disclosure and a proposed written plan of action for approval that describes plans for preventing any such future unauthorized uses or disclosures.
1.3.11 The contractor shall report to the state agency’s Security Officer any breach immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any such incident. By no later than five (5) days after the contractor becomes aware of such incident, the contractor shall provide the state agency’s Security Officer with a description of the breach, the information compromised by the breach, and any remedial action taken to mitigate any harmful effect of such incident and a proposed written plan for approval that describes plans for preventing any such future incidents.
1.3.12 The contractor’s reports required in the preceding paragraphs shall include the following information regarding the security incident, improper disclosure/use, or breach, (hereinafter “incident”):
a. The name, address, and telephone number of each individual whose information was involved if such information is maintained by the contractor;
b. The electronic address of any individual who has specified a preference of contact by electronic mail;
c. A brief description of what happened, including the date(s) of the incident and the date(s) of the discovery of the incident;
d. A description of the types of Protected Health Information involved in the incident (such as full name, Social Security Number, date of birth, home address, account number, or disability code) and whether the incident involved Unsecured Protected Health Information; and
e. The recommended steps individuals should take to protect themselves from potential harm resulting from the incident.
1.3.13 Notwithstanding any provisions of the Terms and Conditions attached hereto, in order to meet the requirements under HIPAA and the regulations promulgated thereunder, the contractor shall keep and retain adequate, accurate, and complete records of the documentation required under these provisions for a minimum of six (6) years as specified in 45 CFR Part 164.
1.3.14 Contractor shall not directly or indirectly receive remuneration in exchange for any Protected Health Information without a valid authorization.
1.3.15 If the contractor becomes aware of a pattern of activity or practice of the state agency that constitutes a material breach of contract regarding the state agency's obligations under the Business Associate Provisions of the contract, the contractor shall notify the state agency’s Security Officer of the activity or practice and work with the state agency to correct the breach of contract.
1.3.16 The contractor shall indemnify the state agency from any liability resulting from any violation of the Privacy Rule or Security Rule or Breach arising from the conduct or omission of the contractor or its employee(s), agent(s) or subcontractor(s). The contractor shall reimburse the state agency for any and all actual and direct costs and/or losses, including those incurred under the civil penalties implemented by legal requirements, including but not limited to HIPAA as amended by the Health Information Technology for Economic and Clinical Health Act, and including reasonable attorney’s fees, which may be imposed upon the state agency under legal requirements, including but not limited to HIPAA’s Administrative Simplification Rules, arising from or in connection with the contractor’s negligent or wrongful actions or inactions or violations of this Agreement.
Appears in 1 contract
Samples: Participation Agreement
Obligations and Activities of the Contractor. 7.1 The contractor shall not use or disclose Protected Health Information other than as permitted or required by the contract or as otherwise required by law, and shall comply with the minimum necessary disclosure requirements set forth in 45 CFR § 164.502(b).
7.2 The contractor shall use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by the contract. Such safeguards shall include, but not be limited to:
a. Workforce training on the appropriate uses and disclosures of Protected Health Information pursuant to the terms of the contract;
b. Policies and procedures implemented by the contractor to prevent inappropriate uses and disclosures of Protected Health Information by its workforce and subcontractors, if applicable;applicable;
c. Encryption of any portable device used to access or maintain Protected Health Information or use of equivalent safeguard;
d. Encryption of any transmission of electronic communication containing Protected Health Information or use of equivalent safeguard; and
e. Any other safeguards necessary to prevent the inappropriate use or disclosure of Protected Health Information.
7.3 With respect to Electronic Protected Health Information, the contractor shall use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that contractor creates, receives, maintains or transmits on behalf of the Department and comply with Subpart C of 45 CFR Part 164, to prevent use or disclosure of Protected Health Information other than as provided for by the contract.
7.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), the contractor shall require that any agent or subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of the contractor agrees to the same restrictions, conditions, and requirements that apply to the contractor with respect to such information.
7.5 By no later than ten (10) calendar days after receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall make the contractor’s internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, created by, or received by the contractor on behalf of the Department available to the Department and/or to the Secretary of the Department of Health and Human Services or designee for purposes of determining compliance with the HIPAA Rules and the contract.
7.6 The contractor shall document any disclosures and information related to such disclosures of Protected Health Information as would be required for the Department to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 42 USCA §17932 and 45 CFR 164.528. By no later than five (5) calendar days of receipt of a written request from the Department, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, the contractor shall provide an accounting of disclosures of Protected Health Information regarding an individual to the Department. If requested by the Department or the individual, the contractor shall provide an accounting of disclosures directly to the individual. The contractor shall maintain a record of any accounting made directly to an individual at the individual’s request and shall provide such record to the Department upon request.
7.7 In order to meet the requirements under 45 CFR 164.524, regarding an individual’s right of access, the contractor shall, within five (5) calendar days following a Department request, or as otherwise required by state or federal law or regulation, or by another time as may be agreed upon in writing by the Department, provide the Department access to the Protected Health Information in an individual’s designated record set. However, if requested by the Department, the contractor shall provide access to the Protected Health Information in a designated record set directly to the individual for whom such information relates.
7.8 At the direction of the Department, the contractor shall promptly make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 CFR 164.526.
7.9 The contractor shall report to the Department’s Security Officer any security incident immediately upon becoming aware of such incident and shall take immediate action to stop the continuation of any such
Appears in 1 contract
Samples: Contract for Services
