Common use of OBLIGATIONS OF BA Clause in Contracts

OBLIGATIONS OF BA. BA agrees to: Comply with the requirements of the Privacy Rule that apply to UC in carrying out such obligations, to the extent BA carries out any obligations of UC under the Privacy Rule. BA also agrees to comply with the requirements of California state privacy laws and regulations that apply to UC in carrying out such obligations, to the extent BA carries out any obligations of UC under California Civil Code § 1798 et seq., California Civil Code § 56 et seq., and California Health & Safety Code §§ 1280.15 and 1280.18, as applicable, unless otherwise mutually agreed to by BA and UC. Not Use or Disclose PHI other than as permitted or required by the Underlying Agreement or as required by law. Use appropriate safeguards, and comply, where applicable, with 45 C.F.R. § 164 Subpart C with respect to ePHI, to prevent the Use or Disclosure of PHI other than as provided for by the Underlying Agreement(s) and the Appendix BAA. Notify UC, orally and in writing, as soon as possible, but in no event more than five (5) calendar days, after BA becomes aware of any Use or Disclosure of the PHI not permitted or required by the Appendix BAA or Underlying Agreement(s), including Breaches of unsecured PHI as required by 45 C.F.R. § 164.410 and potential compromises of UC PHI, including potential inappropriate access, acquisition, use or disclosure of UC PHI (each, collectively an “Incident”). BA shall be deemed to be aware of any such Incident, as of the first day on which it becomes aware of it, or by exercising reasonable diligence, should have been known to its officers, employees, agents or sub-suppliers. The notification to UC shall include, to the extent possible, each individual whose unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used or disclosed during such Incident. BA shall further provide UC with any other available information that UC is required to include in a notification to affected individuals at the time of the notification to UC, or promptly thereafter as information becomes available. BA shall take prompt corrective action to remedy any such Incident, and, as soon as possible, shall provide to UC in writing: (i) the actions initiated by the BA to mitigate, to the extent practicable, any harmful effect of such Incident; and (ii) the corrective action BA has initiated or plans to initiate to prevent future similar Incidents. Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such PHI. If BA maintains PHI in a Designated Record Set, BA shall make the PHI in the Designated Record Set available to UC, or if directed by UC to the Individual or the Individual’s designee, as necessary to satisfy UC’s obligations under 45 C.F.R. § 164.524.

OBLIGATIONS OF BA. BA agrees to: Comply with the requirements of the Privacy Rule that apply to UC in carrying out such obligations, to the extent BA carries out any obligations of UC under the Privacy Rule. BA XX also agrees to comply with the requirements of California state privacy laws and regulations that apply to UC in carrying out such obligations, to the extent BA carries out any obligations of UC under California Civil Code § 1798 et seq., California Civil Code § 56 et seq., and California Health & Safety Code §§ 1280.15 and 1280.18, as applicable, unless otherwise mutually agreed to by BA and UC. Not Use or Disclose PHI other than as permitted or required by the Underlying Agreement or as required by law. Use appropriate safeguards, and comply, where applicable, with 45 C.F.R. § 164 Subpart C with respect to ePHI, to prevent the Use or Disclosure of PHI other than as provided for by the Underlying Agreement(s) and the Appendix BAA. Notify UC, orally and in writing, as soon as possible, but in no event more than five (5) calendar days, after BA becomes aware of any Use or Disclosure of the PHI not permitted or required by the Appendix BAA or Underlying Agreement(s), including Breaches of unsecured PHI as required by 45 C.F.R. § 164.410 and potential compromises of UC PHI, including potential inappropriate access, acquisition, use or disclosure of UC PHI (each, collectively an “Incident”). BA shall be deemed to be aware of any such Incident, as of the first day on which it becomes aware of it, or by exercising reasonable diligence, should have been known to its officers, employees, agents or sub-suppliers. The notification to UC shall include, to the extent possible, each individual whose unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used or disclosed during such Incident. BA shall further provide UC with any other available information that UC is required to include in a notification to affected individuals at the time of the notification to UC, or promptly thereafter as information becomes available. BA shall take prompt corrective action to remedy any such Incident, and, as soon as possible, shall provide to UC in writing: (i) the actions initiated by the BA to mitigate, to the extent practicable, any harmful effect of such Incident; and (ii) the corrective action BA has initiated or plans to initiate to prevent future similar Incidents. Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to such PHI. If BA maintains PHI in a Designated Record Set, BA shall make the PHI in the Designated Record Set available to UC, or if directed by UC to the Individual or the Individual’s designee, as necessary to satisfy UC’s obligations under 45 C.F.R. § 164.524.